Bug 15634 - flac regression fix for CVE-2014-9028
Summary: flac regression fix for CVE-2014-9028
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: RPM Packages
Version: 4
Hardware: i586 Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact:
URL:
Whiteboard: has_procedure advisory mga4-64-ok mga...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2015-04-06 14:07 CEST by David Walser
Modified: 2015-04-25 22:15 CEST (History)

See Also:
Source RPM: flac-1.3.0-2.1.mga4.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2015-04-06 14:07:33 CEST
The fix for CVE-2014-9028 (which was initially fixed in 1.3.1 upstream) caused a regression in seeking, a fix for which was included in upstream git after 1.3.1.  The more correct fix was included in a Red Hat advisory on March 31:
https://rhn.redhat.com/errata/RHSA-2015-0767.html

as well as the Mandriva advisory on April 1:
http://www.mandriva.com/en/support/security/advisories/mbs2/MDVSA-2015%3A188/

Oden has updated our CVE-2014-9028 patch with the additional fixes from upstream.

You can find testing information in our previous update in Bug 14658.

Advisory:
----------------------------------------

Updated flac packages fix regression:

In MGASA-2014-0499, a fix for a heap overflow in libFLAC (CVE-2014-9028) was
implemented, which caused a problem with seeking.  A more correct fix has
been implemented that does not cause any known regressions.

References:
http://advisories.mageia.org/MGASA-2014-0499.html
----------------------------------------

Updated packages in core/updates_testing:
----------------------------------------
flac-1.3.0-2.2.mga4
libflac8-1.3.0-2.2.mga4
libflac-devel-1.3.0-2.2.mga4
libflac++6-1.3.0-2.2.mga4
libflac++-devel-1.3.0-2.2.mga4

from flac-1.3.0-2.2.mga4.src.rpm

David Walser 2015-04-06 14:07:46 CEST

Whiteboard: (none) => has_procedure

Comment 1 claire robinson 2015-04-24 15:26:37 CEST
Testing complete mga4 64

Used VLC (which requires lib64flac8) to seek forward and backwards in the flac file. Also as below:

$ flac -a flacfile.flac

flac 1.3.0, Copyright (C) 2000-2009, 2011-2013  Josh Coalson & Xiph.Org Foundation
flac comes with ABSOLUTELY NO WARRANTY.  This is free software, and you are
welcome to redistribute it under certain conditions.  Type `flac' for details.

flacfile.flac: done

This analyses the flac file and creates a flacfile.ana which presumably contains some analysis data.

$ flac -t flacfile.flac

flac 1.3.0, Copyright (C) 2000-2009, 2011-2013  Josh Coalson & Xiph.Org Foundation
flac comes with ABSOLUTELY NO WARRANTY.  This is free software, and you are
welcome to redistribute it under certain conditions.  Type `flac' for details.

flacfile.flac: ok

Also opened flacfile.flac in kwave sound editor, which requires lib64flac++6

Whiteboard: has_procedure => has_procedure mga4-64-ok
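The seek regression fixed by this update was verified by hand in the comment above (seeking in VLC, then flac -t and flac -a). The script below is an added example, not part of the bug report and not code from the flac project, that turns the same check into a reproducible test: it decodes a FLAC file with --skip/--until, which makes the flac front end go through libFLAC's seek routine, and compares the result byte for byte with the same slice cut out of a full decode. It assumes the flac and metaflac binaries from the updated package are installed; when no input file is given it builds a constructed 8 kHz mono WAV test signal itself and encodes it with 256-sample frames so that a seek has to cross frame boundaries. The rpm query for lib64flac8/libflac8 is Mageia-specific and only reports which build is installed.

```shell
#!/bin/sh
# Added example: seek regression check for libFLAC (CVE-2014-9028 follow-up).
# Not from the bug report or the flac project. Assumes flac and metaflac are
# installed (Mageia package flac-1.3.0-2.2.mga4 or later).
# Usage: sh flac-seek-check.sh [file.flac] [skip_samples] [until_samples]

# --- tiny binary writers so the sample input needs no external tool --------
byte() { printf "\\$(printf '%03o' "$1")"; }          # one raw byte, 0..255
le16() { byte $(( $1 & 255 )); byte $(( ($1 >> 8) & 255 )); }
le32() { le16 $(( $1 & 65535 )); le16 $(( ($1 >> 16) & 65535 )); }

# write_wav OUT N: constructed test input, N samples of a 16-bit mono 8 kHz
# sawtooth (period 200 samples) in a 44-byte canonical PCM WAV header.
write_wav() {
  out=$1 n=$2
  {
    printf 'RIFF'; le32 $(( 36 + n * 2 )); printf 'WAVE'
    printf 'fmt '; le32 16; le16 1; le16 1; le32 8000; le32 16000; le16 2; le16 16
    printf 'data'; le32 $(( n * 2 ))
    i=0
    while [ "$i" -lt "$n" ]; do
      v=$(( (i % 200) * 320 - 32000 ))        # -32000 .. 31680
      le16 $(( (v + 65536) % 65536 ))         # two's complement, little endian
      i=$(( i + 1 ))
    done
  } > "$out"
}

# installed_flac: report the libFLAC build present (Mageia package names).
installed_flac() {
  rpm -q --qf '%{NAME}-%{VERSION}-%{RELEASE}.%{ARCH}\n' lib64flac8 libflac8 \
    2>/dev/null | grep -v 'not installed'
}

# seek_check FILE SKIP STOP: 0 = seek output matches the full decode,
# 1 = mismatch or decode error (regression), 2 = tools missing.
seek_check() {
  file=$1 skip=$2 stop=$3
  command -v flac >/dev/null 2>&1 || return 2
  command -v metaflac >/dev/null 2>&1 || return 2
  ch=$(metaflac --show-channels "$file") || return 1
  bps=$(metaflac --show-bps "$file") || return 1
  frame=$(( ch * bps / 8 ))                 # bytes per interleaved sample frame
  tmp=$(mktemp -d) || return 2
  # Full decode to raw little-endian signed PCM.
  flac -d -s -f --force-raw-format --endian=little --sign=signed \
       -o "$tmp/full.raw" "$file" || { rm -rf "$tmp"; return 1; }
  # Decode again, but start at SKIP: this calls the decoder's seek routine.
  # --until is an absolute sample number, not relative to --skip.
  flac -d -s -f --force-raw-format --endian=little --sign=signed \
       --skip="$skip" --until="$stop" -o "$tmp/seek.raw" "$file" \
       || { rm -rf "$tmp"; return 1; }
  dd if="$tmp/full.raw" bs="$frame" skip="$skip" count=$(( stop - skip )) \
     2>/dev/null > "$tmp/slice.raw"
  if cmp -s "$tmp/slice.raw" "$tmp/seek.raw"; then rc=0; else rc=1; fi
  rm -rf "$tmp"
  return "$rc"
}

main() {
  if [ $# -ge 1 ]; then
    file=$1
  else
    command -v flac >/dev/null 2>&1 || { echo "flac not installed" >&2; return 2; }
    base=$(mktemp) || return 2
    write_wav "$base.wav" 4000
    # 256-sample frames: a seek to sample 1000 must land in the 4th frame.
    flac -s -f -b 256 -o "$base.flac" "$base.wav" || return 1
    file=$base.flac
  fi
  skip=${2:-1000} stop=${3:-2000}
  echo "installed: $(installed_flac)"
  flac -s -t "$file" && echo "decode test ($file): ok"   # same as 'flac -t' above
  seek_check "$file" "$skip" "$stop"; rc=$?
  case $rc in
    0) echo "seek check ($skip..$stop): ok" ;;
    1) echo "seek check ($skip..$stop): MISMATCH, seeking is broken" ;;
    2) echo "seek check: flac or metaflac not installed" ;;
  esac
  return "$rc"
}

# Run only when invoked as a script under this name; sourcing just defines functions.
case "${0##*/}" in
  flac-seek-check.sh) main "$@" ;;
esac
```

On an affected build the mismatch shows up as exit status 1; the same script run before and after installing the packages from updates_testing gives the before/after comparison that the VLC test in the comment above does by ear.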

Comment 2 claire robinson 2015-04-24 18:03:37 CEST
Advisory uploaded.

Whiteboard: has_procedure mga4-64-ok => has_procedure advisory mga4-64-ok

Comment 3 claire robinson 2015-04-25 14:34:08 CEST
Testing complete mga4 32

Validating.

Please push to 4 updates

Thanks

Keywords: (none) => validated_update
Whiteboard: has_procedure advisory mga4-64-ok => has_procedure advisory mga4-64-ok mga4-32-ok
CC: (none) => sysadmin-bugs

Comment 4 Mageia Robot 2015-04-25 22:15:42 CEST
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGAA-2015-0038.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

