Bug 29222

Summary: libebml missing update for security issue and CVE-2021-3405
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: andrewsfarm, mageia, ouaurelien, sysadmin-bugs
Version: 8Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA8-64-OK
Source RPM: libebml-1.4.1-1.mga8.src.rpm CVE: CVE-2021-3405
Status comment:

Description David Walser 2021-07-05 06:59:49 CEST 
+++ This bug was initially created as a clone of Bug #28278 +++

https://bugs.mageia.org/show_bug.cgi?id=28278#c11
https://bugs.mageia.org/show_bug.cgi?id=28278#c12

1.4.2, which we're updating to here, also fixes a heap overflow (CVE-2021-3405):
https://www.debian.org/lts/security/2021/dla-2629

Fedora has issued an advisory for this on March 8:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/JNHQI6MDOECJ2HT5GCLEX2DMJFEOWPW7/

We updated Mageia 7 to 1.4.2, but somehow the update failed to make it into Mageia 8.
Comment 1 David Walser 2021-07-06 02:02:51 CEST 
libebml5-1.4.2-1.mga8
libebml-devel-1.4.2-1.mga8

from libebml-1.4.2-1.mga8.src.rpm

Assignee: mageia => qa-bugs
CC: (none) => mageia

Comment 2 David Walser 2021-07-09 19:31:43 CEST 
VLC working fine with the update lib64ebml5 package.

Whiteboard: (none) => MGA8-64-OK

Comment 3 Thomas Andrews 2021-07-10 13:48:10 CEST 
Validating.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Comment 4 Aurelien Oudelet 2021-07-10 20:32:34 CEST 
Advisory:
========================

A flaw was found in libebml before 1.4.2. A heap overflow bug exists in the implementation of EbmlString::ReadData and EbmlUnicodeString::ReadData in libebml (CVE-2021-3405).

References:
 - https://bugs.mageia.org/show_bug.cgi?id=29222
 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3405
 - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/JNHQI6MDOECJ2HT5GCLEX2DMJFEOWPW7/
 - https://www.debian.org/lts/security/2021/dla-2629
========================

Updated packages in core/updates_testing:
========================
libebml5-1.4.2-1.mga8
libebml-devel-1.4.2-1.mga8

from libebml-1.4.2-1.mga8.src.rpm

Keywords: (none) => advisory
CC: (none) => ouaurelien

Comment 5 Mageia Robot 2021-07-10 22:02:04 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0338.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED