Bug 20177 - audacious-plugins new security issues in bundled game-music-emu
Summary: audacious-plugins new security issues in bundled game-music-emu
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 5
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: https://lwn.net/Vulnerabilities/709663/
Whiteboard: advisory MGA5-32-OK MGA5-64-OK
Keywords: validated_update
Depends on:
Reported: 2017-01-25 01:30 CET by David Walser
Modified: 2017-02-12 00:48 CET (History)
6 users (show)

See Also:
Source RPM: audacious-plugins-3.5.2-2.mga5.src.rpm
Status comment:


Description David Walser 2017-01-25 01:30:34 CET
Fedora has issued an advisory today (January 24):

The issues are fixed upstream in 3.8.2.  Freeze push requested for Cauldron.

These are the same issues we just fixed in Bug 19952.

The patch is checked into Mageia 5 SVN.
Comment 1 David Walser 2017-01-26 02:05:51 CET
Patched package uploaded for Mageia 5.


Updated audacious-plugins packages fix security vulnerabilities:

Chris Evans discovered that incorrect emulation of the SPC700 audio
co-processor of the Super Nintendo Entertainment System allows the execution
of arbitrary code if a malformed SPC music file is opened (CVE-2016-9957,
CVE-2016-9958, CVE-2016-9959, CVE-2016-9960, CVE-2016-9961).

These issues were previously fixed in MGASA-2016-0428 in the game-music-emu
library, but audacious-plugins contains a decoder built with a bundled
copy, which has been patched to fix the issues.


Updated packages in core/updates_testing:

from audacious-plugins-3.5.2-2.1.mga5.src.rpm

Assignee: bugsquad => qa-bugs
URL: (none) => https://lwn.net/Vulnerabilities/709663/

Comment 2 Dave Hodgins 2017-02-03 00:44:34 CET
What about the tainted version?

I've added the advisory to svn with ...
     - audacious-plugins-3.5.2-2.1.mga5.tainted

Either the tainted version needs to be added or the advisory in svn updated.

CC: (none) => davidwhodgins
Whiteboard: (none) => advisory feedback

Comment 3 David Walser 2017-02-03 01:38:38 CET
Ugh, tainted is annoying.  It's on its way.  Thanks for catching it.

Whiteboard: advisory feedback => advisory

Comment 4 Herman Viaene 2017-02-09 13:57:21 CET
I first added Tainted Updates Testing repos (the regular Tainted I have always), then searched for audacious, but I did not get audacious-wavpack, audacious-jack , audacious-fluidsynth nor audacious-sid in any version. belnet is usually a day later, but not that much and it carries the other updates correctly.

CC: (none) => herman.viaene

Comment 5 James Kerr 2017-02-09 15:01:54 CET
They are there. Perhaps you forgot to update the tainted/updates repo after enabling it.

CC: (none) => jim

Comment 6 James Kerr 2017-02-09 15:08:17 CET
(In reply to James Kerr from comment #5)
> They are there. Perhaps you forgot to update the tainted/updates repo after
> enabling it.

Meant to write tainted/updates-testing
Comment 7 Herman Viaene 2017-02-09 16:19:33 CET
@ James:
I routinely refresh all repos before starting a test session, and then still, the tainted audacious-adplug was found, but not the ones I indicated. But now indeed all are present.
Comment 8 Herman Viaene 2017-02-09 16:22:18 CET
MGA5-32 on Asus A6000VM Xfce
No installation issues.
$ strace -o audacious.txt audacious
Played CD and checked in trace that plugins are called: OK

Whiteboard: advisory => advisory MGA5-32-OK

Comment 9 Brian Rockwell 2017-02-09 17:37:54 CET
David - did you get tainted updated as well?

CC: (none) => brtians1

Comment 10 Brian Rockwell 2017-02-11 13:09:47 CET
Tested tainted plugins 

# urpmi audacious-plugins
Package audacious-plugins-3.5.2-2.1.mga5.tainted.i586 is already installed
installing audacious-pulse-3.5.2-2.1.mga5.tainted.i586.rpm from /var/cache/urpmi/rpms

sounds and different effects available are working properly.

tainted works.
Comment 11 Brian Rockwell 2017-02-11 14:07:11 CET
To satisfy dependencies, the following package(s) also need to be installed:

- audacious-plugins-3.5.2-2.1.mga5.x86_64
- audacious-pulse-3.5.2-2.1.mga5.x86_64
- lib64audcore1-3.5.2-1.mga5.x86_64
- lib64audgui2-3.5.2-1.mga5.x86_64
- lib64guess1-1.2-0.git.20131127.3.mga5.x86_64
- lib64mms0-0.6.4-4.mga5.x86_64
- lib64mowgli-2_0-2.0.0-4.mga5.x86_64

6.6MB of additional disk space will be used.

Jammed out to âFrom the Beginningâ in FLAC by Emerson, Lake & Palmer.  Working as designed

Whiteboard: advisory MGA5-32-OK => advisory MGA5-32-OK MGA5-64-OK

Lewis Smith 2017-02-11 21:55:36 CET

Keywords: (none) => validated_update
CC: (none) => lewyssmith, sysadmin-bugs

Comment 12 Mageia Robot 2017-02-12 00:48:06 CET
An update for this issue has been pushed to the Mageia Updates repository.


Resolution: (none) => FIXED

Note You need to log in before you can comment on or make changes to this bug.