Bug 20466

Summary: audiofile new security issues CVE-2017-682[7-9] and CVE-2017-683[0-9]
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: herman.viaene, lewyssmith, mageia, marja11, sysadmin-bugs
Version: 5Keywords: validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA5-32-OK advisory MGA5-64-OK
Source RPM: audiofile-0.3.6-6.mga6.src.rpm CVE:
Status comment:

Description David Walser 2017-03-13 11:30:07 CET 
Several CVEs for audiofile were posted today (March 13):
http://openwall.com/lists/oss-security/2017/03/13/

They are CVE-2017-6829 and CVE-2017-683[0-9].
Marja Van Waes 2017-03-13 18:08:24 CET

CC: (none) => marja11
Assignee: bugsquad => shlomif

Comment 1 David Walser 2017-03-15 01:50:41 CET 
CVE-2017-6827 and CVE-2017-6828:
http://openwall.com/lists/oss-security/2017/03/14/6
http://openwall.com/lists/oss-security/2017/03/14/7

Summary: audiofile new security issues CVE-2017-6829 and CVE-2017-683[0-9] => audiofile new security issues CVE-2017-682[7-9] and CVE-2017-683[0-9]

Comment 2 David Walser 2017-03-23 14:43:11 CET 
Debian has issued an advisory for this on March 22:
https://www.debian.org/security/2017/dsa-3814
Comment 3 Nicolas Lécureuil 2017-05-01 22:03:19 CEST 
Fixed in cauldron

CC: (none) => mageia

Comment 4 Nicolas Lécureuil 2017-05-01 22:04:04 CEST 
pushed in updates_testing to fix 
        * CVE-2017-6829 
        * CVE-2017-6831
        * CVE-2017-6832
        * CVE-2017-6833
        * CVE-2017-6834
        * CVE-2017-6835
        * CVE-2017-6836
        * CVE-2017-6837
        * CVE-2017-6838
        * CVE-2017-6839
        * CVE-2017-6827
        * CVE-2017-6828


src.rpm: audiofile-0.3.6-4.2.mga5

Assignee: shlomif => qa-bugs
Version: Cauldron => 5

Comment 5 David Walser 2017-05-02 01:44:56 CEST 
Nicolas, you missed one patch, one CVE, and didn't actually apply any of the patches in the Mageia 5 update.  All fixed now.

Advisory:
========================

Updated audiofile packages fix security vulnerabilities:

Several vulnerabilities have been discovered in the audiofile library, which
may result in denial of service or the execution of arbitrary code if a
malformed audio file is processed (CVE-2017-6827, CVE-2017-6828, CVE-2017-6829,
CVE-2017-6830, CVE-2017-6831, CVE-2017-6832, CVE-2017-6833, CVE-2017-6834,
CVE-2017-6835, CVE-2017-6836, CVE-2017-6837, CVE-2017-6838, CVE-2017-6839).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6827
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6828
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6829
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6830
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6831
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6832
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6833
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6834
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6835
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6836
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6837
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6838
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6839
https://www.debian.org/security/2017/dsa-3814
========================

Updated packages in core/updates_testing:
========================
audiofile-0.3.6-4.3.mga5
libaudiofile1-0.3.6-4.3.mga5
libaudiofile-devel-0.3.6-4.3.mga5

from audiofile-0.3.6-4.3.mga5.src.rpm
Comment 6 Herman Viaene 2017-05-03 14:26:25 CEST 
MGA-32 on Asus A6000VM Xfce
No installation issues
Ref bug 16923 Comment 7
Converted two wav files (captured from cassette) and used ffmpeg to convert to mp3 as
$ ffmpeg -i Welington\'s\ Sieg.wav -codec mp3 Well.mp3
then 
$ normalize Well.mp3 Zapf.mp3 
Computing levels...
 Zapf.mp3           99% done, ETA 00:00:00 (batch 100% done, ETA 00:00:00) 
Applying adjustment of 3,05dB to Well.mp3...
 Well.mp3          100% done, ETA 00:00:00 (batch  81% done, ETA 00:00:00) 
Applying adjustment of 1,15dB to Zapf.mp3...
 Zapf.mp3          100% done, ETA 00:00:00 (batch 100% done, ETA 00:00:00) 
 mp3 files play well.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA5-32-OK

Lewis Smith 2017-05-04 09:54:49 CEST

Whiteboard: MGA5-32-OK => MGA5-32-OK advisory
CC: (none) => lewyssmith

Comment 7 Lewis Smith 2017-05-06 09:58:17 CEST 
Testing M5_64

After update:   audiofile-0.3.6-4.3.mga5   lib64audiofile1-0.3.6-4.3.mga5
using 'normalize'.
This time it worked directly on .wav files (as says the man page) as well as .mp3 ; [but not .flac nor .ogg]. Note that it overwrites the source file.

 $ normalize cbach.wav
 Computing levels...
  cbach.wav         100% done, ETA 00:00:00 (batch 100% done, ETA 00:00:00) 
 Applying adjustment of 1.07dB to cbach.wav...
  cbach.wav         100% done, ETA 00:00:00 (batch 100% done, ETA 00:00:00) 

Confirmed that the library *is* called:
 $ strace normalize cbach.wav 2>&1 | grep audiofile
 open("/lib64/libaudiofile.so.1", O_RDONLY|O_CLOEXEC) = 3

 $ normalize cbach.mp3
 Computing levels...
  cbach.mp3         100% done, ETA 00:00:00 (batch 100% done, ETA 00:00:00) 
 Applying adjustment of 1.52dB to cbach.mp3...
  cbach.mp3         100% done, ETA 00:00:00 (batch 100% done, ETA 00:00:00) 

The results were fine, so the update is OK. Validating, already advisoried.

Whiteboard: MGA5-32-OK advisory => MGA5-32-OK advisory MGA5-64-OK
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 8 Mageia Robot 2017-05-06 14:24:04 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0129.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED