Bug 23402

Summary: libao new security issue CVE-2017-11548
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: anssi.hannula, ghibomgx, herman.viaene, lewyssmith, marja11, olav, sysadmin-bugs
Version: 6Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA6-32-OK
Source RPM: libao-1.2.2-3.mga6.src.rpm CVE:
Status comment:

Description David Walser 2018-08-06 22:13:21 CEST 
Fedora has issued an advisory on August 4:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/LIZBEBMU7CW7K7KQ53E4OPSRTR6DZRNO/

I'm not sure why Fedora has version 1.2.0 still, so I'm not sure if the issue was fixed upstream in 1.2.2.  If not, Mageia 5 or Mageia 6 may be affected.
Comment 1 Marja Van Waes 2018-08-07 07:40:31 CEST 
Assigning to all packagers collectively, since there is no registered maintainer for this package.


CC'ing some committers.

CC: (none) => anssi.hannula, ghibomgx, marja11, olav
Assignee: bugsquad => pkg-bugs

Comment 2 David Walser 2019-01-01 02:32:38 CET 
Upstream patch added to libao-1.2.2-5.mga7 to fix this in Cauldron.

Version: Cauldron => 6

Comment 3 David Walser 2019-01-01 20:56:30 CET 
Advisory:
========================

Updated libao packages fix security vulnerability:

A flaw was found in libao. The _tokenize_matrix function in audio_out.c in
Xiph.Org libao 1.2.0 can cause a denial of service(memory corruption) via a
crafted mp3 file (CVE-2017-11548).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11548
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/LIZBEBMU7CW7K7KQ53E4OPSRTR6DZRNO/
========================

Updated packages in core/updates_testing:
========================
libao4-1.2.2-3.1.mga6
libao-devel-1.2.2-3.1.mga6

from libao-1.2.2-3.1.mga6.src.rpm

Assignee: pkg-bugs => qa-bugs

Comment 4 Herman Viaene 2019-01-05 12:08:50 CET 
MGA6-32 on IBM Thinkpad R50e
No installation issues
No previous update bug found, so used
# urpmq --whatrequires libao4
and found  a.o. cmus as dependent on it. Installed cmus and (after googling how to run it)
$ strace -o libao.txt cmus
played a wav file in cmus and found refs to libao n  the trace file.
OK for me.

Whiteboard: (none) => MGA6-32-OK
CC: (none) => herman.viaene

Lewis Smith 2019-01-06 10:20:28 CET

Keywords: (none) => advisory, validated_update
CC: (none) => lewyssmith, sysadmin-bugs

Comment 5 Mageia Robot 2019-01-06 17:42:32 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0018.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED