Bug 20177

Summary: audacious-plugins new security issues in bundled game-music-emu
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: brtians1, davidwhodgins, herman.viaene, jim, lewyssmith, sysadmin-bugs
Version: 5Keywords: validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
URL: https://lwn.net/Vulnerabilities/709663/
Whiteboard: advisory MGA5-32-OK MGA5-64-OK
Source RPM: audacious-plugins-3.5.2-2.mga5.src.rpm CVE:
Status comment:

Description David Walser 2017-01-25 01:30:34 CET 
Fedora has issued an advisory today (January 24):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/5JCR3VLAF2YQQIMAJABV4G7LQQYBXH5V/

The issues are fixed upstream in 3.8.2.  Freeze push requested for Cauldron.

These are the same issues we just fixed in Bug 19952.

The patch is checked into Mageia 5 SVN.
Comment 1 David Walser 2017-01-26 02:05:51 CET 
Patched package uploaded for Mageia 5.

Advisory:
========================

Updated audacious-plugins packages fix security vulnerabilities:

Chris Evans discovered that incorrect emulation of the SPC700 audio
co-processor of the Super Nintendo Entertainment System allows the execution
of arbitrary code if a malformed SPC music file is opened (CVE-2016-9957,
CVE-2016-9958, CVE-2016-9959, CVE-2016-9960, CVE-2016-9961).

These issues were previously fixed in MGASA-2016-0428 in the game-music-emu
library, but audacious-plugins contains a decoder built with a bundled
copy, which has been patched to fix the issues.

References:
http://advisories.mageia.org/MGASA-2016-0428.html
========================

Updated packages in core/updates_testing:
========================
audacious-plugins-3.5.2-2.1.mga5
audacious-wavpack-3.5.2-2.1.mga5
audacious-jack-3.5.2-2.1.mga5
audacious-pulse-3.5.2-2.1.mga5
audacious-adplug-3.5.2-2.1.mga5
audacious-fluidsynth-3.5.2-2.1.mga5
audacious-sid-3.5.2-2.1.mga5

from audacious-plugins-3.5.2-2.1.mga5.src.rpm

Assignee: bugsquad => qa-bugs
URL: (none) => https://lwn.net/Vulnerabilities/709663/

Comment 2 Dave Hodgins 2017-02-03 00:44:34 CET 
What about the tainted version?

I've added the advisory to svn with ...
   tainted:
     - audacious-plugins-3.5.2-2.1.mga5.tainted

Either the tainted version needs to be added or the advisory in svn updated.

CC: (none) => davidwhodgins
Whiteboard: (none) => advisory feedback

Comment 3 David Walser 2017-02-03 01:38:38 CET 
Ugh, tainted is annoying.  It's on its way.  Thanks for catching it.

Whiteboard: advisory feedback => advisory

Comment 4 Herman Viaene 2017-02-09 13:57:21 CET 
I first added Tainted Updates Testing repos (the regular Tainted I have always), then searched for audacious, but I did not get audacious-wavpack, audacious-jack , audacious-fluidsynth nor audacious-sid in any version. belnet is usually a day later, but not that much and it carries the other updates correctly.

CC: (none) => herman.viaene

Comment 5 James Kerr 2017-02-09 15:01:54 CET 
They are there. Perhaps you forgot to update the tainted/updates repo after enabling it.

CC: (none) => jim

Comment 6 James Kerr 2017-02-09 15:08:17 CET 
(In reply to James Kerr from comment #5)
> They are there. Perhaps you forgot to update the tainted/updates repo after
> enabling it.

Meant to write tainted/updates-testing
Comment 7 Herman Viaene 2017-02-09 16:19:33 CET 
@ James:
I routinely refresh all repos before starting a test session, and then still, the tainted audacious-adplug was found, but not the ones I indicated. But now indeed all are present.
Comment 8 Herman Viaene 2017-02-09 16:22:18 CET 
MGA5-32 on Asus A6000VM Xfce
No installation issues.
At CLI:
$ strace -o audacious.txt audacious
Played CD and checked in trace that plugins are called: OK

Whiteboard: advisory => advisory MGA5-32-OK

Comment 9 Brian Rockwell 2017-02-09 17:37:54 CET 
David - did you get tainted updated as well?

CC: (none) => brtians1

Comment 10 Brian Rockwell 2017-02-11 13:09:47 CET 
Tested tainted plugins 

# urpmi audacious-plugins
Package audacious-plugins-3.5.2-2.1.mga5.tainted.i586 is already installed
installing audacious-pulse-3.5.2-2.1.mga5.tainted.i586.rpm from /var/cache/urpmi/rpms


sounds and different effects available are working properly.

tainted works.
Comment 11 Brian Rockwell 2017-02-11 14:07:11 CET 
To satisfy dependencies, the following package(s) also need to be installed:

- audacious-plugins-3.5.2-2.1.mga5.x86_64
- audacious-pulse-3.5.2-2.1.mga5.x86_64
- lib64audcore1-3.5.2-1.mga5.x86_64
- lib64audgui2-3.5.2-1.mga5.x86_64
- lib64guess1-1.2-0.git.20131127.3.mga5.x86_64
- lib64mms0-0.6.4-4.mga5.x86_64
- lib64mowgli-2_0-2.0.0-4.mga5.x86_64

6.6MB of additional disk space will be used.


Jammed out to âFrom the Beginningâ in FLAC by Emerson, Lake & Palmer.  Working as designed

Whiteboard: advisory MGA5-32-OK => advisory MGA5-32-OK MGA5-64-OK

Lewis Smith 2017-02-11 21:55:36 CET

Keywords: (none) => validated_update
CC: (none) => lewyssmith, sysadmin-bugs

Comment 12 Mageia Robot 2017-02-12 00:48:06 CET 
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0046.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED