Bug 15634

Summary: flac regression fix for CVE-2014-9028
Product: Mageia Reporter: David Walser <luigiwalser>
Component: RPM PackagesAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact:
Severity: normal    
Priority: Normal CC: sysadmin-bugs
Version: 4Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
Whiteboard: has_procedure advisory mga4-64-ok mga4-32-ok
Source RPM: flac-1.3.0-2.1.mga4.src.rpm CVE:
Status comment:

Description David Walser 2015-04-06 14:07:33 CEST 
The fix for CVE-2014-9028 (which was initially fixed in 1.3.1 upstream) caused a regression in seeking, a fix for which was included in upstream git after 1.3.1.  The more correct fix was included in a RedHat advisory on March 31:
https://rhn.redhat.com/errata/RHSA-2015-0767.html

as well as the Mandriva advisory on April 1:
http://www.mandriva.com/en/support/security/advisories/mbs2/MDVSA-2015%3A188/

Oden has updated our CVE-2014-9028 patch with the additional fixes from upstream.

You can find testing information in our previous update in Bug 14658.

Advisory:
----------------------------------------

Updated flac packages fix regression:

In MGASA-2014-0499, a fix for a heap overflow in libFLAC (CVE-2014-9028) was
implemented, which caused a problem with seeking.  A more correct fix has
been implemented that does not cause any known regressions.

References:
http://advisories.mageia.org/MGASA-2014-0499.html
----------------------------------------

Updated packages in core/updates_testing:
----------------------------------------
flac-1.3.0-2.2.mga4
libflac8-1.3.0-2.2.mga4
libflac-devel-1.3.0-2.2.mga4
libflac++6-1.3.0-2.2.mga4
libflac++-devel-1.3.0-2.2.mga4

from flac-1.3.0-2.2.mga4.src.rpm

Reproducible: 

Steps to Reproduce:
David Walser 2015-04-06 14:07:46 CEST

Whiteboard: (none) => has_procedure

Comment 1 claire robinson 2015-04-24 15:26:37 CEST 
Testing complete mga4 64

Used VLC (which requires lib64flac8) to seek forward and backwards in the flac file. Also as below..

$ flac -a flacfile.flac

flac 1.3.0, Copyright (C) 2000-2009, 2011-2013  Josh Coalson & Xiph.Org Foundation
flac comes with ABSOLUTELY NO WARRANTY.  This is free software, and you are
welcome to redistribute it under certain conditions.  Type `flac' for details.

flacfile.flac: done

This analyses the flac file and creates a flacfile.ana which presumably contains some analysis data.

$ flac -t flacfile.flac 

flac 1.3.0, Copyright (C) 2000-2009, 2011-2013  Josh Coalson & Xiph.Org Foundation
flac comes with ABSOLUTELY NO WARRANTY.  This is free software, and you are
welcome to redistribute it under certain conditions.  Type `flac' for details.

flacfile.flac: ok                    

Also opened flacfile.flac in kwave sound editor, which requires lib64flac++6

Whiteboard: has_procedure => has_procedure mga4-64-ok

Comment 2 claire robinson 2015-04-24 18:03:37 CEST 
Advisory uploaded.

Whiteboard: has_procedure mga4-64-ok => has_procedure advisory mga4-64-ok

Comment 3 claire robinson 2015-04-25 14:34:08 CEST 
Testing complete mga4 32

Validating.

Please push to 4 updates

Thanks

Keywords: (none) => validated_update
Whiteboard: has_procedure advisory mga4-64-ok => has_procedure advisory mga4-64-ok mga4-32-ok
CC: (none) => sysadmin-bugs

Comment 4 Mageia Robot 2015-04-25 22:15:42 CEST 
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGAA-2015-0038.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED