
Bug#931309: Multiple security issues (CVE-2018-14449..14459, CVE-2018-18192..18197)

Hello libgig maintainers and security team,

I have verified that all CVEs still affect the latest version in Debian.
Most of them just lead to a denial of service (application crash).
CVE-2018-18193 leads to memory exhaustion and almost completely freezes
the system. The heap-based buffer overflows may have a more serious
impact depending on the situation. The upstream maintainer of libgig,
Christian Schoenebeck (CCed), was not aware of them. In a private
conversation Christian stated that

"The file types I mentioned above are always consciously, manually
opened by users (all in pro-audio context) with these applications, and
(except for .sf2 probably) are rather quite exotic file formats from an
average user's point of view. Most of our users either create those
files by themselves with our tools (e.g. with gigedit and/or gigtools)
or they are loading files from commercial sample library CDs dating back
between mid 1980s - mid 2000s (libgig started in 2003), and yet some
users share their files with close/trusted persons.

In short: the chance that somebody successfully attempts to use these
file types for security exploits that would really harm somebody
seriously in reality, is quite low."

I have the same impression and the risk of being affected by one of
these vulnerabilities is low because of the special file format and how
those files are created.

libgig was not designed to be secure and to process untrusted files.
Christian asked me that we notify users about the situation, to open
only trusted files or to open files only in a sandboxed environment, and
I suggested adding a README.Debian file to libgig for clarification. I
hereby forward this request to the maintainers of libgig.

I have come to the conclusion that we won't spend time on fixing these
issues in Jessie because of the low security risk. Fixing those bugs is
not a development priority of upstream currently and Christian asked for
help and patches.

Regards,

Markus
