Debian has issued an advisory for this on November 2: https://lwn.net/Articles/950049/ Cauldron already contains VLC 3.0.20 so it is not affected. Mageia 8 is also affected.
CC: (none) => nicolas.salguero
Source RPM: (none) => vlc-3.0.18-5.mga9(.tainted).src.rpm
Whiteboard: (none) => MGA8TOO
Status comment: (none) => Fixed upstream in 3.0.20
We already have v3.0.20 in Cauldron, thanks to Stig. It looks sensible to assign this to you for M8 & M9.
Assignee: bugsquad => smelror
Suggested advisory:
========================

The updated packages fix a security vulnerability:

An out-of-bounds write was discovered in the MMS demuxer of the VLC media player.

References:
https://lwn.net/Articles/950049/
========================

Updated packages in core/updates_testing:
========================
lib(64)vlc-devel-3.0.20-1.mga9
lib(64)vlc5-3.0.20-1.mga9
lib(64)vlccore9-3.0.20-1.mga9
svlc-3.0.20-1.mga9
vlc-3.0.20-1.mga9
vlc-plugin-aa-3.0.20-1.mga9
vlc-plugin-chromaprint-3.0.20-1.mga9
vlc-plugin-common-3.0.20-1.mga9
vlc-plugin-dv-3.0.20-1.mga9
vlc-plugin-flac-3.0.20-1.mga9
vlc-plugin-fluidsynth-3.0.20-1.mga9
vlc-plugin-gme-3.0.20-1.mga9
vlc-plugin-gnutls-3.0.20-1.mga9
vlc-plugin-jack-3.0.20-1.mga9
vlc-plugin-kate-3.0.20-1.mga9
vlc-plugin-libass-3.0.20-1.mga9
vlc-plugin-libnotify-3.0.20-1.mga9
vlc-plugin-lirc-3.0.20-1.mga9
vlc-plugin-lua-3.0.20-1.mga9
vlc-plugin-mod-3.0.20-1.mga9
vlc-plugin-mpc-3.0.20-1.mga9
vlc-plugin-ncurses-3.0.20-1.mga9
vlc-plugin-opengl-3.0.20-1.mga9
vlc-plugin-projectm-3.0.20-1.mga9
vlc-plugin-pulse-3.0.20-1.mga9
vlc-plugin-rist-3.0.20-1.mga9
vlc-plugin-samba-3.0.20-1.mga9
vlc-plugin-schroedinger-3.0.20-1.mga9
vlc-plugin-sdl-3.0.20-1.mga9
vlc-plugin-shout-3.0.20-1.mga9
vlc-plugin-sid-3.0.20-1.mga9
vlc-plugin-sndio-3.0.20-1.mga9
vlc-plugin-speex-3.0.20-1.mga9
vlc-plugin-theora-3.0.20-1.mga9
vlc-plugin-twolame-3.0.20-1.mga9
vlc-plugin-upnp-3.0.20-1.mga9
vlc-plugin-vdpau-3.0.20-1.mga9
vlc-plugin-zvbi-3.0.20-1.mga9

from SRPM:
vlc-3.0.20-1.mga9.src.rpm

Updated packages in tainted/updates_testing:
========================
lib(64)vlc-devel-3.0.20-1.mga9.tainted
lib(64)vlc5-3.0.20-1.mga9.tainted
lib(64)vlccore9-3.0.20-1.mga9.tainted
svlc-3.0.20-1.mga9.tainted
vlc-3.0.20-1.mga9.tainted
vlc-plugin-aa-3.0.20-1.mga9.tainted
vlc-plugin-chromaprint-3.0.20-1.mga9.tainted
vlc-plugin-common-3.0.20-1.mga9.tainted
vlc-plugin-dv-3.0.20-1.mga9.tainted
vlc-plugin-fdkaac-3.0.20-1.mga9.tainted
vlc-plugin-flac-3.0.20-1.mga9.tainted
vlc-plugin-fluidsynth-3.0.20-1.mga9.tainted
vlc-plugin-gme-3.0.20-1.mga9.tainted
vlc-plugin-gnutls-3.0.20-1.mga9.tainted
vlc-plugin-jack-3.0.20-1.mga9.tainted
vlc-plugin-kate-3.0.20-1.mga9.tainted
vlc-plugin-libass-3.0.20-1.mga9.tainted
vlc-plugin-libnotify-3.0.20-1.mga9.tainted
vlc-plugin-lirc-3.0.20-1.mga9.tainted
vlc-plugin-lua-3.0.20-1.mga9.tainted
vlc-plugin-mod-3.0.20-1.mga9.tainted
vlc-plugin-mpc-3.0.20-1.mga9.tainted
vlc-plugin-ncurses-3.0.20-1.mga9.tainted
vlc-plugin-opengl-3.0.20-1.mga9.tainted
vlc-plugin-projectm-3.0.20-1.mga9.tainted
vlc-plugin-pulse-3.0.20-1.mga9.tainted
vlc-plugin-rist-3.0.20-1.mga9.tainted
vlc-plugin-samba-3.0.20-1.mga9.tainted
vlc-plugin-schroedinger-3.0.20-1.mga9.tainted
vlc-plugin-sdl-3.0.20-1.mga9.tainted
vlc-plugin-shout-3.0.20-1.mga9.tainted
vlc-plugin-sid-3.0.20-1.mga9.tainted
vlc-plugin-sndio-3.0.20-1.mga9.tainted
vlc-plugin-speex-3.0.20-1.mga9.tainted
vlc-plugin-theora-3.0.20-1.mga9.tainted
vlc-plugin-twolame-3.0.20-1.mga9.tainted
vlc-plugin-upnp-3.0.20-1.mga9.tainted
vlc-plugin-vdpau-3.0.20-1.mga9.tainted
vlc-plugin-zvbi-3.0.20-1.mga9.tainted

from SRPM:
vlc-3.0.20-1.mga9.tainted.src.rpm
Whiteboard: MGA8TOO => (none)
Status: NEW => ASSIGNED
Assignee: smelror => qa-bugs
Status comment: Fixed upstream in 3.0.20 => (none)
CC: (none) => mageia
(In reply to Nicolas Salguero from comment #0)
> Debian has issued an advisory for this on November 2:
> https://lwn.net/Articles/950049/

That is DSA 5545-1, which is said to be CVE-2023-47359 and CVE-2023-47360 here:
https://security-tracker.debian.org/tracker/DSA-5545-1

So adding those to the CVE: field.

CVE: (none) => CVE-2023-47359, CVE-2023-47360
CC: (none) => marja11
Advisory from comment 2 adjusted and added to SVN.
https://svnweb.mageia.org/advisories/32487.adv?view=markup&pathrev=15494

Nicolas, if it was wrong to adjust it, then please remove the "advisory" keyword. Also remove it if it needs to be changed for a different reason. It helps when obsolete advisories are tagged as "obsolete".
Keywords: (none) => advisory
Tested on real hardware, Mageia 9 x86_64.
The vlc packages in my system were updated without issues.
Played some videos without issues.
Installed and tested tainted packages without issues. Tested on a variety of files with no issues. No regressions noticed.

System: Mageia 9, x86_64, Plasma DE, LXQt DE, AMD Ryzen 5 5600G with Radeon Graphics using amdgpu driver.

$ uname -a
Linux jupiter 6.5.13-desktop-6.mga9 #1 SMP PREEMPT_DYNAMIC Sun Dec 17 22:42:25 UTC 2023 x86_64 GNU/Linux

$ rpm -qa | grep vlc | sort
lib64vlc5-3.0.20-1.mga9.tainted
lib64vlccore9-3.0.20-1.mga9.tainted
phonon4qt5-vlc-0.11.3-2.mga9
vlc-3.0.20-1.mga9.tainted
vlc-plugin-common-3.0.20-1.mga9.tainted
vlc-plugin-lua-3.0.20-1.mga9.tainted
vlc-plugin-opengl-3.0.20-1.mga9.tainted
vlc-plugin-pulse-3.0.20-1.mga9.tainted
vlc-plugin-samba-3.0.20-1.mga9.tainted
vlc-plugin-theora-3.0.20-1.mga9.tainted
vlc-plugin-upnp-3.0.20-1.mga9.tainted
vlc-plugin-vdpau-3.0.20-1.mga9.tainted
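The `rpm -qa | grep vlc | sort` listing in the comment above is the check a tester does by eye: every package built from the vlc source must carry the fixed version 3.0.20 named in the advisory. The script below is an added example, not part of this bug report or of Mageia's QA tooling, that automates the same check over such a listing. It assumes GNU `sort -V` for version ordering and feeds itself a constructed package list (including one deliberately stale `vlc-3.0.18-5.mga9` entry, the version the Source RPM field above started from). Packages that merely contain "vlc" in their name but come from a different source, such as `phonon4qt5-vlc`, are skipped because their own version numbers say nothing about this advisory.

```shell
#!/bin/sh
# Added example (not from the bug report): verify that the installed
# vlc packages are at or above the version fixed in the advisory.

# version_of NAME-VERSION-RELEASE  ->  prints VERSION
# e.g. lib64vlc5-3.0.20-1.mga9.tainted -> 3.0.20
version_of() {
    printf '%s\n' "$1" | sed -E 's/^.*-([0-9][^-]*)-[^-]+$/\1/'
}

# is_at_least VER FIXED  ->  true when VER >= FIXED (GNU sort -V ordering)
is_at_least() {
    lowest=$(printf '%s\n%s\n' "$2" "$1" | sort -V | head -n 1)
    [ "$lowest" = "$2" ]
}

# check_vlc_packages FIXED  <  list of installed packages (one per line)
# Prints one line per vlc package; returns 1 if any is below FIXED.
# Only packages built from the vlc source are considered: vlc, svlc,
# vlc-plugin-*, lib(64)vlc*.  phonon4qt5-vlc and similar are skipped.
check_vlc_packages() {
    fixed="$1"
    status=0
    while IFS= read -r pkg; do
        case "$pkg" in
            vlc-*|svlc-*|libvlc*|lib64vlc*) ;;
            *) continue ;;
        esac
        ver=$(version_of "$pkg")
        if is_at_least "$ver" "$fixed"; then
            printf 'OK       %s\n' "$pkg"
        else
            printf 'OUTDATED %s (%s < %s)\n' "$pkg" "$ver" "$fixed"
            status=1
        fi
    done
    return "$status"
}

# Constructed sample listing: what "rpm -qa | grep vlc | sort" might print
# on a box where one package missed the update.  A real run would use:
#   rpm -qa | grep vlc | sort | check_vlc_packages 3.0.20
SAMPLE_LISTING='lib64vlc5-3.0.20-1.mga9.tainted
lib64vlccore9-3.0.20-1.mga9.tainted
phonon4qt5-vlc-0.11.3-2.mga9
vlc-3.0.18-5.mga9
vlc-plugin-common-3.0.20-1.mga9.tainted'

if printf '%s\n' "$SAMPLE_LISTING" | check_vlc_packages 3.0.20; then
    echo "all vlc packages carry the fixed version"
else
    echo "at least one vlc package is still below the fixed version"
fi
```

Run it as `rpm -qa | grep vlc | sort | check_vlc_packages 3.0.20` on a live system; the non-zero exit status makes it usable from a QA checklist script. Note that `sort -V` compares the version field only, so a rebuilt `3.0.20-2.mga9` and the advisory's `3.0.20-1.mga9` both pass, which is the intended behaviour here.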
MGA9-64 Plasma Wayland on HP Pavilion.

First installed the regular Core packages and tested those, then installed the tainted packages over them. Both sets tested with sound files (wav and mp3) and video files (mkv, avi and mp..). No problems whatsoever.

In view of the other tests from katnatek and PC-LX, giving the OK.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA9-64-OK
Tested on real hardware, Mageia 9 i586, LXQt.

Playing a video with subtitles, it complains about the subtitles format:
VLC no puede decodificar el formato "ssa " (SubStation Alpha subtitles)

After installing vlc-libass and trying again I can see the subtitles, so that was a "the chair" issue.

Keywords: (none) => validated_update
Whiteboard: MGA9-64-OK => MGA9-64-OK,MGA9-32-OK
CC: (none) => sysadmin-bugs
(In reply to katnatek from comment #8)
> After installing vlc-libass and trying again I can see the subtitles, so that was
> a "the chair" issue

I mean vlc-plugin-libass.
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2024-0007.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED