Mandriva has issued this advisory today (April 3):
http://www.mandriva.com/en/support/security/advisories/?dis=2010.1&name=MDVSA-2012:052

Cauldron is not affected.

Patched package for Mageia 1 is uploaded.

Advisory:
========================

Updated libvorbis packages fix security vulnerability:

If a specially-crafted Ogg Vorbis media file was opened by an application using libvorbis, it could cause the application to crash or, possibly, execute arbitrary code with the privileges of the user running the application (CVE-2012-0444).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0444
https://bugzilla.redhat.com/show_bug.cgi?id=786026
http://www.mandriva.com/en/support/security/advisories/?dis=2010.1&name=MDVSA-2012:052
========================

Updated packages in core/updates_testing:
========================
libvorbis0-1.3.2-1.1.mga1
libvorbis-devel-1.3.2-1.1.mga1
libvorbisenc2-1.3.2-1.1.mga1
libvorbisfile3-1.3.2-1.1.mga1

from libvorbis-1.3.2-1.1.mga1.src.rpm
Testing complete on i586 for the srpm
libvorbis-1.3.2-1.1.mga1.src.rpm

$ strace -f -ostrace.txt play /usr/share/sounds/KDE-Window-Maximize.ogg >/dev/null 2>&1
$ grep libvorbis strace.txt
1739 open("/usr/lib/libvorbisfile.so.3", O_RDONLY) = 3
1739 open("/usr/lib/libvorbisenc.so.2", O_RDONLY) = 3
1739 open("/usr/lib/libvorbis.so.0", O_RDONLY) = 3
CC: (none) => davidwhodgins
Also tested using audacity to convert an mp3 to ogg, to ensure the enc library was tested.
Testing with the test case of dave, works fine.

Suggested Advisory:
-------------
Updated libvorbis packages fix security vulnerability:

If a specially-crafted Ogg Vorbis media file was opened by an application using libvorbis, it could cause the application to crash or, possibly, execute arbitrary code with the privileges of the user running the application (CVE-2012-0444).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0444
https://bugzilla.redhat.com/show_bug.cgi?id=786026
http://www.mandriva.com/en/support/security/advisories/?dis=2010.1&name=MDVSA-2012:052
https://bugs.mageia.org/show_bug.cgi?id=5217
-------------

SRPM: libvorbis-1.3.2-1.1.mga1.src.rpm

Could sysadmin please push from core/updates_testing to core/updates

Thank you!
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Update pushed.
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED