Firefox 52.7.2 has been released today (March 16):
https://www.mozilla.org/en-US/firefox/52.7.2/releasenotes/

It includes a security fix for libvorbis:
https://www.mozilla.org/en-US/security/advisories/mfsa2018-08/
http://openwall.com/lists/oss-security/2018/03/16/4

Patched packages uploaded for Mageia 5, Mageia 6, and Cauldron.

Advisory:
========================

Updated libvorbis packages fix security vulnerability:

libvorbis can write out of bounds on codebook decoding when processing malformed Vorbis audio data (CVE-2018-5146).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5146
https://www.mozilla.org/en-US/security/advisories/mfsa2018-08/
http://openwall.com/lists/oss-security/2018/03/16/4
========================

Updated packages in core/updates_testing:
========================
libvorbis0-1.3.5-1.3.mga5
libvorbis-devel-1.3.5-1.3.mga5
libvorbisenc2-1.3.5-1.3.mga5
libvorbisfile3-1.3.5-1.3.mga5
libvorbis0-1.3.5-2.3.mga6
libvorbis-devel-1.3.5-2.3.mga6
libvorbisenc2-1.3.5-2.3.mga6
libvorbisfile3-1.3.5-2.3.mga6

from SRPMS:
libvorbis-1.3.5-1.3.mga5.src.rpm
libvorbis-1.3.5-2.3.mga6.src.rpm
Whiteboard: (none) => MGA5TOO
Blocks: (none) => 22776
$ uname -a
Linux localhost 4.4.114-desktop-1.mga5 #1 SMP Wed Jan 31 19:24:17 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

The following 7 packages are going to be installed:

- glibc-devel-2.20-27.mga5.x86_64
- kernel-userspace-headers-4.4.114-1.mga5.x86_64
- lib64ogg-devel-1.3.2-3.mga5.x86_64
- lib64vorbis-devel-1.3.5-1.3.mga5.x86_64
- lib64vorbis0-1.3.5-1.3.mga5.x86_64
- lib64vorbisenc2-1.3.5-1.3.mga5.x86_64
- lib64vorbisfile3-1.3.5-1.3.mga5.x86_64

9.7MB of additional disk space will be used.
3.8MB of packages will be retrieved.
Is it ok to continue?

I used ffmpeg to encode (after reboot).

$ ffmpeg -i begin.flac -c:a libvorbis begin.ogg

working as designed.
CC: (none) => brtians1
Whiteboard: MGA5TOO => MGA5TOO mga5-64-ok
Keywords: (none) => advisory
Installed and tested without issues.

Tests used the vorbis-tools and involved decoding existing ogg files to wav files, encoding the wav files back to ogg files, and playing the resulting ogg files.

$ uname -a
Linux marte 4.14.25-desktop-1.mga6 #1 SMP Fri Mar 9 19:48:35 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -qa | grep vorbis | sort
lib64vorbis0-1.3.5-2.3.mga6
lib64vorbisenc2-1.3.5-2.3.mga6
lib64vorbisfile3-1.3.5-2.3.mga6
libvorbis0-1.3.5-2.3.mga6
libvorbisenc2-1.3.5-2.3.mga6
libvorbisfile3-1.3.5-2.3.mga6
vorbis-tools-1.4.0-12.mga6
$ strace -o ogg123.strace ogg123 *.ogg
<SNIP>
$ grep libvorbis ogg123.strace | grep -v ENOENT
open("/usr/lib64/libvorbisfile.so.3", O_RDONLY|O_CLOEXEC) = 3
open("/usr/lib64/libvorbis.so.0", O_RDONLY|O_CLOEXEC) = 3
open("/lib64/libvorbisenc.so.2", O_RDONLY|O_CLOEXEC) = 4
$ for U in *.ogg ; do oggdec -o "$U.wav" "$U" ; oggenc -q 6 -o "$U.2.ogg" "$U.wav" ; ogg123 "$U.2.ogg" ; done
<SNIP>
CC: (none) => mageia
Whiteboard: MGA5TOO mga5-64-ok => MGA5TOO MGA5-64-OK MGA6-64-OK
$ uname -a
Linux localhost 4.4.114-desktop-1.mga5 #1 SMP Wed Jan 31 20:41:03 UTC 2018 i686 i686 i686 GNU/Linux

The following 7 packages are going to be installed:

- glibc-devel-2.20-27.mga5.i586
- kernel-userspace-headers-4.4.114-1.mga5.i586
- libogg-devel-1.3.2-3.mga5.i586
- libvorbis-devel-1.3.5-1.3.mga5.i586
- libvorbis0-1.3.5-1.3.mga5.i586
- libvorbisenc2-1.3.5-1.3.mga5.i586
- libvorbisfile3-1.3.5-1.3.mga5.i586

9.3MB of additional disk space will be used.
3.7MB of packages will be retrieved.

Ran the following commands:

ffmpeg -i begin.flac -c:a libvorbis in_the_begining.ogg
ffmpeg -c:a libvorbis -i in_the_begining.ogg begginning.flac
ffmpeg -i beginning.wav -c:a libvorbis in_the_begining_wav.ogg

all of the files played using mplayer and sounded fine.
(In reply to PC LX from comment #2)
> Installed and tested without issues.
>
> Tests used the vorbis-tools and involved decoding existing ogg files to wav
> files, encoding the wav files back to ogg files, and playing the resulting
> ogg files.
>
> $ uname -a
> Linux marte 4.14.25-desktop-1.mga6 #1 SMP Fri Mar 9 19:48:35 UTC 2018 x86_64
> x86_64 x86_64 GNU/Linux
> $ rpm -qa | grep vorbis | sort
> lib64vorbis0-1.3.5-2.3.mga6
> lib64vorbisenc2-1.3.5-2.3.mga6
> lib64vorbisfile3-1.3.5-2.3.mga6
> libvorbis0-1.3.5-2.3.mga6
> libvorbisenc2-1.3.5-2.3.mga6
> libvorbisfile3-1.3.5-2.3.mga6
> vorbis-tools-1.4.0-12.mga6
> $ strace -o ogg123.strace ogg123 *.ogg
> <SNIP>
> $ grep libvorbis ogg123.strace | grep -v ENOENT
> open("/usr/lib64/libvorbisfile.so.3", O_RDONLY|O_CLOEXEC) = 3
> open("/usr/lib64/libvorbis.so.0", O_RDONLY|O_CLOEXEC) = 3
> open("/lib64/libvorbisenc.so.2", O_RDONLY|O_CLOEXEC) = 4
> $ for U in *.ogg ; do oggdec -o "$U.wav" "$U" ; oggenc -q 6 -o "$U.2.ogg"
> "$U.wav" ; ogg123 "$U.2.ogg" ; done
> <SNIP>

Where did you find oggenc? I was looking for that one.
Whiteboard: MGA5TOO MGA5-64-OK MGA6-64-OK => MGA5TOO MGA5-64-OK MGA6-64-OK MGA5-32-OK
oggenc is in vorbis-tools package.

Use the command "urpmf --files SOMEFILE" to find files in the enabled repositories.

$ urpmf --files oggenc | sort -u
fish:/usr/share/fish/completions/oggenc.fish
man-pages-de:/usr/share/man/de/man1/oggenc.1.xz
man-pages-fr:/usr/share/man/fr/man1/oggenc.1.xz
vorbis-tools:/usr/bin/oggenc
vorbis-tools:/usr/share/man/man1/oggenc.1.xz
Thanks to you both for the testing. I see no reason not to validate this update.
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2018-0179.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED
Blocks: (none) => 22904
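
Added example (not part of the bug report or of Mageia's tooling): a shell check that classifies installed libvorbis library packages against the fixed releases named in the advisory at the top of this report, 1.3.5-1.3.mga5 and 1.3.5-2.3.mga6. The function names and the sample package list are constructed for illustration, and `sort -V` is assumed to be an adequate approximation of RPM's version ordering for these version strings.

```sh
#!/bin/sh
# Fixed version.release per distro tag, taken from the advisory:
# 1.3.5-1.3.mga5 and 1.3.5-2.3.mga6 (written with dots for sort -V).
fixed_for_dist() {
    case "$1" in
        mga5) echo "1.3.5.1.3" ;;
        mga6) echo "1.3.5.2.3" ;;
        *)    echo "" ;;   # no fixed release stated on the page
    esac
}

# Reads `rpm -qa`-style lines on stdin, prints "<package> <STATUS>".
vorbis_patch_status() {
    while IFS= read -r pkg; do
        case "$pkg" in   # only the library packages listed in the advisory
            libvorbis[0-9-]*|lib64vorbis[0-9-]*) ;;
            libvorbisenc*|lib64vorbisenc*|libvorbisfile*|lib64vorbisfile*) ;;
            *) continue ;;
        esac
        case "$pkg" in   # drop an optional architecture suffix
            *.x86_64|*.i586|*.noarch) pkg=${pkg%.*} ;;
        esac
        rel=${pkg##*-}; rest=${pkg%-*}; ver=${rest##*-}
        have="$ver.${rel%.*}"
        fixed=$(fixed_for_dist "${rel##*.}")
        if [ -z "$fixed" ]; then
            echo "$pkg UNKNOWN"
            continue
        fi
        # sort -V approximates RPM version ordering; the lower one sorts first.
        lowest=$(printf '%s\n%s\n' "$fixed" "$have" | sort -V | head -n 1)
        if [ "$lowest" = "$fixed" ]; then
            echo "$pkg PATCHED"
        else
            echo "$pkg VULNERABLE"
        fi
    done
}

# Constructed sample input (not taken from a real host).
sample_packages() {
    cat <<'EOF'
lib64vorbis0-1.3.5-2.3.mga6
libvorbisfile3-1.3.5-1.2.mga5
vorbis-tools-1.4.0-12.mga6
lib64vorbis-devel-1.3.5-1.3.mga5.x86_64
libvorbis0-1.3.6-1.mga7
EOF
}

sample_packages | vorbis_patch_status
```

On a real host the input would come from `rpm -qa | vorbis_patch_status`; a running player still needs a restart before it maps the updated library.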