Fedora has issued an advisory on August 4:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/LIZBEBMU7CW7K7KQ53E4OPSRTR6DZRNO/
I'm not sure why Fedora has version 1.2.0 still, so I'm not sure if the issue was fixed upstream in 1.2.2. If not, Mageia 5 or Mageia 6 may be affected.
Assigning to all packagers collectively, since there is no registered maintainer for this package. CC'ing some committers.
CC: (none) => anssi.hannula, ghibomgx, marja11, olav
Assignee: bugsquad => pkg-bugs
Upstream patch added to libao-1.2.2-5.mga7 to fix this in Cauldron.
Version: Cauldron => 6
Advisory:
========================

Updated libao packages fix security vulnerability:

A flaw was found in libao. The _tokenize_matrix function in audio_out.c in Xiph.Org libao 1.2.0 can cause a denial of service (memory corruption) via a crafted mp3 file (CVE-2017-11548).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11548
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/LIZBEBMU7CW7K7KQ53E4OPSRTR6DZRNO/
========================

Updated packages in core/updates_testing:
========================
libao4-1.2.2-3.1.mga6
libao-devel-1.2.2-3.1.mga6

from libao-1.2.2-3.1.mga6.src.rpm
Assignee: pkg-bugs => qa-bugs
MGA6-32 on IBM Thinkpad R50e
No installation issues
No previous update bug found, so used
# urpmq --whatrequires libao4
and found a.o. cmus as dependent on it.
Installed cmus and (after googling how to run it)
$ strace -o libao.txt cmus
played a wav file in cmus and found refs to libao in the trace file.
OK for me.
Whiteboard: (none) => MGA6-32-OK
CC: (none) => herman.viaene
Keywords: (none) => advisory, validated_update
CC: (none) => lewyssmith, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2019-0018.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED