Fedora has issued an advisory today (January 24): https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/5JCR3VLAF2YQQIMAJABV4G7LQQYBXH5V/ The issues are fixed upstream in 3.8.2. Freeze push requested for Cauldron. These are the same issues we just fixed in Bug 19952. The patch is checked into Mageia 5 SVN.
Patched package uploaded for Mageia 5. Advisory: ======================== Updated audacious-plugins packages fix security vulnerabilities: Chris Evans discovered that incorrect emulation of the SPC700 audio co-processor of the Super Nintendo Entertainment System allows the execution of arbitrary code if a malformed SPC music file is opened (CVE-2016-9957, CVE-2016-9958, CVE-2016-9959, CVE-2016-9960, CVE-2016-9961). These issues were previously fixed in MGASA-2016-0428 in the game-music-emu library, but audacious-plugins contains a decoder built with a bundled copy, which has been patched to fix the issues. References: http://advisories.mageia.org/MGASA-2016-0428.html ======================== Updated packages in core/updates_testing: ======================== audacious-plugins-3.5.2-2.1.mga5 audacious-wavpack-3.5.2-2.1.mga5 audacious-jack-3.5.2-2.1.mga5 audacious-pulse-3.5.2-2.1.mga5 audacious-adplug-3.5.2-2.1.mga5 audacious-fluidsynth-3.5.2-2.1.mga5 audacious-sid-3.5.2-2.1.mga5 from audacious-plugins-3.5.2-2.1.mga5.src.rpm
Assignee: bugsquad => qa-bugsURL: (none) => https://lwn.net/Vulnerabilities/709663/
What about the tainted version? I've added the advisory to svn with ... tainted: - audacious-plugins-3.5.2-2.1.mga5.tainted Either the tainted version needs to be added or the advisory in svn updated.
CC: (none) => davidwhodginsWhiteboard: (none) => advisory feedback
Ugh, tainted is annoying. It's on its way. Thanks for catching it.
Whiteboard: advisory feedback => advisory
I first added Tainted Updates Testing repos (the regular Tainted I have always), then searched for audacious, but I did not get audacious-wavpack, audacious-jack , audacious-fluidsynth nor audacious-sid in any version. belnet is usually a day later, but not that much and it carries the other updates correctly.
CC: (none) => herman.viaene
They are there. Perhaps you forgot to update the tainted/updates repo after enabling it.
CC: (none) => jim
(In reply to James Kerr from comment #5) > They are there. Perhaps you forgot to update the tainted/updates repo after > enabling it. Meant to write tainted/updates-testing
@ James: I routinely refresh all repos before starting a test session, and then still, the tainted audacious-adplug was found, but not the ones I indicated. But now indeed all are present.
MGA5-32 on Asus A6000VM Xfce No installation issues. At CLI: $ strace -o audacious.txt audacious Played CD and checked in trace that plugins are called: OK
Whiteboard: advisory => advisory MGA5-32-OK
David - did you get tainted updated as well?
CC: (none) => brtians1
Tested tainted plugins # urpmi audacious-plugins Package audacious-plugins-3.5.2-2.1.mga5.tainted.i586 is already installed installing audacious-pulse-3.5.2-2.1.mga5.tainted.i586.rpm from /var/cache/urpmi/rpms sounds and different effects available are working properly. tainted works.
To satisfy dependencies, the following package(s) also need to be installed: - audacious-plugins-3.5.2-2.1.mga5.x86_64 - audacious-pulse-3.5.2-2.1.mga5.x86_64 - lib64audcore1-3.5.2-1.mga5.x86_64 - lib64audgui2-3.5.2-1.mga5.x86_64 - lib64guess1-1.2-0.git.20131127.3.mga5.x86_64 - lib64mms0-0.6.4-4.mga5.x86_64 - lib64mowgli-2_0-2.0.0-4.mga5.x86_64 6.6MB of additional disk space will be used. Jammed out to âFrom the Beginningâ in FLAC by Emerson, Lake & Palmer. Working as designed
Whiteboard: advisory MGA5-32-OK => advisory MGA5-32-OK MGA5-64-OK
Keywords: (none) => validated_updateCC: (none) => lewyssmith, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2017-0046.html
Status: NEW => RESOLVEDResolution: (none) => FIXED