Bug 20082

Summary:	flac new security issues fixed upstream in 1.3.2
Product:	Mageia	Reporter:	David Walser <luigiwalser>
Component:	Security	Assignee:	QA Team <qa-bugs>
Status:	RESOLVED FIXED	QA Contact:	Sec team <security>
Severity:	normal
Priority:	Normal	CC:	brtians1, davidwhodgins, lewyssmith, marja11, sysadmin-bugs
Version:	5	Keywords:	validated_update
Target Milestone:	---
Hardware:	All
OS:	Linux
URL:	https://lwn.net/Vulnerabilities/710896/
Whiteboard:	advisory mga5-32-ok mga5-64-ok
Source RPM:	flac-1.3.1-2.mga5.src.rpm	CVE:
Status comment:	need some input on this one before I okay it.

Description David Walser 2017-01-06 23:40:40 CET

Fedora has issued an advisory today (January 6):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/N4PM4XSC7DQUG2ICWTLDQZFOXFMVL3MQ/

The issues are fixed in 1.3.2:
https://xiph.org/flac/changelog.html

or in this commit:
https://git.xiph.org/?p=flac.git;a=commitdiff;h=c06a44969c1145242a22f75fc8fb2e8b54c55303

Marja Van Waes 2017-01-07 10:08:16 CET

CC: (none) => marja11
Assignee: bugsquad => rverschelde

Comment 1 Rémi Verschelde 2017-03-06 18:18:53 CET

Submitted flac-1.3.2-1.mga5 to core/updates_testing.

Advisory:
=========

Updated flac packages fix security vulnerabilities

  FLAC 1.3.2 fixes a NULL pointer dereference bug and adds bounds checking in the
  encoder. It also fixes various non security-relevant issues.

References:
 - https://xiph.org/flac/changelog.html


RPMs in core/updates_testing:
=============================
flac-1.3.2-1.mga5
lib{64,}flac8-1.3.2-1.mga5
lib{64,}flac-devel-1.3.2-1.mga5
lib{64,}flac++6-1.3.2-1.mga5
lib{64,}flac++-devel-1.3.2-1.mga5

SRPM in core/updates_testing:
=============================
flac-1.3.2-1.mga5

Assignee: rverschelde => qa-bugs

Dave Hodgins 2017-03-08 03:43:32 CET

CC: (none) => davidwhodgins
Whiteboard: (none) => advisory

Comment 2 Brian Rockwell 2017-03-08 03:52:00 CET

mga5-32-ok

The following 3 packages are going to be installed:

- flac-1.3.2-1.mga5.i586
- libflac++6-1.3.2-1.mga5.i586
- libflac8-1.3.2-1.mga5.i586

872KB of additional disk space will be used.

468KB of packages will be retrieved.

Is it ok to continue?


$ flac -f --best --keep-foreign-metadata *.wav

able to the play the files without issue

CC: (none) => brtians1
Whiteboard: advisory => advisory mga5-32-ok

Comment 3 Brian Rockwell 2017-03-10 00:36:44 CET

The following 3 packages are going to be installed:

- flac-1.3.2-1.mga5.x86_64
- lib64flac++6-1.3.2-1.mga5.x86_64
- lib64flac8-1.3.2-1.mga5.x86_64

865KB of additional disk space will be used.

467KB of packages will be retrieved.

Is it ok to continue?

---------------------

ok not sure on this one.  

Converted WAV file without issue.  Tried an ogg file and it toasted.

ERROR got FLAC__STREAM_DECODER_ERROR_STATUS_LOST_SYNC while decoding FLAC input
12_-_Sangre_Dolce.ogg: ERROR: out of memory or too many metadata blocks while reading metadata in FLAC input


--- anybody have some input on this one?

Status comment: (none) => need some input on this one before I okay it.

Brian Rockwell 2017-03-10 00:38:59 CET

Whiteboard: advisory mga5-32-ok => advisory mga5-32-ok feedback

Comment 4 Brian Rockwell 2017-03-10 04:40:34 CET

Ok - flac utility does not transcode from ogg.  So, it worked on wav files.  I think it is fine.  Approving and removing the feedback flag.

Whiteboard: advisory mga5-32-ok feedback => advisory mga5-32-ok mga5-64-ok

Lewis Smith 2017-03-10 20:34:15 CET

Keywords: (none) => validated_update
CC: (none) => lewyssmith, sysadmin-bugs

Comment 5 Mageia Robot 2017-03-12 21:34:19 CET

An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0074.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED