Bug 13842

Summary:	[CVE 21] flac 1.3.4 CVEs found
Product:	[ROSA-based products] ROSA Fresh	Reporter:	Yury <y.tumanov>
Component:	System (kernel, glibc, systemd, bash, PAM...)	Assignee:	ROSA Linux Bugs <bugs>
Status:	VERIFIED FIXED	QA Contact:	ROSA Linux Bugs <bugs>
Severity:	critical
Priority:	Highest	CC:	a.proklov, e.kosachev, s.matveev, v.potapov, victorr2007, y.tumanov
Version:	All	Flags:	v.potapov: qa_verified+ y.tumanov: secteam_verified+ a.proklov: published+
Target Milestone:	2021.1 Fresh R12
Hardware:	All
OS:	Linux
URL:	CVE-2020-22219,
Whiteboard:
Platform:	2021.1	ROSA Vulnerability identifier:
RPM Package:		ISO-related:
Bad POT generating:		Upstream:

Description Yury 2023-10-18 20:25:25 MSK

Please patch CVEs for package flac version 1.3.4
  
INFO (CVEs are): flac 1.3.4
 cves found
CVE-2020-22219
Desc: Buffer Overflow vulnerability in function bitwriter_grow_ in flac before 1.4.0 allows remote attackers to run arbitrary code via crafted input to the encoder.
Link: https://nvd.nist.gov/vuln/detail/CVE-2020-22219
Severity: HIGH

Comment 1 VictorR2007 2023-10-20 03:31:11 MSK

Обновлено до версии 1.4.3.

Сборки 
https://abf.rosalinux.ru/build_lists/4759100
https://abf.rosalinux.ru/build_lists/4759101
https://abf.rosalinux.ru/build_lists/4759102
https://abf.rosalinux.ru/build_lists/4759103
https://abf.rosalinux.ru/build_lists/4759104

Comment 2 Dmitry Postnikov 2023-10-22 21:08:23 MSK

*** Bug 13710 has been marked as a duplicate of this bug. ***

Comment 3 Vladimir Potapov 2023-10-24 16:08:01 MSK

Мажорное обновление... ABI бы посмотреть?

Comment 4 Vladimir Potapov 2023-10-24 16:19:06 MSK

Увы, ABI изменено, причем есть руководство по переносу
https://www.xiph.org/flac/changelog.html
https://xiph.org/flac/api/group__porting__1__3__4__to__1__4__0.html

Comment 5 Vladimir Potapov 2023-10-24 16:19:30 MSK

Нужно искать патчи

Comment 6 Vladimir Potapov 2023-10-24 16:21:39 MSK

есть, например, у сентов исправление такой CVE
https://centos.pkgs.org/9-stream/centos-crb-x86_64/flac-1.3.3-12.el9.x86_64.rpm.html

Comment 7 Svyatoslav Matveev 2023-10-24 17:36:22 MSK

(In reply to Vladimir Potapov from comment #6)
> есть, например, у сентов исправление такой CVE
> https://centos.pkgs.org/9-stream/centos-crb-x86_64/flac-1.3.3-12.el9.x86_64.
> rpm.html

Версию 1.4.3 откатил,
CVE исправлено патчем.

*** flac
**  1.3.4 release +1

https://abf.io/build_lists/4761109
https://abf.io/build_lists/4761108
https://abf.io/build_lists/4761110
https://abf.io/build_lists/4761111
https://abf.io/build_lists/4761112

Comment 8 Vladimir Potapov 2023-10-25 13:06:18 MSK

**************************************************
The update sent to testings

Comment 9 Vladimir Potapov 2023-11-01 16:44:17 MSK

flac-1.3.4-2
https://abf.io/build_lists/4761109
https://abf.io/build_lists/4761108
https://abf.io/build_lists/4761110
https://abf.io/build_lists/4761111
https://abf.io/build_lists/4761112
************************ Advisory ************************
CVE-2020-22219 fix
**********************************************************
QA Verified

Comment 10 Yury 2023-11-07 10:59:35 MSK

secteam_verified