Bug 21170 - lame new security issues CVE-2015-9099, CVE-2015-910[01], CVE-2017-9869, CVE-2017-987[01]
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
Whiteboard: MGA5TOO mga6-64-ok mga6-32-ok MGA5-64...
Keywords: advisory, validated_update
 
Reported: 2017-07-01 20:19 CEST by David Walser
Modified: 2018-03-04 11:17 CET

Source RPM: lame-3.99.5-13.mga6.src.rpm

David Walser 2017-07-01 20:20:02 CEST

CC: (none) => sysadmin-bugs
Whiteboard: (none) => MGA5TOO

Comment 1 Marja Van Waes 2017-07-02 22:23:23 CEST
Assigning to the registered maintainer.

CC: (none) => marja11
Assignee: bugsquad => lists.jjorge

David Walser 2017-07-07 04:24:53 CEST

Whiteboard: MGA5TOO => MGA6TOO, MGA5TOO

Comment 2 David Walser 2017-10-22 17:29:34 CEST
LAME 3.100 has been announced today (October 22):
http://openwall.com/lists/oss-security/2017/10/21/7

I believe it fixes these issues.

Whiteboard: MGA6TOO, MGA5TOO => MGA5TOO
Version: Cauldron => 6

Comment 3 José Jorge 2017-10-22 19:05:35 CEST
It is in cauldron now, thanks to Peter Semiletov.
I will push it to Mageia 5 and 6, in updates testing for both now that mp3 patents have expired.

CC: (none) => lists.jjorge
Status: NEW => ASSIGNED

Comment 4 José Jorge 2017-10-22 19:24:55 CEST
Updates pushed, I suggest this advisory:

LAME 3.100 has been released including fixes to security vulnerabilities.
It is also now in Mageia 5 core media as the MP3 patents have expired.

References: http://openwall.com/lists/oss-security/2017/10/21/7

RPMS:
lame-3.100-1.mga[5-6].srpm

lame-3.100-1.mga[5-6].i586.rpm
libmp3lame0-3.100-1.mga[5-6].i586.rpm
libmp3lame-devel-3.100-1.mga[5-6].i586.rpm

lame-3.100-1.mga[5-6].x86_64.rpm
lib64mp3lame0-3.100-1.mga[5-6].x86_64.rpm
lib64mp3lame-devel-3.100-1.mga[5-6].x86_64.rpm

José Jorge 2017-10-22 19:25:07 CEST

Assignee: lists.jjorge => qa-bugs

Comment 5 David Walser 2017-10-22 19:54:15 CEST
I don't think it makes sense to build it in core for Mageia 5.  It's an already long-since released product and that doesn't really serve any purpose at this point (in fact it will probably lead to confusion to people expecting to find the good packages in tainted).  As for Cauldron, you built it in both, so it should be removed from tainted by a sysadmin.

Keywords: (none) => feedback

Comment 6 José Jorge 2017-10-22 21:17:01 CEST
(In reply to David Walser from comment #5)
> I don't think it makes sense to build it in core for Mageia 5.  It's an
> already long-since released product and that doesn't really serve any
> purpose at this point (in fact it will probably lead to confusion to people
> expecting to find the good packages in tainted).

I agree it is not clear as water, but I don't think so: if they search in Tainted, they will still find the old version. And then updates will upgrade this version automagically. So no confusion.

>  As for Cauldron, you built it in both, so it should be removed from tainted by a sysadmin.

This is a bug in our BS, I sent a message to sysadmin list.

Comment 7 Brian Rockwell 2017-10-23 18:17:52 CEST
MGA6 64-bit

The following 5 packages are going to be installed:

- glibc-devel-2.22-25.mga6.x86_64
- kernel-userspace-headers-4.9.50-1.mga6.x86_64
- lame-3.100-1.mga6.x86_64
- lib64mp3lame-devel-3.100-1.mga6.x86_64
- lib64mp3lame0-3.100-1.mga6.x86_64

10MB of additional disk space will be used.

4MB of packages will be retrieved.

Is it ok to continue?


 lame -v
LAME 64bits version 3.100 (http://lame.sf.net)

usage: lame [options] <infile> [outfile]

    <infile> and/or <outfile> can be "-", which means stdin/stdout.

Try:
     "lame --help"           for general usage information
 or:
     "lame --preset help"    for information on suggested predefined settings
 or:
     "lame --longhelp"
  or "lame -?"              for a complete options list

[brian@localhost ~]$


[brian@localhost sf_vmshared]$ lame -V9 '02 - Pete Bardens - Seascape.wav' '02 - Pete Bardens - Seascape.mp3'
LAME 3.100 64bits (http://lame.sf.net)
Resampling:  input 44.1 kHz  output 22.05 kHz
polyphase lowpass filter disabled
Encoding 02 - Pete Bardens - Seascape.wav to 02 - Pete Bardens - Seascape.mp3
Encoding as 22.05 kHz j-stereo MPEG-2 Layer III VBR(q=6.47451)
    Frame          |  CPU time/estim | REAL time/estim | play/CPU |    ETA 
 10223/10223 (100%)|    0:08/    0:08|    0:09/    0:09|   30.878x|    0:00 
  8 [  223] %**
 16 [   19] %
 24 [   19] %
 32 [   18] %
 40 [   27] %
 48 [   43] %
 56 [  336] %%**
 64 [ 5845] %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%******************************
 80 [ 2801] %%%%%%%%%%%%%%%%%%%%*************
 96 [  191] %%*
112 [   45] %
128 [   88] %*
144 [  266] %***
160 [  302] %%**
-------------------------------------------------------------------------------
   kbps        LR    MS  %     long switch short %
   72.8       53.9  46.1        84.9   8.6   6.5
Writing LAME Tag...done
ReplayGain: -0.7dB
[brian@localhost sf_vmshared]$


Now take the same mp3 and reprocess it.

[brian@localhost sf_vmshared]$ lame --mp3input -V9 '02 - Pete Bardens - Seascape.mp3' 'Seascape.mp3'
LAME 3.100 64bits (http://lame.sf.net)
polyphase lowpass filter disabled
Encoding 02 - Pete Bardens - Seascape.mp3 to Seascape.mp3
Encoding as 22.05 kHz j-stereo MPEG-2 Layer III VBR(q=6.47451)
    Frame          |  CPU time/estim | REAL time/estim | play/CPU |    ETA 
 10223/10223 (100%)|    0:07/    0:07|    0:07/    0:07|   38.025x|    0:00 
  8 [  224] %**
 16 [   16] %
 24 [   18] %
 32 [   21] %
 40 [   27] %
 48 [   46] %
 56 [  347] %%**
 64 [ 5913] %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%*****************************
 80 [ 2752] %%%%%%%%%%%%%%%%%%%%************
 96 [  194] %%*
112 [   44] %
128 [   83] %
144 [  249] %**
160 [  289] %%**
-------------------------------------------------------------------------------
   kbps        LR    MS  %     long switch short %
   72.5       54.3  45.7        85.7   8.2   6.2
Writing LAME Tag...done
ReplayGain: -0.7dB
[brian@localhost sf_vmshared]$

I went back and also processed at a higher resolution with no issues.

Working as designed.

Whiteboard: MGA5TOO => MGA5TOO mga6-64-ok
CC: (none) => brtians1

Comment 8 Brian Rockwell 2017-10-23 20:54:23 CEST
32-bit MGA6

[brian@localhost Music]$ lame -V3 '09 - Amin Bhatia - The Ship.wav' '09 - Amin Bhatia - The Ship.mp3'
LAME 3.100 32bits (http://lame.sf.net)
CPU features: MMX (ASM used), 3DNow! (ASM used), SSE, SSE2
Using polyphase lowpass filter, transition band: 17960 Hz - 18494 Hz
Encoding 09 - Amin Bhatia - The Ship.wav to 09 - Amin Bhatia - The Ship.mp3
Encoding as 44.1 kHz j-stereo MPEG-1 Layer III VBR(q=3)
    Frame          |  CPU time/estim | REAL time/estim | play/CPU |    ETA 
  6467/6467  (100%)|    0:07/    0:07|    0:07/    0:07|   22.884x|    0:00 
 32 [ 128] %**
 40 [   6] %
 48 [   0] 
 56 [   1] *
 64 [   3] %
 80 [   2] %
 96 [   9] %
112 [  13] %
128 [1544] %%%%%%%%%%%**************
160 [4237] %%%%%%%%%%%%%%%%%%%%%%%%%%%%%***************************************
192 [ 445] %%%%%***
224 [  42] %
256 [  30] %
320 [   7] %
-------------------------------------------------------------------------------
   kbps        LR    MS  %     long switch short %
  152.7       43.5  56.5        98.0   1.1   0.9
Writing LAME Tag...done
ReplayGain: +9.4dB
[brian@localhost Music]$

Whiteboard: MGA5TOO mga6-64-ok => MGA5TOO mga6-64-ok mga6-32-ok

Comment 9 PC LX 2017-10-26 20:57:21 CEST
Installed and tested without issues.

System: Mageia 5, x86_64, Intel CPU.

Tests involved encoding various wav files using several quality targets, playing the created mp3 with mplayer and checking the quality.

$ uname -a
Linux marte 4.4.92-desktop-1.mga5 #1 SMP Thu Oct 12 20:14:45 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -qa | egrep lame.*3.100
lame-3.100-1.mga5
lib64lame0-3.100-1.mga5
$ lame -V0 test.wav test.mp3
<SNIP>
$ mplayer test.mp3
<SNIP>

CC: (none) => mageia
Whiteboard: MGA5TOO mga6-64-ok mga6-32-ok => MGA5TOO mga6-64-ok mga6-32-ok MGA5-64-OK

Comment 10 Brian Rockwell 2017-11-19 05:40:31 CET
$ uname -a
Linux localhost 4.4.92-desktop-1.mga5 #1 SMP Thu Oct 12 20:29:18 UTC 2017 i686 i686 i686 GNU/Linux


The following 5 packages are going to be installed:

- glibc-devel-2.20-25.mga5.i586
- kernel-userspace-headers-4.4.92-1.mga5.i586
- lame-3.100-1.mga5.i586
- liblame-devel-3.100-1.mga5.i586
- liblame0-3.100-1.mga5.i586

10MB of additional disk space will be used.

3.7MB of packages will be retrieved.

Is it ok to continue?



[brian@localhost sf_vmshared]$ lame -V0 'beginning.wav' begin.mp3
LAME 3.100 32bits (http://lame.sf.net)
CPU features: MMX (ASM used), 3DNow! (ASM used), SSE, SSE2
polyphase lowpass filter disabled
Encoding beginning.wav to begin.mp3
Encoding as 48 kHz j-stereo MPEG-1 Layer III VBR(q=0)
    Frame          |  CPU time/estim | REAL time/estim | play/CPU |    ETA 
 10656/10656 (100%)|    0:13/    0:13|    0:16/    0:16|   19.013x|    0:00 
 32 [    1] *
 40 [    0] 
 48 [    0] 
 56 [    0] 
 64 [    0] 
 80 [    0] 
 96 [    2] %
112 [    2] %
128 [    4] %
160 [   17] %
192 [  328] %%%***
224 [ 2670] %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%***********
256 [ 4294] %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%************
320 [ 3338] %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%*****
-------------------------------------------------------------------------------
   kbps        LR    MS  %     long switch short %
  265.8       81.9  18.1        80.3   9.1  10.6
Writing LAME Tag...done
ReplayGain: -2.5dB

Whiteboard: MGA5TOO mga6-64-ok mga6-32-ok MGA5-64-OK => MGA5TOO mga6-64-ok mga6-32-ok MGA5-64-OK mga5-32-ok

Comment 11 PC LX 2017-11-29 22:34:47 CET
It has 4 OK (32 M5, 32 M6, 64 M5, 64 M6).
Does this bug need anything else? Any objections to me adding a "validated_update" to this?

Comment 12 David Walser 2017-11-29 23:50:48 CET
It needs to be removed from core on Mageia 5 and rebuilt in tainted, that's why it has the feedback marker.

Comment 13 José Jorge 2017-11-29 23:58:24 CET
(In reply to David Walser from comment #12)
> It needs to be removed from core on Mageia 5 and rebuilt in tainted, that's
> why it has the feedback marker.

I forgot that. So I've just submitted to tainted in MGA5, and we still need a sysadmin to do the rest.

I think it can be validated_updated now.

Keywords: feedback => (none)

Comment 14 Lewis Smith 2017-11-30 09:59:36 CET
Thanks to those who tested this so quickly.
I am validating it to get it off the main list.
It will not be pushed until the advisory is done; about which I am confused. The current bug RPMs link shows the 3 pkgs (& implicitly SRPMs) in 'core'. Should they appear twice, 'core' and 'tainted'? Or just the latter? For 'tainted', should there be a separate SRPM?
I will do the advisory [comment 4] once this is clarified.

CC: (none) => lewyssmith
Keywords: (none) => validated_update

Comment 15 David Walser 2017-11-30 16:09:22 CET
One SRPM each for Mageia 5 and 6.  Mageia 6 one will be listed under core: and Mageia 5 one will be listed under tainted: and have a .tainted at the end.

Comment 16 Dave Hodgins 2017-11-30 18:46:45 CET
I'll add the advisory to svn shortly

CC: (none) => davidwhodgins

Dave Hodgins 2017-11-30 18:54:10 CET

Keywords: (none) => advisory

Comment 17 Mageia Robot 2017-12-02 00:14:17 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2017-0434.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

Comment 18 David Walser 2018-03-03 21:19:30 CET
openSUSE has issued an advisory for this on February 26:
https://lists.opensuse.org/opensuse-updates/2018-02/msg00108.html

It shows that 3.100 in this update also fixed additional issues CVE-2017-9872, CVE-2017-11720, CVE-2017-13712, CVE-2017-15019, CVE-2017-941[0-2].

Comment 19 Lewis Smith 2018-03-04 11:17:35 CET
Advisory updated with the CVEs from comment 18.
