openSUSE has issued an advisory on May 18:
https://lists.opensuse.org/opensuse-updates/2018-05/msg00067.html

Mageia 5 and Mageia 6 are also affected.
Whiteboard: (none) => MGA6TOO
Assigning to all packagers collectively, since there is no registered maintainer for this package.
CC: (none) => marja11, nicolas.salguero
Assignee: bugsquad => pkg-bugs
SUSE has issued an advisory on June 7:
http://lists.suse.com/pipermail/sle-security-updates/2018-June/004158.html

It fixes one additional issue.
Summary: libvorbis new security issues CVE-2017-14160 and CVE-2018-10393 => libvorbis new security issues CVE-2017-14160 and CVE-2018-1039[23]
openSUSE has issued an advisory on June 9 for that additional issue:
https://lists.opensuse.org/opensuse-updates/2018-06/msg00047.html
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

The bark_noise_hybridmp function in psy.c in Xiph.Org libvorbis 1.3.5 allows remote attackers to cause a denial of service (out-of-bounds access and application crash) or possibly have unspecified other impact via a crafted mp4 file. (CVE-2017-14160)

mapping0_forward in mapping0.c in Xiph.Org libvorbis 1.3.6 does not validate the number of channels, which allows remote attackers to cause a denial of service (heap-based buffer overflow or over-read) or possibly have unspecified other impact via a crafted file. (CVE-2018-10392)

bark_noise_hybridmp in psy.c in Xiph.Org libvorbis 1.3.6 has a stack-based buffer over-read. (CVE-2018-10393)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14160
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10392
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10393
https://lists.opensuse.org/opensuse-updates/2018-05/msg00067.html
http://lists.suse.com/pipermail/sle-security-updates/2018-June/004158.html
https://lists.opensuse.org/opensuse-updates/2018-06/msg00047.html
========================

Updated package in 5/core/updates_testing:
========================
lib(64)vorbis0-1.3.5-2.4.mga6
lib(64)vorbis-devel-1.3.5-2.4.mga6
lib(64)vorbisenc2-1.3.5-2.4.mga6
lib(64)vorbisfile3-1.3.5-2.4.mga6

from SRPMS:
libvorbis-1.3.5-2.4.mga6.src.rpm

Updated package in 6/core/updates_testing:
========================
lib(64)vorbis0-1.3.5-1.4.mga5
lib(64)vorbis-devel-1.3.5-1.4.mga5
lib(64)vorbisenc2-1.3.5-1.4.mga5
lib(64)vorbisfile3-1.3.5-1.4.mga5

from SRPMS:
libvorbis-1.3.5-1.4.mga5.src.rpm
CVE: (none) => CVE-2017-14160, CVE-2018-10392, CVE-2018-10393
Assignee: pkg-bugs => qa-bugs
Version: Cauldron => 6
Whiteboard: MGA6TOO => MGA5TOO
Status: NEW => ASSIGNED
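The package lists in the suggested advisory use the lib(64)name shorthand and give one fixed version-release per Mageia release. The script below, an added example for this thread rather than part of the bug report or of Mageia's QA tooling, expands that shorthand, parses rpm -qa style output and reports whether each installed libvorbis package is at the fixed build or still behind it. The rpm -qa listing is constructed sample data (the lower 2.3 release for the leftover 32-bit package is invented to show a negative result), and rpmvercmp() is a simplified reimplementation of rpm's version comparison that is sufficient for NEVRs of this shape, not a replacement for rpm's own.

```python
"""Check installed libvorbis RPMs against the fixed builds named in the advisory."""
import re

# Fixed (version, release) per Mageia release, taken from the advisory package lists.
FIXED = {"mga6": ("1.3.5", "2.4.mga6"), "mga5": ("1.3.5", "1.4.mga5")}

# Advisory shorthand: lib(64)foo stands for both the 32-bit and the 64-bit package.
PACKAGES = ["lib(64)vorbis0", "lib(64)vorbis-devel",
            "lib(64)vorbisenc2", "lib(64)vorbisfile3"]

_ARCH_SUFFIX = re.compile(r"\.(x86_64|i586|i686|noarch|aarch64|armv7hl)$")


def expand(shorthand):
    """'lib(64)vorbis0' -> ['libvorbis0', 'lib64vorbis0']."""
    return [shorthand.replace("(64)", ""), shorthand.replace("(64)", "64")]


def _segments(s):
    # rpm compares version strings segment by segment: runs of digits or of letters.
    return re.findall(r"\d+|[A-Za-z]+", s)


def rpmvercmp(a, b):
    """Simplified rpm version comparison: -1 if a < b, 0 if equal, 1 if a > b."""
    if a == b:
        return 0
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x == y:
            continue
        if x.isdigit() and y.isdigit():
            xi, yi = int(x), int(y)
            if xi != yi:
                return (xi > yi) - (xi < yi)
        elif x.isdigit() != y.isdigit():
            # rpm treats a numeric segment as newer than an alphabetic one.
            return 1 if x.isdigit() else -1
        else:
            return (x > y) - (x < y)
    # Whichever string still has segments left over is the newer one.
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def parse_nvr(line):
    """'lib64vorbis0-1.3.5-2.4.mga6.x86_64' -> ('lib64vorbis0', '1.3.5', '2.4.mga6')."""
    name, version, release = _ARCH_SUFFIX.sub("", line.strip()).rsplit("-", 2)
    return name, version, release


def audit(rpm_qa_output, mga_release):
    """Map each installed libvorbis package to True (fixed build or newer) or False."""
    fixed_version, fixed_release = FIXED[mga_release]
    wanted = {n for short in PACKAGES for n in expand(short)}
    status = {}
    for line in rpm_qa_output.splitlines():
        if not line.strip():
            continue
        name, version, release = parse_nvr(line)
        if name not in wanted:
            continue  # unrelated package, e.g. libogg
        # Compare the version first; only on a tie does the release decide.
        cmp = rpmvercmp(version, fixed_version) or rpmvercmp(release, fixed_release)
        status[name] = cmp >= 0
    return status


# Constructed stand-in for `rpm -qa 'lib*vorbis*' 'lib*ogg*'` on an mga6 x86_64 host
# where the 64-bit packages were updated but a 32-bit multilib libvorbis0 (with a
# lower, invented release number) was left behind.
SAMPLE_MGA6 = """\
lib64vorbis0-1.3.5-2.4.mga6.x86_64
lib64vorbis-devel-1.3.5-2.4.mga6.x86_64
lib64vorbisenc2-1.3.5-2.4.mga6.x86_64
lib64vorbisfile3-1.3.5-2.4.mga6.x86_64
libvorbis0-1.3.5-2.3.mga6.i586
lib64ogg0-1.3.2-4.mga6.x86_64
"""

if __name__ == "__main__":
    for pkg, ok in sorted(audit(SAMPLE_MGA6, "mga6").items()):
        print(f"{pkg:24} {'fixed' if ok else 'STILL BEHIND FIXED BUILD'}")
```

On a real host, feed the output of rpm -qa into audit() with the matching release key; a False entry means that package still needs the update from updates_testing.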
Mageia 6, x86_64

CVE-2017-14160
http://openwall.com/lists/oss-security/2017/09/21/2
Test is given but no link to a test file.
No other test-cases available from the other links.

'urpmq --whatrequires lib64vorbis0' returns a long list including mplayer, vlc, kodi, k3b, iceape, audacity and deadbeef. Have to run. Maybe somebody else would like to take this one.
CC: (none) => tarazed25
uname -a
Linux localhost 4.14.44-desktop-2.mga6 #1 SMP Mon May 28 23:51:04 UTC 2018 i686 i686 i686 GNU/Linux

Installed
libvorbis0-1.3.5-2.4
libvorbisenc2-1.3.5-2.4
libvorbisfile3-1.3.5-2.4

I've run:
mplayer against ogg files - working as designed
converted to a wav file using oggdec ---- really hard to tell which version it is hitting, but everything is working as designed.
Whiteboard: MGA5TOO => MGA5TOO mga6-32-ok
CC: (none) => brtians1
The lists of packages are switched in Comment 4.
CC: (none) => herman.viaene
MGA5-32 on Dell Latitude D600 Xfce
No installation issues
Opened .ogg file with audacity, strace shows call to libvorbis to import the file. Apparently no calls to libvorbis to save to .wav in audacity.
Used oggdec to convert the ogg file to wav. Get exactly the same size of file as from audacity and the resulting file plays OK in parole.
Seems OK.

To Brian: capitals are needed in whiteboard to OK your tests (should I tell you???). Correcting while I'm at it.
Whiteboard: MGA5TOO mga6-32-ok => MGA5TOO MGA5-32-OK MGA6-32-OK
Thanks Herman - I was banging my head trying to find tools that are confirmed to use libvorbis. Now I know, audacity!
CAPS - will try to do that correctly in the future.
I'll move on to 64-bit later today.
mga6-64

Rpmdrake or one of its priority dependencies needs to be updated first. Rpmdrake will then restart.
The following 8 packages are going to be installed:
- glibc-2.22-29.mga6.x86_64
- glibc-devel-2.22-29.mga6.x86_64
- kernel-userspace-headers-4.14.50-2.mga6.x86_64
- lib64ogg-devel-1.3.2-4.mga6.x86_64
- lib64vorbis-devel-1.3.5-2.4.mga6.x86_64
- lib64vorbis0-1.3.5-2.4.mga6.x86_64
- lib64vorbisenc2-1.3.5-2.4.mga6.x86_64
- lib64vorbisfile3-1.3.5-2.4.mga6.x86_64
10MB of additional disk space will be used.
9.4MB of packages will be retrieved.
Is it ok to continue?

Ran audacity against .ogg file
ran oggdec and it worked.
working as designed.
Whiteboard: MGA5TOO MGA5-32-OK MGA6-32-OK => MGA5TOO MGA5-32-OK MGA6-32-OK MGA6-64-OK
$ uname -a
Linux localhost 4.4.114-desktop-1.mga5 #1 SMP Wed Jan 31 19:24:17 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

mga5-64
Installed vorbis libraries
Audacity is working
Audacious is working
Working as designed with ogg files.
Whiteboard: MGA5TOO MGA5-32-OK MGA6-32-OK MGA6-64-OK => MGA5TOO MGA5-32-OK MGA6-32-OK MGA6-64-OK MGA5-64-OK
Validating. Advisoried.
Keywords: (none) => advisory, validated_update
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2018-0294.html
Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED
*** Bug 25684 has been marked as a duplicate of this bug. ***
*** Bug 25776 has been marked as a duplicate of this bug. ***
CC: (none) => zombie.ryushu