Bug 25753 - clementine new security issue CVE-2018-14332
Summary: clementine new security issue CVE-2018-14332
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 7
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2019-11-26 16:40 CET by David Walser
Modified: 2019-12-13 19:27 CET (History)
5 users (show)

See Also:
Source RPM: clementine-1.3.1-10.git20190423.1.mga7.src.rpm
CVE:
Status comment:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description David Walser 2019-11-26 16:40:41 CET 
openSUSE has issued an advisory on July 21:
https://lists.opensuse.org/opensuse-updates/2019-07/msg00103.html
Comment 1 David GEIGER 2019-12-06 18:07:52 CET 
Done for mga7!
Comment 2 David Walser 2019-12-07 16:24:45 CET 
Advisory:
========================

Updated clementine package fixes security vulnerability:

NULL ptr dereference (crash) in the moodbar pipeline (CVE-2018-14332).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14332
https://lists.opensuse.org/opensuse-updates/2019-07/msg00103.html
========================

Updated packages in core/updates_testing:
========================
clementine-1.3.1-10.git20191016.1.mga7

from clementine-1.3.1-10.git20191016.1.mga7.src.rpm

Assignee: geiger.david68210 => qa-bugs
CC: (none) => geiger.david68210

Comment 3 Herman Viaene 2019-12-10 10:17:53 CET 
MGA7-64 Plasma on Lenovo B50
No installation issues.
Opening clementine the first time on this setup:
$ clementine
10:05:44.170 INFO  main:319                         Clementine-qt5 1.3.1
10:05:44.351 INFO  Database:299                     Creating initial database schema
10:05:44.351 DEBUG Database:465                     Applying database schema update 0 from ":/schema/schema.sql"
10:05:44.438 DEBUG Database:465                     Applying database schema update 1 from ":/schema/schema-1.sql"
more of those, then
10:05:47.089 INFO  Database:545                     Updating "magnatune_songs" for %allsongstables
10:05:47.090 INFO  Database:545                     Updating "spotify_search_songs" for %allsongstables
10:05:47.091 INFO  Database:545                     Updating "jamendo.songs" for %allsongstables
10:05:47.092 INFO  Database:545                     Updating "playlist_items" for %allsongstables
and further10:05:50.493 DEBUG InternetModel:133                Adding internet service: "DigitallyImported"
10:05:50.569 DEBUG InternetModel:133                Adding internet service: "Icecast"
10:05:50.581 DEBUG InternetModel:133                Adding internet service: "Jamendo"
10:05:50.582 INFO  Player:639                       Registered URL handler for "jazzradio"
10:05:50.582 DEBUG InternetModel:133                Adding internet service: "JazzRadio"
10:05:50.588 INFO  Player:639                       Registered URL handler for "magnatune"
10:05:50.590 DEBUG InternetModel:133                Adding internet service: "Magnatune"

Selected a local wav file: plays OK
Selected one of the internet radios: plays OK
Good to go.

Whiteboard: (none) => MGA7-64-OK
CC: (none) => herman.viaene

Comment 4 Jose Manuel López 2019-12-10 11:20:24 CET 
I've installed in Mageia 7 Plasma Virtualbox x64.

Works fine, play, browse for folders, add reproduction list. Without problems.

Greetings!!

CC: (none) => joselp

Comment 5 Thomas Andrews 2019-12-10 20:13:44 CET 
Thank you, Gentlemen. Validating. Advisory in Comment 2.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Comment 6 Rémi Verschelde 2019-12-13 16:52:56 CET 
Advisory uploaded.

Keywords: (none) => advisory

Comment 7 Mageia Robot 2019-12-13 19:27:12 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0380.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED
Note You need to log in before you can comment on or make changes to this bug.