Fedora has issued an advisory on October 2:
Mageia 6 is also affected.
Assigning to the registered maintainer.
Fedora patch needs to be reconciled with ours
Fixed in mad-0.15.1b-26.mga7 by Shlomi. Thanks Shlomi!
Patched package also uploaded for Mageia 6.
Updated mad packages fix security vulnerabilities:
The mad_decoder_run function in decoder.c in libmad 0.15.1b allows remote
attackers to cause a denial of service (memory corruption) via a crafted MP3
The mad_decoder_run() function in decoder.c in Underbit libmad through 0.15.1b
allows attackers to cause a denial of service (SIGABRT because of double free
or corruption) or possibly have unspecified other impact via a crafted file
Updated packages in core/updates_testing:
Fedora patch needs to be reconciled with ours =>
MGA6-32 MATE on IBM Thinkpad R50e
No installation issues
# urpmq --whatrequires libmad0
gives a long list, I picked mplayer from it, so
$ strace -o libmad.txt mplayer ~/Video\'s/canvas1verkort1.mpg
Creating config file: /home/tester6/.mplayer/config
MPlayer 1.3.0-13.mga6.tainted-5.5.0 (C) 2000-2016 MPlayer Team
File plays OK.
I stopped the viewing after about 1 min (is about 45 min long) and checked the trace file and found references to libmad.so
OK for me.
An update for this issue has been pushed to the Mageia Updates repository.
This update caused a regression in qmmp.
The sound becomes distorted with pops and clicks. The distortion is independent of the output method.
The previous version (lib64mad0-0.15.1b-22.1.mga6.x86_64) works correctly.
I have downgraded the package so there is no problem for me (other than the unlikely security ones).
Will let others decide if it is worth reopening this issue.
System: Mageia 6, x86_64, Plasma DE, LXQt DE, Intel CPU, nVidia GPU using nvidia340 proprietary driver.
$ journalctl | grep lib64mad
Fev 14 09:01:05 marte [RPM]: erase lib64mad0-0.15.1b-22.1.mga6.x86_64: success
Fev 14 09:01:28 marte [RPM]: install lib64mad0-0.15.1b-22.2.mga6.x86_64: success
Fev 14 09:01:28 marte [RPM]: erase lib64mad0-0.15.1b-22.1.mga6.x86_64: success
Fev 14 09:01:54 marte [RPM]: install lib64mad0-0.15.1b-22.2.mga6.x86_64: success
Fev 14 09:59:28 marte msec: - Added packages : lib64mad0-0.15.1b-22.2.mga6
Fev 14 09:59:28 marte msec: - Removed packages : lib64mad0-0.15.1b-22.1.mga6
Fev 15 09:38:21 marte urpmi: called with: --downgrade lib64mad0-0.15.1b-22.1.mga6
Fev 15 09:38:30 marte [RPM]: erase lib64mad0-0.15.1b-22.2.mga6.x86_64: success
Fev 15 09:38:31 marte [RPM]: install lib64mad0-0.15.1b-22.1.mga6.x86_64: success
Fev 15 09:38:32 marte [RPM]: erase lib64mad0-0.15.1b-22.2.mga6.x86_64: success
Fev 15 09:38:32 marte [RPM]: install lib64mad0-0.15.1b-22.1.mga6.x86_64: success
Please file a new bug and assign it to Shlomi. Hopefully he can figure it out and fix it.