openSUSE has issued an advisory today (June 24):
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/Y7ZOGH7UAC6Q7OJHR62KOMWS64YF4G73/

The newer issue is fixed upstream in 2021.03.16:
http://live555.com/liveMedia/public/changelog.txt

Mageia 7 and Mageia 8 are also affected. In Mageia 8, live is built as a shared library, but in Mageia 7 it's statically compiled into mplayer and vlc, which would need to be rebuilt against the update (and VLC is pending an update in Bug 29100).

CVE-2019-15232 only affects Mageia 7, as it was fixed upstream in 2019.08.16.

It looks like the vulnerabilities only affect the server code, which I don't think mplayer uses, and I doubt vlc does (but I'm not sure).
Various people have maintained this SRPM, so necessarily assigning the bug globally.
Assignee: bugsquad => pkg-bugs
For some libraries, the major number was incremented so mplayer and vlc needed to be rebuilt in Mageia 8 and Cauldron too.
CC: (none) => nicolas.salguero
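The two points above (live555 compiled statically into mplayer and vlc on Mageia 7, and a soname major bump forcing rebuilds on Mageia 8 and Cauldron) come down to one question a QA tester wants answered per binary: does it load live555 as a shared library, and against which soname major, or does it carry its own copy? The script below is an added example, not code from the bug report or from the live, mplayer or vlc packages. The sonames it knows (liblivemedia 94, libgroupsock 30, libBasicUsageEnvironment 1, libUsageEnvironment 3) are the ones listed in the update; the live555 class names it greps for and the "server code present" heuristic are assumptions of this example, not something the packages document. The constructed inputs in the usage are fake readelf/strings output, not captured from a Mageia system.

```shell
#!/bin/sh
# Added example (not from the Mageia bug or any package it names).
# Classify a binary's relationship to live555 from two text dumps:
#   NEEDED text : output of `readelf -d BIN | grep NEEDED`
#   SYMBOL text : output of `nm -C BIN` and/or `strings BIN`
# shared = dynamically linked, so updating the library alone fixes it
# static = live555 classes present without a DT_NEEDED entry: rebuild needed
# none   = no sign of live555 at all

# Sonames shipped by the update (liblivemedia94, libgroupsock30,
# libbasicusageenvironment1, libusageenvironment3).
LIVE555_SONAMES='liblivemedia\.so|libgroupsock\.so|libBasicUsageEnvironment\.so|libUsageEnvironment\.so'
# Assumed live555 class names. They show up in nm -C output and, because
# C++ RTTI type-info strings survive stripping, in `strings` output too.
LIVE555_SYMBOLS='RTSPClient|RTSPServer|GenericMediaServer|MediaSession|OnDemandServerMediaSubsession'
# Server-side classes only (the CVEs live in server code paths).
LIVE555_SERVER_SYMBOLS='RTSPServer|GenericMediaServer|OnDemandServerMediaSubsession'

# live555_linkage NEEDED_TEXT SYMBOL_TEXT -> shared | static | none
live555_linkage() {
  if printf '%s\n' "$1" | grep -Eq "$LIVE555_SONAMES"; then
    echo shared
  elif printf '%s\n' "$2" | grep -Eq "$LIVE555_SYMBOLS"; then
    echo static
  else
    echo none
  fi
}

# live555_major NEEDED_TEXT -> liblivemedia soname major the binary was
# linked against (empty when not dynamically linked to it). A major other
# than the one the update ships means the consumer must be rebuilt.
live555_major() {
  printf '%s\n' "$1" | sed -n 's/.*liblivemedia\.so\.\([0-9][0-9]*\).*/\1/p' | head -n 1
}

# live555_uses_server SYMBOL_TEXT -> yes | no
# A client-only consumer still loads the fixed library but never reaches
# the vulnerable server classes; this is a heuristic, not proof.
live555_uses_server() {
  if printf '%s\n' "$1" | grep -Eq "$LIVE555_SERVER_SYMBOLS"; then
    echo yes
  else
    echo no
  fi
}

# live555_report BINARY: run the checks on a file on disk (needs binutils).
live555_report() {
  bin=$1
  needed=$(readelf -d "$bin" 2>/dev/null | grep NEEDED || true)
  syms=$( { nm -C "$bin" 2>/dev/null; strings "$bin" 2>/dev/null; } || true)
  printf '%s: linkage=%s liblivemedia_major=%s server_code=%s\n' \
    "$bin" "$(live555_linkage "$needed" "$syms")" \
    "$(live555_major "$needed")" "$(live555_uses_server "$syms")"
}

# Usage: ./live555-check.sh /usr/bin/mplayer /usr/bin/vlc
for f in "$@"; do
  live555_report "$f"
done
```

The grep-based checks are a quick triage aid for the two package sets in this bug; the authoritative answer is still the spec file (BuildRequires on live-devel versus a bundled source tree) and `rpm -q --requires` on the built package, which will show the liblivemedia soname dependency only for the shared-library case.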
For Mageia 7, vlc failed to build (see: http://pkgsubmit.mageia.org/uploads/failure/7/core/updates_testing/20210629122826.ns80.duvel.11799/).

All the other builds succeeded:
- live-2021.06.25-1.mga{7|8|9}
- vlc-3.0.16-1.mga{8|9}(.tainted)
- mplayer-1.4-{1.1.mga7|9.3.mga8|15.mga9}(.tainted)
Note that there are core and tainted builds for mplayer (and vlc in Bug 29100).

Advisory:
========================

Updated live packages fix security vulnerabilities:

Live555 before 2019.08.16 has a Use-After-Free because GenericMediaServer::createNewClientSessionWithId can generate the same client session ID in succession, which is mishandled by the MPEG1or2 and Matroska file demultiplexors (CVE-2019-15232).

Vulnerability in the AC3AudioFileServerMediaSubsession, ADTSAudioFileServerMediaSubsession, and AMRAudioFileServerMediaSubsession OnDemandServerMediaSubsession subclasses in Live Networks LIVE555 Streaming Media before 2021.3.16 (CVE-2021-28899).

The mplayer package has been rebuilt against the updated live package.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15232
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28899
http://lists.live555.com/pipermail/live-devel/2021-March/021891.html
http://live555.com/liveMedia/public/changelog.txt
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/Y7ZOGH7UAC6Q7OJHR62KOMWS64YF4G73/
========================

Updated packages in core/updates_testing:
========================
live-2021.06.25-1.mga7
live-devel-2021.06.25-1.mga7
liblivemedia94-2021.06.25-1.mga8
live-debuginfo-2021.06.25-1.mga8
live-2021.06.25-1.mga8
liblive-devel-2021.06.25-1.mga8
libgroupsock30-2021.06.25-1.mga8
libbasicusageenvironment1-2021.06.25-1.mga8
libusageenvironment3-2021.06.25-1.mga8

from SRPMS:
live-2021.06.25-1.mga7.src.rpm
live-2021.06.25-1.mga8.src.rpm

Updated packages in {core,tainted}/updates_testing:
========================
mplayer-1.4-1.1.mga7
mplayer-doc-1.4-1.1.mga7
mplayer-gui-1.4-1.1.mga7
mencoder-1.4-1.1.mga7
mplayer-1.4-9.3.mga8
mplayer-doc-1.4-9.3.mga8
mplayer-gui-1.4-9.3.mga8
mencoder-1.4-9.3.mga8

from SRPMS:
mplayer-1.4-1.1.mga7.src.rpm
mplayer-1.4-9.3.mga8.src.rpm
Whiteboard: (none) => MGA7TOO
Assignee: pkg-bugs => qa-bugs
Version: Cauldron => 8
Blocks: (none) => 29100
Updated these with vlc at the same time, first with non-tainted, then switched to tainted. No installation issues. Played videos with both versions of vlc, with no problems. Didn't think to install mplayer-gui until after I had installed the tainted packages. Used that to play some videos, with no issues. However, I did not do any live streaming, so my test is probably inadequate for this bug.
CC: (none) => andrewsfarm
Looked back to previous updates and found Bug 13705 Comment 4, with several streaming urls that were still valid. (Thanks, wilcal) Tried one each in the tainted versions of vlc and mplayer-gui, and both played as they should. So, I would say the mga8 tainted version of mplayer is OK, as is live555. Need to try non-tainted versions on another system.
Tested vlc and these packages together, both core and tainted, in a 64-bit mga7 Plasma system. Also tested the core mga8 packages on the same hardware. No installation issues on any packages. Each time, tested both vlc and mplayer with wilcal's streaming video, a podcast of the latest tech news from seven years ago. All played the stream as expected. Also, played some video files with mplayer, and they looked good, too. This looks OK for both mga7 and mga8. Validating. Advisory in Comment 4.
Keywords: (none) => validated_update
Whiteboard: MGA7TOO => MGA7TOO MGA7-64-OK MGA8-64-OK
CC: (none) => sysadmin-bugs
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2021-0313.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED