Bug 23698

Assigning to the registered maintainer.

CC: (none) => marja11
Assignee: bugsquad => shlomif

Fixed in mad-0.15.1b-26.mga7 by Shlomi.  Thanks Shlomi!

Patched package also uploaded for Mageia 6.

Advisory:
========================

Updated mad packages fix security vulnerabilities:

The mad_decoder_run function in decoder.c in libmad 0.15.1b allows remote
attackers to cause a denial of service (memory corruption) via a crafted MP3
file (CVE-2017-11552).

The mad_decoder_run() function in decoder.c in Underbit libmad through 0.15.1b
allows attackers to cause a denial of service (SIGABRT because of double free
or corruption) or possibly have unspecified other impact via a crafted file
(CVE-2018-7263).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11552
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7263
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/CCLUAGAEWOQKRY2C6HLTXT5WWTWSTNIP/
========================

Updated packages in core/updates_testing:
========================
libmad0-0.15.1b-22.2.mga6
libmad-devel-0.15.1b-22.2.mga6

from mad-0.15.1b-22.2.mga6.src.rpm

Assignee: shlomif => qa-bugs
Whiteboard: MGA6TOO => (none)
Status comment: Fedora patch needs to be reconciled with ours => (none)
CC: (none) => shlomif
Version: Cauldron => 6

MGA6-32 MATE on IBM Thinkpad R50e
No installation issues
# urpmq --whatrequires libmad0
gives a long list, I picked mplayer from it, so
$ strace -o libmad.txt mplayer ~/Video\'s/canvas1verkort1.mpg 
Creating config file: /home/tester6/.mplayer/config
MPlayer 1.3.0-13.mga6.tainted-5.5.0 (C) 2000-2016 MPlayer Team
File plays OK.
I stopped the viewing after about 1 min (is about 45 min long) and checked the trace file and found references to libmad.so
OK for me.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA6-32-OK

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0078.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

This update caused a regression in qmmp.
The sound becomes distorted with pops and clicks. The distortion is independent of the output method.

The previous version (lib64mad0-0.15.1b-22.1.mga6.x86_64) works correctly.

I have downgraded the package so there is no problem for me (other than the unlikely security ones).
Will let others decide if it is worth reopening this issue.

System: Mageia 6, x86_64, Plasma DE, LXQt DE, Intel CPU, nVidia GPU using nvidia340 proprietary driver.

$ journalctl | grep lib64mad
Fev 14 09:01:05 marte [RPM][3031]: erase lib64mad0-0.15.1b-22.1.mga6.x86_64: success
Fev 14 09:01:28 marte [RPM][3031]: install lib64mad0-0.15.1b-22.2.mga6.x86_64: success
Fev 14 09:01:28 marte [RPM][3031]: erase lib64mad0-0.15.1b-22.1.mga6.x86_64: success
Fev 14 09:01:54 marte [RPM][3031]: install lib64mad0-0.15.1b-22.2.mga6.x86_64: success
Fev 14 09:59:28 marte msec[8580]: -   Added packages : lib64mad0-0.15.1b-22.2.mga6
Fev 14 09:59:28 marte msec[8603]: - Removed packages : lib64mad0-0.15.1b-22.1.mga6
Fev 15 09:38:21 marte urpmi[3765]: called with: --downgrade lib64mad0-0.15.1b-22.1.mga6
Fev 15 09:38:30 marte [RPM][3765]: erase lib64mad0-0.15.1b-22.2.mga6.x86_64: success
Fev 15 09:38:31 marte [RPM][3765]: install lib64mad0-0.15.1b-22.1.mga6.x86_64: success
Fev 15 09:38:32 marte [RPM][3765]: erase lib64mad0-0.15.1b-22.2.mga6.x86_64: success
Fev 15 09:38:32 marte [RPM][3765]: install lib64mad0-0.15.1b-22.1.mga6.x86_64: success

CC: (none) => mageia

Please file a new bug and assign it to Shlomi.  Hopefully he can figure it out and fix it.