Bug 5905 - taglib new security issue CVE-2012-2396
Summary: taglib new security issue CVE-2012-2396
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 1
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact:
URL: http://lwn.net/Vulnerabilities/497100/
Whiteboard: mga2-32-OK, mga2-64-OK, mga1-32-OK, m...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2012-05-14 20:43 CEST by David Walser
Modified: 2012-06-19 18:25 CEST

See Also:
Source RPM: taglib-1.6.3-2.1.mga1.src.rpm
CVE:
Status comment:



Description David Walser 2012-05-14 20:43:21 CEST
OpenSuSE has issued this advisory today (May 14):
http://lists.opensuse.org/opensuse-updates/2012-05/msg00017.html

I updated Cauldron to 1.7.2 which fixes this and asked people to test it.

Patched package uploaded for Mageia 1.

Advisory:
========================

Updated taglib packages fix security vulnerabilities:

taglib before 1.7.2 allows remote attackers to cause a denial of
service (divide-by-zero error and application crash) via a crafted
MP4 file (CVE-2012-2396).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2396
http://lists.opensuse.org/opensuse-updates/2012-05/msg00017.html
========================

Updated packages in core/updates_testing:
========================
libtaglib1-1.6.3-2.2.mga1
libtaglib_c0-1.6.3-2.2.mga1
libtaglib-devel-1.6.3-2.2.mga1

from taglib-1.6.3-2.2.mga1.src.rpm
Comment 1 David Walser 2012-05-28 00:27:36 CEST
OK, this didn't get pushed before releasing 2, so I had to build an update for it as well.  Updated package for Mageia 2 uploaded.  Updating the advisory.

Note to QA: the Mageia 2 update has already been tested on x86_64 by rindolf:
http://article.gmane.org/gmane.linux.mageia.devel/15552

Advisory:
========================

Updated taglib packages fix security vulnerabilities:

taglib before 1.7.2 allows remote attackers to cause a denial of
service (divide-by-zero error and application crash) via a crafted
MP4 file (CVE-2012-2396).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2396
http://lists.opensuse.org/opensuse-updates/2012-05/msg00017.html
========================

Updated packages in core/updates_testing:
========================
libtaglib1-1.6.3-2.2.mga1
libtaglib_c0-1.6.3-2.2.mga1
libtaglib-devel-1.6.3-2.2.mga1
libtaglib1-1.7.2-1.mga2.i586.rpm
libtaglib_c0-1.7.2-1.mga2.i586.rpm
libtaglib-devel-1.7.2-1.mga2.i586.rpm

from SRPMS:
taglib-1.6.3-2.2.mga1.src.rpm
taglib-1.7.2-1.mga2.src.rpm
Comment 2 Olivier Delaune 2012-05-31 11:30:03 CEST
I installed these packages on Mageia 2 64-bit and I did not observe any regression. Is there a particular thing to check?

CC: (none) => olivier.delaune

Comment 3 David Walser 2012-05-31 13:13:09 CEST
(In reply to comment #2)
> I installed these packages on Mageia 2 64-bit and I did not observe any
> regression. Is there a particular thing to check?

One good way to check it is to test an application that uses this library.  You can get a list with urpmq --whatrequires lib64taglib1, and that list will include, for example, Amarok, which uses this library for reading the metadata (artist, song name, track length, etc) from songs.  If you don't see any regressions with that metadata information or the app itself, it should be good.  For this update specifically, it is the section of the code that calculates the track length of mp4 files that was modified, so pay special attention to that.
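
An independent cross-check for the track-length test described above, as an added example that is not part of the original comment and is not taglib's code. It assumes the length is stored in the MP4 movie header (moov/mvhd) as duration divided by timescale, and that a zero timescale is the case where that division would fail; the page does not say which field taglib reads. The helper names and the sample file are constructed for illustration.

```python
import struct

def find_box(buf, path):
    """Return the payload of the nested box at `path`, or None if missing/malformed."""
    for name in path:
        pos, found = 0, None
        while pos + 8 <= len(buf):
            size, kind = struct.unpack(">I4s", buf[pos:pos + 8])
            header = 8
            if size == 1:  # 64-bit size follows the box type
                if pos + 16 > len(buf):
                    return None
                size = struct.unpack(">Q", buf[pos + 8:pos + 16])[0]
                header = 16
            elif size == 0:  # box extends to the end of the buffer
                size = len(buf) - pos
            if size < header or pos + size > len(buf):
                return None  # truncated or inconsistent box size
            if kind == name:
                found = buf[pos + header:pos + size]
                break
            pos += size
        if found is None:
            return None
        buf = found
    return buf

def mp4_length_seconds(data):
    """Length in whole seconds from moov/mvhd; None if absent or timescale is 0."""
    mvhd = find_box(data, [b"moov", b"mvhd"])
    if not mvhd:
        return None
    fmt = ">QQIQ" if mvhd[0] == 1 else ">IIII"  # version 1 uses 64-bit times
    if len(mvhd) < 4 + struct.calcsize(fmt):
        return None
    _, _, timescale, duration = struct.unpack_from(fmt, mvhd, 4)
    if timescale == 0:  # guard the division instead of crashing
        return None
    return duration // timescale

def box(kind, payload):  # helper for the constructed sample below
    return struct.pack(">I4s", 8 + len(payload), kind) + payload

def sample(timescale, duration):
    """Constructed minimal file: an ftyp box plus moov/mvhd (version 0)."""
    mvhd = box(b"mvhd", bytes(4) + struct.pack(">IIII", 0, 0, timescale, duration))
    return box(b"ftyp", b"M4A \x00\x00\x00\x00") + box(b"moov", mvhd)
```

For a real file, pass `open(path, "rb").read()` to `mp4_length_seconds` and compare the result with the length the player shows before and after the update.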
Comment 4 user7 2012-06-06 12:53:45 CEST
Testing i586, MGA2

CC: (none) => stephan.wassipaul

Comment 5 user7 2012-06-06 13:25:16 CEST
Testing finished successfully on i586, MGA2.
Source RPM  : taglib-1.7.2-1.mga2.src.rpm

What was tested:
Metadata loading in Amarok and Clementine, no metadata information was lost (checked about 5 songs) or displayed incorrectly.
Adding Metadata to a song, opening a different music player, reloading library -> added metadata is shown.

In short: everything worked.
user7 2012-06-06 13:26:44 CEST

Whiteboard: (none) => mga2-i586-OK

Comment 6 user7 2012-06-07 17:27:11 CEST
Olivier, did you test it fully? If so, could you please add the "mga2-64-OK" keyword to the Whiteboard?
Comment 7 Olivier Delaune 2012-06-07 17:31:48 CEST
In fact, I have not found any change in amarok with my current audio files, but I do not have an mp4 file to check in detail. So I do not know if I can consider that I tested.
Comment 8 claire robinson 2012-06-07 17:39:36 CEST
I found a sample mp4 file here if you'd like to test further Olivier

https://bugs.maemo.org/attachment.cgi?id=2702
Comment 9 Olivier Delaune 2012-06-07 18:03:14 CEST
Thanks Claire,
I tested with this mp4 with amarok and clementine and I did not note any regression. It is ok for me.

Whiteboard: mga2-i586-OK => mga2-i586-OK ; mga2-64-OK

Comment 10 Dave Hodgins 2012-06-07 20:44:43 CEST
Testing complete on Mageia 1 i586 for the srpm
taglib-1.6.3-2.2.mga1.src.rpm

Tested using parole and amarok.

CC: (none) => davidwhodgins
Whiteboard: mga2-i586-OK ; mga2-64-OK => mga2-i586-OK, mga2-64-OK, mga1-i586-OK

Dave Hodgins 2012-06-11 00:48:42 CEST

Whiteboard: mga2-i586-OK, mga2-64-OK, mga1-i586-OK => mga2-32-OK, mga2-64-OK, mga1-32-OK

Comment 11 claire robinson 2012-06-11 10:34:14 CEST
Testing complete Mageia 1 x86_64

Validating

This bug contains updates for both mga1 and mga2.

See comment 1 for advisory and srpms

Could sysadmin please push from core/updates_testing to core/updates

Thanks!

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Hardware: i586 => All
Whiteboard: mga2-32-OK, mga2-64-OK, mga1-32-OK => mga2-32-OK, mga2-64-OK, mga1-32-OK, mga1-64-OK

Comment 12 Thomas Backlund 2012-06-19 18:25:32 CEST
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0116

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED

