Fedora has issued an advisory on January 31: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/7COLX6WFFOI3RIOY2IOXWASU3QKAOWKO/ The issue is fixed upstream in 1.4.1. Freeze push requested for Cauldron. Mageia 7 is also affected.
Status comment: (none) => Fixed upstream in 1.4.1
Whiteboard: (none) => MGA7TOO
libebml-1.4.1-1.mga8 uploaded for Cauldron.
Version: Cauldron => 7
Whiteboard: MGA7TOO => (none)
Thanks for doing that already. For M7, different committers make for global bug assignment.
Assignee: bugsquad => pkg-bugs
New version pushed in mga7 src:
- libebml-1.4.2-1.mga7
- mkvtoolnix-32.0.0-2.1.mga7
- libmatroska-1.5.0-2.1.mga7
- vlc-3.0.12.1-1.1.mga7
CC: (none) => mageia
Assignee: pkg-bugs => qa-bugs
Status comment: Fixed upstream in 1.4.1 => (none)
libmatroska rebuild failed. Built so far:
libebml5-1.4.2-1.mga7
libebml-devel-1.4.2-1.mga7
mkvtoolnix-32.0.0-2.1.mga7
mkvtoolnix-gui-32.0.0-2.1.mga7
vlc-3.0.12.1-1.1.mga7
libvlc5-3.0.12.1-1.1.mga7
libvlccore9-3.0.12.1-1.1.mga7
libvlc-devel-3.0.12.1-1.1.mga7
vlc-plugin-common-3.0.12.1-1.1.mga7
vlc-plugin-zvbi-3.0.12.1-1.1.mga7
vlc-plugin-kate-3.0.12.1-1.1.mga7
vlc-plugin-libass-3.0.12.1-1.1.mga7
vlc-plugin-lua-3.0.12.1-1.1.mga7
vlc-plugin-ncurses-3.0.12.1-1.1.mga7
vlc-plugin-lirc-3.0.12.1-1.1.mga7
svlc-3.0.12.1-1.1.mga7
vlc-plugin-aa-3.0.12.1-1.1.mga7
vlc-plugin-sdl-3.0.12.1-1.1.mga7
vlc-plugin-shout-3.0.12.1-1.1.mga7
vlc-plugin-opengl-3.0.12.1-1.1.mga7
vlc-plugin-vdpau-3.0.12.1-1.1.mga7
vlc-plugin-projectm-3.0.12.1-1.1.mga7
vlc-plugin-theora-3.0.12.1-1.1.mga7
vlc-plugin-twolame-3.0.12.1-1.1.mga7
vlc-plugin-fluidsynth-3.0.12.1-1.1.mga7
vlc-plugin-gme-3.0.12.1-1.1.mga7
vlc-plugin-schroedinger-3.0.12.1-1.1.mga7
vlc-plugin-speex-3.0.12.1-1.1.mga7
vlc-plugin-flac-3.0.12.1-1.1.mga7
vlc-plugin-dv-3.0.12.1-1.1.mga7
vlc-plugin-mod-3.0.12.1-1.1.mga7
vlc-plugin-mpc-3.0.12.1-1.1.mga7
vlc-plugin-sid-3.0.12.1-1.1.mga7
vlc-plugin-sndio-3.0.12.1-1.1.mga7
vlc-plugin-pulse-3.0.12.1-1.1.mga7
vlc-plugin-jack-3.0.12.1-1.1.mga7
vlc-plugin-rist-3.0.12.1-1.1.mga7
vlc-plugin-upnp-3.0.12.1-1.1.mga7
vlc-plugin-gnutls-3.0.12.1-1.1.mga7
vlc-plugin-libnotify-3.0.12.1-1.1.mga7
vlc-plugin-chromaprint-3.0.12.1-1.1.mga7
vlc-plugin-samba-3.0.12.1-1.1.mga7
Status comment: (none) => libmatroska needs rebuilt against updated libebml
Assignee: qa-bugs => mageia
Build fixed.
Assignee: mageia => qa-bugs
(In reply to David Walser from comment #4)
> libmatroska rebuild failed.
Which now produces:
libmatroska6-1.5.0-2.1.mga7
libmatroska-devel-1.5.0-2.1.mga7
Status comment: libmatroska needs rebuilt against updated libebml => (none)
Advisory:
========================
Updated libebml packages fix security vulnerability:
Heap use-after-free when parsing malformed file.
The mkvtoolnix, libmatroska, and vlc packages have been rebuilt for the updated libebml.
References:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/7COLX6WFFOI3RIOY2IOXWASU3QKAOWKO/
mga7-64 Plasma Nvidia. Sloppy test: I updated everything from the lists in comments 4 & 6 that was installed. Clean update, and I can still play videos, and found a couple of dated bugs from mga6 that have been fixed and marked them so...
CC: (none) => fri
These install and work OK, but shouldn't there also be tainted versions?
Keywords: (none) => feedback
CC: (none) => andrewsfarm
At least of vlc, yes.
1.4.2, which we're updating to here, also fixes a heap overflow (CVE-2021-3405): https://www.debian.org/lts/security/2021/dla-2629
Summary: libebml new use-after-free security issue => libebml new use-after-free security issue and CVE-2021-3405
(In reply to David Walser from comment #11)
> 1.4.2, which we're updating to here, also fixes a heap overflow
> (CVE-2021-3405):
> https://www.debian.org/lts/security/2021/dla-2629
Fedora has issued an advisory for this on March 8: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/JNHQI6MDOECJ2HT5GCLEX2DMJFEOWPW7/
Blocks: (none) => 28930
VLC update to 3.0.14 pending in Bug 28930, so it needs to be rebuilt anyway. The rest of this bug can be validated (sans the vlc package).
Keywords: feedback => (none)
mga7, x86_64
$ rpm -qa | grep ebml
lib64ebml4-1.3.7-1.mga7
Had a look at https://github.com/Matroska-Org/libebml/issues/74 to see if the PoC could be run without debuginfo sources. gdb complains immediately but launches vlc. The upstream test appears to be on a 32-bit system.
Updated libebml.
$ rpm -qa | grep ebml
lib64ebml4-1.3.7-1.mga7
lib64ebml5-1.4.2-1.mga7
Noting comment 13, we can short-circuit this bug.
CC: (none) => tarazed25
Whiteboard: (none) => MGA7-64-OK
CC: (none) => sysadmin-bugs
Keywords: (none) => validated_update
Advisory:
========================
Updated libebml packages fix security vulnerabilities:
Heap use-after-free when parsing malformed file.
A flaw was found in libebml before 1.4.2. A heap overflow bug exists in the implementation of EbmlString::ReadData and EbmlUnicodeString::ReadData in libebml (CVE-2021-3405).
The mkvtoolnix and libmatroska packages have been rebuilt for the updated libebml.
(Note in adv: VLC update to 3.0.14 pending in Bug 28930, so it needs to be rebuilt anyway. The rest of this bug can be validated (sans the vlc package).)
References:
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3405
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/7COLX6WFFOI3RIOY2IOXWASU3QKAOWKO/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/JNHQI6MDOECJ2HT5GCLEX2DMJFEOWPW7/
- https://www.debian.org/lts/security/2021/dla-2629
========================
Updated packages in 7/core/updates_testing:
========================
lib(64)ebml5-1.4.2-1.mga7
lib(64)ebml-devel-1.4.2-1.mga7
mkvtoolnix-32.0.0-2.1.mga7
mkvtoolnix-gui-32.0.0-2.1.mga7
lib(64)matroska6-1.5.0-2.1.mga7
lib(64)matroska-devel-1.5.0-2.1.mga7
from SRPM:
libebml-1.4.2-1.mga7
mkvtoolnix-32.0.0-2.1.mga7
libmatroska-1.5.0-2.1.mga7
CVE: (none) => CVE-2021-3405
Keywords: (none) => advisory
CC: (none) => ouaurelien
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2021-0226.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED