Fedora has issued an advisory on February 25:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/EWXBVMPPSL377I7YM55ZYXVKVMYOKES2/

The issue is fixed upstream in 1.3.4.

Mageia 8 is also affected.
Status comment: (none) => Fixed upstream in 1.3.4
Whiteboard: (none) => MGA8TOO
One of those packages committed by various people, so having to assign this globally.
Assignee: bugsquad => pkg-bugs
Suggested advisory:
========================

The updated packages fix a security vulnerability:

In append_to_verify_fifo_interleaved_ of stream_encoder.c, there is a possible out of bounds write due to a missing bounds check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. (CVE-2021-0561)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-0561
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/EWXBVMPPSL377I7YM55ZYXVKVMYOKES2/
========================

Updated packages in core/updates_testing:
========================
lib(64)flac++6-1.3.3-3.1.mga8
lib(64)flac++-devel-1.3.3-3.1.mga8
lib(64)flac8-1.3.3-3.1.mga8
lib(64)flac-devel-1.3.3-3.1.mga8
flac-1.3.3-3.1.mga8

from SRPM:
flac-1.3.3-3.1.mga8.src.rpm
Version: Cauldron => 8
Whiteboard: MGA8TOO => (none)
Assignee: pkg-bugs => qa-bugs
CVE: (none) => CVE-2021-0561
Status comment: Fixed upstream in 1.3.4 => (none)
CC: (none) => nicolas.salguero
Status: NEW => ASSIGNED
Source RPM: flac-1.3.3-4.mga9.src.rpm => flac-1.3.3-3.mga8.src.rpm
mga8 x86_64

Updated the five packages.

$ flac --ogg MatthewLocke.flac
flac 1.3.3
Copyright (C) 2000-2009 Josh Coalson, 2011-2016 Xiph.Org Foundation
flac comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
welcome to redistribute it under certain conditions. Type `flac' for details.

MatthewLocke.flac: WARNING, lead-out offset of cuesheet in input FLAC file does not match input length, dropping existing cuesheet...
MatthewLocke.flac: wrote 37343868 bytes, ratio=1.000
$ ll *.oga
-rw-r--r-- 1 lcl lcl 37534861 Feb 26 23:34 MatthewLocke.oga

The ogg file played fine with mplayer.

$ cp MatthewLocke.flac test.flac
$ flac -d --delete-input-file test.flac
flac 1.3.3
Copyright (C) 2000-2009 Josh Coalson, 2011-2016 Xiph.Org Foundation
flac comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
welcome to redistribute it under certain conditions. Type `flac' for details.

test.flac: WARNING, cannot check MD5 signature since it was unset in the STREAMINFO
done

The last test decoded the flac file to generate a WAV file which mplayer handled OK.

$ ll *.wav
-rw-r--r-- 1 lcl lcl 103118780 Feb 27 15:15 test.wav

Analyse a flac file:

$ flac -a MatthewLocke.flac
$ less MatthewLocke.flac
frame=0 offset=2412 bits=9776 blocksize=4608 sample_rate=44100 channels=2 channel_assignment=INDEPENDENT
    subframe=0 wasted_bits=0 type=FIXED order=0 residual_type=RICE partition_order=3
        parameter[0]=0
        parameter[1]=0
        parameter[2]=0
        parameter[3]=0
        parameter[4]=0
        parameter[5]=0
        parameter[6]=0
        parameter[7]=0
    subframe=1 wasted_bits=0 type=FIXED order=0 residual_type=RICE partition_order=3
.......

$ urpmq --whatrequires lib64flac++6-1.3.3 | uniq
audacity
k3b
kid3-core
kwave
lib64flac++-devel
lib64flac++6

Installed kwave. Launched from the cli, kwave displays a window with all the lower menu options greyed out except record. Don't know how to access the handbook but found it online.

$ kwave locke.flac
displayed the same gui and posted lots of things "not found" in the console.
Opened a test WAV file to display two identical audio channels and a summary of the properties like mode, length and number of samples. No experience of any of this so dropping it. At entry level flac seems to work.
CC: (none) => tarazed25
Adding the OK for 64-bits.
Whiteboard: (none) => MGA8-64-OK
Validating. Advisory in Comment 2.
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
CC: (none) => davidwhodgins
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2022-0085.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED