Bug 22984

Summary: flac new security issue CVE-2017-6888
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: mageia, marja11, sysadmin-bugs
Version: 6Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA5TOO MGA6-64-OK MGA5-64-OK
Source RPM: flac-1.3.2-1.mga7.src.rpm CVE:
Status comment:

Description David Walser 2018-05-02 23:35:30 CEST 
openSUSE has issued an advisory today (May 2):
https://lists.opensuse.org/opensuse-updates/2018-05/msg00002.html

Mageia 5 and Mageia 6 are also affected.
David Walser 2018-05-02 23:36:11 CEST

Whiteboard: (none) => MGA6TOO, MGA5TOO

Comment 1 Marja Van Waes 2018-05-03 07:09:53 CEST 
Assigning to the registered maintainer.

Assignee: bugsquad => rverschelde
CC: (none) => marja11

Comment 2 David Walser 2018-05-04 05:47:02 CEST 
Patched packages uploaded for Mageia 5, Mageia 6, and Cauldron.

Advisory:
========================

Updated flac packages fix security vulnerability:

Memory leak in read_metadata_vorbiscomment_() function could lead to denial of
service (CVE-2017-6888).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6888
https://lists.opensuse.org/opensuse-updates/2018-05/msg00002.html
========================

Updated packages in core/updates_testing:
========================
flac-1.3.2-1.1.mga5
libflac8-1.3.2-1.1.mga5
libflac-devel-1.3.2-1.1.mga5
libflac++6-1.3.2-1.1.mga5
libflac++-devel-1.3.2-1.1.mga5
flac-1.3.2-1.1.mga6
libflac8-1.3.2-1.1.mga6
libflac-devel-1.3.2-1.1.mga6
libflac++6-1.3.2-1.1.mga6
libflac++-devel-1.3.2-1.1.mga6

from SRPMS:
flac-1.3.2-1.1.mga5.src.rpm
flac-1.3.2-1.1.mga6.src.rpm

Version: Cauldron => 6
Whiteboard: MGA6TOO, MGA5TOO => MGA5TOO
Assignee: rverschelde => qa-bugs

Comment 3 PC LX 2018-05-05 21:59:14 CEST 
Installed and tested without issues.

System: Mageia 6, x86_64, Intel CPU.

Tested using the following script on a few dozen pre existing flac files.

#!/bin/sh
for U in *.flac ; do
  cp "$U" test.flac
  flac -t test.flac
  flac -d --delete-input-file test.flac
  flac -8 --delete-input-file test.wav
  flac -t test.flac
  mplayer test.flac
  rm -f test.flac
done

$ uname -a
Linux marte 4.14.38-desktop-1.mga6 #1 SMP Mon Apr 30 13:15:08 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -qa | egrep '^(lib(64)?)?flac'
flac-1.3.2-1.1.mga6
libflac8-1.3.2-1.1.mga6
lib64flac++6-1.3.2-1.1.mga6
lib64flac8-1.3.2-1.1.mga6

CC: (none) => mageia
Whiteboard: MGA5TOO => MGA5TOO MGA6-64-OK

Comment 4 Lewis Smith 2018-05-06 21:08:13 CEST 
Testing M5 x64

UPDATED flac packages:
 flac-1.3.2-1.1.mga5
 lib64flac8-1.3.2-1.1.mga5
 lib64flac++6-1.3.2-1.1.mga5
I downloaded some FLAC files from the Internet, of different qualities. Then shamelessly copied PC_LX's script above; thank you for that! Listened to the final outputs, they sounded OK.

 $ flac -t test.flac    [test the file]
...
 test.flac: ok

 $ flac -d --delete-input-file test.flac       [decode it]
...
 test.flac: done

 $ flac -8 --delete-input-file test.wav        [encode & compress it ]
...
 test.wav: wrote 16217655 bytes, ratio=0.6273

 $ flac -t test.flac       [test the file]
...
 test.flac: ok

mplayer output lots of complaints about various things, but played the tracks OK. Update good.

Whiteboard: MGA5TOO MGA6-64-OK => MGA5TOO MGA6-64-OK MGA5-64-OK
Keywords: (none) => advisory, validated_update
CC: (none) => sysadmin-bugs

Comment 5 Mageia Robot 2018-05-09 20:34:11 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0227.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Comment 6 David Walser 2020-12-27 00:48:49 CET 
CVE-2020-0487 is a dupplicate of CVE-2017-6888:
https://lists.suse.com/pipermail/sle-security-updates/2020-December/008120.html