32480 – libsndfile new security issue CVE-2022-33065

Bug 32480 - libsndfile new security issue CVE-2022-33065

Summary: libsndfile new security issue CVE-2022-33065

Status:	RESOLVED FIXED

Alias:	None

Product:	Mageia
Classification:	Unclassified
Component:	Security (show other bugs)
Version:	9
Hardware:	All Linux

Priority:	Normal Severity: normal
Target Milestone:	---
Assignee:	QA Team
QA Contact:	Sec team

URL:
Whiteboard:	MGA8TOO MGA8-64-OK MGA9-64-OK
Keywords:	advisory, validated_update

Depends on:
Blocks:

Reported:	2023-11-02 15:31 CET by Nicolas Salguero
Modified:	2023-11-07 01:10 CET (History)
CC List:	6 users (show)

See Also:
Source RPM:	libsndfile-1.2.0-2.mga9
CVE:
Status comment:	Patches available from openSUSE

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description Nicolas Salguero 2023-11-02 15:31:50 CET

Hi,

CVE-2022-33065 was announced here:
https://lwn.net/Articles/949598/

Mageia 8 and 9 are also affected.

Best regards,

Nico.

Nicolas Salguero 2023-11-02 15:32:38 CET

Whiteboard: (none) => MGA9TOO, MGA8TOO
CC: (none) => nicolas.salguero
Status comment: (none) => Patches available from openSUSE
Source RPM: (none) => libsndfile-1.2.0-2.mga9.src.rpm

Comment 1 Lewis Smith 2023-11-02 18:29:34 CET

Attention: This bug was raised quoting:
 libsndfile-1.2.0-2.mga9.src.rpm
but I see it has recently been updated to v.1.2.2 (so I updated the SRPM field).
The new version might already incorporate the openSUSE patch cited.
This may help, from https://bugzilla.suse.com/show_bug.cgi?id=1213451:
"The fix provided in the upstream commit
https://github.com/libsndfile/libsndfile/commit/0754562e13d2e63a248a1c82f90b30bc0ffe307c
I backported to TW (together with the version update to 1.2.2)"

Assigning to DavidG who did our version update.

Source RPM: libsndfile-1.2.0-2.mga9.src.rpm => libsndfile-1.2.2-1.mga9.src.rpm
Assignee: bugsquad => geiger.david68210

Comment 2 David GEIGER 2023-11-03 06:17:58 CET

Assigning to QA,

Packages in 9/Core/Updates_testing:
======================
libsndfile-devel-1.2.0-3.1.mga9
lib64sndfile-devel-1.2.0-3.1.mga9
libsndfile-progs-1.2.0-3.1.mga9
libsndfile1-1.2.0-3.1.mga9
lib64sndfile1-1.2.0-3.1.mga9

Packages in 8/Core/Updates_testing:
======================
libsndfile-progs-1.0.31-1.3.mga8
libsndfile-devel-1.0.31-1.3.mga8
lib64sndfile-devel-1.0.31-1.3.mga8
libsndfile1-1.0.31-1.3.mga8
lib64sndfile1-1.0.31-1.3.mga8


From SRPMS:
libsndfile-1.2.0-3.1.mga9.src.rpm
libsndfile-1.0.31-1.3.mga8.src.rpm

Version: Cauldron => 9
Assignee: geiger.david68210 => qa-bugs
Whiteboard: MGA9TOO, MGA8TOO => MGA8TOO

PC LX 2023-11-03 09:19:10 CET

CC: (none) => mageia

Comment 3 Marja Van Waes 2023-11-03 10:22:37 CET

(In reply to Lewis Smith from comment #1)
> Attention: This bug was raised quoting:
>  libsndfile-1.2.0-2.mga9.src.rpm
> but I see it has recently been updated to v.1.2.2 (so I updated the SRPM
> field).

That was only in cauldron, Mageia 9 did not get v. 1.2.2

CC: (none) => marja11
Source RPM: libsndfile-1.2.2-1.mga9.src.rpm => libsndfile-1.2.0-2.mga9

Comment 4 Marja Van Waes 2023-11-03 10:33:17 CET

Advisory based on comment 2 and the changelog mail added to SVN. Please remove the "advisory" keyword if it needs to be changed. It also helps when obsolete advisories are tagged as "obsolete"

Keywords: (none) => advisory

Comment 5 Len Lawrence 2023-11-05 22:00:39 CET

mga8 x86_64
Pre-update: could not find a usable PoC.

Updated the three packages:
lib64sndfile-devel-1.0.31-1.3.mga8.x86_64.rpm
lib64sndfile1-1.0.31-1.3.mga8.x86_64.rpm
libsndfile-progs-1.0.31-1.3.mga8.x86_64.rpm

Exercised the libraries by using
$ sndfile-info Semiramis.wav========================================
File : Semiramis.wav
Length : 82362380
RIFF : 82362372
WAVE
fmt  : 16
  Format        : 0x1 => WAVE_FORMAT_PCM
  Channels      : 2
  Sample Rate   : 44100
  Block Align   : 4
  Bit Width     : 16
  Bytes/sec     : 176400
data : 82362336
End

----------------------------------------
Sample Rate : 44100
Frames      : 20590584
Channels    : 2
Format      : 0x00010002
Sections    : 1
Seekable    : TRUE
Duration    : 00:07:46.907
Signal Max  : 22236 (-3.37 dB)

$ sndfile-play Semiramis.wav
Playing Semiramis.wav

using PulseAudioVolumeControl.

CC: (none) => tarazed25
Whiteboard: MGA8TOO => MGA8TOO MGA8-64-OK

Comment 6 Len Lawrence 2023-11-05 22:47:59 CET

Mageia9, x86_64
Starting with version 1.2.0-2, which works.

$ sndfile-info Non_più_andrai.mp4
Error : Not able to open input file Non_più_andrai.mp4.
File : Non_più_andrai.mp4
Length : 18419514
$ sndfile-info 'Long as I Can See the Light.wav'
========================================
File : Long as I Can See the Light.wav
Length : 18419604
RIFF : 18419596
.............

$ sndfile-play 'Long as I Can See the Light.wav'
Playing Long as I Can See the Light.wav
$ sndfile-play MatthewLocke.flac
Playing MatthewLocke.flac

Updated the packages.
$ sndfile-info IGotYouBabe_ChrissieHynde.ogg
========================================
File : IGotYouBabe_ChrissieHynde.ogg
Length : 4039295
Ogg stream data : Vorbis
Stream serialno : 1632469135
Vorbis library version : Xiph.Org libVorbis 1.3.7
Bitstream is 2 channel, 44100 Hz
Encoded by : Xiph.Org libVorbis I 20070622
PCM offset  : 0
PCM end     : 8382528
Metadata :
  Title      : I Got You Babe (feat. Chrissie Hynde)
  Artist     : UB40
.................

$ sndfile-play MatthewLocke.flac
Playing MatthewLocke.flac
$ sndfile-play LaDansereye-TielmanSusato.wav
Playing LaDansereye-TielmanSusato.wav

Looks OK.

Whiteboard: MGA8TOO MGA8-64-OK => MGA8TOO MGA8-64-OK MGA9-64-OK

Comment 7 Thomas Andrews 2023-11-06 02:41:45 CET

Validating.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Comment 8 Mageia Robot 2023-11-07 01:10:31 CET

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0310.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

Note You need to log in before you can comment on or make changes to this bug.