Bug 9774

Summary: Updated mad packages fix security vulnerability (CVE-2018-7263)
Product: [ROSA-based products] ROSA Fresh
Reporter: Zombie Ryushu <zombie.ryushu>
Component: Packages from Main
Assignee: ROSA Linux Bugs <bugs>
Status: VERIFIED FIXED
QA Contact: ROSA Linux Bugs <bugs>
Severity: normal
Priority: Normal
CC: alzim, andrey.bondrov, denis.silakov, mc2374, pastordidi, v.potapov
Version: Plasma5
Flags: v.potapov: qa_verified+; andrey.bondrov: published+
Target Milestone: ---
Hardware: All
OS: Linux
URL: https://advisories.mageia.org/MGASA-2019-0078.html
Whiteboard:
Platform: 2016.1 ROSA
Vulnerability identifier: CVE-2018-7263, CVE-2017-11552
RPM Package: mad-0.15.1b-24.src.rpm
ISO-related:
Bad POT generating:
Upstream:

Description Zombie Ryushu 2019-02-28 08:52:18 MSK
The mad_decoder_run function in decoder.c in libmad 0.15.1b allows remote
attackers to cause a denial of service (memory corruption) via a crafted
MP3 file (CVE-2017-11552).

The mad_decoder_run() function in decoder.c in Underbit libmad through
0.15.1b allows attackers to cause a denial of service (SIGABRT because of
double free or corruption) or possibly have unspecified other impact via a
crafted file (CVE-2018-7263).
Comment 1 Giovanni Mariani 2019-08-22 12:21:37 MSK
According to this Suse bug: https://bugzilla.suse.com/show_bug.cgi?id=1082025,
CVE-2018-7263 is actually an issue in mpg321, while according to the CVE description at mitre.org (see: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7263) the above CVE could be hopefully solved by the same fix for CVE-2017-11552...
So let's pick up patches for this one...
Comment 2 Giovanni Mariani 2019-08-22 12:24:24 MSK
Advisory:
Add and adapt patches from Mageia to fix CVE-2017-11552.
Since this does not change a thing in the public interface of the library, there is no need to rebuild dependent packages.

Packages for Rosa 2016.1 / Main:
https://abf.rosalinux.ru/build_lists/3089668
https://abf.rosalinux.ru/build_lists/3089669

The same changes are pushed to the 2019.1 branch.
Comment 3 Dmitry Postnikov 2019-08-22 17:31:27 MSK
The update is sent to expanded testing
***************************************
Comment 4 Vladimir Potapov 2019-08-27 13:06:37 MSK
mad-0.15.1b-25
https://abf.rosalinux.ru/build_lists/3089668
https://abf.rosalinux.ru/build_lists/3089669
****************************** Advisory ****************************
Add and adapt patches from Mageia to fix CVE-2017-11552.
Since this does not change a thing in the public interface of the library, there is no need to rebuild dependent packages.
********************************************************************
QA Verified