stable

libid3tag-0.15.1b-26.fc27

FEDORA-2018-e06468b832 created by amigadave 7 years ago for Fedora 27

Security fix for CVE-2004-2779 and CVE-2017-11550

How to install

Updates may require up to 24 hours to propagate to mirrors. If the following command doesn't work, please retry later:

sudo dnf upgrade --refresh --advisory=FEDORA-2018-e06468b832

This update has been submitted for testing by amigadave.

7 years ago

This update has been pushed to testing.

7 years ago
sassam commented & provided feedback 6 years ago

Looks good to me.

hreindl commented & provided feedback 6 years ago

Are you kidding me?

[root@srv-rhsoft:~]$ /usr/bin/mpd --no-daemon --stderr
/usr/bin/mpd: symbol lookup error: /lib64/libid3tag.so.0: undefined symbol: id3_compat_fixup

2018-03-30T10:57:03Z INFO Upgraded: kid3-common-3.6.0-1.fc27.x86_64
2018-03-30T10:57:03Z INFO Upgraded: kid3-3.6.0-1.fc27.x86_64
2018-03-30T10:57:05Z INFO Upgraded: libid3tag-0.15.1b-25.fc27.x86_64

I even re-compiled "mpd", it still doesn't work:

[root@srv-rhsoft:~]$ /usr/bin/mpd --no-daemon --stderr
/usr/bin/mpd: symbol lookup error: /lib64/libid3tag.so.0: undefined symbol: id3_compat_fixup

Bodhi is disabling automatic push to stable due to negative karma. The maintainer may push manually if they determine that the issue is not severe.

6 years ago
tmz commented & provided feedback 6 years ago

It looks to me like gperf is not a build requirement and with the patch to compat.gperf, the Makefile tries to use it to rebuild compat.c. This fails and creates an empty compat.c. Here's a snip from the build.log:

config.status: executing depfiles commands
+ make -j48 'CFLAGS=-O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64 -mtune=generic -fasynchronous-unwind-tables'
cd . &&  \
gperf -tCcTonD -K id -N id3_compat_lookup -s -3 -k '*'  \
    compat.gperf |  \
sed -e 's/\(struct id3_compat\);/\1/' |  \
sed -e '/\$''Id: /s/\$//g' >compat.c
/bin/sh: line 1: gperf: command not found
make  all-recursive

Unfortunately, adding gperf causes the build to fail:

compat.gperf:116:1: error: conflicting types for 'id3_compat_lookup'
 TSIZ, OBSOLETE  /* Size [obsolete] */
 ^~~~~~~~~~~~~~~~~
In file included from compat.gperf:37:0:
compat.h:36:26: note: previous declaration of 'id3_compat_lookup' was here
 struct id3_compat const *id3_compat_lookup(register char const *,
                          ^~~~~~~~~~~~~~~~~

I haven't looked any further at how to resolve this yet, but thought I'd post what I've found in case someone else has time to work on this.
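
The failure mode tmz describes above, as an added shell example (not part of the thread or of the package's build system): a `generator | sed > target` rule reports success when the generator is missing and leaves an empty target, while a checked variant keeps the existing file. `GENERATOR`, the function names and the sample file contents are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example, constructed for illustration. GENERATOR is a hypothetical
# stand-in for gperf: by default a command name that is not installed.
GENERATOR=${GENERATOR:-gperf-not-installed-example}

# Same shape as the rule in the build log: generator | sed > target.
# A pipeline's exit status is that of its last command (sed), so the missing
# generator is masked, and the redirect has already truncated the target.
unsafe_generate() {
    "$GENERATOR" "$1" 2>/dev/null |
        sed -e 's/\(struct id3_compat\);/\1/' > "$2"
}

# Hardened form: check the generator's own status and that it produced
# output, and replace the target only after every step succeeded.
safe_generate() {
    gen_tmp="$2.gen.$$"
    out_tmp="$2.out.$$"
    gen_rc=0
    if ! "$GENERATOR" "$1" > "$gen_tmp" 2>/dev/null || [ ! -s "$gen_tmp" ]; then
        gen_rc=1
    elif ! sed -e 's/\(struct id3_compat\);/\1/' "$gen_tmp" > "$out_tmp"; then
        gen_rc=1
    else
        mv "$out_tmp" "$2" || gen_rc=1
    fi
    rm -f "$gen_tmp" "$out_tmp"
    return "$gen_rc"
}

demo() {
    dir=$(mktemp -d) || return 1
    printf 'struct id3_compat;\n' > "$dir/compat.gperf"  # constructed input
    printf 'int shipped_table;\n' > "$dir/compat.c"      # constructed existing file
    unsafe_generate "$dir/compat.gperf" "$dir/compat.c" && rc=0 || rc=$?
    echo "unsafe: exit=$rc size=$(wc -c < "$dir/compat.c")"
    printf 'int shipped_table;\n' > "$dir/compat.c"
    safe_generate "$dir/compat.gperf" "$dir/compat.c" && rc=0 || rc=$?
    echo "safe:   exit=$rc size=$(wc -c < "$dir/compat.c")"
    rm -rf "$dir"
}

demo
```
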

amigadave edited this update.

New build(s):

  • libid3tag-0.15.1b-26.fc27

Removed build(s):

  • libid3tag-0.15.1b-25.fc27

Karma has been reset.

6 years ago

This update has been submitted for testing by amigadave.

6 years ago

This update has been pushed to testing.

6 years ago
pwalter commented & provided feedback 6 years ago

Works

filiperosset commented & provided feedback 6 years ago

no regressions noted

This update has reached 7 days in testing and can be pushed to stable now if the maintainer wishes

6 years ago

This update has been submitted for batched by amigadave.

6 years ago

This update has been submitted for stable by bodhi.

6 years ago

This update has been pushed to stable.

6 years ago


Metadata
Type: security
Severity: low
Karma: 2
Signed
Content Type: RPM
Test Gating
Autopush Settings
Unstable by Karma: -3
Stable by Karma: disabled
Stable by Time: disabled
Dates
submitted: 7 years ago
in testing: 6 years ago
in stable: 6 years ago
modified: 6 years ago
BZ#1478934 CVE-2017-11550 libid3tag: NULL Pointer Dereference in id3_ucs4_length function in ucs4.c
BZ#1561983 CVE-2004-2779 libid3tag: id3_utf16_deserialize() misparses ID3v2 tags with an odd number of bytes resulting in an endless loop
BZ#1561985 CVE-2004-2779 libid3tag: id3_utf16_deserialize() misparses ID3v2 tags with an odd number of bytes resulting in an endless loop [fedora-all]
