One of those packages committed by various people, so having to assign this globally.

Assignee: bugsquad => pkg-bugs

Suggested advisory:
========================

The updated packages fixa security vulnerability:

In append_to_verify_fifo_interleaved_ of stream_encoder.c, there is a possible out of bounds write due to a missing bounds check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. (CVE-2021-0561)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-0561
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/EWXBVMPPSL377I7YM55ZYXVKVMYOKES2/
========================

Updated packages in core/updates_testing:
========================
lib(64)flac++6-1.3.3-3.1.mga8
lib(64)flac++-devel-1.3.3-3.1.mga8
lib(64)flac8-1.3.3-3.1.mga8
lib(64)flac-devel-1.3.3-3.1.mga8
flac-1.3.3-3.1.mga8

from SRPM:
flac-1.3.3-3.1.mga8.src.rpm

Version: Cauldron => 8
Whiteboard: MGA8TOO => (none)
Assignee: pkg-bugs => qa-bugs
CVE: (none) => CVE-2021-0561
Status comment: Fixed upstream in 1.3.4 => (none)
CC: (none) => nicolas.salguero
Status: NEW => ASSIGNED

mga8 x86_64
Updated the five packages.

$ flac --ogg MatthewLocke.flac 
flac 1.3.3
Copyright (C) 2000-2009  Josh Coalson, 2011-2016  Xiph.Org Foundation
flac comes with ABSOLUTELY NO WARRANTY.  This is free software, and you are
welcome to redistribute it under certain conditions.  Type `flac' for details.

MatthewLocke.flac: WARNING, lead-out offset of cuesheet in input FLAC file does not match input length, dropping existing cuesheet...
MatthewLocke.flac: wrote 37343868 bytes, ratio=1.000
$ ll *.oga
-rw-r--r-- 1 lcl lcl 37534861 Feb 26 23:34 MatthewLocke.oga

The ogg file played fine with mplayer.
$ cp MatthewLocke.flac test.flac
$ flac -d --delete-input-file test.flac
flac 1.3.3
Copyright (C) 2000-2009  Josh Coalson, 2011-2016  Xiph.Org Foundation
flac comes with ABSOLUTELY NO WARRANTY.  This is free software, and you are
welcome to redistribute it under certain conditions.  Type `flac' for details.

test.flac: WARNING, cannot check MD5 signature since it was unset in the STREAMINFO
done         

The last test decoded the flac file to generate a WAV file which mplayer handled OK.
$ ll *.wav
-rw-r--r-- 1 lcl lcl 103118780 Feb 27 15:15 test.wav

Analyse a flac file:
$ flac -a MatthewLocke.flac
$ less MatthewLocke.flac
frame=0 offset=2412     bits=9776       blocksize=4608  sample_rate=44100       channels=2      channel_assignment=INDEPENDENT
        subframe=0      wasted_bits=0   type=FIXED      order=0 residual_type=RICE      partition_order=3
                parameter[0]=0
                parameter[1]=0
                parameter[2]=0
                parameter[3]=0
                parameter[4]=0
                parameter[5]=0
                parameter[6]=0
                parameter[7]=0
        subframe=1      wasted_bits=0   type=FIXED      order=0 residual_type=RICE      partition_order=3
.......

$ urpmq --whatrequires lib64flac++6-1.3.3 | uniq
audacity
k3b
kid3-core
kwave
lib64flac++-devel
lib64flac++6

Installed kwave.  Launched from the cli, kwave displays a window with all the lower menu options greyed out except record.  Don't know how to access the handbook but found it online.  

$ kwave locke.flac
displayed the same gui and posted lots of things "not found" in the console.
Opened a test WAV file to display two identical audio channels and a summary of the properties like mode, length and number of samples.
No experience of any of this so dropping it.

At entry level flac seems to work.

CC: (none) => tarazed25

Adding the OK for 64-bits.

Whiteboard: (none) => MGA8-64-OK

Validating. Advisory in Comment 2.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0085.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED