Ubuntu has issued an advisory on June 10: https://usn.ubuntu.com/4013-1/ The last fix (in Bug 24752) was incomplete. Mageia 6 and Mageia 7 are also affected.
Whiteboard: (none) => MGA7TOO, MGA6TOO
Assigning to all packagers collectively, since there is no registered maintainer for this package. Also CC'ing two submitters.
CC: (none) => geiger.david68210, marja11, mramboAssignee: bugsquad => pkg-bugs
Patched package uploaded for cauldron and Mageia 7. Advisory: ======================== Updated libsndfile package fixes security vulnerability: It was discovered that libsndfile incorrectly handled certain malformed files. A remote attacker could use this issue to cause libsndfile to crash, resulting in a denial of service, or possibly execute arbitrary code (CVE-2019-3832). References: https://www.cvedetails.com/cve/CVE-2019-3832/ https://usn.ubuntu.com/4013-1/ ======================== Updated packages in core/updates_testing: ======================== lib64sndfile1-1.0.28-8.1.mga7.x86_64.rpm lib64sndfile-devel-1.0.28-8.1.mga7.x86_64.rpm libsndfile-progs-1.0.28-8.1.mga7.x86_64.rpm from libsndfile-1.0.28-8.1.mga7.src.rpm Test procedure: https://bugs.mageia.org/show_bug.cgi?id=21138#c3
Assignee: pkg-bugs => qa-bugsWhiteboard: MGA7TOO, MGA6TOO => (none)Version: Cauldron => 7Keywords: (none) => has_procedure
Mageia 7, x86_64 There is a PoC for this but the result does not confirm the issue for the pre-update software so it may have been fixed already. Some of the discussion hints that the PoC may or may not work. CVE-2018-19758 https://github.com/erikd/libsndfile/issues/456 Before update: $ sndfile-convert ./incomplete-fix-CVE-2018-19758 out.wav No errors and an output file was produced. Nor were any errors reported under valgrind. $ file out.wav out.wav: RIFF (little-endian) data, WAVE audio, Microsoft PCM, 16 bit, stereo 22001 Hz Updated the three packages. Ran the PoC. New output file generated. Referred to earlier bug for tests. $ sndfile-info LaProcession.mp3 Error : Not able to open input file LaProcession.mp3. File : LaProcession.mp3 Length : 5172869 File contains data in an unknown format. sndfile-info JoyToTheWorld.ogg ======================================== File : JoyToTheWorld.ogg Length : 1569245 Ogg stream data : Vorbis Stream serialno : 446343195 Vorbis library version : Xiph.Org libVorbis 1.3.6 Bitstream is 2 channel, 44100 Hz Encoded by : Xiph.Org libVorbis I 20070622 End ---------------------------------------- Sample Rate : 44100 Frames : 4050732 Channels : 2 Format : 0x00200060 Sections : 1 Seekable : TRUE Duration : 00:01:31.853 Signal Max : 0.359192 (-99.20 dB) Similar good data returned for flac and wav files. Conversions: $ sndfile-convert RedRedWine.ogg RedRedWine.aif Error : output file format is invalid. The 'AIFF' container does not support 'Vorbis' codec data. Run 'sndfile-convert --help' for clues. $ sndfile-convert LammasTide.wav LammasTide.flac The conversion worked and the output flac file played perfectly. wav to ogg conversions fail - The 'OGG' container does not support '16 bit PCM' codec data. The -pcm16 switch does not help. $ sndfile-convert LongLankin.wav LongLankin.aif That works - output plays fine. $ sndfile-convert --help That lists all the supported encodings and output formats. $ sndfile-convert -vorbis 'Bad Moon Rising.wav' BadMoonRising.ogg $ sndfile-play BadMoonRising.wav That worked fine so did a MAT4 formatted file. It all works well. 64-bit OK.
CC: (none) => tarazed25Whiteboard: (none) => MGA7-64-OK
Garrh! Comment #3 should have said CVE-2019-3832. Cut and paste error - the earlier CVE was refferred to.
Keywords: (none) => advisory, validated_updateCC: (none) => tmb, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2019-0300.html
Resolution: (none) => FIXEDStatus: NEW => RESOLVED