Bug 23178 - taglib new security issue CVE-2018-11439
Summary: taglib new security issue CVE-2018-11439
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 6
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA5TOO MGA5-32-OK MGA6-32-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2018-06-13 23:51 CEST by David Walser
Modified: 2018-07-01 19:18 CEST (History)
8 users (show)

See Also:
Source RPM: taglib-1.11.1-2.mga7.src.rpm
CVE: CVE-2018-11439
Status comment:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description David Walser 2018-06-13 23:51:57 CEST 
openSUSE has issued an advisory today (June 13):
https://lists.opensuse.org/opensuse-updates/2018-06/msg00084.html

Mageia 6 is also affected.  Mageia 5 may also be.
David Walser 2018-06-13 23:52:11 CEST

Whiteboard: (none) => MGA6TOO

Comment 1 Marja Van Waes 2018-06-14 10:51:07 CEST 
Assigning to all packagers collectively, since there is no registered maintainer for this package.

CC'ing some committers.

Assignee: bugsquad => pkg-bugs
CC: (none) => geiger.david68210, mageia, marja11, shlomif

Comment 2 Nicolas Salguero 2018-06-19 13:57:25 CEST 
Suggested advisory:
========================

The updated packages fix a security vulnerability:

The TagLib::Ogg::FLAC::File::scan function in oggflacfile.cpp in TagLib 1.11.1 allows remote attackers to cause information disclosure (heap-based buffer over-read) via a crafted audio file. (CVE-2018-11439)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11439
https://lists.opensuse.org/opensuse-updates/2018-06/msg00084.html
========================

Updated package in 5/core/updates_testing:
========================
lib(64)taglib1-1.9.1-4.1.mga5
lib(64)taglib_c0-1.9.1-4.1.mga5
lib(64)taglib-devel-1.9.1-4.1.mga5

from SRPMS:
taglib-1.9.1-4.1.mga5.src.rpm

Updated package in 6/core/updates_testing:
========================
lib(64)taglib1-1.11.1-1.2.mga6
lib(64)taglib_c0-1.11.1-1.2.mga6
lib(64)taglib-devel-1.11.1-1.2.mga6

from SRPMS:
taglib-1.11.1-1.2.mga6.src.rpm

Version: Cauldron => 6
CC: (none) => nicolas.salguero
CVE: (none) => CVE-2018-11439
Status: NEW => ASSIGNED
Whiteboard: MGA6TOO => MGA5TOO
Assignee: pkg-bugs => qa-bugs

Comment 3 Herman Viaene 2018-06-22 14:49:18 CEST 
MGA5-32 on Dell Latitude D600 Xfce
No installation issues.
Checked contents of metadata of an .ogg file in audacity.
Run eaytag with strace and change a data item in the tags. Libtag found in trace file.
Checked contents of metadata again of this .ogg file in audacity. Found change made. Seems OK.

CC: (none) => herman.viaene
Whiteboard: MGA5TOO => MGA5TOO MGA5-32-OK

Comment 4 Herman Viaene 2018-06-30 14:30:28 CEST 
MGA6-32 on IBM Thinkpad R50e MATE
No installation issues.
Same test as above Comment 3 using currently official version of easytag. Works OK.

Whiteboard: MGA5TOO MGA5-32-OK => MGA5TOO MGA5-32-OK MGA6-32-OK

Comment 5 Dave Hodgins 2018-07-01 00:36:29 CEST 
Advisory committed to svn. Validating the update.

Keywords: (none) => advisory, validated_update
CC: (none) => davidwhodgins, sysadmin-bugs

Comment 6 Mageia Robot 2018-07-01 19:18:26 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0300.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED
Note You need to log in before you can comment on or make changes to this bug.