Several CVEs for audiofile were posted today (March 13): http://openwall.com/lists/oss-security/2017/03/13/ They are CVE-2017-6829 and CVE-2017-683[0-9].
CC: (none) => marja11Assignee: bugsquad => shlomif
CVE-2017-6827 and CVE-2017-6828: http://openwall.com/lists/oss-security/2017/03/14/6 http://openwall.com/lists/oss-security/2017/03/14/7
Summary: audiofile new security issues CVE-2017-6829 and CVE-2017-683[0-9] => audiofile new security issues CVE-2017-682[7-9] and CVE-2017-683[0-9]
Debian has issued an advisory for this on March 22: https://www.debian.org/security/2017/dsa-3814
Fixed in cauldron
CC: (none) => mageia
pushed in updates_testing to fix * CVE-2017-6829 * CVE-2017-6831 * CVE-2017-6832 * CVE-2017-6833 * CVE-2017-6834 * CVE-2017-6835 * CVE-2017-6836 * CVE-2017-6837 * CVE-2017-6838 * CVE-2017-6839 * CVE-2017-6827 * CVE-2017-6828 src.rpm: audiofile-0.3.6-4.2.mga5
Assignee: shlomif => qa-bugsVersion: Cauldron => 5
Nicolas, you missed one patch, one CVE, and didn't actually apply any of the patches in the Mageia 5 update. All fixed now. Advisory: ======================== Updated audiofile packages fix security vulnerabilities: Several vulnerabilities have been discovered in the audiofile library, which may result in denial of service or the execution of arbitrary code if a malformed audio file is processed (CVE-2017-6827, CVE-2017-6828, CVE-2017-6829, CVE-2017-6830, CVE-2017-6831, CVE-2017-6832, CVE-2017-6833, CVE-2017-6834, CVE-2017-6835, CVE-2017-6836, CVE-2017-6837, CVE-2017-6838, CVE-2017-6839). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6827 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6828 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6829 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6830 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6831 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6832 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6833 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6834 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6835 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6836 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6837 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6838 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6839 https://www.debian.org/security/2017/dsa-3814 ======================== Updated packages in core/updates_testing: ======================== audiofile-0.3.6-4.3.mga5 libaudiofile1-0.3.6-4.3.mga5 libaudiofile-devel-0.3.6-4.3.mga5 from audiofile-0.3.6-4.3.mga5.src.rpm
MGA-32 on Asus A6000VM Xfce No installation issues Ref bug 16923 Comment 7 Converted two wav files (captured from cassette) and used ffmpeg to convert to mp3 as $ ffmpeg -i Welington\'s\ Sieg.wav -codec mp3 Well.mp3 then $ normalize Well.mp3 Zapf.mp3 Computing levels... Zapf.mp3 99% done, ETA 00:00:00 (batch 100% done, ETA 00:00:00) Applying adjustment of 3,05dB to Well.mp3... Well.mp3 100% done, ETA 00:00:00 (batch 81% done, ETA 00:00:00) Applying adjustment of 1,15dB to Zapf.mp3... Zapf.mp3 100% done, ETA 00:00:00 (batch 100% done, ETA 00:00:00) mp3 files play well.
CC: (none) => herman.viaeneWhiteboard: (none) => MGA5-32-OK
Whiteboard: MGA5-32-OK => MGA5-32-OK advisoryCC: (none) => lewyssmith
Testing M5_64 After update: audiofile-0.3.6-4.3.mga5 lib64audiofile1-0.3.6-4.3.mga5 using 'normalize'. This time it worked directly on .wav files (as says the man page) as well as .mp3 ; [but not .flac nor .ogg]. Note that it overwrites the source file. $ normalize cbach.wav Computing levels... cbach.wav 100% done, ETA 00:00:00 (batch 100% done, ETA 00:00:00) Applying adjustment of 1.07dB to cbach.wav... cbach.wav 100% done, ETA 00:00:00 (batch 100% done, ETA 00:00:00) Confirmed that the library *is* called: $ strace normalize cbach.wav 2>&1 | grep audiofile open("/lib64/libaudiofile.so.1", O_RDONLY|O_CLOEXEC) = 3 $ normalize cbach.mp3 Computing levels... cbach.mp3 100% done, ETA 00:00:00 (batch 100% done, ETA 00:00:00) Applying adjustment of 1.52dB to cbach.mp3... cbach.mp3 100% done, ETA 00:00:00 (batch 100% done, ETA 00:00:00) The results were fine, so the update is OK. Validating, already advisoried.
Whiteboard: MGA5-32-OK advisory => MGA5-32-OK advisory MGA5-64-OKKeywords: (none) => validated_updateCC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2017-0129.html
Resolution: (none) => FIXEDStatus: NEW => RESOLVED