RedHat has issued an advisory today (April 28):
https://access.redhat.com/errata/RHSA-2020:1636

Mageia 7 is also affected.
Whiteboard: (none) => MGA7TOO
No registered maintainer nor obvious committer, so assigning this globally.
Assignee: bugsquad => pkg-bugs
Done for Cauldron and mga7! Also note that I used a single upstream patch that fixes #429 (CVE-2018-19661 and CVE-2018-19662) and fixes #344 (CVE-2017-17456 and CVE-2017-17457).
CC: (none) => geiger.david68210
For reference: https://github.com/erikd/libsndfile/commit/585cc28a93be27d6938f276af0011401b9f7c0ca
That's very odd. We already fixed the 2017 CVEs. I don't understand how I missed the 19661 one when Ubuntu had an advisory for it in June.

Advisory:
========================

Updated libsndfile packages fix security vulnerabilities:

An issue was discovered in libsndfile 1.0.28. There is a buffer over-read in the function i2ulaw_array in ulaw.c that will lead to a denial of service (CVE-2018-19661).

An issue was discovered in libsndfile 1.0.28. There is a buffer over-read in the function i2alaw_array in alaw.c that will lead to a denial of service (CVE-2018-19662).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19661
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19662
========================

Updated packages in core/updates_testing:
========================
libsndfile1-1.0.28-8.2.mga7
libsndfile-devel-1.0.28-8.2.mga7
libsndfile-progs-1.0.28-8.2.mga7

from libsndfile-1.0.28-8.2.mga7.src.rpm
Version: Cauldron => 7
Whiteboard: MGA7TOO => (none)
Assignee: pkg-bugs => qa-bugs
mga7, x86_64

CVE-2018-1966{1,2}
https://github.com/erikd/libsndfile/issues/429

$ tar tf poc.tar
global-buffer-overflow__i2alaw_array
$ sndfile-convert -alaw global-buffer-overflow__i2alaw_array out.raw
$ sndfile-convert -ulaw global-buffer-overflow__i2alaw_array out.raw
$ ll out*.raw
-rw-r--r-- 1 lcl lcl 24320 Apr 30 17:34 out2.raw
-rw-r--r-- 1 lcl lcl 24320 Apr 30 17:33 out.raw

Don't know what this tells us. The tests were intended to be run with asan. valgrind gave the two commands a clean bill of health which could mean that the fix had already been applied.

Ran the updates.

$ sndfile-play ASuiteOfTheatreMusic.wav
pavucontrol reports ALSA Playback. It sounds fine.
$ sndfile-play CherryOhBaby.ogg
$ sndfile-metadata-get --str-artist CherryOhBaby.ogg
Artist : UB40
$ sndfile-play MatthewLocke.flac
Playing MatthewLocke.flac
$ sndfile-info MatthewLocke.flac
========================================
File : MatthewLocke.flac
Length : 37356262
FLAC Stream Metadata
Channels : 2
Sample rate : 44100
....
$ sndfile-convert LaGazzaLadra.flac LaGazzaLadra.aif
Playing LaGazzaLadra.aif
$ sndfile-convert TheElfKnight.paf TheElfKnight.aif
$ sndfile-play TheElfKnight.aif
Playing TheElfKnight.aif
$ sndfile-convert LongLankin.wav LongLankin.mat
$ sndfile-play LongLankin.mat
Playing LongLankin.mat
$ sndfile-convert LaDansereye-TielmanSusato.flac LaDanserye.snd
$ sndfile-play LaDanserye.snd
Playing LaDanserye.snd

No problems with any of this.
CC: (none) => tarazed25
Whiteboard: (none) => MGA7-64-OK
Validating. Advisory in Comment 4.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
CC: (none) => tmb
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2020-0197.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED