| Summary: | game-music-emu new security issues CVE-2016-995[789], CVE-2016-996[01] | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | brtians1, lewyssmith, sysadmin-bugs |
| Version: | 5 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | https://lwn.net/Vulnerabilities/709663/ | ||
| Whiteboard: | has_procedure MGA5-64-OK mga5-32-ok advisory | ||
| Source RPM: | game-music-emu-0.6.0-5.mga6.src.rpm | CVE: | |
| Status comment: | |||
Description
David Walser
2016-12-15 15:39:07 CET
David Walser
2016-12-15 15:39:14 CET
Whiteboard:
(none) =>
MGA5TOO
David Walser
2016-12-15 17:08:48 CET
URL:
(none) =>
https://lwn.net/Vulnerabilities/709341/

Fixed in Cauldron with game-music-emu-0.6.1-1.mga6.

Pushing the same version to Mageia 5, as it's only a couple commits ahead of 0.6.0 and contains only bugfixes (including this security bugfix).

Suggested advisory:
===================

Updated game-music-emu packages fix security vulnerabilities

Chris Evans discovered that incorrect emulation of the SPC700 audio co-processor of the Super Nintendo Entertainment System allows the execution of arbitrary code if a malformed SPC music file is opened (CVE-2016-9957, CVE-2016-9958, CVE-2016-9959, CVE-2016-9960, CVE-2016-9961).

References:
- http://scarybeastsecurity.blogspot.de/2016/12/redux-compromising-linux-using-snes.html
- https://www.debian.org/security/2016/dsa-3735
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9957
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9958
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9959
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9960
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9961

SRPM in core/updates_testing:
=============================
game-music-emu-0.6.1-1.mga5

RPMs in core/updates_testing:
=============================
lib(64)gme0-0.6.1-1.mga5
lib(64)gme-devel-0.6.1-1.mga5

Version:
Cauldron =>
5

Unless the DSA adds the CVEs, please include the CVE assignment in the refs:
http://openwall.com/lists/oss-security/2016/12/15/11

Thanks.

Testing procedure:
==================

libgme is used in some media players to decode audio formats specific to some console games: vlc, love (would need a love game that uses it, not that easy to find), qmmp, gstreamer1.0-plugins-bad, gstreamer0.10-plugins-bad.

An easy way to reproduce the bug and test the fix, without going too much into the detail, would be:

- Install gstreamer1.0-gme
- Download those two files from the original security vulnerability description:
  https://security.appspot.com/security/spc/gnome_calc_fedora_25_libc_2.24-3.spc
  https://security.appspot.com/security/spc/xcalc_ubuntu_16.04_libc_2.23-0ubuntu3.spc
- Try to run them, e.g. with:
  $ gst-play-1.0 ~/Downloads/gnome_calc_fedora_25_libc_2.24-3.spc
  $ gst-play-1.0 ~/Downloads/xcalc_ubuntu_16.04_libc_2.23-0ubuntu3.spc

Before the update, they should trigger a segmentation fault, or if you're lucky, open gnome-calculator (that part of the original report doesn't work for me, but I guess it's distro dependent).

After the update, it should actually play those files for 2:30 minutes, though they don't have any sound, but that's normal.

To test the actual playback of valid music, you can e.g. download this archive and try gst-play-1.0 on some of the files:
http://www.zophar.net/soundfiles/nintendo-snes-spc/final-fantasy-vi/Final%20Fantasy%20VI%20(EMU).zophar.zip

Note that those music files are copyrighted material extracted from a game, so unless you possess the original game, it's best if you delete those files after the test ;)
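The before/after check from the testing procedure above, as an added shell example that is not part of the original bug thread: it runs a player on each SPC file under a time limit and reports a crash when the player dies from any fatal signal, which generalizes the segmentation-fault case. The function names, the 10-second limit and the OK/CRASH/ERROR labels are assumptions; gst-play-1.0 is the player named in the procedure.

```shell
#!/bin/sh
# Added example: automate the "segfault before, plays after" check.
# check_spc, classify_status and the 10 s limit are illustrative assumptions.

# Map an exit status to a verdict. 124 is what timeout(1) returns when the
# limit expires, i.e. the player was still running and had not crashed.
classify_status() {
    case $1 in
        0|124) echo "OK"; return 0 ;;
    esac
    if [ "$1" -gt 128 ]; then
        # The shell reports death by signal N as 128+N (SIGSEGV = 11 -> 139).
        echo "CRASH:$(( $1 - 128 ))"
        return 1
    fi
    # Anything else, e.g. 127 when the player is not installed.
    echo "ERROR:$1"
    return 2
}

# usage: check_spc SECONDS FILE PLAYER [PLAYER_ARGS...]
check_spc() {
    limit=$1 file=$2
    shift 2
    [ -r "$file" ] || { echo "MISSING"; return 2; }
    status=0
    # stdin comes from /dev/null so an interactive player does not stop
    # waiting for keyboard control of the terminal.
    timeout "$limit" "$@" "$file" </dev/null >/dev/null 2>&1 || status=$?
    classify_status "$status"
}

# Stand-alone use: pass the SPC files to test as arguments.
for f in "$@"; do
    verdict=$(check_spc 10 "$f" gst-play-1.0) || :
    printf '%s\t%s\n' "$verdict" "$f"
done
```

Run it against the same files before and after installing the update: a CRASH verdict that turns into OK matches the behaviour the procedure describes.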
Rémi Verschelde
2016-12-15 19:18:14 CET
Whiteboard:
(none) =>
has_procedure

You can also play such files with VLC if you install the vlc-plugin-gme package.
Rémi Verschelde
2016-12-15 19:25:33 CET
Assignee:
rverschelde =>
qa-bugs

Confirmed the segfaults and the lack thereof after the update. I was also able to play an SPC file I have of Aquatic Ambiance from Donkey Kong Country :D.

Whiteboard:
has_procedure =>
has_procedure MGA5-64-OK

Full details on these vulnerabilities:
https://scarybeastsecurity.blogspot.com/2016/12/redux-compromising-linux-using-snes.html
David Walser
2016-12-22 16:12:07 CET
URL:
https://lwn.net/Vulnerabilities/709341/ =>
https://lwn.net/Vulnerabilities/709663/

Installed this on i686 machine. Tried file.

$ uname -a
Linux localhost 4.4.36-desktop-2.mga5 #1 SMP Tue Dec 6 17:31:54 UTC 2016 i686 i686 i686 GNU/Linux

Seems to work properly.

Brian

CC:
(none) =>
brtians1

Validated; advisoried from Comment 1.

Keywords:
(none) =>
validated_update

An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0428.html

Status:
NEW =>
RESOLVED