Bug 5217

Summary: libvorbis new security issue CVE-2012-0444
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED
QA Contact:
Severity: normal
Priority: Normal
CC: davidwhodgins, sysadmin-bugs, tmb
Version: 1
Keywords: validated_update
Target Milestone: ---
Hardware: i586
OS: Linux
Whiteboard:
Source RPM: libvorbis-1.3.2-1.mga1.src.rpm
CVE:
Status comment:

Description David Walser 2012-04-04 00:29:19 CEST
Mandriva has issued this advisory today (April 3):
http://www.mandriva.com/en/support/security/advisories/?dis=2010.1&name=MDVSA-2012:052

Cauldron is not affected.

Patched package for Mageia 1 is uploaded.

Advisory:
========================

Updated libvorbis packages fix security vulnerability:

If a specially-crafted Ogg Vorbis media file was opened by an
application using libvorbis, it could cause the application to crash
or, possibly, execute arbitrary code with the privileges of the user
running the application (CVE-2012-0444).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0444
https://bugzilla.redhat.com/show_bug.cgi?id=786026
http://www.mandriva.com/en/support/security/advisories/?dis=2010.1&name=MDVSA-2012:052
========================

Updated packages in core/updates_testing:
========================
libvorbis0-1.3.2-1.1.mga1
libvorbis-devel-1.3.2-1.1.mga1
libvorbisenc2-1.3.2-1.1.mga1
libvorbisfile3-1.3.2-1.1.mga1

from libvorbis-1.3.2-1.1.mga1.src.rpm
Comment 1 Dave Hodgins 2012-04-04 05:34:53 CEST
Testing complete on i586 for the srpm
libvorbis-1.3.2-1.1.mga1.src.rpm

$ strace -f -ostrace.txt play /usr/share/sounds/KDE-Window-Maximize.ogg >/dev/null 2>&1
$ grep libvorbis strace.txt
1739  open("/usr/lib/libvorbisfile.so.3", O_RDONLY) = 3
1739  open("/usr/lib/libvorbisenc.so.2", O_RDONLY) = 3
1739  open("/usr/lib/libvorbis.so.0", O_RDONLY) = 3

CC: (none) => davidwhodgins
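
Dave's strace check from comment 1, written up as a small parser over the strace output, added here as an example (not code from the bug or from the libvorbis project): it assumes strace's open()/openat() line format and that distribution libraries live only under /lib, /usr/lib, /lib64 or /usr/lib64, and the sample lines are constructed.

```python
"""Check strace output for the libvorbis objects a player really opened (added example)."""
import os
import re

# Constructed sample in strace -f format: the three lines quoted in the bug, a
# failed open(), and a copy of the library loaded from a non-system directory.
SAMPLE_STRACE = """\
1739  open("/etc/ld.so.cache", O_RDONLY) = 3
1739  open("/usr/lib/libvorbisfile.so.3", O_RDONLY) = 3
1739  open("/usr/lib/libvorbisenc.so.2", O_RDONLY) = 3
1739  open("/usr/lib/libvorbis.so.0", O_RDONLY) = 3
1739  open("/usr/lib/libvorbis.so.9", O_RDONLY) = -1 ENOENT (No such file or directory)
1739  open("/home/dave/oldlibs/libvorbis.so.0", O_RDONLY) = 4
"""

# Sonames shipped by the libvorbis0, libvorbisenc2 and libvorbisfile3 packages.
EXPECTED_SONAMES = ("libvorbis.so.0", "libvorbisenc.so.2", "libvorbisfile.so.3")
# Assumption: distribution-installed libraries live only under these prefixes.
TRUSTED_PREFIXES = ("/lib/", "/usr/lib/", "/lib64/", "/usr/lib64/")

# open() and openat() lines; the last group is the return value (-1 on failure).
OPEN_RE = re.compile(
    r'^(\d+)\s+open(?:at)?\((?:AT_FDCWD,\s*)?"([^"]+)",[^)]*\)\s*=\s*(-?\d+)')

def parse_opens(strace_text):
    """Return (pid, path, fd) for every open()/openat() call, successful or not."""
    events = []
    for line in strace_text.splitlines():
        m = OPEN_RE.match(line)
        if m:
            events.append((int(m.group(1)), m.group(2), int(m.group(3))))
    return events

def loaded_libraries(events):
    """Map each expected soname to the paths that were successfully opened."""
    found = {s: [] for s in EXPECTED_SONAMES}
    for _pid, path, fd in events:
        base = os.path.basename(path)
        if fd >= 0 and base in found:
            found[base].append(path)
    return found

def missing_libraries(events):
    """Expected sonames never opened: the updated library was not exercised."""
    return [s for s, paths in loaded_libraries(events).items() if not paths]

def untrusted_paths(events):
    """Expected sonames opened outside system directories (e.g. a stale private copy)."""
    return [p for paths in loaded_libraries(events).values() for p in paths
            if not p.startswith(TRUSTED_PREFIXES)]
```

A non-empty result from untrusted_paths means the player picked up a copy the update did not replace, so the test run did not exercise the patched code.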

Comment 2 Dave Hodgins 2012-04-10 22:37:36 CEST
Also tested using audacity to convert an mp3 to ogg, to ensure the enc
library was tested.
Comment 3 Manuel Hiebel 2012-04-11 02:24:16 CEST
Testing with the test case of Dave, works fine.


Suggested Advisory:
-------------
Updated libvorbis packages fix security vulnerability:

If a specially-crafted Ogg Vorbis media file was opened by an
application using libvorbis, it could cause the application to crash
or, possibly, execute arbitrary code with the privileges of the user
running the application (CVE-2012-0444).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0444
https://bugzilla.redhat.com/show_bug.cgi?id=786026
http://www.mandriva.com/en/support/security/advisories/?dis=2010.1&name=MDVSA-2012:052

https://bugs.mageia.org/show_bug.cgi?id=5217
-------------

SRPM: libvorbis-1.3.2-1.1.mga1.src.rpm

Could sysadmin please push from core/updates_testing to core/updates

Thank you!

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 4 Thomas Backlund 2012-04-11 21:51:43 CEST
Update pushed.

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED