openSUSE has issued an advisory on March 30: https://lists.opensuse.org/opensuse-updates/2018-03/msg00118.html Mageia 5 and Mageia 6 are also affected.
Whiteboard: (none) => MGA6TOO
Assigning to the registered maintainer.
CC: (none) => marja11Assignee: bugsquad => shlomif
aubio-0.4.2-2.1.mga6 libaubio4-0.4.2-2.1.mga6 libaubio-devel-0.4.2-2.1.mga6 python-aubio-0.4.2-2.1.mga6 from aubio-0.4.2-2.1.mga6.src.rpm built for Mageia 6 by Shlomi. I don't recall seeing a Cauldron build.
(In reply to David Walser from comment #2) > aubio-0.4.2-2.1.mga6 > libaubio4-0.4.2-2.1.mga6 > libaubio-devel-0.4.2-2.1.mga6 > python-aubio-0.4.2-2.1.mga6 > > from aubio-0.4.2-2.1.mga6.src.rpm > > built for Mageia 6 by Shlomi. I don't recall seeing a Cauldron build. sorry - I submitted it for cauldron now.
Advisory: ======================== Updated aubio packages fix security vulnerability: Specially crafted wav files could have been used to cause an application crash (CVE-2017-17054). References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17054 https://lists.opensuse.org/opensuse-updates/2018-03/msg00118.html ======================== Updated packages in core/updates_testing: ======================== aubio-0.4.2-2.1.mga6 libaubio4-0.4.2-2.1.mga6 libaubio-devel-0.4.2-2.1.mga6 python-aubio-0.4.2-2.1.mga6 from aubio-0.4.2-2.1.mga6.src.rpm
Assignee: shlomif => qa-bugsVersion: Cauldron => 6Whiteboard: MGA6TOO => (none)CC: (none) => shlomif
Mageia6, x86_64 Installed aubio and looked for documentation. It installs as a set of tools which operate on audio files, returning information on pitch and other parameters. /bin/aubiocut* /bin/aubiomfcc* /bin/aubionotes* /bin/aubioonset* /bin/aubiopitch* /bin/aubioquiet* /bin/aubiotrack* These all respond to --help. From the aubio site https://aubio.org/ "aubio is a tool designed for the extraction of annotations from audio signals. Its features include segmenting a sound file before each of its attacks, performing pitch detection, tapping the beat and producing midi streams from live audio." Unfamiliar territory. There is a PoC at https://bugzilla.suse.com/show_bug.cgi?id=1070399. CVE-2017-17054 $ aubioquiet -i id000007,sig08,src000068,opext_AO,pos48 Before updating: $ aubioquiet -i id000007,sig08,src000068,opext_AO,pos48 AUBIO ERROR: source_sndfile: Failed opening id000007,sig08,src000068,opext_AO,pos48: Error in WAV file. No 'data' chunk marker. AUBIO ERROR: source_wavread: data RIFF header not found in id000007,sig08,src000068,opext_AO,pos48 AUBIO ERROR: source: failed creating aubio source with id000007,sig08,src000068,opext_AO,pos48 at samplerate 0 with hop_size 256 Error: could not open input file id000007,sig08,src000068,opext_AO,pos48 After updating: $ aubioquiet -i id000007,sig08,src000068,opext_AO,pos48 AUBIO ERROR: source_sndfile: Failed opening id000007,sig08,src000068,opext_AO,pos48: Error in WAV file. No 'data' chunk marker. AUBIO ERROR: source_wavread: Failed opening id000007,sig08,src000068,opext_AO,pos48 (samplerate can not be 0) AUBIO ERROR: source: failed creating aubio source with id000007,sig08,src000068,opext_AO,pos48 at samplerate 0 with hop_size 256 Error: could not open input file id000007,sig08,src000068,opext_AO,pos48 There is a difference between the output which might confirm that the fix is working. Running some of the tools with the -i switch to indicate an input file returns numbers which would probably make sense to a sound engineer. $ aubioquiet -i organ4-1-1.wav NOISY: 1.160998 $ aubiotrack -i Three_Parts_upon_a_Ground.wav 1.864422 2.425351 3.011383 3.310181 3.609002 3.907800 4.206621 4.875510 5.328866 ......... $ aubiopitch -o test -i PadstowMaySong.wav produced a binary data file called test. $ file test test: RIFF (little-endian) data, WAVE audio, Microsoft PCM, 16 bit, mono 44100 Hz $ play test test: File Size: 21.0M Bit Rate: 706k Encoding: Signed PCM Channels: 1 @ 16-bit Samplerate: 44100Hz Replaygain: off Duration: 00:03:57.62 ................... The original WAV file held about 42 MB. test weighed in at about half that and the sound was considerably degraded so RIFF is probably not intended to be played as is. This can be considered as a working package however.
CC: (none) => tarazed25Whiteboard: (none) => MGA6-64-OK
Keywords: (none) => advisory, validated_updateCC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2018-0194.html
Status: NEW => RESOLVEDResolution: (none) => FIXED