Fedora has issued an advisory on January 20: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/ZKHZKWBC6F5SBYVTHQOQ5ZQURSZSNQ36/ Patched packages uploaded for Mageia 5 and Cauldron. Advisory: ======================== Updated opus packages fix security vulnerability: A remote code execution vulnerability in silk/NLSF_stabilize.c in libopus could enable an attacker using a specially crafted file to cause memory corruption during media file and data processing (CVE-2017-0381). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0381 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/ZKHZKWBC6F5SBYVTHQOQ5ZQURSZSNQ36/ ======================== Updated packages in core/updates_testing: ======================== libopus0-1.1-3.1.mga5 libopus-devel-1.1-3.1.mga5 from opus-1.1-3.1.mga5.src.rpm
URL: (none) => https://lwn.net/Vulnerabilities/712298/
Testing Mageia 5 x64 Preamble -------- Opus: This package provides the library that implements the Opus codec. The Opus codec is designed for interactive speech and audio transmission over the Internet. These are programs (not libraries) using lib[64]opus0: # urpmq --whatrequires lib64opus0 | sort | uniq asterisk chromium-browser-stable easytag gstreamer0.10-plugins-bad gstreamer1.0-plugins-bad iceape idjc kwave mpd mumble opus-tools vlc-plugin-common idjc: A graphical shoutcast/icecast client with two media players... Supports playing of mp3, ogg, flac, wma, wav, m4a, files. mpd: Music Player Daemon (MPD) allows remote access for playing music (MP3, Ogg Vorbis, FLAC, Mod, and wave files) and managing playlists... it is also makes a great desktop music player I got neither of these to work! Of more precise interest is *opus-tools*; worth installing for this test: - opusdec decode audio from Opus format to WAV (or simple audio output) - opusenc encode audio [WAV, AIFF, FLAC, Ogg/FLAC, raw] into the Opus format - opusinfo gives information about Opus files and does extensive validation ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Testing the update: lib64opus0-1.1-3.1.mga5 with opus-tools-0.1.8-3.mga5, starting with a known .wav file converted to .opus then back again to .wav. 1. Encode .wav -> .opus file: $ opusenc track1.wav track1.opus Encoding using libopus 1.1 (audio) ----------------------------------------------------- Input: 44.1kHz 2 channels Output: 2 channels (2 coupled) 20ms packets, 96kbit/sec VBR Preskip: 356 [\] 00:03:30.92 10.5x realtime, 86.2kbit/s Encoding complete ----------------------------------------------------- Encoded: 3 minutes and 42.74 seconds Runtime: 20 seconds (11.14x realtime) Wrote: 2410124 bytes, 11137 packets, 225 pages Bitrate: 85.8685kbit/s (without overhead) Instant rates: 1.2kbit/s to 191.6kbit/s (3 to 479 bytes per packet) Overhead: 0.802% (container+metadata) 2. Get info on the opus file: $ opusinfo track1.opus Processing file "track1.opus"... New logical stream (#1, serial: 51fbce1f): type opus Encoded with libopus 1.1 [Lots o sensible looking O/P] Opus stream 1: [Lots o sensible looking O/P] Logical stream 1 ended 3. Decode .opus -> .wav file: $ opusdec track1.opus track1.wav Decoding to 44100 Hz (2 channels) Encoded with libopus 1.1 ENCODER=opusenc from opus-tools 0.1.8 ... Decoding complete. Played the resulting wav file, it seemed fine. Update OK.
CC: (none) => lewyssmithWhiteboard: (none) => MGA5-64-OK
Whiteboard: MGA5-64-OK => MGA5-64-OK advisory
Taking this up on a 32bit vbox.
CC: (none) => tarazed25
i586 in virtualbox Installed opus-tools and libopus0 $ ls tracks CherryOhBaby.ogg LaDanserye.flac LammasTide.wav Padstow.mp3 $ opusenc CherryOhBaby.ogg cherryohbaby.opus Error parsing input file: CherryOhBaby.ogg $ opusenc Padstow.mp3 padstow.opus Error parsing input file: Padstow.mp3 $ opusenc LammasTide.wav lammastide.opus Encoding using libopus 1.1 (audio) ----------------------------------------------------- Encoded: 2 minutes and 52.76 seconds Runtime: 3 seconds (57.59x realtime) Wrote: 1645340 bytes, 8638 packets, 175 pages Bitrate: 75.5123kbit/s (without overhead) Instant rates: 1.2kbit/s to 190.4kbit/s (3 to 476 bytes per packet) Overhead: 0.891% (container+metadata) $ opusinfo lammastide.opus Processing file "lammastide.opus"... New logical stream (#1, serial: 398b09fe): type opus Encoded with libopus 1.1 User comments section follows... ENCODER=opusenc from opus-tools 0.1.8 Opus stream 1: Pre-skip: 356 Playback gain: 0 dB Channels: 2 Original sample rate: 44100Hz Packet duration: 20.0ms (max), 20.0ms (avg), 20.0ms (min) Page duration: 1000.0ms (max), 998.6ms (avg), 760.0ms (min) Total data length: 1645340 bytes (overhead: 0.891%) Playback length: 2m:52.733s Average bitrate: 76.2 kb/s, w/o overhead: 75.52 kb/s Logical stream 1 ended *** Updated to libopus0-1.1-3.1.mga5 and libopus-devel-1.1-3.1.mga5. *** $ opusenc LaDanserye.flac ladanserye.opus Encoding using libopus 1.1 (audio) ----------------------------------------------------- Input: 44.1kHz 2 channels Output: 2 channels (2 coupled) 20ms packets, 96kbit/sec VBR Preskip: 356 [/] 00:07:10.39 43x realtime, 109kbit/s Encoding complete ----------------------------------------------------- Encoded: 7 minutes and 28.8 seconds Runtime: 10 seconds (44.88x realtime) Wrote: 6107692 bytes, 22440 packets, 451 pages Bitrate: 108.025kbit/s (without overhead) Instant rates: 1.2kbit/s to 192.8kbit/s (3 to 482 bytes per packet) Overhead: 0.778% (container+metadata) $ opusinfo lammastide.opus Processing file "lammastide.opus"... New logical stream (#1, serial: 398b09fe): type opus Encoded with libopus 1.1 User comments section follows... ENCODER=opusenc from opus-tools 0.1.8 Opus stream 1: Pre-skip: 356 Playback gain: 0 dB Channels: 2 Original sample rate: 44100Hz Packet duration: 20.0ms (max), 20.0ms (avg), 20.0ms (min) Page duration: 1000.0ms (max), 998.6ms (avg), 760.0ms (min) Total data length: 1645340 bytes (overhead: 0.891%) Playback length: 2m:52.733s Average bitrate: 76.2 kb/s, w/o overhead: 75.52 kb/s Logical stream 1 ended mplayer had a bit of a problem getting started on lammastide.opus because pulseaudio was not running. Started pulseaudio and it ran fine. Also installed sox (for play). $ opusdec ladanserye.opus ladanserye.wav Decoding to 44100 Hz (2 channels) Encoded with libopus 1.1 ENCODER=opusenc from opus-tools 0.1.8 TITLE=Track 1 ARTIST=Unknown Artist TRACKNUMBER=1 TRACKTOTAL=13 ALBUM=Unknown Title ALBUMARTIST=Unknown Artist DISCID=c1111f0d MUSICBRAINZ_DISCID=Skhvg016kE6VTSzxMnz48x1tvKE- Decoding complete. $ play ladanserye.wav ladanserye.wav: File Size: 79.2M Bit Rate: 1.41M Encoding: Signed PCM Channels: 2 @ 16-bit Samplerate: 44100Hz Replaygain: off Duration: 00:07:28.77 In:3.41% 00:00:15.33 [00:07:13.45] Out:676k [-=====|====- ] Hd:2.1 Clip:0 Also tried idjc but since it is aimed at playing streams it did not recognize static files. That all looks OK.
Whiteboard: MGA5-64-OK advisory => MGA5-64-OK advisory MGA5-32-OK
Keywords: (none) => validated_updateCC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2017-0029.html
Status: NEW => RESOLVEDResolution: (none) => FIXED