Bug 24351 - [taglib] Bugfixes: New possible Ogg packet losses
Summary: [taglib] Bugfixes: New possible Ogg packet losses
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: RPM Packages (show other bugs)
Version: 6
Hardware: All Linux
Priority: Normal critical
Target Milestone: ---
Assignee: QA Team
QA Contact:
URL:
Whiteboard: MGA6-32-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2019-02-12 05:46 CET by David GEIGER
Modified: 2019-03-14 22:41 CET (History)
3 users (show)

See Also:
Source RPM: taglib-1.11.1-1.2.mga6.src.rpm
CVE:
Status comment:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description David GEIGER 2019-02-12 05:46:13 CET 
Since taglib release 1.11.1 a critical regression was found that randomly corrupting Ogg Vorbis Files.

An upstream patch can be found here:

https://github.com/taglib/taglib/commit/9336c82da3a04552168f208cd7a5fa4646701ea4

There is no CVE attributed to fix this issue but it should really be fixed.

https://github.com/taglib/taglib/issues/864


Cauldron is already fixed!
Comment 1 David GEIGER 2019-02-12 06:00:53 CET 
Assigning to QA,


Advisory:
========================

Since taglib release 1.11.1 a critical regression was found that randomly corrupting Ogg Vorbis Files.
So this update fixes this issue.

Reference:
https://github.com/taglib/taglib/issues/864

========================

Packages in 6/core/updates_testing:
========================
lib64taglib1-1.11.1-1.3.mga6.x86_64.rpm
lib64taglib_c0-1.11.1-1.3.mga6.x86_64.rpm
lib64taglib-devel-1.11.1-1.3.mga6.x86_64.rpm

libtaglib1-1.11.1-1.3.mga6.i586.rpm
libtaglib_c0-1.11.1-1.3.mga6.i586.rpm
libtaglib-devel-1.11.1-1.3.mga6.i586.rpm

Source RPM: 
========================
taglib-1.11.1-1.3.mga6.src.rpm


For QA:

To test if this update fixes this issue we have an open bug report about easytag

bug 22382

Assignee: bugsquad => qa-bugs

David GEIGER 2019-02-12 06:04:42 CET

Blocks: (none) => 22382

Comment 2 Herman Viaene 2019-02-12 14:31:45 CET 
MGA6-32 MATE on IBM Thinkpad R50e
No installation issues
Ref to bugs 23178 and 22382 for tests:
Checked contents of metadata of an .ogg file in audacity.
Run easytag with strace and change a data item in the tags. Libtag found in trace file.
Checked contents of metadata again of this .ogg file in audacity. Found change made. Seems OK.
BUT: resulting ogg file does not play anymore in parole. Gives "Internal data stream error"
The file opens and plays OK in audacity. When I export it from audacity to ogg again overwriting the file, parole is happy again. But using easytag again causes the same corruption for parole.
Not good.

CC: (none) => herman.viaene

Comment 3 David GEIGER 2019-02-12 15:06:31 CET 
So maybe easytag issue come not from taglib it is another one!
Comment 4 Herman Viaene 2019-02-12 16:12:52 CET 
@ David
Provided the libtaglib handles only the tags and nothing else, you're most probably right.
Traced clementine which can update tags, it calls libtag and does not corrupt the file.
Strangely, I also traced audacity and there I see refs to easytag.
So, if you agree, I would propose to OK the libtag update.
Comment 5 David GEIGER 2019-02-12 17:22:19 CET 
I'm agree :)
David GEIGER 2019-02-12 17:23:12 CET

Blocks: 22382 => (none)

Comment 6 David GEIGER 2019-02-26 07:48:16 CET 
Ping? What's for? For me taglib fixes should be validated!
Herman Viaene 2019-03-07 11:41:34 CET

Whiteboard: (none) => MGA6-32-OK

Dave Hodgins 2019-03-14 22:07:10 CET

Keywords: (none) => advisory, validated_update
CC: (none) => davidwhodgins, sysadmin-bugs

Comment 7 Mageia Robot 2019-03-14 22:41:08 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGAA-2019-0022.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED
Note You need to log in before you can comment on or make changes to this bug.