Bug 20477

Summary: icoutils new security issues CVE-2017-6009, CVE-2017-6010, CVE-2017-6011
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: davidwhodgins, herman.viaene, lewyssmith, sysadmin-bugs
Version: 5Keywords: validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: advisory MGA5-32-OK MGA5-64-OK
Source RPM: icoutils-0.31.1-1.mga5.src.rpm CVE:
Status comment:

Description David Walser 2017-03-14 14:50:50 CET 
Debian has issued an advisory on March 12:
https://www.debian.org/security/2017/dsa-3807

Mageia 5 is also affected.
David Walser 2017-03-14 14:51:00 CET

Whiteboard: (none) => MGA5TOO

Comment 1 Rémi Verschelde 2017-03-14 15:08:44 CET 
I'll have a look at it tonight.

Assignee: bugsquad => rverschelde

Comment 2 Rémi Verschelde 2017-03-14 23:04:17 CET 
Submitted 0.31.3 to both Mageia 5 and Cauldron, as it only fixes the security vulnerabilities and a couple other bugs, so it's good for a version bump.

Advisory:
=========

Updated icoutils package fixes security vulnerabilities

  Multiple vulnerabilities were discovered in the icotool (CVE-2017-6010,
  CVE-2017-6011) and wrestool (CVE-2017-6009) tools of icoutils, a set of
  programs that deal with MS Windows icons and cursors, which may result in
  denial of service or the execution of arbitrary code if a malformed .ico or
  .exe file is processed.

References:
- https://www.debian.org/security/2017/dsa-3807
- http://git.savannah.gnu.org/cgit/icoutils.git/tree/NEWS?h=0.31.3


RPMs in core/updates_testing:
=============================

icoutils-0.31.3-1.mga5


SRPMs in core/updates_testing:
==============================

icoutils-0.31.3-1.mga5

Assignee: rverschelde => qa-bugs

Dave Hodgins 2017-03-16 20:36:31 CET

CC: (none) => davidwhodgins
Whiteboard: MGA5TOO => MGA5TOO advisory

Comment 3 Herman Viaene 2017-03-17 14:07:57 CET 
MGA5-32 on Asus A6000VM Xfce
No installation issues.
Did same tests as per bug 20091
$ icotool -l folder.ico
--icon --index=1 --width=48 --height=48 --bit-depth=4 --palette-size=16
--icon --index=2 --width=32 --height=32 --bit-depth=4 --palette-size=16
--icon --index=3 --width=16 --height=16 --bit-depth=4 --palette-size=16
folder.ico: clr_important field in bitmap should be zero
--icon --index=4 --width=48 --height=48 --bit-depth=8 --palette-size=256
folder.ico: clr_important field in bitmap should be zero
--icon --index=5 --width=32 --height=32 --bit-depth=8 --palette-size=256
folder.ico: clr_important field in bitmap should be zero
--icon --index=6 --width=16 --height=16 --bit-depth=8 --palette-size=256
--icon --index=7 --width=256 --height=256 --bit-depth=32 --palette-size=0
--icon --index=8 --width=48 --height=48 --bit-depth=32 --palette-size=0
--icon --index=9 --width=32 --height=32 --bit-depth=32 --palette-size=0
--icon --index=10 --width=16 --height=16 --bit-depth=32 --palette-size=0

and 
$ wrestool -x crashfile
wrestool: ./crashfile: premature end

So seems OK

CC: (none) => herman.viaene
Whiteboard: MGA5TOO advisory => MGA5TOO advisory MGA5-32-OK

David Walser 2017-03-19 21:53:53 CET

Version: Cauldron => 5
Whiteboard: MGA5TOO advisory MGA5-32-OK => advisory MGA5-32-OK

Comment 4 Lewis Smith 2017-03-21 12:12:52 CET 
Testing M5_64: update icoutils-0.31.3-1.mga5

Also using the two attachments from bug 20091 (thanks Herman for the Win10 icons):

1. $ wrestool -x Desktop/crashfile
wrestool: Desktop/crashfile: premature end
which is correct.

2. $ icotool -l eid.ico
eid.ico: clr_important field in bitmap should be zero
--icon --index=1 --width=48 --height=48 --bit-depth=8 --palette-size=256
eid.ico: clr_important field in bitmap should be zero
--icon --index=2 --width=32 --height=32 --bit-depth=8 --palette-size=256
eid.ico: clr_important field in bitmap should be zero
--icon --index=3 --width=16 --height=16 --bit-depth=8 --palette-size=256
--icon --index=1 --width=48 --height=48 --bit-depth=4 --palette-size=16
--icon --index=2 --width=32 --height=32 --bit-depth=4 --palette-size=16
--icon --index=3 --width=16 --height=16 --bit-depth=4 --palette-size=16
Similar output for all the .ico files; the error msg always precedes a 256 palate line for all icons except netfol.ico .

3. $ icotool -x folder.ico
produced 10 (the no. of icons in the file) tiny .png images of varying quality:
folder_1_48x48x4.png
folder_2_32x32x4.png
folder_3_16x16x4.png
folder_4_48x48x8.png
folder_5_32x32x8.png
folder_6_16x16x8.png
folder_7_256x256x32.png
folder_8_48x48x32.png
folder_9_32x32x32.png
folder_10_16x16x32.png

4. $ icotool -c -o tmp/200_s.ico tmp/200_s.png
   $ icotool -l tmp/200_s.ico
--icon --index=1 --width=296 --height=200 --bit-depth=8 --palette-size=256
The output icon file is suspect. It had the same dimensions as the PNG source; it was viewable by some programs but not others (which could display other .ico files). Not to persue here.

Update deemed OK. Validating, advisory there already.

Keywords: (none) => validated_update
Whiteboard: advisory MGA5-32-OK => advisory MGA5-32-OK MGA5-64-OK
CC: (none) => lewyssmith, sysadmin-bugs

Comment 5 Mageia Robot 2017-03-23 08:20:11 CET 
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0080.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED