Fedora has issued an advisory on October 2: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/CCLUAGAEWOQKRY2C6HLTXT5WWTWSTNIP/ Mageia 6 is also affected.
Whiteboard: (none) => MGA6TOO
Assigning to the registered maintainer.
CC: (none) => marja11
Assignee: bugsquad => shlomif
Status comment: (none) => Fedora patch needs to be reconciled with ours
Fixed in mad-0.15.1b-26.mga7 by Shlomi. Thanks Shlomi!

Patched package also uploaded for Mageia 6.

Advisory:
========================

Updated mad packages fix security vulnerabilities:

The mad_decoder_run function in decoder.c in libmad 0.15.1b allows remote attackers to cause a denial of service (memory corruption) via a crafted MP3 file (CVE-2017-11552).

The mad_decoder_run() function in decoder.c in Underbit libmad through 0.15.1b allows attackers to cause a denial of service (SIGABRT because of double free or corruption) or possibly have unspecified other impact via a crafted file (CVE-2018-7263).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11552
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7263
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/CCLUAGAEWOQKRY2C6HLTXT5WWTWSTNIP/
========================

Updated packages in core/updates_testing:
========================
libmad0-0.15.1b-22.2.mga6
libmad-devel-0.15.1b-22.2.mga6

from mad-0.15.1b-22.2.mga6.src.rpm
Assignee: shlomif => qa-bugs
Whiteboard: MGA6TOO => (none)
Status comment: Fedora patch needs to be reconciled with ours => (none)
CC: (none) => shlomif
Version: Cauldron => 6
MGA6-32 MATE on IBM Thinkpad R50e
No installation issues
# urpmq --whatrequires libmad0
gives a long list, I picked mplayer from it, so
$ strace -o libmad.txt mplayer ~/Video\'s/canvas1verkort1.mpg
Creating config file: /home/tester6/.mplayer/config
MPlayer 1.3.0-13.mga6.tainted-5.5.0 (C) 2000-2016 MPlayer Team
File plays OK. I stopped the viewing after about 1 min (it is about 45 min long) and checked the trace file and found references to libmad.so.
OK for me.
CC: (none) => herman.viaene
Whiteboard: (none) => MGA6-32-OK
Keywords: (none) => advisory, validated_update
CC: (none) => davidwhodgins, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2019-0078.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED
This update caused a regression in qmmp. The sound becomes distorted with pops and clicks. The distortion is independent of the output method. The previous version (lib64mad0-0.15.1b-22.1.mga6.x86_64) works correctly.

I have downgraded the package so there is no problem for me (other than the unlikely security ones). Will let others decide if it is worth reopening this issue.

System: Mageia 6, x86_64, Plasma DE, LXQt DE, Intel CPU, nVidia GPU using nvidia340 proprietary driver.

$ journalctl | grep lib64mad
Fev 14 09:01:05 marte [RPM][3031]: erase lib64mad0-0.15.1b-22.1.mga6.x86_64: success
Fev 14 09:01:28 marte [RPM][3031]: install lib64mad0-0.15.1b-22.2.mga6.x86_64: success
Fev 14 09:01:28 marte [RPM][3031]: erase lib64mad0-0.15.1b-22.1.mga6.x86_64: success
Fev 14 09:01:54 marte [RPM][3031]: install lib64mad0-0.15.1b-22.2.mga6.x86_64: success
Fev 14 09:59:28 marte msec[8580]: - Added packages : lib64mad0-0.15.1b-22.2.mga6
Fev 14 09:59:28 marte msec[8603]: - Removed packages : lib64mad0-0.15.1b-22.1.mga6
Fev 15 09:38:21 marte urpmi[3765]: called with: --downgrade lib64mad0-0.15.1b-22.1.mga6
Fev 15 09:38:30 marte [RPM][3765]: erase lib64mad0-0.15.1b-22.2.mga6.x86_64: success
Fev 15 09:38:31 marte [RPM][3765]: install lib64mad0-0.15.1b-22.1.mga6.x86_64: success
Fev 15 09:38:32 marte [RPM][3765]: erase lib64mad0-0.15.1b-22.2.mga6.x86_64: success
Fev 15 09:38:32 marte [RPM][3765]: install lib64mad0-0.15.1b-22.1.mga6.x86_64: success
CC: (none) => mageia
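The downgrade above leaves the host on a build that predates the advisory. As an added example (not from this bug or the Mageia tooling), the following replays the quoted journalctl RPM lines to find which lib64mad0 build is left installed and checks it against the fixed build from the advisory; the log excerpt is constructed from the lines quoted in the comment, and the version comparison is a simplified rpm-style comparison sufficient for these release strings.

```python
import re
from typing import Optional

# Constructed excerpt of the journalctl lines quoted in the regression report.
JOURNAL = """\
Fev 14 09:01:05 marte [RPM][3031]: erase lib64mad0-0.15.1b-22.1.mga6.x86_64: success
Fev 14 09:01:28 marte [RPM][3031]: install lib64mad0-0.15.1b-22.2.mga6.x86_64: success
Fev 14 09:59:28 marte msec[8580]: - Added packages : lib64mad0-0.15.1b-22.2.mga6
Fev 15 09:38:21 marte urpmi[3765]: called with: --downgrade lib64mad0-0.15.1b-22.1.mga6
Fev 15 09:38:30 marte [RPM][3765]: erase lib64mad0-0.15.1b-22.2.mga6.x86_64: success
Fev 15 09:38:31 marte [RPM][3765]: install lib64mad0-0.15.1b-22.1.mga6.x86_64: success
"""

# Fixed 64-bit build for Mageia 6, matching the advisory's 22.2.mga6 release.
FIXED = "lib64mad0-0.15.1b-22.2.mga6"

# "[RPM][pid]: install|erase name-version-release.arch: success"
RPM_RE = re.compile(r"\[RPM\]\[\d+\]: (install|erase) (\S+)\.(?:x86_64|i586|noarch): success$")
# name-version-release: the last two dash-separated fields are version and release.
NVR_RE = re.compile(r"^(.+)-([^-]+)-([^-]+)$")
SEG_RE = re.compile(r"\d+|[A-Za-z]+")

def split_nvr(nvr: str):
    m = NVR_RE.match(nvr)
    if not m:
        raise ValueError(f"not an N-V-R string: {nvr}")
    return m.group(1), m.group(2), m.group(3)

def vercmp(a: str, b: str) -> int:
    """Simplified rpm-style compare: digit runs numerically, letter runs lexically,
    a numeric segment outranks an alphabetic one (assumption: adequate here)."""
    sa, sb = SEG_RE.findall(a), SEG_RE.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        if x.isdigit():
            x, y = int(x), int(y)
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def final_installed(journal: str, name: str) -> Optional[str]:
    """Replay install/erase events for `name`; return the N-V-R left installed, or None."""
    installed = None
    for line in journal.splitlines():
        m = RPM_RE.search(line)
        if not m:
            continue
        action, nvr = m.groups()
        if split_nvr(nvr)[0] != name:
            continue
        if action == "install":
            installed = nvr
        elif installed == nvr:  # erase of the build currently recorded as installed
            installed = None
    return installed

def is_fixed(installed_nvr: str, fixed_nvr: str) -> bool:
    """True when the installed version-release is at or above the advisory's build."""
    _, iv, ir = split_nvr(installed_nvr)
    _, fv, fr = split_nvr(fixed_nvr)
    c = vercmp(iv, fv) or vercmp(ir, fr)
    return c >= 0
```

Running `final_installed(JOURNAL, "lib64mad0")` on the excerpt yields the 22.1.mga6 build, which `is_fixed` reports as below the advisory's 22.2.mga6.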
Please file a new bug and assign it to Shlomi. Hopefully he can figure it out and fix it.
Depends on: (none) => 24369