Bug 21552

Summary: taglib new security issue CVE-2017-12678
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: mageia, marja11, sysadmin-bugs
Version: 6Keywords: validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: advisory MGA6-64-OK
Source RPM: taglib-1.11.1-1.mga6.src.rpm CVE:
Status comment:

Description David Walser 2017-08-17 12:32:52 CEST 
openSUSE has issued an advisory today (August 17):
https://lists.opensuse.org/opensuse-updates/2017-08/msg00076.html

Mageia 6 is also affected.  Mageia 5 may be as well.
David Walser 2017-08-17 12:33:00 CEST

Whiteboard: (none) => MGA6TOO, MGA5TOO

Comment 1 Marja Van Waes 2017-08-17 19:21:00 CEST 
Assigning to all packagers collectively, since there is no registered maintainer for this package.

CC: (none) => marja11
Assignee: bugsquad => pkg-bugs

Nicolas Lécureuil 2017-08-18 00:55:50 CEST

Version: Cauldron => 6
CC: (none) => mageia
Whiteboard: MGA6TOO, MGA5TOO => MGA5TOO

Comment 2 Nicolas Lécureuil 2017-08-18 01:03:47 CEST 
this bug is not valid on mga5.

Pushed in updates_testing of mga6
src.rpm:
        taglib-1.11.1-1.1.mga6

Whiteboard: MGA5TOO => (none)
Assignee: pkg-bugs => qa-bugs

Comment 3 David Walser 2017-08-18 02:24:44 CEST 
Advisory:
========================

Updated taglib packages fix security vulnerability:

Denial of service vulnerability via specially crafted ID3v2 data
(CVE-2017-12678).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12678
https://lists.opensuse.org/opensuse-updates/2017-08/msg00076.html
========================

Updated packages in core/updates_testing:
========================
libtaglib1-1.11.1-1.1.mga6
libtaglib_c0-1.11.1-1.1.mga6
libtaglib-devel-1.11.1-1.1.mga6

from taglib-1.11.1-1.1.mga6.src.rpm
Comment 4 Rémi Verschelde 2017-08-19 11:57:09 CEST 
Testing OK on Mageia 6 x86_64, via clementine which makes use of taglib:

$ ldd /usr/bin/clementine | grep libtag.so.1
        libtag.so.1 => /lib64/libtag.so.1 (0x00007f95ca52d000)

Reading and modifying tags work in Clementine.

Whiteboard: (none) => MGA6-64-OK

Comment 5 Rémi Verschelde 2017-08-19 11:58:13 CEST 
Validating, advisory uploaded.

Keywords: (none) => validated_update
Whiteboard: MGA6-64-OK => advisory MGA6-64-OK
CC: (none) => sysadmin-bugs

Comment 6 Nicolas Lécureuil 2017-08-19 12:37:29 CEST 
Update ID assignment failed

Checking for QA validation keyword⦠  â
Checking dependent bugs⦠             â (None found)
Checking SRPMs⦠                      â (6/core/taglib-1.11.1-1.mga6) 


'validated_update' keyword reset.

Keywords: validated_update => (none)

Comment 7 Rémi Verschelde 2017-08-19 12:39:11 CEST 
Advisory fixed.

Keywords: (none) => validated_update

Comment 8 Mageia Robot 2017-08-19 12:54:38 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0286.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED