CVEs have been assigned for security issues fixed in libass 0.13.4:
http://www.openwall.com/lists/oss-security/2016/10/05/2
https://github.com/libass/libass/releases/tag/0.13.4

Freeze push requested for Cauldron. Update checked into Mageia 5 SVN.
Updated packages uploaded for Mageia 5 and Cauldron.

Advisory:
========================

Updated libass packages fix security vulnerabilities:

Amount of memory allocated during memory reallocation in the shaper wasn't tracked, possibly resulting in undefined behavior (CVE-2016-7972).

Illegal read in Gaussian blur coefficient calculations (CVE-2016-7970).

Mode 0/3 line wrapping equalization in specific cases could result in illegal reads while laying out and shaping text (CVE-2016-7969).

The libass package has been updated to version 0.13.4, fixing this issue and several other bugs.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7969
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7970
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7972
https://github.com/libass/libass/releases
========================

Updated packages in core/updates_testing:
========================
libass5-0.13.4-1.mga5
libass-devel-0.13.4-1.mga5

from libass-0.13.4-1.mga5.src.rpm
Assignee: bugsquad => qa-bugs
Testing on x86_64, real hardware.

libass is used in subtitle rendering by multimedia applications like mpv, vlc, mplayer, kodi, bino and mythtv, so running any of these may be a sufficient test. In the case of mythtv and vlc, certain plugins should be installed, such as vlc-plugin-libass. There is no obvious help upstream for the various CVEs.

Installed the updates. Played a film from arteFetcher using mplayer, French subtitles packaged with the film. They were rendered OK. Installed the vlc plugin and watched another French subtitled film. No problem there. mpv handled subtitles OK as well.

OK for 64 bits.
CC: (none) => tarazed25
Whiteboard: (none) => MGA5-64-OK
CC: (none) => mageia
Whiteboard: MGA5-64-OK => MGA5-64-OK advisory
i586 on virtualbox.

Before and after the updates mplayer handled the subtitles in a documentary MP4 file with merged subtitles.
Keywords: (none) => validated_update
Whiteboard: MGA5-64-OK advisory => MGA5-64-OK advisory MGA5-32-OK
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository.
http://advisories.mageia.org/MGASA-2016-0341.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
URL: (none) => http://lwn.net/Vulnerabilities/703461/