Bug 27933 - flac new security issue CVE-2020-0499
Summary: flac new security issue CVE-2020-0499
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 7
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Reported: 2020-12-26 17:47 CET by David Walser
Modified: 2020-12-29 12:58 CET (History)
5 users (show)

See Also:
Source RPM: flac-1.3.3-2.mga8.src.rpm
CVE: CVE-2020-0499
Status comment:


Description David Walser 2020-12-26 17:47:15 CET
SUSE has issued an advisory on December 24:

Mageia 7 is also affected.
David Walser 2020-12-26 17:47:21 CET

Whiteboard: (none) => MGA7TOO

Comment 1 Nicolas Lécureuil 2020-12-26 23:58:27 CET
From debian , CVE-2020-0487 is a dupplicate of CVE-2017-6888.


CC: (none) => mageia
Version: Cauldron => 7
Whiteboard: MGA7TOO => (none)

Comment 2 David Walser 2020-12-27 00:49:18 CET
(In reply to Nicolas Lécureuil from comment #1)
> From debian , CVE-2020-0487 is a dupplicate of CVE-2017-6888.

Indeed it is.  Noting that in Bug 22984.

Summary: flac new security issues CVE-2020-0487 and CVE-2020-0499 => flac new security issue CVE-2020-0499

Comment 3 David Walser 2020-12-27 00:51:16 CET

Updated flac packages fix security vulnerability:

In FLAC__bitreader_read_rice_signed_block of bitreader.c, there is a possible
out of bounds read due to a heap buffer overflow. This could lead to remote
information disclosure with no additional execution privileges needed. User
interaction is needed for exploitation (CVE-2020-0499).


Updated packages in core/updates_testing:

from flac-1.3.2-3.1.mga7.src.rpm

Assignee: bugsquad => qa-bugs

Comment 4 Len Lawrence 2020-12-28 13:26:14 CET
mga7, x64

Not able to find any way to reproduce the issues reported.
Ran flac before updating using a shell script (flactest) from PC LX.

Updated all five packages.

Produced an ogg file from an input flac file.
$ flac --ogg test2.flac
flac 1.3.2
test2.flac: WARNING, lead-out offset of cuesheet in input FLAC file does not match input length, dropping existing cuesheet...
test2.flac: wrote 37343868 bytes, ratio=1.000
$ ll test2.*
-rw-r--r-- 1 lcl lcl 37356262 Dec 28 11:44 test2.flac
-rw-r--r-- 1 lcl lcl 37534861 Dec 28 11:44 test2.oga

mplayer could handle test2.oga OK.

$ flac -d --delete-input-file test2.flac
Created test2.wav which played without loss of fidelity.
$ flac -a locke.flac
Created an analysis of the input file.
$ ll locke.ana
-rw-r--r-- 1 lcl lcl 6216461 Dec 28 11:40 locke.ana
$ less locke.ana
frame=0 offset=2412     bits=9776       blocksize=4608  sample_rate=44100       channels=2      channel_assignment=INDEPENDENT
        subframe=0      wasted_bits=0   type=FIXED      order=0 residual_type=RICE      partition_order=3

There is a lot more to this application but that is as far as I am taking it.

CC: (none) => tarazed25
Whiteboard: (none) => MGA7-64-OK

Comment 5 David Walser 2020-12-28 16:35:16 CET
openSUSE has issued an advisory for this today (December 28):
Comment 6 Thomas Andrews 2020-12-28 22:09:09 CET
Validating. Advisory in Comment 3.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Comment 7 Aurelien Oudelet 2020-12-29 11:07:46 CET
Advisory pushed to SVN.

Keywords: (none) => advisory
CC: (none) => ouaurelien
CVE: (none) => CVE-2020-0499

Comment 8 Mageia Robot 2020-12-29 12:58:53 CET
An update for this issue has been pushed to the Mageia Updates repository.


Resolution: (none) => FIXED

Note You need to log in before you can comment on or make changes to this bug.