| Summary: | mad new security issues CVE-2017-837[2-4] | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | | |
| Priority: | Normal | CC: | andrewsfarm, davidwhodgins, lewyssmith, marja11, sysadmin-bugs |
| Version: | 6 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | MGA5TOO MGA5-64-OK MGA6-64-OK | | |
| Source RPM: | mad-0.15.1b-17.3.mga5.src.rpm | CVE: | |
| Status comment: | Old 2008 Debian patch supposed to fix those before they were rediscovered and attributed a CVE - need rediff and checking that PoC no longer apply | | |
Description
David Walser
2017-05-02 02:26:46 CEST
David Walser
2017-05-02 02:26:57 CEST
Whiteboard: (none) => MGA5TOO
Assigning to the registered maintainer.
Assignee: bugsquad => shlomif
Checked the Debian CVE tracker, apparently they consider those three CVEs fixed by a patch they included in 2008:
https://security-tracker.debian.org/tracker/CVE-2017-8372
https://security-tracker.debian.org/tracker/CVE-2017-8373
https://security-tracker.debian.org/tracker/CVE-2017-8374
The 2008 bug report:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=508133
The patch:
https://sources.debian.net/src/libmad/0.15.1b-8/debian/patches/frame_length.diff/
Would have to check the PoCs to be sure the patch is enough, but that should be a start. No activity whatsoever upstream otherwise.
Note that the patch would need to be rediffed as it won't apply on top of our own contrib_src_mad_check-bitstream-length--mod2.patch.
Rémi Verschelde
2017-06-11 13:42:32 CEST
Status comment: (none) => Old 2008 Debian patch supposed to fix those before they were rediscovered and attributed a CVE - need rediff and checking that PoC no longer apply
David Walser
2017-07-07 04:24:31 CEST
Whiteboard: MGA5TOO => MGA6TOO, MGA5TOO
Advisory:
========================

Updated mad packages fix security vulnerabilities:

The mad_layer_III function in layer3.c in Underbit MAD libmad 0.15.1b allows remote attackers to cause a denial of service (heap-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted audio file (CVE-2017-8373).

The mad_bit_skip function in bit.c in Underbit MAD libmad 0.15.1b allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted audio file (CVE-2017-8374).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8373
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8374
http://openwall.com/lists/oss-security/2017/05/01/8
http://openwall.com/lists/oss-security/2017/05/01/9
https://security-tracker.debian.org/tracker/CVE-2017-8373
https://security-tracker.debian.org/tracker/CVE-2017-8374
========================

Updated packages in core/updates_testing:
========================
libmad0-0.15.1b-17.4.mga5
libmad-devel-0.15.1b-17.4.mga5
libmad0-0.15.1b-22.1.mga6
libmad-devel-0.15.1b-22.1.mga6

from SRPMS:
mad-0.15.1b-17.4.mga5.src.rpm
mad-0.15.1b-22.1.mga6.src.rpm
Version: Cauldron => 6
To test normally.
Dave Hodgins
2017-12-31 12:35:06 CET
CC: (none) => davidwhodgins
Installed lib64mad0-0.15.1b-17.4.mga5 on real hardware, then played mp3 files with Audacity, vlc, and xine. No problems noted. Giving the 64-bit OK for MGA5.
CC: (none) => andrewsfarm
Installed lib64mad0-0.15.1b-22.1.mga6 on real hardware, then played mp3 files with Kmplayer, vlc, and Dragon Player. No problems noted. Giving the 64-bit OK for MGA6.
Whiteboard: MGA5TOO MGA5-64-OK => MGA5TOO MGA5-64-OK MGA6-64-OK
Confirming M6/64 *after* update: lib64mad0-0.15.1b-22.1.mga6
Thanks TJ for the spread of tests.
Because this is a library-only update, confirmed its employment.
Mplayer:
$ strace mplayer /mnt/common/Mageia/BachSomething.mp3 2>&1 | grep libmad
open("/lib64/libmad.so.0", O_RDONLY|O_CLOEXEC) = 3
write(1, "Trying to force audio codec driv"..., 52Trying to force audio codec driver family libmad...
write(1, "Opening audio decoder: [libmad] "..., 58Opening audio decoder: [libmad] libmad mpeg audio decoder
write(1, "Selected audio codec: [mad] afm:"..., 66Selected audio codec: [mad] afm: libmad (libMAD MPEG layer 1-2-3)
shows the library is well used, the music played OK.
VLC:
$ strace vlc 2>&1 | grep libmad
stat("/usr/lib64/vlc/plugins/audio_filter/libmad_plugin.so", {st_mode=S_IFREG|0755, st_size=11208, ...}) = 0
Played fine.
Audacity:
$ strace audacity 2>&1 | grep libmad
open("/lib64/libmad.so.0", O_RDONLY|O_CLOEXEC) = 3
Made it obvious it was importing an .mp3 file, played & displayed fine.
Keywords: (none) => validated_update
An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2018-0019.html
Resolution: (none) => FIXED
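
The library-load check from the QA comment above (`strace ... | grep libmad`), as an added example that is not part of the original bug thread: it counts only `open`/`openat` calls that returned a file descriptor, so failed lookups and `stat` or `write` lines that merely mention the name are ignored. The function names and the sample trace are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the bug thread.

# Constructed sample shaped like the strace lines quoted in the thread,
# plus one failed lookup (ENOENT) that must not count as a load.
sample_trace() {
cat <<'EOF'
open("/usr/lib64/tls/libmad.so.0", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/lib64/libmad.so.0", O_RDONLY|O_CLOEXEC) = 3
stat("/usr/lib64/vlc/plugins/audio_filter/libmad_plugin.so", {st_mode=S_IFREG|0755, st_size=11208, ...}) = 0
write(1, "Opening audio decoder: [libmad] "..., 58Opening audio decoder: [libmad] libmad mpeg audio decoder
EOF
}

# loaded_libs NAME
# Reads strace output on stdin and prints, once each, every path containing
# NAME that an open()/openat() call opened successfully (returned an fd).
loaded_libs() {
    awk -v name="$1" '
        /^(open|openat)\(/ && / = [0-9]+$/ {
            # The first quoted string on an open/openat line is the path.
            if (match($0, /"[^"]*"/)) {
                path = substr($0, RSTART + 1, RLENGTH - 2)
                if (index(path, name) > 0 && !(path in seen)) {
                    seen[path] = 1
                    print path
                }
            }
        }'
}

# trace_loaded NAME CMD [ARGS...]
# Runs CMD under strace (which must be installed) and lists the matching
# libraries it opened. The program's own stdout is discarded so it cannot
# interleave with the trace that strace writes to stderr.
trace_loaded() {
    name=$1
    shift
    strace "$@" 2>&1 >/dev/null | loaded_libs "$name"
}

# Demonstration on the constructed sample; prints /lib64/libmad.so.0
sample_trace | loaded_libs libmad
```

On a test machine, `trace_loaded libmad mplayer file.mp3` applies the same filter to a live trace; comparing the printed path with `rpm -qf` confirms it belongs to the updated package.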