SUSE has issued an advisory today (August 20):
https://lists.suse.com/pipermail/sle-security-updates/2021-August/009325.html

The issue is fixed upstream in 0.15.1.

Advisory:
========================

Updated libass packages fix security vulnerability:

libass 0.15.x before 0.15.1 has a heap-based buffer overflow in decode_chars (called from decode_font and process_text) because the wrong integer data type is used for subtraction (CVE-2020-36430).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36430
https://lists.suse.com/pipermail/sle-security-updates/2021-August/009325.html
========================

Updated packages in core/updates_testing:
========================
libass9-0.15.1-1.mga8
libass-devel-0.15.1-1.mga8

from libass-0.15.1-1.mga8.src.rpm
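A constructed C illustration of the bug class the advisory names (a subtraction carried out in an unsigned type, leading to an undersized heap buffer). It is added here and is not code from libass or from this thread; the 4-characters-to-3-bytes sizing rule and every function name are assumptions made for the example.

```c
#include <stddef.h>
#include <stdio.h>

#define MAX(a, b) ((a) > (b) ? (a) : (b))

/* Assumed sizing rule (constructed for this example): every 4 input
 * characters decode to 3 bytes; a trailing group of r characters
 * (r = 1..3) decodes to r - 1 bytes. */

/* Bytes a decoder following that rule writes, counted group by group. */
size_t bytes_written(size_t cnt_in)
{
    size_t n = 0;
    for (; cnt_in >= 4; cnt_in -= 4)
        n += 3;
    if (cnt_in > 1)
        n += cnt_in - 1;
    return n;
}

/* Flawed: cnt_in % 4 is size_t, so "- 1" wraps to SIZE_MAX when the
 * remainder is 0 and MAX(..., 0) can never clamp it. For non-empty
 * input, adding SIZE_MAX equals subtracting 1: one byte short. */
size_t out_size_flawed(size_t cnt_in)
{
    return cnt_in / 4 * 3 + MAX(cnt_in % 4 - 1, 0);
}

/* Corrected: test the remainder before subtracting. */
size_t out_size_checked(size_t cnt_in)
{
    size_t rem = cnt_in % 4;
    return cnt_in / 4 * 3 + (rem ? rem - 1 : 0);
}

/* Bytes written past a buffer of `alloc` bytes (0 if it fits). */
size_t overrun(size_t cnt_in, size_t alloc)
{
    size_t need = bytes_written(cnt_in);
    return need > alloc ? need - alloc : 0;
}

int main(void)
{
    for (size_t n = 4; n <= 8; n++)
        printf("in=%zu flawed=%zu checked=%zu overrun=%zu\n", n,
               out_size_flawed(n), out_size_checked(n),
               overrun(n, out_size_flawed(n)));
    return 0;
}
```

Only input lengths that are a multiple of 4 hit the wrap, which is why a size computed this way looks correct on most inputs.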
openSUSE has issued an advisory for this today (August 20):
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/TQ4DQBQAAUJIVKVW7IIROTEKRYDSFT2S/

We can use that reference in the advisory instead.
mga8, x64

Poked around to see if there was any way to test the overflow issue but as is fairly usual these days the PoC are part of a cluster-fuzz framework. Not only do we not want to get into a rebuilding situation but the final product differs from the release candidate.

Installed the vlc-plugin-libass and ran a trace on vlc while playing a film with subtitles enabled. That showed that liblibass_plugin.so was being opened. The plugin requires lib64ass9.

Updated the two packages.

Ran the vlc test to confirm that the libass plugin was opened.

The requires list indicates that mplayer uses the library directly. Verified that by running mplayer under strace.

$ grep libass mplayer.trace
openat(AT_FDCWD, "/lib64/libass.so.9", O_RDONLY|O_CLOEXEC) = 3

This looks OK for 64-bits.
Whiteboard: (none) => MGA8-64-OK
CC: (none) => tarazed25
Validating. Advisory in Comment 0.
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2021-0413.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED