Ubuntu has issued an advisory on May 16: https://usn.ubuntu.com/3988-1/
Whiteboard: (none) => MGA7TOO, MGA6TOOCC: (none) => geiger.david68210
openSUSE has issued an advisory for this on June 26: https://lists.opensuse.org/opensuse-updates/2019-06/msg00147.html
Status comment: (none) => Patches available from Ubuntu and openSUSE
Done for mga7 and already fixed in Cauldron with release 19.09!
Whiteboard: MGA7TOO, MGA6TOO => MGA7TOO
Advisory: ======================== Updated libmediainfo packages fix security vulnerabilities: Out-of-bounds read in function MediaInfoLib:File__Tags_Helper:Synched_Test (CVE-2019-11372). Out-of-bounds read in function File__Analyze:Get_L8 (CVE-2019-11373). References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11372 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11373 https://lists.opensuse.org/opensuse-updates/2019-06/msg00147.html ======================== Updated packages in core/updates_testing: ======================== libmediainfo0-18.12-1.1.mga7 libmediainfo-devel-18.12-1.1.mga7 from libmediainfo-18.12-1.1.mga7.src.rpm
Whiteboard: MGA7TOO => (none)Assignee: jani.valimaa => qa-bugsSummary: mediainfo new security issues CVE-2019-1137[23] => libmediainfo new security issues CVE-2019-1137[23]Source RPM: mediainfo-19.07-1.mga8.src.rpm => libmediainfo-18.12-1.mga7.src.rpmCC: (none) => jani.valimaaStatus comment: Patches available from Ubuntu and openSUSE => (none)Version: Cauldron => 7
CVE-2019-11372 CVE-2019-11373 https://sourceforge.net/p/mediainfo/bugs/1101/ $ mediainfo A.avi Segmentation fault (core dumped) $ mediainfo T.avi Segmentation fault (core dumped) Updated the packages: 1/1: lib64mediainfo0 1/3 lib64tinyxml2-devel 2/3: lib64zen-devel 3/3: lib64mediainfo-devel $ mediainfo A.avi General Complete name : A.avi Format : AVI Format/Info : Audio Video Interleave File size : 89.0 Bytes IsTruncated : Yes $ mediainfo T.avi General Complete name : T.avi Format : SMPTE ST 337 File size : 21.6 KiB Overall bit rate mode : Constant Audio Format : Dolby E Format settings : Little Bit rate mode : Constant Bit depth : 20 bits That confirms the fixes. Many of the command line options for mediainfo concern security and certification. Passing on those. $ mediainfo --Details 1 'Long as I Can See the Light.wav' 0000000 WAVE (12 bytes) 0000000 Header (12 bytes) 0000000 Name: RIFF 0000004 Size: 18419596 (0x01190F8C) 0000008 Real Name: WAVE 000000C -------------------------- 000000C --- Wave, accepted --- 000000C -------------------------- 000000C -------------------------- 000000C --- Wave, accepted --- 000000C -------------------------- 0000000 Wave (327680 bytes) 000000C Stream format - Audio (24 bytes) $ mediainfo --Full CanzonaPerSonareAQuattro-GiovanniGabrieli.wav General Count : 331 Count of stream of this kind : 1 Kind of stream : General Kind of stream : General Stream identifier : 0 Count of audio streams : 1 Audio_Format_List : PCM Audio_Format_WithHint_List : PCM Audio codecs : PCM Complete name : CanzonaPerSonareAQuattro-GiovanniGabrieli.wav [...] Stream size : 26.66 MiB Stream size : 26.7 MiB (100%) Proportion of this stream : 1.00000 ^C $ mediainfo Element186_pilot.mkv General Unique ID : 337040800397714628811276168872922392768 (0xFD8FB26E5ED851FB64BEC188ACDB28C0) Complete name : Element186_pilot.mkv Format : Matroska ....... Seems OK.
Whiteboard: (none) => MGA7-64-OKCC: (none) => tarazed25
Validating. Advisory in Comment 3.
Keywords: (none) => validated_updateCC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2020-0047.html
Resolution: (none) => FIXEDStatus: NEW => RESOLVED