SUSE has issued an advisory on April 2:
http://lists.suse.com/pipermail/sle-security-updates/2019-April/005286.html

CVE-2018-19758 fix here:
https://bugzilla.suse.com/show_bug.cgi?id=1117954

Mageia 6 is also affected.
Whiteboard: (none) => MGA6TOO
Assigning to all packagers collectively, since there is no registered maintainer for this package. Also CC'ing Mike.
Assignee: bugsquad => pkg-bugs
CC: (none) => marja11, mrambo
Fixed both mga6 and Cauldron!
CC: (none) => geiger.david68210
Advisory:
========================

Updated libsndfile packages fix security vulnerability:

A heap-based buffer over-read at wav.c in wav_write_header that could be used for a denial of service attack (CVE-2018-19758).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19758
http://lists.suse.com/pipermail/sle-security-updates/2019-April/005286.html
========================

Updated packages in core/updates_testing:
========================
libsndfile1-1.0.28-3.4.mga6
libsndfile-devel-1.0.28-3.4.mga6
libsndfile-static-devel-1.0.28-3.4.mga6
libsndfile-progs-1.0.28-3.4.mga6

from libsndfile-1.0.28-3.4.mga6.src.rpm
Whiteboard: MGA6TOO => (none)
Version: Cauldron => 6
Assignee: pkg-bugs => qa-bugs
mga6, x86_64

*before updates*
CVE-2018-19758
https://bugzilla.redhat.com/show_bug.cgi?id=1643812
$ unrar e poc0.rar
$ sndfile-convert poc0 a.wav
Segmentation fault (core dumped)

*after updates*
$ sndfile-convert poc0 a.wav
$

Tested libsndfile-progs:
$ sndfile-play WachetAuf.wav
Playing WachetAuf.wav
$ sndfile-play AnElizabethanSuite.flac
Playing AnElizabethanSuite.flac
$ sndfile-play TheEarthDiesScreaming.ogg
Playing TheEarthDiesScreaming.ogg

mp3 files are not recognized.
Not all of the many file formats supported by libsndfile can be inter-converted. Tried a few and found some that worked.

$ sndfile-convert TheWifeOfUshersWell.wav TheWifeOfUshersWell.aif
$ sndfile-play TheWifeOfUshersWell.aif
Playing TheWifeOfUshersWell.aif
$ sndfile-convert LongLankin.wav LongLankin.snd
lcl@difda:steeleyespan $ sndfile-play LongLankin.snd
Playing LongLankin.snd
$ sndfile-convert LammasTide.wav LammasTide.mat4
$ sndfile-play LammasTide.mat4
Playing LammasTide.mat4
$ sndfile-metadata-get --str-artist CherryOhBaby.ogg
Artist : UB40
$ sndfile-info Brandenburg-1-minuetto.wav
========================================
File : Brandenburg-1-minuetto.wav
Length : 88552844
RIFF : 88552836
[...]
$ sndfile-deinterleave SingSingAllTheEarth.wav
Input file : SingSingAllTheEarth
Output files :
SingSingAllTheEarth_00.wav
SingSingAllTheEarth_01.wav

Passing this for 64-bits.
CC: (none) => tarazed25
Whiteboard: (none) => MGA6-64-OK
Advisory committed to svn. Validating the update.
Keywords: (none) => advisory, validated_update
CC: (none) => davidwhodgins, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2019-0182.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED