openSUSE has issued an advisory on April 15: https://lists.opensuse.org/opensuse-updates/2020-04/msg00085.html The CVE-2017-12911 issue was fixed upstream in 1.6.2. The CVE-2019-18359 issue was fixed by adding this patch: https://build.opensuse.org/package/view_file/openSUSE:Leap:15.1:Update/mp3gain/0001-fix-security-bugs.patch?expand=1 Mageia 7 is also affected.
Status comment: (none) => Patch available from openSUSEWhiteboard: (none) => MGA7TOO
No registered or evident maintainer for this, so having to assign it globally.
Assignee: bugsquad => pkg-bugs
Suggested advisory: ======================== The updated package fixes a security vulnerability: A buffer over-read was discovered in ReadMP3APETag in apetag.c in MP3Gain 1.6.2. The vulnerability causes an application crash, which leads to remote denial of service. (CVE-2019-18359) References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18359 https://lists.opensuse.org/opensuse-updates/2020-04/msg00085.html ======================== Updated package in core/updates_testing: ======================== mp3gain-1.6.2-2.1.mga7 from SRPM: mp3gain-1.6.2-2.1.mga7.src.rpm
Whiteboard: MGA7TOO => (none)CVE: (none) => CVE-2019-18359Status comment: Patch available from openSUSE => (none)Version: Cauldron => 7Status: NEW => ASSIGNEDSource RPM: mp3gain-1.6.2-3.mga8.src.rpm => mp3gain-1.6.2-2.mga7.src.rpmAssignee: pkg-bugs => qa-bugsCC: (none) => nicolas.salguero
$ uname -a Linux localhost 5.5.15-desktop-3.mga7 #1 SMP Sat Apr 4 20:17:59 UTC 2020 i686 i686 i386 GNU/Linux installed - mp3gain-1.6.2-2.1.mga7.i586 ---- Ran a basic mp3gain -r *.mp3 test It seemed to work.
CC: (none) => brtians1Whiteboard: (none) => MGA7-32-OK
mga7, x86_64 CVE-2019-18359 https://sourceforge.net/p/mp3gain/bugs/46/ $ mp3gain mp3gain_poc1 ... [src/libmpg123/layer3.c:2039] error: dequantization failed! Note: broken frame 7, filling up with 9216 zeroes, from 0 ... Recommended "Album" dB change for all files: -0.670000 Recommended "Album" mp3 gain change for all files: 0 $ mp3gain mp3gain_poc2 mp3gain_poc2 Delaying a frame in decoding with old libmpg123. Recommended "Track" dB change: -12.470000 Recommended "Track" mp3 gain change: -8 Max PCM sample at current gain: 86720.132812 Max mp3 global gain field: 183 Min mp3 global gain field: 170 Recommended "Album" dB change for all files: -12.470000 Recommended "Album" mp3 gain change for all files: -8 Updated the package. Ran the PoC again: The same result for both files but without error messages. Not too convincing but it does no damage. $ mp3gain -r LongLankin.mp3 LongLankin.mp3 Delaying a frame in decoding with old libmpg123. Applying mp3 gain change of -2 to LongLankin.mp3... $ mp3gain -g 10 ItsMagic.mp3 Applying gain change of 10 to ItsMagic.mp3... Definitely louder. Good to go for 64-bits.
Whiteboard: MGA7-32-OK => MGA7-32-OK MGA7-64-OKCC: (none) => tarazed25
Thank you, Brian and Len. I am not against validating on just a 32-bit test, but I do like to have at least a clean 64-bit install to go with it. And, of course, tests on both arches are *always* best. Validating. Advisory in Comment 2.
CC: (none) => andrewsfarm, sysadmin-bugsKeywords: (none) => validated_update
CC: (none) => tmbKeywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2020-0179.html
Status: ASSIGNED => RESOLVEDResolution: (none) => FIXED