Details of several security issues in lame have been announced: http://openwall.com/lists/oss-security/2017/06/28/4 http://openwall.com/lists/oss-security/2017/06/28/5 http://openwall.com/lists/oss-security/2017/06/28/6 http://openwall.com/lists/oss-security/2017/06/28/7 http://openwall.com/lists/oss-security/2017/06/28/8 http://openwall.com/lists/oss-security/2017/06/28/9 http://openwall.com/lists/oss-security/2017/06/28/10 http://openwall.com/lists/oss-security/2017/06/28/11 I don't think there are fixes available yet. Mageia 5 is also affected. In other news, lame is in core/release in Mageia 6 and should be removed from tainted/release.
CC: (none) => sysadmin-bugsWhiteboard: (none) => MGA5TOO
Assigning to the registered maintainer.
CC: (none) => marja11Assignee: bugsquad => lists.jjorge
Whiteboard: MGA5TOO => MGA6TOO, MGA5TOO
LAME 3.100 has been announced today (October 22): http://openwall.com/lists/oss-security/2017/10/21/7 I believe it fixes these issues.
Whiteboard: MGA6TOO, MGA5TOO => MGA5TOOVersion: Cauldron => 6
It is in cauldron now, thanks to Peter Semiletov. I will push it to Mageia 5 and 6, in updates testing for both now that mp3 patents have expired.
CC: (none) => lists.jjorgeStatus: NEW => ASSIGNED
Updates pushed, I suggest this advisory : LAME 3.100 has been released including fixes to security vulnerabilities. It is also now in Mageia 5 core media as the MP3 patents have expired. References: http://openwall.com/lists/oss-security/2017/10/21/7 RPMS: lame-3.100-1.mga[5-6].srpm lame-3.100-1.mga[5-6].i586.rpm libmp3lame0-3.100-1.mga[5-6].i586.rpm libmp3lame-devel-3.100-1.mga[5-6].i586.rpm lame-3.100-1.mga[5-6].x86_64.rpm lib64mp3lame0-3.100-1.mga[5-6].x86_64.rpm lib64mp3lame-devel-3.100-1.mga[5-6].x86_64.rpm
Assignee: lists.jjorge => qa-bugs
I don't think it makes sense to build it in core for Mageia 5. It's an already long-since released product and that doesn't really serve any purpose at this point (in fact it will probably lead to confusion to people expecting to find the good packages in tainted). As for Cauldron, you built it in both, so it should be removed from tainted by a sysadmin.
Keywords: (none) => feedback
(In reply to David Walser from comment #5) > I don't think it makes sense to build it in core for Mageia 5. It's an > already long-since released product and that doesn't really serve any > purpose at this point (in fact it will probably lead to confusion to people > expecting to find the good packages in tainted). I agree it is not clear as water, but I don't think so : if they search in Tainted, they will still find the old version. And then updates will upgrade this version automagically. So no confusion. > As for Cauldron, you built it in both, so it should be removed from tainted by a sysadmin. This is a bug in our BS, I sent a message to sysadmin list.
MGA6 64-bit The following 5 packages are going to be installed: - glibc-devel-2.22-25.mga6.x86_64 - kernel-userspace-headers-4.9.50-1.mga6.x86_64 - lame-3.100-1.mga6.x86_64 - lib64mp3lame-devel-3.100-1.mga6.x86_64 - lib64mp3lame0-3.100-1.mga6.x86_64 10MB of additional disk space will be used. 4MB of packages will be retrieved. Is it ok to continue? lame -v LAME 64bits version 3.100 (http://lame.sf.net) usage: lame [options] <infile> [outfile] <infile> and/or <outfile> can be "-", which means stdin/stdout. Try: "lame --help" for general usage information or: "lame --preset help" for information on suggested predefined settings or: "lame --longhelp" or "lame -?" for a complete options list [brian@localhost ~]$ [brian@localhost sf_vmshared]$ lame -V9 '02 - Pete Bardens - Seascape.wav' '02 - Pete Bardens - Seascape.mp3' LAME 3.100 64bits (http://lame.sf.net) Resampling: input 44.1 kHz output 22.05 kHz polyphase lowpass filter disabled Encoding 02 - Pete Bardens - Seascape.wav to 02 - Pete Bardens - Seascape.mp3 Encoding as 22.05 kHz j-stereo MPEG-2 Layer III VBR(q=6.47451) Frame | CPU time/estim | REAL time/estim | play/CPU | ETA 10223/10223 (100%)| 0:08/ 0:08| 0:09/ 0:09| 30.878x| 0:00 8 [ 223] %** 16 [ 19] % 24 [ 19] % 32 [ 18] % 40 [ 27] % 48 [ 43] % 56 [ 336] %%** 64 [ 5845] %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%****************************** 80 [ 2801] %%%%%%%%%%%%%%%%%%%%************* 96 [ 191] %%* 112 [ 45] % 128 [ 88] %* 144 [ 266] %*** 160 [ 302] %%** ------------------------------------------------------------------------------- kbps LR MS % long switch short % 72.8 53.9 46.1 84.9 8.6 6.5 Writing LAME Tag...done ReplayGain: -0.7dB [brian@localhost sf_vmshared]$ Now take the same mp3 and reprocess it. [brian@localhost sf_vmshared]$ lame --mp3input -V9 '02 - Pete Bardens - Seascape.mp3' 'Seascape.mp3' LAME 3.100 64bits (http://lame.sf.net) polyphase lowpass filter disabled Encoding 02 - Pete Bardens - Seascape.mp3 to Seascape.mp3 Encoding as 22.05 kHz j-stereo MPEG-2 Layer III VBR(q=6.47451) Frame | CPU time/estim | REAL time/estim | play/CPU | ETA 10223/10223 (100%)| 0:07/ 0:07| 0:07/ 0:07| 38.025x| 0:00 8 [ 224] %** 16 [ 16] % 24 [ 18] % 32 [ 21] % 40 [ 27] % 48 [ 46] % 56 [ 347] %%** 64 [ 5913] %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%***************************** 80 [ 2752] %%%%%%%%%%%%%%%%%%%%************ 96 [ 194] %%* 112 [ 44] % 128 [ 83] % 144 [ 249] %** 160 [ 289] %%** ------------------------------------------------------------------------------- kbps LR MS % long switch short % 72.5 54.3 45.7 85.7 8.2 6.2 Writing LAME Tag...done ReplayGain: -0.7dB [brian@localhost sf_vmshared]$ I went back and also processed at a higher resolution with no issues. Working as designed.
Whiteboard: MGA5TOO => MGA5TOO mga6-64-okCC: (none) => brtians1
32-bit MGA6 [brian@localhost Music]$ lame -V3 '09 - Amin Bhatia - The Ship.wav' '09 - Amin Bhatia - The Ship.mp3' LAME 3.100 32bits (http://lame.sf.net) CPU features: MMX (ASM used), 3DNow! (ASM used), SSE, SSE2 Using polyphase lowpass filter, transition band: 17960 Hz - 18494 Hz Encoding 09 - Amin Bhatia - The Ship.wav to 09 - Amin Bhatia - The Ship.mp3 Encoding as 44.1 kHz j-stereo MPEG-1 Layer III VBR(q=3) Frame | CPU time/estim | REAL time/estim | play/CPU | ETA 6467/6467 (100%)| 0:07/ 0:07| 0:07/ 0:07| 22.884x| 0:00 32 [ 128] %** 40 [ 6] % 48 [ 0] 56 [ 1] * 64 [ 3] % 80 [ 2] % 96 [ 9] % 112 [ 13] % 128 [1544] %%%%%%%%%%%************** 160 [4237] %%%%%%%%%%%%%%%%%%%%%%%%%%%%%*************************************** 192 [ 445] %%%%%*** 224 [ 42] % 256 [ 30] % 320 [ 7] % ------------------------------------------------------------------------------- kbps LR MS % long switch short % 152.7 43.5 56.5 98.0 1.1 0.9 Writing LAME Tag...done ReplayGain: +9.4dB [brian@localhost Music]$
Whiteboard: MGA5TOO mga6-64-ok => MGA5TOO mga6-64-ok mga6-32-ok
Installed and tested without issues. System: Mageia 5, x86_64, Intel CPU. Tests involved encoding various wav files using several quality targets, playing the created mp3 with mplayer and check the quality. $ uname -a Linux marte 4.4.92-desktop-1.mga5 #1 SMP Thu Oct 12 20:14:45 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux $ rpm -qa | egrep lame.*3.100 lame-3.100-1.mga5 lib64lame0-3.100-1.mga5 $ lame -V0 test.wav test.mp3 <SNIP> $ mplayer test.mp3 <SNIP>
CC: (none) => mageiaWhiteboard: MGA5TOO mga6-64-ok mga6-32-ok => MGA5TOO mga6-64-ok mga6-32-ok MGA5-64-OK
$ uname -a Linux localhost 4.4.92-desktop-1.mga5 #1 SMP Thu Oct 12 20:29:18 UTC 2017 i686 i686 i686 GNU/Linux The following 5 packages are going to be installed: - glibc-devel-2.20-25.mga5.i586 - kernel-userspace-headers-4.4.92-1.mga5.i586 - lame-3.100-1.mga5.i586 - liblame-devel-3.100-1.mga5.i586 - liblame0-3.100-1.mga5.i586 10MB of additional disk space will be used. 3.7MB of packages will be retrieved. Is it ok to continue? [brian@localhost sf_vmshared]$ lame -V0 'beginning.wav' begin.mp3LAME 3.100 32bits (http://lame.sf.net) CPU features: MMX (ASM used), 3DNow! (ASM used), SSE, SSE2 polyphase lowpass filter disabled Encoding beginning.wav to begin.mp3 Encoding as 48 kHz j-stereo MPEG-1 Layer III VBR(q=0) Frame | CPU time/estim | REAL time/estim | play/CPU | ETA 10656/10656 (100%)| 0:13/ 0:13| 0:16/ 0:16| 19.013x| 0:00 32 [ 1] * 40 [ 0] 48 [ 0] 56 [ 0] 64 [ 0] 80 [ 0] 96 [ 2] % 112 [ 2] % 128 [ 4] % 160 [ 17] % 192 [ 328] %%%*** 224 [ 2670] %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%*********** 256 [ 4294] %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%************ 320 [ 3338] %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%***** ------------------------------------------------------------------------------- kbps LR MS % long switch short % 265.8 81.9 18.1 80.3 9.1 10.6 Writing LAME Tag...done ReplayGain: -2.5dB
Whiteboard: MGA5TOO mga6-64-ok mga6-32-ok MGA5-64-OK => MGA5TOO mga6-64-ok mga6-32-ok MGA5-64-OK mga5-32-ok
It has 4 OK (32 M5, 32 M6, 64 M5,64 M6). Does this bug need anything else? Any objections in me adding a "validated_update" to this?
It needs to be removed from core on Mageia 5 and rebuilt in tainted, that's why it has the feedback marker.
(In reply to David Walser from comment #12) > It needs to be removed from core on Mageia 5 and rebuilt in tainted, that's > why it has the feedback marker. I forgot that. So I've just submitted to tainted in MGA5, and we still need a sysadmin to do the rest. I think it can be validated_updated now.
Keywords: feedback => (none)
Thanks to those who tested this so quickly. I am validating it to get it off the main list. It will not be pushed until the advisory is done; about which I am confused. The current bug RPMs link shows the 3 pkgs (& implicitly SRPMs) in 'core'. Should they appear twice, 'core' and 'tainted'? Or just the latter? For 'tainted', should there be a separate SRPM? I will do the advisory [comment 4] once this is clarified.
CC: (none) => lewyssmithKeywords: (none) => validated_update
One SRPM each for Mageia 5 and 6. Mageia 6 one will be listed under core: and Mageia 5 one will be listed under tainted: and have a .tainted at the end.
I'll add the advisory to svn shortly
CC: (none) => davidwhodgins
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2017-0434.html
Status: ASSIGNED => RESOLVEDResolution: (none) => FIXED
openSUSE has issued an advisory for this on February 26: https://lists.opensuse.org/opensuse-updates/2018-02/msg00108.html It shows that 3.100 in this update also fixed additional issues CVE-2017-9872, CVE-2017-11720, CVE-2017-13712, CVE-2017-15019, CVE-2017-941[0-2].
Advisory updated with the CVEs from comment 18.