Bug 20082 - flac new security issues fixed upstream in 1.3.2
Summary: flac new security issues fixed upstream in 1.3.2
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: https://lwn.net/Vulnerabilities/710896/
Whiteboard: advisory mga5-32-ok mga5-64-ok
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2017-01-06 23:40 CET by David Walser
Modified: 2017-03-12 21:34 CET

See Also:
Source RPM: flac-1.3.1-2.mga5.src.rpm
CVE:
Status comment: need some input on this one before I okay it.


Marja Van Waes 2017-01-07 10:08:16 CET

CC: (none) => marja11
Assignee: bugsquad => rverschelde

Comment 1 Rémi Verschelde 2017-03-06 18:18:53 CET
Submitted flac-1.3.2-1.mga5 to core/updates_testing.

Advisory:
=========

Updated flac packages fix security vulnerabilities

  FLAC 1.3.2 fixes a NULL pointer dereference bug and adds bounds checking in the
  encoder. It also fixes various non security-relevant issues.

References:
 - https://xiph.org/flac/changelog.html


RPMs in core/updates_testing:
=============================
flac-1.3.2-1.mga5
lib{64,}flac8-1.3.2-1.mga5
lib{64,}flac-devel-1.3.2-1.mga5
lib{64,}flac++6-1.3.2-1.mga5
lib{64,}flac++-devel-1.3.2-1.mga5

SRPM in core/updates_testing:
=============================
flac-1.3.2-1.mga5

Assignee: rverschelde => qa-bugs

Dave Hodgins 2017-03-08 03:43:32 CET

CC: (none) => davidwhodgins
Whiteboard: (none) => advisory

Comment 2 Brian Rockwell 2017-03-08 03:52:00 CET
mga5-32-ok

The following 3 packages are going to be installed:

- flac-1.3.2-1.mga5.i586
- libflac++6-1.3.2-1.mga5.i586
- libflac8-1.3.2-1.mga5.i586

872KB of additional disk space will be used.

468KB of packages will be retrieved.

Is it ok to continue?


$ flac -f --best --keep-foreign-metadata *.wav

able to play the files without issue

CC: (none) => brtians1
Whiteboard: advisory => advisory mga5-32-ok

Comment 3 Brian Rockwell 2017-03-10 00:36:44 CET
The following 3 packages are going to be installed:

- flac-1.3.2-1.mga5.x86_64
- lib64flac++6-1.3.2-1.mga5.x86_64
- lib64flac8-1.3.2-1.mga5.x86_64

865KB of additional disk space will be used.

467KB of packages will be retrieved.

Is it ok to continue?

---------------------

ok not sure on this one.  

Converted WAV file without issue.  Tried an ogg file and it toasted.

ERROR got FLAC__STREAM_DECODER_ERROR_STATUS_LOST_SYNC while decoding FLAC input
12_-_Sangre_Dolce.ogg: ERROR: out of memory or too many metadata blocks while reading metadata in FLAC input


--- anybody have some input on this one?

Status comment: (none) => need some input on this one before I okay it.

Brian Rockwell 2017-03-10 00:38:59 CET

Whiteboard: advisory mga5-32-ok => advisory mga5-32-ok feedback

Comment 4 Brian Rockwell 2017-03-10 04:40:34 CET
Ok - flac utility does not transcode from ogg.  So, it worked on wav files.  I think it is fine.  Approving and removing the feedback flag.

Whiteboard: advisory mga5-32-ok feedback => advisory mga5-32-ok mga5-64-ok

Lewis Smith 2017-03-10 20:34:15 CET

Keywords: (none) => validated_update
CC: (none) => lewyssmith, sysadmin-bugs

Comment 5 Mageia Robot 2017-03-12 21:34:19 CET
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0074.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED
