Hi,

CVE-2023-43361 was announced here:
https://lwn.net/Articles/949233/

Mageia 8 and 9 are also affected.

Best regards,

Nico.
Source RPM: (none) => vorbis-tools-1.4.2-3.mga9.src.rpm
Whiteboard: (none) => MGA9TOO, MGA8TOO
CC: (none) => nicolas.salguero
Status comment: (none) => Patches available from openSUSE
Suse 'Fixed package version(s)' cite v1.4.0; perhaps our 1.4.2 is already OK. Assigning globally, no evident packager for this.
Assignee: bugsquad => pkg-bugs
Assigning to QA,

Packages in 9/Core/Updates_testing:
======================
vorbis-tools-1.4.2-3.1.mga9

Packages in 8/Core/Updates_testing:
======================
vorbis-tools-1.4.0-15.1.mga8

From SRPMS:
vorbis-tools-1.4.2-3.1.mga9.src.rpm
vorbis-tools-1.4.0-15.1.mga8.src.rpm
Whiteboard: MGA9TOO, MGA8TOO => MGA8TOO
Assignee: pkg-bugs => qa-bugs
CC: (none) => geiger.david68210
Version: Cauldron => 9
CC: (none) => mageia
Advisory based on comment 2 and the changelog mail added to SVN. Please remove the "advisory" keyword if it needs to be changed. It also helps when obsolete advisories are tagged as "obsolete".
CC: (none) => marja11
Keywords: (none) => advisory
MGA8-64 Xfce on Acer Aspire 5253
No installation issues
Ref bug 16677 for testing.

$ ogg123 01Blauwe\ geschelptesnel.ogg
Audio Device: PulseAudio Output
Playing: 01Blauwe geschelptesnel.ogg
Ogg Vorbis stream: 2 channel, 44100 Hz
Done.
plays OK

$ oggenc -L blauw.txt 01Blauwe\ geschelpte.wav
WARNING: Kate support not compiled in; lyrics will not be included.
Skipping chunk of type "LIST", length 52
Opening with wav module: WAV file reader
Encoding "01Blauwe geschelpte.wav" to
"01Blauwe geschelpte.ogg"
at quality 3.00
[ 99.6%] [ 0m00s remaining] /
Done encoding file "01Blauwe geschelpte.ogg"
File length: 3m 34.0s
Elapsed time: 0m 21.6s
Rate: 9.9147
Average bitrate: 117.0 kb/s

The "Skipping chunk of type "LIST", length 52" which seems to refer to the text file lets me suppose that this file is not processed (see further below)

$ ogg123 01Blauwe\ geschelpte.ogg
Audio Device: PulseAudio Output
Playing: 01Blauwe geschelpte.ogg
Ogg Vorbis stream: 2 channel, 44100 Hz
Done.
File plays OK.

$ oggdec 01Blauwe\ geschelptesnel.ogg
oggdec from vorbis-tools 1.4.0
Decoding "01Blauwe geschelptesnel.ogg" to "01Blauwe geschelptesnel.wav"
[100.0%]
File plays OK

[tester8@mach7 Music]$ ogginfo 01Blauwe\ geschelptesnel.ogg
Processing file "01Blauwe geschelptesnel.ogg"...
New logical stream (#1, serial: 07895ce1): type vorbis
Vorbis headers parsed for stream 1, information follows...
Version: 0
Vendor: Xiph.Org libVorbis I 20200704 (Reducing Environment)
Channels: 2
Rate: 44100
Nominal bitrate: 499.821000 kb/s
Upper bitrate not set
Lower bitrate not set
Vorbis stream 1:
Total data length: 3687608 bytes
Playback length: 1m:04.344s
Average bitrate: 458.486537 kb/s
Logical stream 1 ended

$ vcut 01Blauwe\ geschelpte.ogg blauw1.ogg blauw2.ogg +60
Processing: Cutting at 60.000000 seconds
Segmentation fault (core dumped)
This is the same as with the previous vorbis-tools-1.4.0-15.mga8 package, so no regression

$ vorbiscomment 01Blauwe\ geschelpte.ogg
No comment displayed which is consistent with the message from the oggenc command above.

Good to go.
CC: (none) => herman.viaene
Whiteboard: MGA8TOO => MGA8TOO MGA8-64-OK
MGA9-64 Xfce on Acer Aspire 5253
No installation issues.
Using the same files as above Comment 4, getting exactly the same results, with the exception that the vcut command ends OK (no feedback) and generates two expected files, which play OK with parole.
Good to go for me.
Whiteboard: MGA8TOO MGA8-64-OK => MGA8TOO MGA8-64-OK MGA9-64-OK
Validating.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2023-0316.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED