openSUSE has issued an advisory today (May 2):
https://lists.opensuse.org/opensuse-updates/2018-05/msg00002.html

Mageia 5 and Mageia 6 are also affected.
Whiteboard: (none) => MGA6TOO, MGA5TOO
Assigning to the registered maintainer.
Assignee: bugsquad => rverschelde
CC: (none) => marja11
Patched packages uploaded for Mageia 5, Mageia 6, and Cauldron.

Advisory:
========================

Updated flac packages fix security vulnerability:

Memory leak in read_metadata_vorbiscomment_() function could lead to denial of service (CVE-2017-6888).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6888
https://lists.opensuse.org/opensuse-updates/2018-05/msg00002.html
========================

Updated packages in core/updates_testing:
========================
flac-1.3.2-1.1.mga5
libflac8-1.3.2-1.1.mga5
libflac-devel-1.3.2-1.1.mga5
libflac++6-1.3.2-1.1.mga5
libflac++-devel-1.3.2-1.1.mga5
flac-1.3.2-1.1.mga6
libflac8-1.3.2-1.1.mga6
libflac-devel-1.3.2-1.1.mga6
libflac++6-1.3.2-1.1.mga6
libflac++-devel-1.3.2-1.1.mga6

from SRPMS:
flac-1.3.2-1.1.mga5.src.rpm
flac-1.3.2-1.1.mga6.src.rpm
Version: Cauldron => 6
Whiteboard: MGA6TOO, MGA5TOO => MGA5TOO
Assignee: rverschelde => qa-bugs
Installed and tested without issues.

System: Mageia 6, x86_64, Intel CPU.

Tested using the following script on a few dozen pre-existing flac files.

    #!/bin/sh
    for U in *.flac ; do
        cp "$U" test.flac
        flac -t test.flac
        flac -d --delete-input-file test.flac
        flac -8 --delete-input-file test.wav
        flac -t test.flac
        mplayer test.flac
        rm -f test.flac
    done

    $ uname -a
    Linux marte 4.14.38-desktop-1.mga6 #1 SMP Mon Apr 30 13:15:08 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
    $ rpm -qa | egrep '^(lib(64)?)?flac'
    flac-1.3.2-1.1.mga6
    libflac8-1.3.2-1.1.mga6
    lib64flac++6-1.3.2-1.1.mga6
    lib64flac8-1.3.2-1.1.mga6
CC: (none) => mageia
Whiteboard: MGA5TOO => MGA5TOO MGA6-64-OK
Testing M5 x64

UPDATED flac packages:
flac-1.3.2-1.1.mga5
lib64flac8-1.3.2-1.1.mga5
lib64flac++6-1.3.2-1.1.mga5

I downloaded some FLAC files from the Internet, of different qualities. Then shamelessly copied PC_LX's script above; thank you for that! Listened to the final outputs, they sounded OK.

    $ flac -t test.flac [test the file]
    ...
    test.flac: ok
    $ flac -d --delete-input-file test.flac [decode it]
    ...
    test.flac: done
    $ flac -8 --delete-input-file test.wav [encode & compress it]
    ...
    test.wav: wrote 16217655 bytes, ratio=0.6273
    $ flac -t test.flac [test the file]
    ...
    test.flac: ok

mplayer output lots of complaints about various things, but played the tracks OK.

Update good.
Whiteboard: MGA5TOO MGA6-64-OK => MGA5TOO MGA6-64-OK MGA5-64-OK
Keywords: (none) => advisory, validated_update
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2018-0227.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
CVE-2020-0487 is a duplicate of CVE-2017-6888:
https://lists.suse.com/pipermail/sle-security-updates/2020-December/008120.html