Fedora issued an advisory on January 31:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/7COLX6WFFOI3RIOY2IOXWASU3QKAOWKO/
The issue is fixed upstream in 1.4.1. Freeze push requested for Cauldron. Mageia 7 is also affected.
Status comment: (none) => Fixed upstream in 1.4.1
Whiteboard: (none) => MGA7TOO
libebml-1.4.1-1.mga8 uploaded for Cauldron.
Version: Cauldron => 7
Whiteboard: MGA7TOO => (none)
Thanks for doing that already. For M7, different committers make for global bug assignment.
Assignee: bugsquad => pkg-bugs
new version pushed in mga7
src:
- libebml-1.4.2-1.mga7
- mkvtoolnix-32.0.0-2.1.mga7
- libmatroska-1.5.0-2.1.mga7
- vlc-3.0.12.1-1.1.mga7
Status comment: Fixed upstream in 1.4.1 => (none)
Assignee: pkg-bugs => qa-bugs
CC: (none) => mageia
libmatroska rebuild failed. Built so far:
libebml5-1.4.2-1.mga7
libebml-devel-1.4.2-1.mga7
mkvtoolnix-32.0.0-2.1.mga7
mkvtoolnix-gui-32.0.0-2.1.mga7
vlc-3.0.12.1-1.1.mga7
libvlc5-3.0.12.1-1.1.mga7
libvlccore9-3.0.12.1-1.1.mga7
libvlc-devel-3.0.12.1-1.1.mga7
vlc-plugin-common-3.0.12.1-1.1.mga7
vlc-plugin-zvbi-3.0.12.1-1.1.mga7
vlc-plugin-kate-3.0.12.1-1.1.mga7
vlc-plugin-libass-3.0.12.1-1.1.mga7
vlc-plugin-lua-3.0.12.1-1.1.mga7
vlc-plugin-ncurses-3.0.12.1-1.1.mga7
vlc-plugin-lirc-3.0.12.1-1.1.mga7
svlc-3.0.12.1-1.1.mga7
vlc-plugin-aa-3.0.12.1-1.1.mga7
vlc-plugin-sdl-3.0.12.1-1.1.mga7
vlc-plugin-shout-3.0.12.1-1.1.mga7
vlc-plugin-opengl-3.0.12.1-1.1.mga7
vlc-plugin-vdpau-3.0.12.1-1.1.mga7
vlc-plugin-projectm-3.0.12.1-1.1.mga7
vlc-plugin-theora-3.0.12.1-1.1.mga7
vlc-plugin-twolame-3.0.12.1-1.1.mga7
vlc-plugin-fluidsynth-3.0.12.1-1.1.mga7
vlc-plugin-gme-3.0.12.1-1.1.mga7
vlc-plugin-schroedinger-3.0.12.1-1.1.mga7
vlc-plugin-speex-3.0.12.1-1.1.mga7
vlc-plugin-flac-3.0.12.1-1.1.mga7
vlc-plugin-dv-3.0.12.1-1.1.mga7
vlc-plugin-mod-3.0.12.1-1.1.mga7
vlc-plugin-mpc-3.0.12.1-1.1.mga7
vlc-plugin-sid-3.0.12.1-1.1.mga7
vlc-plugin-sndio-3.0.12.1-1.1.mga7
vlc-plugin-pulse-3.0.12.1-1.1.mga7
vlc-plugin-jack-3.0.12.1-1.1.mga7
vlc-plugin-rist-3.0.12.1-1.1.mga7
vlc-plugin-upnp-3.0.12.1-1.1.mga7
vlc-plugin-gnutls-3.0.12.1-1.1.mga7
vlc-plugin-libnotify-3.0.12.1-1.1.mga7
vlc-plugin-chromaprint-3.0.12.1-1.1.mga7
vlc-plugin-samba-3.0.12.1-1.1.mga7
Assignee: qa-bugs => mageia
Status comment: (none) => libmatroska needs rebuilt against updated libebml
build fixed
Assignee: mageia => qa-bugs
(In reply to David Walser from comment #4)
> libmatroska rebuild failed.
which now produces:
libmatroska6-1.5.0-2.1.mga7
libmatroska-devel-1.5.0-2.1.mga7
Status comment: libmatroska needs rebuilt against updated libebml => (none)
Advisory:
========================
Updated libebml packages fix security vulnerability:
Heap use-after-free when parsing malformed file.
The mkvtoolnix, libmatroska, and vlc packages have been rebuilt for the updated libebml.
References:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/7COLX6WFFOI3RIOY2IOXWASU3QKAOWKO/
mga7-64 Plasma Nvidia. Sloppy test: I updated everything from the lists in comments 4 & 6 that was installed. Clean update, and I can still play videos, and found a couple of dated bugs from mga6 have been fixed and marked them so...
CC: (none) => fri
These install and work OK, but shouldn't there also be tainted versions?
Keywords: (none) => feedback
CC: (none) => andrewsfarm
At least of vlc, yes.