Bug 19537

Summary: libass new security issues CVE-2016-7969, CVE-2016-7970, CVE-2016-7972
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: mageia, sysadmin-bugs, tarazed25
Version: 5Keywords: validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/703461/
Whiteboard: MGA5-64-OK advisory MGA5-32-OK
Source RPM: libass-0.12.1-1.mga5.src.rpm CVE:
Status comment:

Description David Walser 2016-10-05 13:38:43 CEST 
CVEs have been assigned for security issues fixed in libass 0.13.4:
http://www.openwall.com/lists/oss-security/2016/10/05/2
https://github.com/libass/libass/releases/tag/0.13.4

Freeze push requested for Cauldron.  Update checked into Mageia 5 SVN.
Comment 1 David Walser 2016-10-05 19:01:03 CEST 
Updated packages uploaded for Mageia 5 and Cauldron.

Advisory:
========================

Updated libass packages fixes security vulnerabilities:

Amount of memory allocated during memory reallocation in the shaper wasn't
tracked, possibly resulting in undefined behavior (CVE-2016-7972).

Illegal read in Gaussian blur coefficient calculations (CVE-2016-7970).

Mode 0/3 line wrapping equalization in specific cases could result in illegal
reads while laying out and shaping text. (CVE-2016-7969)

The libass package has been updated to version 0.13.4, fixing this issue and
several other bugs.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7969
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7970
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7972
https://github.com/libass/libass/releases
========================

Updated packages in core/updates_testing:
========================
libass5-0.13.4-1.mga5
libass-devel-0.13.4-1.mga5

from libass-0.13.4-1.mga5.src.rpm

Assignee: bugsquad => qa-bugs

Comment 2 Len Lawrence 2016-10-11 14:50:53 CEST 
Testing on x86_64, real hardware.

libass is used in subtitle rendering by multimedia applications like mpv, vlc, mplayer, kodi, bino and mythtv so running any of these may be a sufficient test.  In the case od mythtv and vlc certain plugins should be installed, such as vlc-plugin-libass.  There is no obvious help upstream for the various CVEs.

Installed the updates.

Played a film from arteFetcher using mplayer, French subtitles packaged with the film.  They were rendered OK.  Installed the vlc plugin and watched another French subtitled film.  No problem there.  mpv handled subtitles OK as well.

OK for 64 bits.

CC: (none) => tarazed25

Len Lawrence 2016-10-11 14:51:13 CEST

Whiteboard: (none) => MGA5-64-OK

Nicolas Lécureuil 2016-10-12 11:08:27 CEST

CC: (none) => mageia
Whiteboard: MGA5-64-OK => MGA5-64-OK advisory

Comment 3 Len Lawrence 2016-10-12 16:46:51 CEST 
i586 on virtualbox

Before and after the updates mplayer handled the subtitles in a documentary MP4 file with merged subtitles.
Len Lawrence 2016-10-12 16:47:54 CEST

Keywords: (none) => validated_update
Whiteboard: MGA5-64-OK advisory => MGA5-64-OK advisory MGA5-32-OK
CC: (none) => sysadmin-bugs

Comment 4 Mageia Robot 2016-10-12 17:10:21 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0341.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

David Walser 2016-10-13 19:57:11 CEST

URL: (none) => http://lwn.net/Vulnerabilities/703461/