Assigning to the registered maintainer.

Assignee: bugsquad => shlomif
CC: (none) => marja11

Checked the Debian CVE tracker, apparently they consider those three CVEs fixed by a patch they included in 2008:

https://security-tracker.debian.org/tracker/CVE-2017-8372
https://security-tracker.debian.org/tracker/CVE-2017-8373
https://security-tracker.debian.org/tracker/CVE-2017-8374

The 2008 bug report: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=508133
The patch: https://sources.debian.net/src/libmad/0.15.1b-8/debian/patches/frame_length.diff/

Would have to check the PoCs to be sure the patch is enough, but that should be a start. No activity whatsoever upstream otherwise.

Note that the patch would need to be rediffed as it won't apply on top of our own contrib_src_mad_check-bitstream-length--mod2.patch.

Advisory:
========================

Updated mad packages fix security vulnerabilities:

The mad_layer_III function in layer3.c in Underbit MAD libmad 0.15.1b allows
remote attackers to cause a denial of service (heap-based buffer overflow and
application crash) or possibly have unspecified other impact via a crafted
audio file (CVE-2017-8373).

The mad_bit_skip function in bit.c in Underbit MAD libmad 0.15.1b allows
remote attackers to cause a denial of service (heap-based buffer over-read
and application crash) via a crafted audio file (CVE-2017-8374).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8373
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8374
http://openwall.com/lists/oss-security/2017/05/01/8
http://openwall.com/lists/oss-security/2017/05/01/9
https://security-tracker.debian.org/tracker/CVE-2017-8373
https://security-tracker.debian.org/tracker/CVE-2017-8374
========================

Updated packages in core/updates_testing:
========================
libmad0-0.15.1b-17.4.mga5
libmad-devel-0.15.1b-17.4.mga5
libmad0-0.15.1b-22.1.mga6
libmad-devel-0.15.1b-22.1.mga6

from SRPMS:
mad-0.15.1b-17.4.mga5.src.rpm
mad-0.15.1b-22.1.mga6.src.rpm

Version: Cauldron => 6
Whiteboard: MGA6TOO, MGA5TOO => MGA5TOO
Assignee: shlomif => qa-bugs

To test normally.

Installed lib64mad0-0.15.1b-17.4.mga5 on real hardware, then played mp3 files with Audacity, vlc, and xine. 

No problems noted. Giving the 64-bit OK for MGA5.

CC: (none) => andrewsfarm
Whiteboard: MGA5TOO => MGA5TOO MGA5-64-OK

Installed lib64mad0-0.15.1b-22.1.mga6 on real hardware, then played mp3 files with Kmplayer, vlc, and Dragon Player.

No problems noted. Giving the 64-bit OK for MGA6.

Whiteboard: MGA5TOO MGA5-64-OK => MGA5TOO MGA5-64-OK MGA6-64-OK

Confirming M6/64 *after* update: lib64mad0-0.15.1b-22.1.mga6

Thanks TJ for the spread of tests.
Because this is a library-only update, confirmed its employment.

Mplayer:
 $ strace mplayer /mnt/common/Mageia/BachSomething.mp3 2>&1 | grep libmad
open("/lib64/libmad.so.0", O_RDONLY|O_CLOEXEC) = 3
write(1, "Trying to force audio codec driv"..., 52Trying to force audio codec driver family libmad...
write(1, "Opening audio decoder: [libmad] "..., 58Opening audio decoder: [libmad] libmad mpeg audio decoder
write(1, "Selected audio codec: [mad] afm:"..., 66Selected audio codec: [mad] afm: libmad (libMAD MPEG layer 1-2-3)
shows the library is well used, the music played OK.

VLC:
 $ strace vlc 2>&1 | grep libmad
stat("/usr/lib64/vlc/plugins/audio_filter/libmad_plugin.so", {st_mode=S_IFREG|0755, st_size=11208, ...}) = 0
Played fine.

Audacity:
 $ strace audacity 2>&1 | grep libmad
open("/lib64/libmad.so.0", O_RDONLY|O_CLOEXEC) = 3
Made it obvious it was importing an .mp3 file, played & displayed fine.

Keywords: (none) => validated_update
CC: (none) => lewyssmith, sysadmin-bugs

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0019.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED