Bug 7181

Summary: audacious-plugins uses bundled modplug library
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED
QA Contact:
Severity: normal
Priority: Normal
CC: davidwhodgins, jani.valimaa, sysadmin-bugs, tmb
Version: 1
Keywords: validated_update
Target Milestone: ---
Hardware: i586
OS: Linux
URL: http://lwn.net/Articles/458594/
Whiteboard: MGA1-32-OK MGA1-64-OK
Source RPM: audacious-plugins-2.4.4-1.1.mga1.src.rpm
CVE:
Status comment:

Description David Walser 2012-08-25 19:07:12 CEST
Despite having BuildRequires: libmodplug-devel, audacious-plugins does not use the system modplug library; it uses a bundled copy.  This is unfortunate, as this library can be affected by security issues, and we have issued security updates for it in the past (Bug 1150, Bug 5257).

Fedora issued an advisory on September 9:
http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065720.html
http://lists.fedoraproject.org/pipermail/package-announce/2011-September/066044.html

They patched it to remove the bundled copy and really use the system modplug.

Only Mageia 1 is affected.  Mageia 2's version is linked to the system library, and I think it was fixed upstream in 3.0.3.

Here is the patch against 2.4.5 that Fedora used in Fedora 14 to fix this:
http://pkgs.fedoraproject.org/cgit/audacious-plugins.git/plain/audacious-plugins-2.4.5-libmodplug-system.patch?h=f14&id=6b579b02ee1a97566cd5cdc4a20ebeef424e6489

They also added "autoreconf -I m4" to the SPEC after applying patches.

David Walser 2012-08-25 19:07:30 CEST

CC: (none) => jani.valimaa

David Walser 2012-08-25 19:07:45 CEST

Assignee: bugsquad => jani.valimaa

Comment 1 Jani Välimaa 2012-08-25 22:33:25 CEST
Updated audacious and audacious-plugins to version 2.4.5, which is a bugfix release for the 2.4 branch. Added patches from Fedora to audacious-plugins to fix several issues and this modplug one (see the %changelog).

Please test the new releases [1] [2] from core/updates_testing. Had to update audacious-plugins twice to make sure the modplug issue is fixed for sure, thus the %mkrel 1.1.

[1] audacious-2.4.5-1.mga1
[2] audacious-plugins-2.4.5-1.1.mga1

Assignee: jani.valimaa => qa-bugs

Comment 2 David Walser 2012-08-26 00:19:03 CEST
Thanks Jani!

Here's the salient entry from the audacious-plugins package changelog:

- new bugfix release 2.4.5
- add patches from Fedora
  - fix missing newline NULL-ptr crash in m3u loader (rhbz#699107)
  - fix Ogg metadata save for i686 (rhbz#711796)
  - use system's libmodplug (mga#7181)

Full package list:

audacious-2.4.5-1.mga1
libaudacious1-2.4.5-1.mga1
libaudacious2-2.4.5-1.mga1
libaudacious-devel-2.4.5-1.mga1
audacious-plugins-2.4.5-1.1.mga1
audacious-wavpack-2.4.5-1.1.mga1
audacious-jack-2.4.5-1.1.mga1
audacious-pulse-2.4.5-1.1.mga1
audacious-adplug-2.4.5-1.1.mga1
audacious-fluidsynth-2.4.5-1.1.mga1
audacious-sid-2.4.5-1.1.mga1
audacious-projectm-2.4.5-1.1.mga1

Comment 3 Dave Hodgins 2012-08-26 18:10:09 CEST
Testing complete on Mageia 1 i586 for the srpms
audacious-2.4.5-1.mga1.src.rpm
audacious-plugins-2.4.5-1.1.mga1.src.rpm

Just testing that it can play music and plugins like the status icon work.

CC: (none) => davidwhodgins
Whiteboard: (none) => MGA1-32-OK

Comment 4 Dave Hodgins 2012-08-26 18:45:55 CEST
Testing complete on Mageia 1 x86-64.

Could someone from the sysadmin team push the srpms
audacious-2.4.5-1.mga1.src.rpm
audacious-plugins-2.4.5-1.1.mga1.src.rpm
from Mageia 1 Core Updates Testing to Core Updates.

Advisory: Bugfix update for audacious and audacious-plugins
- new bugfix release 2.4.5
- add patches from Fedora
  - fix missing newline NULL-ptr crash in m3u loader (rhbz#699107)
  - fix Ogg metadata save for i686 (rhbz#711796)
  - use system's libmodplug (mga#7181)

https://bugs.mageia.org/show_bug.cgi?id=7181

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Whiteboard: MGA1-32-OK => MGA1-32-OK MGA1-64-OK

Comment 5 Thomas Backlund 2012-08-27 00:33:02 CEST
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGAA-2012-0175

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED
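
As an added example (not part of the bug report or of the Mageia or Fedora packaging), one way to confirm that a rebuilt plugin resolves modplug from the system library instead of a compiled-in copy is to classify the `readelf -d` and `nm -D` output for the plugin's shared object. The sample listings, the `libmodplug.so.1` soname, `plugin_init` and the function names are constructed for illustration, and the check assumes the bundled sources keep libmodplug's `CSoundFile` class name.

```shell
# classify_modplug DYN_FILE SYM_FILE
#   DYN_FILE: saved output of `readelf -d plugin.so`
#   SYM_FILE: saved output of `nm -D plugin.so`
# Prints one of: system | bundled | mixed | absent
classify_modplug() {
    needed=no; bundled=no
    # A NEEDED entry means the dynamic linker loads modplug from the system library.
    if grep -q '(NEEDED).*\[libmodplug\.so' "$1"; then needed=yes; fi
    # Defined (not "U") CSoundFile members mean the code is compiled into the plugin.
    # Assumption: the bundled sources keep libmodplug's CSoundFile class name.
    if awk 'NF == 3 && $2 ~ /^[TtWw]$/ && $3 ~ /^_ZNK?10CSoundFile/ { found = 1 }
            END { exit !found }' "$2"; then bundled=yes; fi
    case "$needed/$bundled" in
        yes/no)  echo system ;;
        no/yes)  echo bundled ;;
        yes/yes) echo mixed ;;   # linked, but a private copy is still built in
        *)       echo absent ;;
    esac
}

# check_plugin PLUGIN_SO: run the same classification against a real file.
check_plugin() {
    tmp=$(mktemp -d) || return 1
    readelf -d "$1" > "$tmp/dyn" && nm -D "$1" > "$tmp/sym" &&
        classify_modplug "$tmp/dyn" "$tmp/sym"
    rc=$?
    rm -rf "$tmp"
    return $rc
}

# Constructed sample listings (not taken from the real packages).
sample_dir=$(mktemp -d)
cat > "$sample_dir/before.dyn" <<'EOF'
 0x00000001 (NEEDED)                     Shared library: [libc.so.6]
EOF
cat > "$sample_dir/before.sym" <<'EOF'
0001a2b0 T _ZN10CSoundFile6CreateEPKhj
         U malloc
EOF
cat > "$sample_dir/after.dyn" <<'EOF'
 0x00000001 (NEEDED)                     Shared library: [libmodplug.so.1]
 0x00000001 (NEEDED)                     Shared library: [libc.so.6]
EOF
cat > "$sample_dir/after.sym" <<'EOF'
         U _ZN10CSoundFile6CreateEPKhj
0000f000 T plugin_init
EOF
```

A `mixed` result is worth treating as a failure too: the package links the system library but still ships the private copy that security updates to libmodplug would not reach.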