Bug 32283 - flac new security issue CVE-2020-22219
Summary: flac new security issue CVE-2020-22219
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2023-09-13 14:10 CEST by Nicolas Salguero
Modified: 2023-09-30 21:18 CEST

See Also:
Source RPM: flac-1.3.3-3.1.mga8.src.rpm
CVE:
Status comment:



Description Nicolas Salguero 2023-09-13 14:10:59 CEST
Ubuntu has issued an advisory on September 12:
https://ubuntu.com/security/notices/USN-6360-1
Nicolas Salguero 2023-09-13 14:25:44 CEST

CC: (none) => nicolas.salguero

Comment 1 Lewis Smith 2023-09-13 19:58:44 CEST
Not sure that the SRPM version is right. Got it from Sophie - but it is similar to that for the fix, apparently. Our version 1.3.3 is years old. (1.3.4 18m ago).

Various packagers involved, so assigning globally.

Source RPM: (none) => flac-1.3.3-3.1.mga8.src.rpm
Assignee: bugsquad => pkg-bugs
Status comment: (none) => Fix 1.3.3-2 ?

Comment 2 Nicolas Salguero 2023-09-14 14:30:05 CEST
Suggested advisory:
========================

The updated packages fix a security vulnerability:

Buffer Overflow vulnerability in function bitwriter_grow_ in flac before 1.4.0 allows remote attackers to run arbitrary code via crafted input to the encoder. (CVE-2020-22219)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-22219
https://ubuntu.com/security/notices/USN-6360-1
========================

Updated packages in core/updates_testing:
========================
flac-1.3.3-3.2.mga8
lib(64)flac++6-1.3.3-3.2.mga8
lib(64)flac++-devel-1.3.3-3.2.mga8
lib(64)flac8-1.3.3-3.2.mga8
lib(64)flac-devel-1.3.3-3.2.mga8

from SRPM:
flac-1.3.3-3.2.mga8.src.rpm

Status: NEW => ASSIGNED
Status comment: Fix 1.3.3-2 ? => (none)
Assignee: pkg-bugs => nicolas.salguero

Nicolas Salguero 2023-09-18 09:24:27 CEST

Assignee: nicolas.salguero => qa-bugs

PC LX 2023-09-20 17:53:18 CEST

CC: (none) => mageia

Comment 3 Herman Viaene 2023-09-21 15:10:41 CEST
MGA8-64 Xfce on Acer Aspire 5253
No installation issues.
Ref bug 30098 Comment 3, testing some features of the flac command
$ flac 01Blauwe\ geschelpte.wav 02Chop-soy\ fighting.wav

flac 1.3.3
Copyright (C) 2000-2009  Josh Coalson, 2011-2016  Xiph.Org Foundation
flac comes with ABSOLUTELY NO WARRANTY.  This is free software, and you are
welcome to redistribute it under certain conditions.  Type `flac' for details.

01Blauwe geschelpte.wav: WARNING: skipping unknown chunk 'LIST' (use --keep-foreign-metadata to keep)
01Blauwe geschelpte.wav: wrote 20857943 bytes, ratio=0.552
02Chop-soy fighting.wav: WARNING: skipping unknown chunk 'LIST' (use --keep-foreign-metadata to keep)
02Chop-soy fighting.wav: wrote 17349669 bytes, ratio=0.543
Compared the wav and flac file as far as can be done on the speakers of an old laptop, no difference to my ears.
$ flac --ogg 01Blauwe\ geschelpte.flac 

flac 1.3.3
Copyright (C) 2000-2009  Josh Coalson, 2011-2016  Xiph.Org Foundation
flac comes with ABSOLUTELY NO WARRANTY.  This is free software, and you are
welcome to redistribute it under certain conditions.  Type `flac' for details.

01Blauwe geschelpte.flac: wrote 20858343 bytes, ratio=1.000
ogg sounds the same
$ flac -a 01Blauwe\ geschelpte.flac 

flac 1.3.3
Copyright (C) 2000-2009  Josh Coalson, 2011-2016  Xiph.Org Foundation
flac comes with ABSOLUTELY NO WARRANTY.  This is free software, and you are
welcome to redistribute it under certain conditions.  Type `flac' for details.

01Blauwe geschelpte.flac: done             
Result is in an .ana file, opened it with mousepad:
frame=0	offset=486	bits=123240	blocksize=4096	sample_rate=44100	channels=2	channel_assignment=INDEPENDENT
	subframe=0	wasted_bits=0	type=LPC	order=8	qlp_coeff_precision=12	quantization_level=10	residual_type=RICE	partition_order=0
		qlp_coeff[0]=1203
		qlp_coeff[1]=-1389
etc..... 110613 lines long.

As in bug 30098, problems with kwave
$ kwave 01Blauwe\ geschelpte.flac 
Benchmarking memcpy methods (smaller is better):
	libc : 77926470
	linux kernel : 118099809
	MMX  : 115288422
	MMXEXT : 80255538
	SSE : 80618001
using -> 'libc'
kf.coreaddons.kaboutdata: QCoreApplication::applicationName "kwave" is out-of-sync with KAboutData::applicationData().componentName "Kwave"
kf.coreaddons.kaboutdata: QCoreApplication::applicationName "kwave" is out-of-sync with KAboutData::applicationData().componentName "Kwave"
MenuNode 'Previous Page': icon 'kwave_player_start' not found !
MenuNode 'Next Page': icon 'kwave_player_end' not found !
MenuNode 'Scroll Right': icon 'kwave_player_fwd' not found !
Nothing opened in the kwave window
flac opens OK and I could up the tempo so the music plays (at the same pitch) in 1'4" i.s.o. 3'34"

All looks OK.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA8-64-OK

Comment 4 Thomas Andrews 2023-09-24 02:45:28 CEST
Validating. Advisory in comment 2.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Marja Van Waes 2023-09-30 16:17:20 CEST

Keywords: (none) => advisory
CC: (none) => marja11

Comment 5 Mageia Robot 2023-09-30 21:18:40 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0277.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

