Bug 29718 - speex new security issue CVE-2020-23903
Summary: speex new security issue CVE-2020-23903
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2021-12-01 23:29 CET by David Walser
Modified: 2022-07-18 10:12 CEST

See Also:
Source RPM: speex-1.2.0-3.mga8.src.rpm
CVE: CVE-2020-23903
Status comment:


Attachments
original file from site mentioned (768.30 KB, audio/x-wav)
2021-12-08 15:22 CET, Herman Viaene

Description David Walser 2021-12-01 23:29:48 CET
SUSE has issued an advisory today (December 1):
https://lists.suse.com/pipermail/sle-security-updates/2021-December/009798.html

Mageia 8 is also affected.

David Walser 2021-12-01 23:30:00 CET

Whiteboard: (none) => MGA8TOO

Comment 1 David Walser 2021-12-01 23:32:17 CET
openSUSE has issued an advisory for this today (December 1):
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/M3JTMWLYWFOOWVMDAUX2VBB5ZULOV3LY/

Status comment: (none) => Patch available from openSUSE

Comment 2 David Walser 2021-12-01 23:46:23 CET
Fedora has issued an advisory for this today (December 1):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/R3SEV2ZRR47GSD3M7O5PH4XEJMKJJNG2/

Comment 3 Nicolas Salguero 2021-12-03 09:22:17 CET
Done for Mga8.

For Cauldron, submission to BS fails with:
"""
Submission errors, aborting:
- speex-1.2.0-4.mga9.src:
 - Unresolved dep on autoconf2.5 
 - Unresolved dep on chrpath 
 - Unresolved dep on pkgconfig(ogg) 
 - Unresolved dep on pkgconfig(speexdsp) 
"""

CVE: (none) => CVE-2020-23903
Status comment: Patch available from openSUSE => (none)
CC: (none) => nicolas.salguero

Comment 4 David Walser 2021-12-03 19:50:10 CET
Temporary build system error I guess.  It submits now.  Thanks.

libspeex-devel-1.2.0-3.1.mga8
libspeex1-1.2.0-3.1.mga8
speex-1.2.0-3.1.mga8

from speex-1.2.0-3.1.mga8.src.rpm

Whiteboard: MGA8TOO => (none)
Assignee: bugsquad => qa-bugs
Version: Cauldron => 8

Comment 5 Herman Viaene 2021-12-08 15:11:27 CET
Hmmm, while looking for info, I found this text "—The Speex codec has been obsoleted by Opus. It will continue to be available, but since Opus is better than Speex in all aspects, users are encouraged to switch—" on the page https://www.speex.org/
Continuing searching for some test file.

CC: (none) => herman.viaene

Comment 6 Herman Viaene 2021-12-08 15:21:41 CET
Found some at https://www.signalogic.com/index.pl?page=speech_codec_wav_samples, attaching the file I picked out.
At CLI:
$ speexenc female.wav femaleenc.spx
Encoding 8000 Hz audio using narrowband mode (mono)
]$ speexdec fe
femaleenc.spx  female.wav     
]$ speexdec femaleenc.spx femaledec.wav
Decoding 8000 Hz audio using narrowband mode (mono)
Encoded with Speex 1.2.0
I play all three files on VLCplayer and any possible difference escapes me.
OK for me.

Whiteboard: (none) => MGA8-64-OK

Comment 7 Herman Viaene 2021-12-08 15:22:18 CET
Created attachment 13026
original file from site mentioned

Comment 8 Thomas Andrews 2021-12-09 19:31:07 CET
Validating.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2021-12-10 21:45:19 CET

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 9 Mageia Robot 2021-12-10 23:20:22 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0550.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED
