Bug 29718

Summary: speex new security issue CVE-2020-23903
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: andrewsfarm, davidwhodgins, herman.viaene, nicolas.salguero, summercurrants, sysadmin-bugs
Version: 8Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA8-64-OK
Source RPM: speex-1.2.0-3.mga8.src.rpm CVE: CVE-2020-23903
Status comment:
Attachments: original file from site mentioned

Description David Walser 2021-12-01 23:29:48 CET 
SUSE has issued an advisory today (December 1):
https://lists.suse.com/pipermail/sle-security-updates/2021-December/009798.html

Mageia 8 is also affected.
David Walser 2021-12-01 23:30:00 CET

Whiteboard: (none) => MGA8TOO

Comment 1 David Walser 2021-12-01 23:32:17 CET 
openSUSE has issued an advisory for this today (December 1):
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/M3JTMWLYWFOOWVMDAUX2VBB5ZULOV3LY/

Status comment: (none) => Patch available from openSUSE

Comment 2 David Walser 2021-12-01 23:46:23 CET 
Fedora has issued an advisory for this today (December 1):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/R3SEV2ZRR47GSD3M7O5PH4XEJMKJJNG2/
Comment 3 Nicolas Salguero 2021-12-03 09:22:17 CET 
Done for Mga8.

For Cauldron, submission to BS fails with:
"""
Submission errors, aborting:
- speex-1.2.0-4.mga9.src:
 - Unresolved dep on autoconf2.5 
 - Unresolved dep on chrpath 
 - Unresolved dep on pkgconfig(ogg) 
 - Unresolved dep on pkgconfig(speexdsp) 
"""

CVE: (none) => CVE-2020-23903
Status comment: Patch available from openSUSE => (none)
CC: (none) => nicolas.salguero

Comment 4 David Walser 2021-12-03 19:50:10 CET 
Temporary build system error I guess.  It submits now.  Thanks.

libspeex-devel-1.2.0-3.1.mga8
libspeex1-1.2.0-3.1.mga8
speex-1.2.0-3.1.mga8

from speex-1.2.0-3.1.mga8.src.rpm

Whiteboard: MGA8TOO => (none)
Assignee: bugsquad => qa-bugs
Version: Cauldron => 8

Comment 5 Herman Viaene 2021-12-08 15:11:27 CET 
Hmmm, while looking for info, I found this text "—The Speex codec has been obsoleted by Opus. It will continue to be available, but since Opus is better than Speex in all aspects, users are encouraged to switch— " on the page https://www.speex.org/
Continuing searcheing for some test file.

CC: (none) => herman.viaene

Comment 6 Herman Viaene 2021-12-08 15:21:41 CET 
Found some at https://www.signalogic.com/index.pl?page=speech_codec_wav_samples, attaching the file I picked out.
At  CLI:
$ speexenc female.wav femaleenc.spx
Encoding 8000 Hz audio using narrowband mode (mono)
]$ speexdec fe
femaleenc.spx  female.wav     
]$ speexdec femaleenc.spx femaledec.wav
Decoding 8000 Hz audio using narrowband mode (mono)
Encoded with Speex 1.2.0
I play all three files on VLCplayer and any possible difference escapes me.
OK for me.

Whiteboard: (none) => MGA8-64-OK

Comment 7 Herman Viaene 2021-12-08 15:22:18 CET 
Created attachment 13026 [details]
original file from site mentioned
Comment 8 Thomas Andrews 2021-12-09 19:31:07 CET 
Validating.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2021-12-10 21:45:19 CET

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 9 Mageia Robot 2021-12-10 23:20:22 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0550.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

Comment 10 carillon store 2022-07-18 10:12:22 CEST Comment hidden (spam)

CC: (none) => summercurrants