Bug 23178

Summary: taglib new security issue CVE-2018-11439
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: davidwhodgins, geiger.david68210, herman.viaene, mageia, marja11, nicolas.salguero, shlomif, sysadmin-bugs
Version: 6Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA5TOO MGA5-32-OK MGA6-32-OK
Source RPM: taglib-1.11.1-2.mga7.src.rpm CVE: CVE-2018-11439
Status comment:

Description David Walser 2018-06-13 23:51:57 CEST
openSUSE has issued an advisory today (June 13):
https://lists.opensuse.org/opensuse-updates/2018-06/msg00084.html

Mageia 6 is also affected.  Mageia 5 may also be.
David Walser 2018-06-13 23:52:11 CEST

Whiteboard: (none) => MGA6TOO

Comment 1 Marja Van Waes 2018-06-14 10:51:07 CEST
Assigning to all packagers collectively, since there is no registered maintainer for this package.

CC'ing some committers.

Assignee: bugsquad => pkg-bugs
CC: (none) => geiger.david68210, mageia, marja11, shlomif

Comment 2 Nicolas Salguero 2018-06-19 13:57:25 CEST
Suggested advisory:
========================

The updated packages fix a security vulnerability:

The TagLib::Ogg::FLAC::File::scan function in oggflacfile.cpp in TagLib 1.11.1 allows remote attackers to cause information disclosure (heap-based buffer over-read) via a crafted audio file. (CVE-2018-11439)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11439
https://lists.opensuse.org/opensuse-updates/2018-06/msg00084.html
========================

Updated package in 5/core/updates_testing:
========================
lib(64)taglib1-1.9.1-4.1.mga5
lib(64)taglib_c0-1.9.1-4.1.mga5
lib(64)taglib-devel-1.9.1-4.1.mga5

from SRPMS:
taglib-1.9.1-4.1.mga5.src.rpm

Updated package in 6/core/updates_testing:
========================
lib(64)taglib1-1.11.1-1.2.mga6
lib(64)taglib_c0-1.11.1-1.2.mga6
lib(64)taglib-devel-1.11.1-1.2.mga6

from SRPMS:
taglib-1.11.1-1.2.mga6.src.rpm

Version: Cauldron => 6
CC: (none) => nicolas.salguero
CVE: (none) => CVE-2018-11439
Status: NEW => ASSIGNED
Whiteboard: MGA6TOO => MGA5TOO
Assignee: pkg-bugs => qa-bugs

Comment 3 Herman Viaene 2018-06-22 14:49:18 CEST
MGA5-32 on Dell Latitude D600 Xfce
No installation issues.
Checked contents of metadata of an .ogg file in audacity.
Run eaytag with strace and change a data item in the tags. Libtag found in trace file.
Checked contents of metadata again of this .ogg file in audacity. Found change made. Seems OK.

CC: (none) => herman.viaene
Whiteboard: MGA5TOO => MGA5TOO MGA5-32-OK

Comment 4 Herman Viaene 2018-06-30 14:30:28 CEST
MGA6-32 on IBM Thinkpad R50e MATE
No installation issues.
Same test as above Comment 3 using currently official version of easytag. Works OK.

Whiteboard: MGA5TOO MGA5-32-OK => MGA5TOO MGA5-32-OK MGA6-32-OK

Comment 5 Dave Hodgins 2018-07-01 00:36:29 CEST
Advisory committed to svn. Validating the update.

Keywords: (none) => advisory, validated_update
CC: (none) => davidwhodgins, sysadmin-bugs

Comment 6 Mageia Robot 2018-07-01 19:18:26 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0300.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED