Security update for libass
SUSE Patch
security@suse.de
SUSE Security Team
SUSE-SU-2016:3107-1
Final
1
1
2016-12-13T08:19:14Z
current
2016-12-13T08:19:14Z
2016-12-13T08:19:14Z
cve-database/bin/generate-cvrf.pl
2017-02-24T01:00:00Z
Security update for libass
This update for libass fixes the following issues:
CVE-2016-7969, CVE-2016-7970, CVE-2016-7971, CVE-2016-7972: Fixed multiple memory allocation issues found by fuzzing (bsc#1002982).
The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
SUSE-SLE-DESKTOP-12-SP1-2016-1804, SUSE-SLE-DESKTOP-12-SP2-2016-1804, SUSE-SLE-RPI-12-SP2-2016-1804, SUSE-SLE-SDK-12-SP1-2016-1804, SUSE-SLE-SDK-12-SP2-2016-1804, SUSE-SLE-SERVER-12-SP1-2016-1804, SUSE-SLE-SERVER-12-SP2-2016-1804
Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0)
https://www.suse.com/support/update/announcement/2016/suse-su-20163107-1/
Link for SUSE-SU-2016:3107-1
https://lists.suse.com/pipermail/sle-security-updates/2016-December/002475.html
E-Mail link for SUSE-SU-2016:3107-1
https://www.suse.com/support/security/rating/
SUSE Security Ratings
https://bugzilla.suse.com/1002982
SUSE Bug 1002982
https://www.suse.com/security/cve/CVE-2016-7969/
SUSE CVE CVE-2016-7969 page
https://www.suse.com/security/cve/CVE-2016-7970/
SUSE CVE CVE-2016-7970 page
https://www.suse.com/security/cve/CVE-2016-7971/
SUSE CVE CVE-2016-7971 page
https://www.suse.com/security/cve/CVE-2016-7972/
SUSE CVE CVE-2016-7972 page
SUSE Linux Enterprise Desktop 12 SP1
SUSE Linux Enterprise Desktop 12 SP2
SUSE Linux Enterprise Server 12 SP1
SUSE Linux Enterprise Server 12 SP2
SUSE Linux Enterprise Server for Raspberry Pi 12 SP2
SUSE Linux Enterprise Server for SAP Applications 12 SP1
SUSE Linux Enterprise Server for SAP Applications 12 SP2
SUSE Linux Enterprise Software Development Kit 12 SP1
SUSE Linux Enterprise Software Development Kit 12 SP2
libass5-0.10.2-3.1
libass-devel-0.10.2-3.1
libass5-0.10.2-3.1 as a component of SUSE Linux Enterprise Desktop 12 SP1
libass5-0.10.2-3.1 as a component of SUSE Linux Enterprise Desktop 12 SP2
libass5-0.10.2-3.1 as a component of SUSE Linux Enterprise Server 12 SP1
libass5-0.10.2-3.1 as a component of SUSE Linux Enterprise Server 12 SP2
libass5-0.10.2-3.1 as a component of SUSE Linux Enterprise Server for Raspberry Pi 12 SP2
libass5-0.10.2-3.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP1
libass5-0.10.2-3.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP2
libass-devel-0.10.2-3.1 as a component of SUSE Linux Enterprise Software Development Kit 12 SP1
libass-devel-0.10.2-3.1 as a component of SUSE Linux Enterprise Software Development Kit 12 SP2
The wrap_lines_smart function in ass_render.c in libass before 0.13.4 allows remote attackers to cause a denial of service (out-of-bounds read) via unspecified vectors, related to "0/3 line wrapping equalization."
CVE-2016-7969
SUSE Linux Enterprise Desktop 12 SP1:libass5-0.10.2-3.1
SUSE Linux Enterprise Desktop 12 SP2:libass5-0.10.2-3.1
SUSE Linux Enterprise Server 12 SP1:libass5-0.10.2-3.1
SUSE Linux Enterprise Server 12 SP2:libass5-0.10.2-3.1
SUSE Linux Enterprise Server for Raspberry Pi 12 SP2:libass5-0.10.2-3.1
SUSE Linux Enterprise Server for SAP Applications 12 SP1:libass5-0.10.2-3.1
SUSE Linux Enterprise Server for SAP Applications 12 SP2:libass5-0.10.2-3.1
SUSE Linux Enterprise Software Development Kit 12 SP1:libass-devel-0.10.2-3.1
SUSE Linux Enterprise Software Development Kit 12 SP2:libass-devel-0.10.2-3.1
moderate
5.1
AV:N/AC:H/Au:N/C:P/I:P/A:P
To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
https://www.suse.com/support/update/announcement/2016/suse-su-20163107-1/
https://www.suse.com/security/cve/CVE-2016-7969.html
CVE-2016-7969
https://bugzilla.suse.com/1002982
SUSE Bug 1002982
Buffer overflow in the calc_coeff function in libass/ass_blur.c in libass before 0.13.4 allows remote attackers to cause a denial of service via unspecified vectors.
CVE-2016-7970
SUSE Linux Enterprise Desktop 12 SP1:libass5-0.10.2-3.1
SUSE Linux Enterprise Desktop 12 SP2:libass5-0.10.2-3.1
SUSE Linux Enterprise Server 12 SP1:libass5-0.10.2-3.1
SUSE Linux Enterprise Server 12 SP2:libass5-0.10.2-3.1
SUSE Linux Enterprise Server for Raspberry Pi 12 SP2:libass5-0.10.2-3.1
SUSE Linux Enterprise Server for SAP Applications 12 SP1:libass5-0.10.2-3.1
SUSE Linux Enterprise Server for SAP Applications 12 SP2:libass5-0.10.2-3.1
SUSE Linux Enterprise Software Development Kit 12 SP1:libass-devel-0.10.2-3.1
SUSE Linux Enterprise Software Development Kit 12 SP2:libass-devel-0.10.2-3.1
moderate
2.6
AV:N/AC:H/Au:N/C:N/I:N/A:P
To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
https://www.suse.com/support/update/announcement/2016/suse-su-20163107-1/
https://www.suse.com/security/cve/CVE-2016-7970.html
CVE-2016-7970
https://bugzilla.suse.com/1002982
SUSE Bug 1002982
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.
CVE-2016-7971
SUSE Linux Enterprise Desktop 12 SP1:libass5-0.10.2-3.1
SUSE Linux Enterprise Desktop 12 SP2:libass5-0.10.2-3.1
SUSE Linux Enterprise Server 12 SP1:libass5-0.10.2-3.1
SUSE Linux Enterprise Server 12 SP2:libass5-0.10.2-3.1
SUSE Linux Enterprise Server for Raspberry Pi 12 SP2:libass5-0.10.2-3.1
SUSE Linux Enterprise Server for SAP Applications 12 SP1:libass5-0.10.2-3.1
SUSE Linux Enterprise Server for SAP Applications 12 SP2:libass5-0.10.2-3.1
SUSE Linux Enterprise Software Development Kit 12 SP1:libass-devel-0.10.2-3.1
SUSE Linux Enterprise Software Development Kit 12 SP2:libass-devel-0.10.2-3.1
moderate
5.1
AV:N/AC:H/Au:N/C:P/I:P/A:P
To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
https://www.suse.com/support/update/announcement/2016/suse-su-20163107-1/
https://www.suse.com/security/cve/CVE-2016-7971.html
CVE-2016-7971
https://bugzilla.suse.com/1002982
SUSE Bug 1002982
The check_allocations function in libass/ass_shaper.c in libass before 0.13.4 allows remote attackers to cause a denial of service (memory allocation failure) via unspecified vectors.
CVE-2016-7972
SUSE Linux Enterprise Desktop 12 SP1:libass5-0.10.2-3.1
SUSE Linux Enterprise Desktop 12 SP2:libass5-0.10.2-3.1
SUSE Linux Enterprise Server 12 SP1:libass5-0.10.2-3.1
SUSE Linux Enterprise Server 12 SP2:libass5-0.10.2-3.1
SUSE Linux Enterprise Server for Raspberry Pi 12 SP2:libass5-0.10.2-3.1
SUSE Linux Enterprise Server for SAP Applications 12 SP1:libass5-0.10.2-3.1
SUSE Linux Enterprise Server for SAP Applications 12 SP2:libass5-0.10.2-3.1
SUSE Linux Enterprise Software Development Kit 12 SP1:libass-devel-0.10.2-3.1
SUSE Linux Enterprise Software Development Kit 12 SP2:libass-devel-0.10.2-3.1
moderate
5.1
AV:N/AC:H/Au:N/C:P/I:P/A:P
To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
https://www.suse.com/support/update/announcement/2016/suse-su-20163107-1/
https://www.suse.com/security/cve/CVE-2016-7972.html
CVE-2016-7972
https://bugzilla.suse.com/1002982
SUSE Bug 1002982