Security issues in the mad library have been announced today (May 1):
http://openwall.com/lists/oss-security/2017/05/01/7
http://openwall.com/lists/oss-security/2017/05/01/8
http://openwall.com/lists/oss-security/2017/05/01/9

Fixes do not appear to be available yet.

Mageia 5 is also affected.
Whiteboard: (none) => MGA5TOO
Assigning to the registered maintainer.
Assignee: bugsquad => shlomif
CC: (none) => marja11
Checked the Debian CVE tracker, apparently they consider those three CVEs fixed by a patch they included in 2008:
https://security-tracker.debian.org/tracker/CVE-2017-8372
https://security-tracker.debian.org/tracker/CVE-2017-8373
https://security-tracker.debian.org/tracker/CVE-2017-8374

The 2008 bug report:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=508133

The patch:
https://sources.debian.net/src/libmad/0.15.1b-8/debian/patches/frame_length.diff/

Would have to check the PoCs to be sure the patch is enough, but that should be a start. No activity whatsoever upstream otherwise.
Note that the patch would need to be rediffed as it won't apply on top of our own contrib_src_mad_check-bitstream-length--mod2.patch.
Status comment: (none) => Old 2008 Debian patch supposed to fix those before they were rediscovered and attributed a CVE - need rediff and checking that PoC no longer apply
Whiteboard: MGA5TOO => MGA6TOO, MGA5TOO
Advisory:
========================

Updated mad packages fix security vulnerabilities:

The mad_layer_III function in layer3.c in Underbit MAD libmad 0.15.1b allows remote attackers to cause a denial of service (heap-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted audio file (CVE-2017-8373).

The mad_bit_skip function in bit.c in Underbit MAD libmad 0.15.1b allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted audio file (CVE-2017-8374).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8373
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8374
http://openwall.com/lists/oss-security/2017/05/01/8
http://openwall.com/lists/oss-security/2017/05/01/9
https://security-tracker.debian.org/tracker/CVE-2017-8373
https://security-tracker.debian.org/tracker/CVE-2017-8374
========================

Updated packages in core/updates_testing:
========================
libmad0-0.15.1b-17.4.mga5
libmad-devel-0.15.1b-17.4.mga5
libmad0-0.15.1b-22.1.mga6
libmad-devel-0.15.1b-22.1.mga6

from SRPMS:
mad-0.15.1b-17.4.mga5.src.rpm
mad-0.15.1b-22.1.mga6.src.rpm
Version: Cauldron => 6
Whiteboard: MGA6TOO, MGA5TOO => MGA5TOO
Assignee: shlomif => qa-bugs
To test normally.
CC: (none) => davidwhodgins
Keywords: (none) => advisory
Installed lib64mad0-0.15.1b-17.4.mga5 on real hardware, then played mp3 files with Audacity, vlc, and xine. No problems noted. Giving the 64-bit OK for MGA5.
CC: (none) => andrewsfarm
Whiteboard: MGA5TOO => MGA5TOO MGA5-64-OK
Installed lib64mad0-0.15.1b-22.1.mga6 on real hardware, then played mp3 files with Kmplayer, vlc, and Dragon Player. No problems noted. Giving the 64-bit OK for MGA6.
Whiteboard: MGA5TOO MGA5-64-OK => MGA5TOO MGA5-64-OK MGA6-64-OK
Confirming M6/64 *after* update: lib64mad0-0.15.1b-22.1.mga6

Thanks TJ for the spread of tests. Because this is a library-only update, confirmed its employment.

Mplayer:
 $ strace mplayer /mnt/common/Mageia/BachSomething.mp3 2>&1 | grep libmad
 open("/lib64/libmad.so.0", O_RDONLY|O_CLOEXEC) = 3
 write(1, "Trying to force audio codec driv"..., 52Trying to force audio codec driver family libmad...
 write(1, "Opening audio decoder: [libmad] "..., 58Opening audio decoder: [libmad] libmad mpeg audio decoder
 write(1, "Selected audio codec: [mad] afm:"..., 66Selected audio codec: [mad] afm: libmad (libMAD MPEG layer 1-2-3)
shows the library is well used, the music played OK.

VLC:
 $ strace vlc 2>&1 | grep libmad
 stat("/usr/lib64/vlc/plugins/audio_filter/libmad_plugin.so", {st_mode=S_IFREG|0755, st_size=11208, ...}) = 0
Played fine.

Audacity:
 $ strace audacity 2>&1 | grep libmad
 open("/lib64/libmad.so.0", O_RDONLY|O_CLOEXEC) = 3
Made it obvious it was importing an .mp3 file, played & displayed fine.
Keywords: (none) => validated_update
CC: (none) => lewyssmith, sysadmin-bugs
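
The strace check used in the comment above, as an added example (not part of the original thread or of any Mageia QA tooling): a shell function that reports only the libmad.so paths for which an open()/openat() call returned a file descriptor, skipping failed loader probes, stat() calls and write() lines that only mention "libmad". The function names and the sample trace are constructed for illustration.

```shell
#!/bin/sh
# Added example: list libmad shared objects that a traced process really opened.
# Input: strace output on stdin. Output: one path per line, de-duplicated.
libmad_opened() {
    # Keep only open()/openat() calls on .../libmad.so* whose return value is a
    # file descriptor (>= 0). Failed loader probes return -1 and are dropped,
    # as are stat() calls and write() lines that merely mention "libmad".
    sed -n -E 's#^(\[pid +[0-9]+\] +)?open(at)?\((AT_FDCWD, )?"([^"]*/libmad\.so[^"/]*)",.*\) = [0-9]+$#\4#p' |
        sort -u
}

# Constructed sample trace (not taken from a real run).
sample_trace() {
    cat <<'EOF'
open("/usr/lib64/tls/libmad.so.0", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/lib64/libmad.so.0", O_RDONLY|O_CLOEXEC) = 3
write(1, "Opening audio decoder: [libmad] "..., 58) = 58
stat("/usr/lib64/vlc/plugins/audio_filter/libmad_plugin.so", {st_mode=S_IFREG|0755, st_size=11208, ...}) = 0
openat(AT_FDCWD, "/lib64/libmad.so.0", O_RDONLY|O_CLOEXEC) = 4
EOF
}

sample_trace | libmad_opened
```

On a live system the function can be fed directly, for instance `strace -f -e trace=open,openat <player> <file> 2>&1 | libmad_opened`; the path it prints can then be matched against the updated package with `rpm -qf`.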
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2018-0019.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED