| Summary: | flac new security issue CVE-2020-0499 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | ||
| Priority: | Normal | CC: | andrewsfarm, mageia, ouaurelien, sysadmin-bugs, tarazed25 |
| Version: | 7 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA7-64-OK | ||
| Source RPM: | flac-1.3.3-2.mga8.src.rpm | CVE: | CVE-2020-0499 |
| Status comment: | |||
Description
David Walser
2020-12-26 17:47:15 CET
David Walser
2020-12-26 17:47:21 CET
Whiteboard: (none) => MGA7TOO

From Debian, CVE-2020-0487 is a duplicate of CVE-2017-6888.

src: flac-1.3.2-3.1.mga7

CC: (none) => mageia

(In reply to Nicolas Lécureuil from comment #1)
> From Debian, CVE-2020-0487 is a duplicate of CVE-2017-6888.

Indeed it is. Noting that in Bug 22984.

Summary: flac new security issues CVE-2020-0487 and CVE-2020-0499 => flac new security issue CVE-2020-0499

Advisory:
========================

Updated flac packages fix security vulnerability:

In FLAC__bitreader_read_rice_signed_block of bitreader.c, there is a possible out of bounds read due to a heap buffer overflow. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is needed for exploitation (CVE-2020-0499).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0499
https://lists.suse.com/pipermail/sle-security-updates/2020-December/008120.html
========================

Updated packages in core/updates_testing:
========================
flac-1.3.2-3.1.mga7
libflac8-1.3.2-3.1.mga7
libflac-devel-1.3.2-3.1.mga7
libflac++6-1.3.2-3.1.mga7
libflac++-devel-1.3.2-3.1.mga7

from flac-1.3.2-3.1.mga7.src.rpm

Assignee: bugsquad => qa-bugs

mga7, x64
Not able to find any way to reproduce the issues reported.
Ran flac before updating using a shell script (flactest) from PC LX.
Updated all five packages.
Produced an ogg file from an input flac file.
$ flac --ogg test2.flac
flac 1.3.2
[...]
test2.flac: WARNING, lead-out offset of cuesheet in input FLAC file does not match input length, dropping existing cuesheet...
test2.flac: wrote 37343868 bytes, ratio=1.000
$ ll test2.*
-rw-r--r-- 1 lcl lcl 37356262 Dec 28 11:44 test2.flac
-rw-r--r-- 1 lcl lcl 37534861 Dec 28 11:44 test2.oga
mplayer could handle test2.oga OK.
$ flac -d --delete-input-file test2.flac
Created test2.wav which played without loss of fidelity.
$ flac -a locke.flac
Created an analysis of the input file.
$ ll locke.ana
-rw-r--r-- 1 lcl lcl 6216461 Dec 28 11:40 locke.ana
$ less locke.ana
frame=0 offset=2412 bits=9776 blocksize=4608 sample_rate=44100 channels=2 channel_assignment=INDEPENDENT
subframe=0 wasted_bits=0 type=FIXED order=0 residual_type=RICE partition_order=3
parameter[0]=0
.....
There is a lot more to this application but that is as far as I am taking it.

CC: (none) => tarazed25

openSUSE has issued an advisory for this today (December 28):
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/3IU5K7DTVB7RH7VVIUTMX4XFQDWSHYUS/

Validating. Advisory in Comment 3.

CC: (none) => andrewsfarm, sysadmin-bugs

Advisory pushed to SVN.

Keywords: (none) => advisory

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0480.html

Resolution: (none) => FIXED