| Summary: | mp3gain new security issue CVE-2019-18359 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | andrewsfarm, brtians1, nicolas.salguero, sysadmin-bugs, tarazed25, tmb |
| Version: | 7 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA7-32-OK MGA7-64-OK | ||
| Source RPM: | mp3gain-1.6.2-2.mga7.src.rpm | CVE: | CVE-2019-18359 |
| Status comment: | |||
|
Description
David Walser
2020-04-20 16:51:28 CEST
David Walser
2020-04-20 16:52:03 CEST
Status comment:
(none) =>
Patch available from openSUSE No registered or evident maintainer for this, so having to assign it globally. Assignee:
bugsquad =>
pkg-bugs Suggested advisory: ======================== The updated package fixes a security vulnerability: A buffer over-read was discovered in ReadMP3APETag in apetag.c in MP3Gain 1.6.2. The vulnerability causes an application crash, which leads to remote denial of service. (CVE-2019-18359) References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18359 https://lists.opensuse.org/opensuse-updates/2020-04/msg00085.html ======================== Updated package in core/updates_testing: ======================== mp3gain-1.6.2-2.1.mga7 from SRPM: mp3gain-1.6.2-2.1.mga7.src.rpm Whiteboard:
MGA7TOO =>
(none) $ uname -a Linux localhost 5.5.15-desktop-3.mga7 #1 SMP Sat Apr 4 20:17:59 UTC 2020 i686 i686 i386 GNU/Linux installed - mp3gain-1.6.2-2.1.mga7.i586 ---- Ran a basic mp3gain -r *.mp3 test It seemed to work. CC:
(none) =>
brtians1 mga7, x86_64 CVE-2019-18359 https://sourceforge.net/p/mp3gain/bugs/46/ $ mp3gain mp3gain_poc1 ... [src/libmpg123/layer3.c:2039] error: dequantization failed! Note: broken frame 7, filling up with 9216 zeroes, from 0 ... Recommended "Album" dB change for all files: -0.670000 Recommended "Album" mp3 gain change for all files: 0 $ mp3gain mp3gain_poc2 mp3gain_poc2 Delaying a frame in decoding with old libmpg123. Recommended "Track" dB change: -12.470000 Recommended "Track" mp3 gain change: -8 Max PCM sample at current gain: 86720.132812 Max mp3 global gain field: 183 Min mp3 global gain field: 170 Recommended "Album" dB change for all files: -12.470000 Recommended "Album" mp3 gain change for all files: -8 Updated the package. Ran the PoC again: The same result for both files but without error messages. Not too convincing but it does no damage. $ mp3gain -r LongLankin.mp3 LongLankin.mp3 Delaying a frame in decoding with old libmpg123. Applying mp3 gain change of -2 to LongLankin.mp3... $ mp3gain -g 10 ItsMagic.mp3 Applying gain change of 10 to ItsMagic.mp3... Definitely louder. Good to go for 64-bits. Whiteboard:
MGA7-32-OK =>
MGA7-32-OK MGA7-64-OK Thank you, Brian and Len. I am not against validating on just a 32-bit test, but I do like to have at least a clean 64-bit install to go with it. And, of course, tests on both arches are *always* best. Validating. Advisory in Comment 2. CC:
(none) =>
andrewsfarm, sysadmin-bugs
Thomas Backlund
2020-04-24 17:59:32 CEST
CC:
(none) =>
tmb An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2020-0179.html Status:
ASSIGNED =>
RESOLVED |