SUSE has issued an advisory on December 24:
https://lists.suse.com/pipermail/sle-security-updates/2020-December/008120.html

Mageia 7 is also affected.
Whiteboard: (none) => MGA7TOO
From Debian, CVE-2020-0487 is a duplicate of CVE-2017-6888.

src: flac-1.3.2-3.1.mga7
CC: (none) => mageia
Version: Cauldron => 7
Whiteboard: MGA7TOO => (none)
(In reply to Nicolas Lécureuil from comment #1)
> From Debian, CVE-2020-0487 is a duplicate of CVE-2017-6888.

Indeed it is. Noting that in Bug 22984.
Summary: flac new security issues CVE-2020-0487 and CVE-2020-0499 => flac new security issue CVE-2020-0499
Advisory:
========================

Updated flac packages fix security vulnerability:

In FLAC__bitreader_read_rice_signed_block of bitreader.c, there is a possible out of bounds read due to a heap buffer overflow. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is needed for exploitation (CVE-2020-0499).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0499
https://lists.suse.com/pipermail/sle-security-updates/2020-December/008120.html
========================

Updated packages in core/updates_testing:
========================
flac-1.3.2-3.1.mga7
libflac8-1.3.2-3.1.mga7
libflac-devel-1.3.2-3.1.mga7
libflac++6-1.3.2-3.1.mga7
libflac++-devel-1.3.2-3.1.mga7

from flac-1.3.2-3.1.mga7.src.rpm
Assignee: bugsquad => qa-bugs
mga7, x64

Not able to find any way to reproduce the issues reported.
Ran flac before updating using a shell script (flactest) from PC LX.
Updated all five packages.

Produced an ogg file from an input flac file.
$ flac --ogg test2.flac
flac 1.3.2
[...]
test2.flac: WARNING, lead-out offset of cuesheet in input FLAC file does not match input length, dropping existing cuesheet...
test2.flac: wrote 37343868 bytes, ratio=1.000
$ ll test2.*
-rw-r--r-- 1 lcl lcl 37356262 Dec 28 11:44 test2.flac
-rw-r--r-- 1 lcl lcl 37534861 Dec 28 11:44 test2.oga
mplayer could handle test2.oga OK.

$ flac -d --delete-input-file test2.flac
Created test2.wav which played without loss of fidelity.

$ flac -a locke.flac
Created an analysis of the input file.
$ ll locke.ana
-rw-r--r-- 1 lcl lcl 6216461 Dec 28 11:40 locke.ana
$ less locke.ana
frame=0 offset=2412 bits=9776 blocksize=4608 sample_rate=44100 channels=2 channel_assignment=INDEPENDENT
subframe=0 wasted_bits=0 type=FIXED order=0 residual_type=RICE partition_order=3
parameter[0]=0
.....

There is a lot more to this application but that is as far as I am taking it.
CC: (none) => tarazed25
Whiteboard: (none) => MGA7-64-OK
openSUSE has issued an advisory for this today (December 28):
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/3IU5K7DTVB7RH7VVIUTMX4XFQDWSHYUS/
Validating. Advisory in Comment 3.
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
Advisory pushed to SVN.
Keywords: (none) => advisory
CC: (none) => ouaurelien
CVE: (none) => CVE-2020-0499
An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2020-0480.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED