Mageia alert MGASA-2017-0046 (audacious-plugins)

From:
    	     
 
Mageia Updates <buildsystem-daemon@mageia.org> 
To:
    	     
 
updates-announce@ml.mageia.org 
Subject:
    	     
 
[updates-announce] MGASA-2017-0046: Updated audacious-plugins packages fix security vulnerability 
Date:
    	     
 
Sun, 12 Feb 2017 00:47:45 +0100
Message-ID:
    	     
 
<20170211234745.32D729F7CC@duvel.mageia.org>
MGASA-2017-0046 - Updated audacious-plugins packages fix security vulnerability

Publication date: 11 Feb 2017
URL: http://advisories.mageia.org/MGASA-2017-0046.html
Type: security
Affected Mageia releases: 5
CVE: CVE-2016-9957,
     CVE-2016-9958,
     CVE-2016-9959,
     CVE-2016-9960,
     CVE-2016-9961

Description:
Chris Evans discovered that incorrect emulation of the SPC700 audio
co-processor of the Super Nintendo Entertainment System allows the
execution of arbitrary code if a malformed SPC music file is opened
(CVE-2016-9957, CVE-2016-9958, CVE-2016-9959, CVE-2016-9960,
CVE-2016-9961).

These issues were previously fixed in MGASA-2016-0428 in the
game-music-emu library, but audacious-plugins contains a decoder built
with a bundled copy, which has been patched to fix the issues.

References:
- https://bugs.mageia.org/show_bug.cgi?id=20177
- http://advisories.mageia.org/MGASA-2016-0428.html
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9957
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9958
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9959
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9960
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9961

SRPMS:
- 5/core/audacious-plugins-3.5.2-2.1.mga5
- 5/tainted/audacious-plugins-3.5.2-2.1.mga5.tainted