Bug 20157

Summary: opus new security issue CVE-2017-0381
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: critical    
Priority: Normal CC: lewyssmith, sysadmin-bugs, tarazed25
Version: 5Keywords: validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
URL: https://lwn.net/Vulnerabilities/712298/
Whiteboard: MGA5-64-OK advisory MGA5-32-OK
Source RPM: opus-1.1-3.mga5.src.rpm CVE:
Status comment:

Description David Walser 2017-01-22 02:58:31 CET 
Fedora has issued an advisory on January 20:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/ZKHZKWBC6F5SBYVTHQOQ5ZQURSZSNQ36/

Patched packages uploaded for Mageia 5 and Cauldron.

Advisory:
========================

Updated opus packages fix security vulnerability:

A remote code execution vulnerability in silk/NLSF_stabilize.c in libopus could
enable an attacker using a specially crafted file to cause memory corruption
during media file and data processing (CVE-2017-0381).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0381
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/ZKHZKWBC6F5SBYVTHQOQ5ZQURSZSNQ36/
========================

Updated packages in core/updates_testing:
========================
libopus0-1.1-3.1.mga5
libopus-devel-1.1-3.1.mga5

from opus-1.1-3.1.mga5.src.rpm
David Walser 2017-01-24 02:40:20 CET

URL: (none) => https://lwn.net/Vulnerabilities/712298/

Comment 1 Lewis Smith 2017-01-26 20:46:24 CET 
Testing Mageia 5 x64

Preamble
--------
Opus: This package provides the library that implements the Opus codec. The Opus codec is designed for interactive speech and audio transmission over the Internet.

These are programs (not libraries) using lib[64]opus0:
 # urpmq --whatrequires lib64opus0 | sort | uniq
asterisk
chromium-browser-stable
easytag
gstreamer0.10-plugins-bad
gstreamer1.0-plugins-bad
iceape
idjc
kwave
mpd
mumble
opus-tools
vlc-plugin-common

idjc: A graphical shoutcast/icecast client with two media players... Supports playing of mp3, ogg, flac, wma, wav, m4a, files.
mpd: Music Player Daemon (MPD) allows remote access for playing music (MP3, Ogg Vorbis, FLAC, Mod, and wave files) and managing playlists... it is also makes a great desktop music player

I got neither of these to work! Of more precise interest is *opus-tools*; worth installing for this test:
- opusdec   decode audio from Opus format to WAV (or simple audio output)
- opusenc   encode audio [WAV, AIFF, FLAC, Ogg/FLAC, raw] into the Opus format
- opusinfo  gives information about Opus files and does extensive validation
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Testing the update: lib64opus0-1.1-3.1.mga5
with opus-tools-0.1.8-3.mga5, starting with a known .wav file converted to .opus then back again to .wav.

1. Encode .wav -> .opus file:
 $ opusenc track1.wav track1.opus
Encoding using libopus 1.1 (audio)
-----------------------------------------------------
   Input: 44.1kHz 2 channels
  Output: 2 channels (2 coupled)
          20ms packets, 96kbit/sec VBR
 Preskip: 356

[\] 00:03:30.92 10.5x realtime,  86.2kbit/s                                     Encoding complete                                    
-----------------------------------------------------
       Encoded: 3 minutes and 42.74 seconds
       Runtime: 20 seconds
                (11.14x realtime)
         Wrote: 2410124 bytes, 11137 packets, 225 pages
       Bitrate: 85.8685kbit/s (without overhead)
 Instant rates: 1.2kbit/s to 191.6kbit/s
                (3 to 479 bytes per packet)
      Overhead: 0.802% (container+metadata)

2. Get info on the opus file:
 $ opusinfo track1.opus
Processing file "track1.opus"...
New logical stream (#1, serial: 51fbce1f): type opus
Encoded with libopus 1.1
[Lots o sensible looking O/P]
Opus stream 1:
[Lots o sensible looking O/P]
Logical stream 1 ended

3. Decode .opus -> .wav file:
 $ opusdec track1.opus track1.wav
Decoding to 44100 Hz (2 channels)
Encoded with libopus 1.1
ENCODER=opusenc from opus-tools 0.1.8
...
Decoding complete.

Played the resulting wav file, it seemed fine.

Update OK.

CC: (none) => lewyssmith
Whiteboard: (none) => MGA5-64-OK

Lewis Smith 2017-01-27 10:57:04 CET

Whiteboard: MGA5-64-OK => MGA5-64-OK advisory

Comment 2 Len Lawrence 2017-01-27 19:54:02 CET 
Taking this up on a 32bit vbox.

CC: (none) => tarazed25

Comment 3 Len Lawrence 2017-01-27 21:51:49 CET 
i586 in virtualbox
Installed opus-tools and libopus0
$ ls tracks
CherryOhBaby.ogg  LaDanserye.flac  LammasTide.wav  Padstow.mp3
$ opusenc CherryOhBaby.ogg cherryohbaby.opus
Error parsing input file: CherryOhBaby.ogg
$ opusenc Padstow.mp3 padstow.opus
Error parsing input file: Padstow.mp3
$ opusenc LammasTide.wav lammastide.opus
Encoding using libopus 1.1 (audio)
-----------------------------------------------------

       Encoded: 2 minutes and 52.76 seconds
       Runtime: 3 seconds
                (57.59x realtime)
         Wrote: 1645340 bytes, 8638 packets, 175 pages
       Bitrate: 75.5123kbit/s (without overhead)
 Instant rates: 1.2kbit/s to 190.4kbit/s
                (3 to 476 bytes per packet)
      Overhead: 0.891% (container+metadata)

$ opusinfo lammastide.opus
Processing file "lammastide.opus"...
New logical stream (#1, serial: 398b09fe): type opus
Encoded with libopus 1.1
User comments section follows...
	ENCODER=opusenc from opus-tools 0.1.8
Opus stream 1:
	Pre-skip: 356
	Playback gain: 0 dB
	Channels: 2
	Original sample rate: 44100Hz
	Packet duration:   20.0ms (max),   20.0ms (avg),   20.0ms (min)
	Page duration:   1000.0ms (max),  998.6ms (avg),  760.0ms (min)
	Total data length: 1645340 bytes (overhead: 0.891%)
	Playback length: 2m:52.733s
	Average bitrate: 76.2 kb/s, w/o overhead: 75.52 kb/s
Logical stream 1 ended

*** Updated to libopus0-1.1-3.1.mga5 and libopus-devel-1.1-3.1.mga5. ***

$ opusenc LaDanserye.flac ladanserye.opus
Encoding using libopus 1.1 (audio)
-----------------------------------------------------
   Input: 44.1kHz 2 channels
  Output: 2 channels (2 coupled)
          20ms packets, 96kbit/sec VBR
 Preskip: 356

[/] 00:07:10.39   43x realtime,   109kbit/s                                     Encoding complete                                    
-----------------------------------------------------
       Encoded: 7 minutes and 28.8 seconds
       Runtime: 10 seconds
                (44.88x realtime)
         Wrote: 6107692 bytes, 22440 packets, 451 pages
       Bitrate: 108.025kbit/s (without overhead)
 Instant rates: 1.2kbit/s to 192.8kbit/s
                (3 to 482 bytes per packet)
      Overhead: 0.778% (container+metadata)

$ opusinfo lammastide.opus 
Processing file "lammastide.opus"...
New logical stream (#1, serial: 398b09fe): type opus
Encoded with libopus 1.1
User comments section follows...
	ENCODER=opusenc from opus-tools 0.1.8
Opus stream 1:
	Pre-skip: 356
	Playback gain: 0 dB
	Channels: 2
	Original sample rate: 44100Hz
	Packet duration:   20.0ms (max),   20.0ms (avg),   20.0ms (min)
	Page duration:   1000.0ms (max),  998.6ms (avg),  760.0ms (min)
	Total data length: 1645340 bytes (overhead: 0.891%)
	Playback length: 2m:52.733s
	Average bitrate: 76.2 kb/s, w/o overhead: 75.52 kb/s
Logical stream 1 ended

mplayer had a bit of a problem getting started on lammastide.opus because pulseaudio was
not running.  Started pulseaudio and it ran fine.  Also installed sox (for play).

$ opusdec ladanserye.opus ladanserye.wav
Decoding to 44100 Hz (2 channels)
Encoded with libopus 1.1
ENCODER=opusenc from opus-tools 0.1.8
TITLE=Track 1
ARTIST=Unknown Artist
TRACKNUMBER=1
TRACKTOTAL=13
ALBUM=Unknown Title
ALBUMARTIST=Unknown Artist
DISCID=c1111f0d
MUSICBRAINZ_DISCID=Skhvg016kE6VTSzxMnz48x1tvKE-
Decoding complete.        

$ play ladanserye.wav
ladanserye.wav:
 File Size: 79.2M     Bit Rate: 1.41M
  Encoding: Signed PCM    
  Channels: 2 @ 16-bit   
Samplerate: 44100Hz      
Replaygain: off         
  Duration: 00:07:28.77  

In:3.41% 00:00:15.33 [00:07:13.45] Out:676k  [-=====|====- ] Hd:2.1 Clip:0    

Also tried idjc but since it is aimed at playing streams it did not recognize static
files.

That all looks OK.
Len Lawrence 2017-01-27 21:52:07 CET

Whiteboard: MGA5-64-OK advisory => MGA5-64-OK advisory MGA5-32-OK

Lewis Smith 2017-01-27 22:05:23 CET

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 4 Mageia Robot 2017-01-29 21:53:49 CET 
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0029.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED