A security issue fixed upstream in libsamplerate 0.1.9 has been announced: http://openwall.com/lists/oss-security/2017/04/12/1
Assigning to all packagers collectively, since there is no registered maintainer for this package.
Assignee: bugsquad => pkg-bugs
CC: (none) => marja11
QA Contact: (none) => security
Component: RPM Packages => Security
Updated package uploaded for Mageia 5.

Advisory:
========================

Updated libsamplerate package fixes security vulnerability:

It was discovered that libsamplerate contained a global buffer overflow in
calc_output_single (CVE-20176-5223).

References:
http://openwall.com/lists/oss-security/2017/04/12/1
https://blogs.gentoo.org/ago/2017/04/11/libsamplerate-global-buffer-overflow-in-calc_output_single-src_sinc-c/
========================

Updated packages in core/updates_testing:
========================
lib64samplerate0-0.1.9-1.mga6.x86_64.rpm
lib64samplerate-devel-0.1.9-1.mga6.x86_64.rpm
libsamplerate-debuginfo-0.1.9-1.mga6.x86_64.rpm
libsamplerate-progs-0.1.9-1.mga6.x86_64.rpm

from libsamplerate-0.1.9-1.mga5.src.rpm

Reproducer:
https://github.com/asarubbo/poc/blob/master/00262-libsamplerate-globaloverflow-calc_output_single
Assignee: pkg-bugs => qa-bugs
CC: (none) => mrambo
MGA5-32 on Asus A6000VM Xfce
No installation issues

From comments in MCC:
Secret Rabbit Code (aka libsamplerate) is a Sample Rate Converter for audio. One example of where such a thing would be useful is converting audio from the CD sample rate of 44.1kHz to the 48kHz sample rate used by DAT players.

So at CLI:
$ sndfile-resample -to 48000 Zapfenstreich.wav Zapf1.wav
Input File    : Zapfenstreich.wav
    Sample Rate : 44100
    Input Frames : 8596790
SRC Ratio     : 1.088435
Converter     : Medium Sinc Interpolator
Output file   : Zapf1.wav
    Sample Rate : 48000
    Output Frames : 9357051

The resulting file is a bit larger than the original one, which was to be expected. Plays equally well in Parole.
Whiteboard: (none) => MGA5-32-OK
CC: (none) => herman.viaene
Advisory uploaded ex Comment 2; but I corrected the CVE-id in the text to that in the title (which I checked): CVE-2017-7697
CC: (none) => lewyssmith
Whiteboard: MGA5-32-OK => MGA5-32-OK advisory
Testing M5 64 bit

Needed to install the 'progs' pkg.
$ sndfile-resample -h
gives useful info; but -by <amount> is not explained.

BEFORE the update:
 lib64samplerate0-0.1.8-5.mga5
 libsamplerate-progs-0.1.8-5.mga5

Tried the PoC and its demonstration given in Comment 2:
https://blogs.gentoo.org/ago/2017/04/11/libsamplerate-global-buffer-overflow-in-calc_output_single-src_sinc-c/
https://github.com/asarubbo/poc/blob/master/00262-libsamplerate-globaloverflow-calc_output_single
but it did *not* fail as illustrated in the first link above:
$ sndfile-resample -to 24000 -c 1 sampleratePoC out
Input File    : sampleratePoC
    Sample Rate : 152690
    Input Frames : 38388006656
SRC Ratio     : 0.157181
Converter     : Medium Sinc Interpolator
Output file   : out
    Sample Rate : 24000
    Output Frames : 1287

UPDATED to:
 - lib64samplerate0-0.1.9-1.mga5.x86_64
 - libsamplerate-progs-0.1.9-1.mga5.x86_64

Result with the PoC identical.

$ sndfile-resample -to 36000 BachKBconcerto.wav out
$ sndfile-resample -to 36000 track1.flac out
produced good output files (listened to with Parole).

FWIW:
$ sndfile-resample -to 36000 BachKBconcerto.ogg out
hogged the processor for a very long time, but finished. However, the output was not good.
It does not accept .mp3 files.

Update looks good, validating.
Keywords: (none) => validated_update
Whiteboard: MGA5-32-OK advisory => MGA5-32-OK advisory MGA5-64-OK
CC: (none) => sysadmin-bugs
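The two QA comments above record the package version before and after the update by hand. The script below is an added example (it is not part of this bug report and not a Mageia QA tool) that turns that check into something you can run on a fleet of Mageia 5 hosts: it compares an installed version-release string against the fixed build named in the advisory, 0.1.9-1.mga5, and reports VULNERABLE or FIXED. The version strings in the demonstration loop are constructed from the before/after lines in the report; the rpm query helper only runs where rpm is present.

```shell
#!/bin/sh
# Added example, not from the Mageia bug report: gate on the libsamplerate
# version that the advisory lists as carrying the fix.
# Assumption: the fixed build is lib64samplerate0-0.1.9-1.mga5 (from the
# package list in Comment 2); anything sorting below it is treated as unfixed.

FIXED_EVR="0.1.9-1.mga5"

# version_ge INSTALLED FIXED
# Returns 0 when INSTALLED is the same as, or sorts after, FIXED under
# "sort -V" (natural version ordering: 0.1.9 > 0.1.8, and 0.1.9-2 > 0.1.9-1).
version_ge() {
    installed=$1
    fixed=$2
    lowest=$(printf '%s\n%s\n' "$installed" "$fixed" | sort -V | head -n 1)
    [ "$lowest" = "$fixed" ]
}

# verdict EVR -> prints FIXED when EVR is at or above the advisory build,
# VULNERABLE otherwise.
verdict() {
    if version_ge "$1" "$FIXED_EVR"; then
        echo FIXED
    else
        echo VULNERABLE
    fi
}

# installed_evr PKG -> prints VERSION-RELEASE of an installed RPM.
# Fails (non-zero) when rpm is not available or the package is absent.
installed_evr() {
    command -v rpm >/dev/null 2>&1 || return 1
    rpm -q --qf '%{VERSION}-%{RELEASE}\n' "$1" 2>/dev/null
}

# Demonstration on constructed strings: the pre-update build from the QA
# comment, the advisory build, and a hypothetical later rebuild.
for evr in "0.1.8-5.mga5" "0.1.9-1.mga5" "0.1.9-2.mga5"; do
    printf '%-16s %s\n' "$evr" "$(verdict "$evr")"
done

# Live check on a Mageia host (skipped silently elsewhere).
if live=$(installed_evr lib64samplerate0); then
    printf '%-16s %s (installed)\n' "$live" "$(verdict "$live")"
fi
```

Two caveats: sort -V is not rpmvercmp, so a release tag carrying an epoch or letters can order differently from what rpm itself decides (on hosts with rpmdevtools, rpmdev-vercmp gives the authoritative answer); and, as the second QA comment shows, the public PoC does not crash the 0.1.8 build on this platform, so a version gate like this is the check that tells you the fix landed, not a crash test.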
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2017-0131.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED