Fedora has issued an advisory on December 9: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/XGAZHDTXXL3RFRCNGE4XLOHD4MASNLBB/ The issues are fixed upstream in 0.4.2. Mageia 5 and Mageia 6 are also affected.
Whiteboard: (none) => MGA6TOO, MGA5TOO
Updating it on Mageia 5 would require rebuilding qmmp and both gstreamer bad plugins packages, so let's not do that. Upstream patch also doesn't apply. Updated to 0.4.2 in Cauldron by Rémi. Synced to Mageia 6 by me. Advisory: ======================== Updated wildmidi packages fix security vulnerabilities: The _WM_SetupMidiEvent function in internal_midi.c:2318 in WildMIDI before 0.4.2 can cause a denial of service(invalid memory read and application crash) via a crafted mid file (CVE-2017-11661). The _WM_ParseNewMidi function in f_midi.c in WildMIDI before 0.4.2 can cause a denial of service(invalid memory read and application crash) via a crafted mid file (CVE-2017-11662). The _WM_SetupMidiEvent function in internal_midi.c:2315 in WildMIDI before 0.4.2 can cause a denial of service(invalid memory read and application crash) via a crafted mid file (CVE-2017-11663). The _WM_SetupMidiEvent function in internal_midi.c:2122 in WildMIDI before 0.4.2 can cause a denial of service(invalid memory read and application crash) via a crafted mid file (CVE-2017-11664). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11661 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11662 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11663 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11664 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/XGAZHDTXXL3RFRCNGE4XLOHD4MASNLBB/ ======================== Updated packages in core/updates_testing: ======================== wildmidi-0.4.2-1.mga6 libwildmidi2-0.4.2-1.mga6 libwildmidi-devel-0.4.2-1.mga6 from wildmidi-0.4.2-1.mga6.src.rpm
QA Contact: (none) => securityAssignee: rverschelde => qa-bugsComponent: RPM Packages => SecurityWhiteboard: MGA6TOO, MGA5TOO => (none)CC: (none) => rverscheldeVersion: Cauldron => 6
Debian says 0.3.x isn't affected, so Mageia 5 is OK. Even better.
Installed and tested without issues. Tests: - Play a test midi (wildmidi -t). - Play a bunch of midi files (wildmidi *.mid). - Play a bunch of midi files and output to a wav file (wildmidi -o out.wav *.mid). System: Mageia 6, x86_64, Intel CPU. $ uname -a Linux marte 4.9.56-desktop-1.mga6 #1 SMP Thu Oct 12 22:55:31 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux $ rpm -q wildmidi lib64wildmidi2 timidity-patch-freepats wildmidi-0.4.2-1.mga6 lib64wildmidi2-0.4.2-1.mga6 timidity-patch-freepats-20060219-20.mga6 $ lspci | grep -i audio 00:1b.0 Audio device: Intel Corporation 82801JI (ICH10 Family) HD Audio Controller 01:00.1 Audio device: NVIDIA Corporation High Definition Audio Controller (rev a1)
CC: (none) => mageiaWhiteboard: (none) => MGA6-64-OK
Thank you PC_LX for the test. Advisoried, & good for validating.
Keywords: (none) => advisory, validated_updateCC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2018-0061.html
Resolution: (none) => FIXEDStatus: NEW => RESOLVED