33789 – libsndfile new security issue CVE-2024-50612

Bug 33789 - libsndfile new security issue CVE-2024-50612

Summary: libsndfile new security issue CVE-2024-50612

Status:	RESOLVED FIXED

Alias:	None

Product:	Mageia
Classification:	Unclassified
Component:	Security (show other bugs)
Version:	9
Hardware:	All Linux

Priority:	Normal Severity: normal
Target Milestone:	---
Assignee:	QA Team
QA Contact:	Sec team

URL:
Whiteboard:	MGA9-64-OK
Keywords:	advisory, validated_update

Depends on:
Blocks:

Reported:	2024-11-22 16:21 CET by Nicolas Salguero
Modified:	2024-11-27 21:00 CET (History)
CC List:	3 users (show)

See Also:
Source RPM:	libsndfile-1.2.0-3.1.mga9.src.rpm
CVE:	CVE-2024-50612
Status comment:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description Nicolas Salguero 2024-11-22 16:21:53 CET

Fedora has issued an advisory on November 22:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2PYXWUCWTDAITTQHM72BGA2ENVXC7G5M/

The problem was already fixed in Cauldron so it only affects Mageia 9.

Fix: https://github.com/libsndfile/libsndfile/commit/4755f5bd7854611d92ad0f1295587b439f9950ba

Nicolas Salguero 2024-11-22 16:22:20 CET

CVE: (none) => CVE-2024-50612
Status comment: (none) => Patch available from Fedora and upstream
Source RPM: (none) => libsndfile-1.2.0-3.1.mga9.src.rpm

Comment 1 Lewis Smith 2024-11-24 20:03:28 CET

In Cauldron already: Nov 18 2024 by daviddavid
- fix crash in in ogg vorbis (CVE-2024-50612)
The CVE matches, this looks like the correction referred to.

Assigning globally to apply the update for Mageia 9. Advisory etc.

Status comment: Patch available from Fedora and upstream => Patch available from Fedora and upstream (applied)
Assignee: bugsquad => pkg-bugs

Comment 2 David GEIGER 2024-11-24 21:28:09 CET

Assigning to QA,

Packages in 9/Core/Updates_testing:
======================
libsndfile-devel-1.2.0-3.2.mga9
libsndfile1-1.2.0-3.2.mga9
lib64sndfile-devel-1.2.0-3.2.mga9
lib64sndfile1-1.2.0-3.2.mga9
libsndfile-progs-1.2.0-3.2.mga9

From SRPMS
libsndfile-1.2.0-3.2.mga9.src.rpm

CC: (none) => geiger.david68210

Nicolas Salguero 2024-11-26 09:16:47 CET

Status comment: Patch available from Fedora and upstream (applied) => (none)
Assignee: pkg-bugs => qa-bugs

katnatek 2024-11-26 18:37:27 CET

Keywords: (none) => advisory

Comment 3 katnatek 2024-11-26 18:45:50 CET

RH x86_64

sndfile-convert poc-libsndfile a.ogg
Violación de segmento (`core' generado)

LC_ALL=C urpmi --auto --auto-update
adding 3 new rpms not available in existing hdlist
replacing /var/cache/urpmi/partial/synthesis.hdlist.cz with synthesis.hdlist.cz.tmp
updating /var/cache/urpmi/partial/MD5SUM
updated medium "QA Testing (64-bit)"
medium "Core Release (distrib1)" is up-to-date
medium "Core Updates (distrib3)" is up-to-date
medium "Nonfree Release (distrib11)" is up-to-date
medium "Nonfree Updates (distrib13)" is up-to-date
medium "Tainted Release (distrib21)" is up-to-date
medium "Tainted Updates (distrib23)" is up-to-date
medium "Core 32bit Release (distrib31)" is up-to-date
medium "Core 32bit Updates (distrib32)" is up-to-date
medium "Nonfree 32bit Release (distrib36)" is up-to-date
medium "Nonfree 32bit Updates (distrib37)" is up-to-date
medium "Tainted 32bit Release (distrib41)" is up-to-date
medium "Tainted 32bit Updates (distrib42)" is up-to-date

installing libsndfile-progs-1.2.0-3.2.mga9.x86_64.rpm lib64sndfile1-1.2.0-3.2.mga9.x86_64.rpm from //home/katnatek/qa-testing/x86_64
Preparing...                     ##################################################################################################
      1/2: lib64sndfile1         ##################################################################################################
      2/2: libsndfile-progs      ##################################################################################################
      1/2: removing libsndfile-progs-1.2.0-3.1.mga9.x86_64
                                 ##################################################################################################
      2/2: removing lib64sndfile1-1.2.0-3.1.mga9.x86_64
                                 ##################################################################################################

sndfile-convert poc-libsndfile a.ogg

produce empty output

Whiteboard: (none) => MGA9-64-OK
CC: (none) => andrewsfarm

Comment 4 katnatek 2024-11-26 18:51:26 CET

RH x86_64 additional test

 sndfile-info 01\ -\ \ -\ Mozart\ Piano\ Concierto\ Num\ 21.flac 
========================================
File : 01 -  - Mozart Piano Concierto Num 21.flac
Length : 14429000
FLAC Stream Metadata
  Channels    : 2
  Sample rate : 44100
  Frames      : 6804924
  Bit width   : 16
Seektable Metadata
Vorbis Comment Metadata
  title        : Mozart Piano Concierto Num 21
  album        : La Musica mas Hermosa del Mundo
  tracknumber  : 1
  genre        : Unknown
Padding Metadata
End

----------------------------------------
Sample Rate : 44100
Frames      : 6804924
Channels    : 2
Format      : 0x00170002
Sections    : 1
Seekable    : TRUE
Duration    : 00:02:34.307
Signal Max  : 32380 (-0.10 dB)

sndfile-play 01\ -\ \ -\ Mozart\ Piano\ Concierto\ Num\ 21.flac 
Playing 01 -  - Mozart Piano Concierto Num 21.flac

OK

Comment 5 Thomas Andrews 2024-11-27 01:31:18 CET

Validating.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 6 Mageia Robot 2024-11-27 21:00:09 CET

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2024-0373.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

Note You need to log in before you can comment on or make changes to this bug.