Bug 23698 - mad new security issues CVE-2017-11552 and CVE-2018-7263
Summary: mad new security issues CVE-2017-11552 and CVE-2018-7263
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6-32-OK
Keywords: advisory, validated_update
Depends on: 24369
Blocks:
Reported: 2018-10-15 23:50 CEST by David Walser
Modified: 2019-02-16 13:22 CET

See Also:
Source RPM: mad-0.15.1b-25.mga7.src.rpm
CVE:
Status comment:


Description David Walser 2018-10-15 23:50:24 CEST
Fedora has issued an advisory on October 2:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/CCLUAGAEWOQKRY2C6HLTXT5WWTWSTNIP/

Mageia 6 is also affected.

David Walser 2018-10-15 23:50:37 CEST

Whiteboard: (none) => MGA6TOO

Comment 1 Marja Van Waes 2018-10-16 19:45:34 CEST
Assigning to the registered maintainer.

CC: (none) => marja11
Assignee: bugsquad => shlomif

David Walser 2019-02-03 02:22:28 CET

Status comment: (none) => Fedora patch needs to be reconciled with ours

Comment 2 David Walser 2019-02-03 17:45:10 CET
Fixed in mad-0.15.1b-26.mga7 by Shlomi.  Thanks Shlomi!

Patched package also uploaded for Mageia 6.

Advisory:
========================

Updated mad packages fix security vulnerabilities:

The mad_decoder_run function in decoder.c in libmad 0.15.1b allows remote
attackers to cause a denial of service (memory corruption) via a crafted MP3
file (CVE-2017-11552).

The mad_decoder_run() function in decoder.c in Underbit libmad through 0.15.1b
allows attackers to cause a denial of service (SIGABRT because of double free
or corruption) or possibly have unspecified other impact via a crafted file
(CVE-2018-7263).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11552
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7263
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/CCLUAGAEWOQKRY2C6HLTXT5WWTWSTNIP/
========================

Updated packages in core/updates_testing:
========================
libmad0-0.15.1b-22.2.mga6
libmad-devel-0.15.1b-22.2.mga6

from mad-0.15.1b-22.2.mga6.src.rpm

Version: Cauldron => 6
CC: (none) => shlomif
Status comment: Fedora patch needs to be reconciled with ours => (none)
Whiteboard: MGA6TOO => (none)
Assignee: shlomif => qa-bugs

Comment 3 Herman Viaene 2019-02-07 10:13:23 CET
MGA6-32 MATE on IBM Thinkpad R50e
No installation issues
# urpmq --whatrequires libmad0
gives a long list, I picked mplayer from it, so
$ strace -o libmad.txt mplayer ~/Video\'s/canvas1verkort1.mpg 
Creating config file: /home/tester6/.mplayer/config
MPlayer 1.3.0-13.mga6.tainted-5.5.0 (C) 2000-2016 MPlayer Team
File plays OK.
I stopped the viewing after about 1 min (is about 45 min long) and checked the trace file and found references to libmad.so
OK for me.

Whiteboard: (none) => MGA6-32-OK
CC: (none) => herman.viaene

Dave Hodgins 2019-02-14 07:59:04 CET

CC: (none) => davidwhodgins, sysadmin-bugs
Keywords: (none) => advisory, validated_update

Comment 4 Mageia Robot 2019-02-14 09:40:16 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0078.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Comment 5 PC LX 2019-02-15 11:02:48 CET
This update caused a regression in qmmp.
The sound becomes distorted with pops and clicks. The distortion is independent of the output method.

The previous version (lib64mad0-0.15.1b-22.1.mga6.x86_64) works correctly.

I have downgraded the package so there is no problem for me (other than the unlikely security ones).
Will let others decide if it is worth reopening this issue.

System: Mageia 6, x86_64, Plasma DE, LXQt DE, Intel CPU, nVidia GPU using nvidia340 proprietary driver.

$ journalctl | grep lib64mad
Fev 14 09:01:05 marte [RPM][3031]: erase lib64mad0-0.15.1b-22.1.mga6.x86_64: success
Fev 14 09:01:28 marte [RPM][3031]: install lib64mad0-0.15.1b-22.2.mga6.x86_64: success
Fev 14 09:01:28 marte [RPM][3031]: erase lib64mad0-0.15.1b-22.1.mga6.x86_64: success
Fev 14 09:01:54 marte [RPM][3031]: install lib64mad0-0.15.1b-22.2.mga6.x86_64: success
Fev 14 09:59:28 marte msec[8580]: -   Added packages : lib64mad0-0.15.1b-22.2.mga6
Fev 14 09:59:28 marte msec[8603]: - Removed packages : lib64mad0-0.15.1b-22.1.mga6
Fev 15 09:38:21 marte urpmi[3765]: called with: --downgrade lib64mad0-0.15.1b-22.1.mga6
Fev 15 09:38:30 marte [RPM][3765]: erase lib64mad0-0.15.1b-22.2.mga6.x86_64: success
Fev 15 09:38:31 marte [RPM][3765]: install lib64mad0-0.15.1b-22.1.mga6.x86_64: success
Fev 15 09:38:32 marte [RPM][3765]: erase lib64mad0-0.15.1b-22.2.mga6.x86_64: success
Fev 15 09:38:32 marte [RPM][3765]: install lib64mad0-0.15.1b-22.1.mga6.x86_64: success

CC: (none) => mageia
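
Added example (not part of the bug report or of any Mageia tool): a rollback like the one in Comment 5 leaves a host on a build older than the fixed 0.15.1b-22.2.mga6 named in the advisory, and this sketch replays the `[RPM]` journal events to flag that state. The names `audit`, `evr_cmp` and `vercmp` are hypothetical, and the version comparison is a simplified stand-in for rpm's own algorithm.

```python
import re

# Fixed Mageia 6 build, from the advisory in Comment 2.
FIXED = "0.15.1b-22.2.mga6"

# Sample input: lines copied from the journal excerpt in Comment 5.
SAMPLE_JOURNAL = """\
Fev 14 09:01:05 marte [RPM][3031]: erase lib64mad0-0.15.1b-22.1.mga6.x86_64: success
Fev 14 09:01:28 marte [RPM][3031]: install lib64mad0-0.15.1b-22.2.mga6.x86_64: success
Fev 15 09:38:21 marte urpmi[3765]: called with: --downgrade lib64mad0-0.15.1b-22.1.mga6
Fev 15 09:38:30 marte [RPM][3765]: erase lib64mad0-0.15.1b-22.2.mga6.x86_64: success
Fev 15 09:38:31 marte [RPM][3765]: install lib64mad0-0.15.1b-22.1.mga6.x86_64: success
"""

# Matches "[RPM][pid]: install|erase name-version-release.arch: success" lines.
RPM_LINE = re.compile(
    r"\[RPM\]\[\d+\]: (install|erase) lib(?:64)?mad0-(.+)\.[^.\s]+: success")

def vercmp(a, b):
    """Simplified rpmvercmp (no epoch, '~' or '^' handling): returns -1, 0 or 1."""
    sa, sb = (re.findall(r"\d+|[A-Za-z]+", s) for s in (a, b))
    for x, y in zip(sa, sb):
        if x.isdigit() != y.isdigit():      # numeric segment beats alphabetic
            return 1 if x.isdigit() else -1
        if x.isdigit():
            x, y = int(x), int(y)
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def evr_cmp(a, b):
    """Compare two 'version-release' strings, version first."""
    (va, ra), (vb, rb) = a.rsplit("-", 1), b.rsplit("-", 1)
    return vercmp(va, vb) or vercmp(ra, rb)

def audit(journal, fixed=FIXED):
    """Replay install/erase events and report builds left installed below `fixed`."""
    installed, had_fix = set(), False
    for action, evr in RPM_LINE.findall(journal):
        if action == "install":
            installed.add(evr)
            had_fix = had_fix or evr_cmp(evr, fixed) >= 0
        else:
            installed.discard(evr)
    vulnerable = sorted(v for v in installed if evr_cmp(v, fixed) < 0)
    return {"installed": sorted(installed), "vulnerable": vulnerable, "rolled_back": had_fix and bool(vulnerable)}

if __name__ == "__main__":
    print(audit(SAMPLE_JOURNAL))
```

On a live system the input would be the output of the `journalctl | grep lib64mad` command shown in Comment 5.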

Comment 6 David Walser 2019-02-15 13:43:17 CET
Please file a new bug and assign it to Shlomi.  Hopefully he can figure it out and fix it.

Philippe Didier 2019-02-16 13:22:22 CET

Depends on: (none) => 24369

