Bug 20644

Summary: ming new security issue CVE-2017-7578 (incomplete fix for CVE-2016-9831)
Product: Mageia
Reporter: Marja Van Waes <marja11>
Component: Security
Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED
QA Contact: Sec team <security>
Severity: normal
Priority: Normal
CC: davidwhodgins, luigiwalser, nicolas.salguero, sysadmin-bugs, tarazed25
Version: 5
Keywords: validated_update
Target Milestone: ---
Hardware: All
OS: Linux
URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7578
Whiteboard: has_procedure advisory MGA5-64-OK MGA5-32-OK
Source RPM:
CVE:
Status comment:
Attachments: Extended description of update test

Description Marja Van Waes 2017-04-10 07:53:43 CEST
Nicolas Salguero pushed ming-0.4.5-8.2.mga5 to 5 core/updates_testing last Friday.

Suggested Advisory:

======================================

The update fixes CVE-2017-7578:

Multiple heap-based buffer overflows in parser.c in libming 0.4.7 allow remote attackers to cause a denial of service (listswf application crash) or possibly have unspecified other impact via a crafted SWF file. NOTE: this issue exists because of an incomplete fix for CVE-2016-9831. 

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7578

========================================

Updated packages in core/updates_testing:

========================================

    libming-devel-0.4.5-8.2.mga5.i586
    libming1-0.4.5-8.2.mga5.i586
    ming-utils-0.4.5-8.2.mga5.i586
    perl-SWF-0.4.5-8.2.mga5.i586
    python-SWF-0.4.5-8.2.mga5.i586

    lib64ming-devel-0.4.5-8.2.mga5.x86_64
    lib64ming1-0.4.5-8.2.mga5.x86_64
    ming-utils-0.4.5-8.2.mga5.x86_64
    perl-SWF-0.4.5-8.2.mga5.x86_64
    python-SWF-0.4.5-8.2.mga5.x86_64

from SRPM: 

    ming-0.4.5-8.2.mga5

Dave Hodgins 2017-04-15 00:45:35 CEST

Whiteboard: (none) => advisory
CC: (none) => davidwhodgins

Comment 1 Len Lawrence 2017-04-15 10:28:50 CEST
Testing this on real x86_64 and i586 virtualbox.

The report is rather long so it is provided as an attachment.

Summary: libming was already installed on the 64-bit machine.  Downloaded a reproducer image (SWF) and found that listing its contents causes the script to hang.  After the update, listing runs to completion, with an acknowledgement that the file contains trailing garbage.  Installed clash, a drawing and animation program which uses libming.  At a primitive level it works. 

OK for 64-bits.

CC: (none) => tarazed25

Len Lawrence 2017-04-15 10:29:12 CEST

Whiteboard: advisory => advisory MGA5-64-OK

Comment 2 Len Lawrence 2017-04-15 10:32:09 CEST
Created attachment 9201
Extended description of update test

Comment 3 Len Lawrence 2017-04-15 11:48:04 CEST
i586 virtualbox

Obtained the reproducer file and ran the pre and post update listswf tests as detailed for x86_64 and found identical results.  listaction used to analyze an existing NASA animation; it showed the actions and the placing of various objects.  Installed clash and played with it.  Looks OK.

OK for 32-bits.

Len Lawrence 2017-04-15 11:50:30 CEST

Whiteboard: advisory MGA5-64-OK => has_procedure advisory MGA5-64-OK MGA5-32-OK

Comment 4 Dave Hodgins 2017-04-16 00:07:39 CEST
Validating the update.

Len, feel free to validate updates that have been tested on both arches.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 5 Mageia Robot 2017-04-16 00:23:30 CEST
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0108.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

Comment 6 David Walser 2017-04-29 23:02:08 CEST
Several issues were announced as having been fixed in 0.4.8:
http://openwall.com/lists/oss-security/2017/04/29/

CC: (none) => luigiwalser