| Summary: | libquicktime new security issues CVE-2017-912[2-8] | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | brtians1, lewyssmith, marja11, sysadmin-bugs, tarazed25, wilcal.int |
| Version: | 5 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | mga5-32-ok advisory MGA5-64-OK | ||
| Source RPM: | libquicktime-1.2.4-10.1.mga5.src.rpm | CVE: | |
| Status comment: | |||
|
Description
David Walser
2017-07-07 05:06:55 CEST
Assigning to all packagers collectively, since there is no registered maintainer for this package.

CC: (none) => marja11

Advisory:
========================

Updated libquicktime packages fix security vulnerabilities:

A DoS in quicktime_read_moov function in moov.c via a crafted mp4 file was fixed (CVE-2017-9122).

An invalid memory read in lqt_frame_duration via a crafted mp4 file was fixed (CVE-2017-9123).

A NULL pointer dereference in quicktime_match_32 via a crafted mp4 file was fixed (CVE-2017-9124).

A DoS in lqt_frame_duration function in lqt_quicktime.c via crafted mp4 file was fixed (CVE-2017-9125).

A heap-based buffer overflow in quicktime_read_dref_table via a crafted mp4 file was fixed (CVE-2017-9126).

A heap-based buffer overflow in quicktime_user_atoms_read_atom via a crafted mp4 file was fixed (CVE-2017-9127).

A heap-based buffer over-read in quicktime_video_width via a crafted mp4 file was fixed (CVE-2017-9128).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9122
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9123
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9124
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9125
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9126
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9127
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9128
https://lists.opensuse.org/opensuse-updates/2017-07/msg00035.html
========================

Updated packages in core/updates_testing:
========================
libquicktime-1.2.4-10.2.mga5
libquicktime0-1.2.4-10.2.mga5
libquicktime-devel-1.2.4-10.2.mga5
libquicktime-dv-1.2.4-10.2.mga5
libquicktime-progs-1.2.4-10.2.mga5

from libquicktime-1.2.4-10.2.mga5.src.rpm

Assignee: pkg-bugs => qa-bugs

$ uname -a
Linux localhost 4.4.74-desktop586-1.mga5 #1 SMP Mon Jun 26 07:48:29 UTC 2017 i686 i686 i686 GNU/Linux

okay - looked up what uses libquicktime utilities. I found the mjpegtools is listed as using libquicktime.

I pulled up an AVI and edited it with $ glav utility to edit a grand canyon video from my camera.

$ glav CIMG0530.AVI

I did some edits and saved them. Next I converted it to a new format.

$ lavtrans -o gc.qt -f q edited_grand_canyon.AVI

I was able to view the qc.qt output file.

works as designed from what I can tell.

CC: (none) => brtians1
Lewis Smith
2017-07-22 09:59:53 CEST
Whiteboard: mga5-32-ok => mga5-32-ok advisory

Prior to testing x64.
1. Package query
After updating from Updates Testing, the result is:
lib64quicktime0-1.2.4-10.2.mga5
libquicktime-1.2.4-10.2.mga5
libquicktime-progs-1.2.4-10.2.mga5
libquicktime-x264-1.2.4-10.1.mga5.tainted
libquicktime-faad-1.2.4-10.1.mga5.tainted
libquicktime-lame-1.2.4-10.1.mga5.tainted
Should the x264, faad and lame pkgs remain at their previous version, or be part of this update?
2. This is one of those complicated ensembles:
* libquicktime "is a library for reading and writing QuickTime files".
* lib64quicktime0 [same description].
* libquicktime-progs "Useful tools to operate at QuickTime files"
Ignoring Codec specific pkgs, the hierarchy is:
Whatrequires libquicktime:
libquicktime-progs
Whatrequires lib64quicktime0:
dvgrab
libquicktime
libquicktime-progs
mjpegtools
transcode
=>
libquicktime-progs-|
|-libquicktime----|
dvgrab-------------|
mjpegtools---------|
transcode----------|
|-lib64quicktime0
The programs in 'progs':
lqtplay - simple quicktime movie player for X11 [has man page]
lqtremux, lqt_transcode, qt2text, qt2text, qtdechunk, qtdump, qtinfo, qtrechunk, qtstreamize, qtyuv4toyuv: have no man pages, command alone shows usage but seldom what it does!
It helps to have a Quicktime movie file to play with (I searched briefly in vain); and have some competence in this field, although 'lqtplay' looks good for anyone.
@Lewis: comment 4
The MOV format was developed by Apple for Quicktime but I am not sure that a MOV file is essential for this test. I have several lying about (NASA websites often publish short MOV files). So, I could run this for mga6 and maybe mga5 32bit. It would probably break copyright if I were to attach any of the MOV files I have here and the links are long gone.

CC: (none) => tarazed25
William Kenney
2017-07-24 15:03:56 CEST
CC: (none) => wilcal.int

My mistake. Does not affect mga6.

In VirtualBox, M5.1, KDE, 64-bit

Canon cameras produce quicktime ( mov ) videos
https://en.wikipedia.org/wiki/QuickTime_File_Format
Probably one of the more popular formats.

canon.mov was shot on my Canon camera.

Attempt to run glav on a quicktime video:
[wilcal@localhost video_test]$ glav canon.mov
++: [codecinfo] Error: Cannot open plugin directory /usr/lib64/libquicktime (forgot make install?)
++: [codecs] Warning: Could not find audio Decoder for fourcc sowt
++: [codecs] Warning: quicktime_decode_audio_stub called
++: [codecs] Warning: Could not find video Decoder for fourcc avc1
++: [codecs] Warning: quicktime_decode_video_stub called
++: [codecs] Warning: quicktime_delete_stub called
++: [codecs] Warning: quicktime_delete_stub called
++: **ERROR: [lavplay] Error opening canon.mov
++: lavtools version 2.0.0

Package(s) installed and under test:
libquicktime libquicktime-dv libquicktime-progs libquicktime0 glibc-devel lib64zlib-devel

[root@localhost wilcal]# urpmi libquicktime
Package libquicktime-1.2.4-10.1.mga5.tainted.x86_64 is already installed
[root@localhost wilcal]# urpmi libquicktime-dv
Package libquicktime-dv-1.2.4-10.1.mga5.tainted.x86_64 is already installed
[root@localhost wilcal]# urpmi libquicktime-progs
Package libquicktime-progs-1.2.4-10.1.mga5.tainted.x86_64 is already installed
[root@localhost wilcal]# urpmi libquicktime0
Package libquicktime0-1.2.4-10.1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi glibc-devel
Package glibc-devel-2.20-25.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi lib64zlib-devel
Package lib64zlib-devel-1.2.8-7.1.mga5.x86_64 is already installed

Attempt to run a quicktime video with glav:
[wilcal@localhost video_test]$ glav canon.mov
++: **ERROR: [lavplay] Error opening canon.mov
++: lavtools version 2.0.0

VLC and OpenShot do not need play/edit mov videos.

Running out of time this morning and will get back to this later today.

[root@localhost wilcal]# urpmq --whatrequires libquicktime
libquicktime
libquicktime-dv
libquicktime-dv
libquicktime-dv
libquicktime-dv
libquicktime-dv
libquicktime-dv
libquicktime-faad
libquicktime-faad
libquicktime-lame
libquicktime-lame
libquicktime-progs
libquicktime-progs
libquicktime-progs
libquicktime-progs
libquicktime-progs
libquicktime-progs
libquicktime-x264
libquicktime-x264

Just adding a third opinion for x86_64. mga5
Installed the updates as listed.
$ rpm -qa | grep quicktime | grep 10.2
libquicktime-progs-1.2.4-10.2.mga5
libquicktime-dv-1.2.4-10.2.mga5
libquicktime-1.2.4-10.2.mga5
lib64quicktime-devel-1.2.4-10.2.mga5
lib64quicktime0-1.2.4-10.2.mga5
There are some tainted packages already, like libquicktime-lame-1.2.4-10.1.mga5.tainted
which are filtered out. @lewis: we can probably ignore them on this update.
$ lqtplay 150504main_PIA07802.mov
Type: Quicktime
0 audio tracks.
1 video tracks.
760x420, depth 24
..................
lqtplay had no trouble with MOV files from other sources:
PragmaticProgrammers screencast, FrenchMaidTV, NASA/Cassini
It also played MP4 files.
Some of the tools :-
Extract text strings:
$ qt2text rmp-4.mov
Time: 0 (0.000000 seconds), Duration: 6771 (67.710000 seconds), String:
"Intro"
Time: 6771 (67.710000 seconds), Duration: 42612 (426.120000 seconds), String:
"instance_eval"
Time: 49383 (493.830000 seconds), Duration: 29303 (293.030000 seconds), String:
"class_eval"
..........................
Time: 167107 (1671.070000 seconds), Duration: 6543 (65.430000 seconds), String:
"Wrap Up"
Parse the file contents:
$ qtdump cassini20080814-1280.mov > dump
$ less dump
quicktime_dump
ftyp
major brand: qt
minor version: 20050300
compatible brands: qt ^@^@^@^@ ^@^@^@^@ ^@^@^@^@
movie data (mdat)
size 112080970
start 40
movie (moov)
movie header (mvhd)
..........................
Provide metadata information about the file:
$ qtinfo HowtoVideoPodcast.mov
Type: Quicktime
album:
1 audio tracks.
2 channels, 16 bits, sample rate 44100, length 6922240 samples, compressor mp4a.
Sample format: Floating point.
Channel setup: Front Left, Front Right
Language: eng
supported.
1 video tracks.
320x240, depth 24
rate 29.969999 [2997:100] constant
length 4704 frames
compressor avc1.
Native colormodel: YUV 4:2:0 planar
Interlace mode: None (Progressive)
Chroma placement: MPEG-2
No timecodes available
supported.
0 text tracks.
Make a movie streamable - places the moov header at the start of the file:
$ qtstreamize 150504main_PIA07802.mov stream.mov
[mjpeg @ 0x6defa0] Changeing bps to 8
[core] Error: quicktime_make_streamable: moov size changed from 2149 to 2061 (Pos: 2061, start: 0)
$ ls -l
total 152724
-rw-r--r-- 1 lcl lcl 2585052 Jul 24 17:43 150504main_PIA07802.mov
-rw-r--r-- 1 lcl lcl 2585060 Jul 24 18:18 stream.mov
Parsed data before:
quicktime_dump
movie data (mdat)
size 2582895
start 8
movie (moov)
movie header (mvhd)
Parsed data for stream file:
movie data (mdat)
size 0
start 0
movie (moov)
movie header (mvhd)
Not my field but this looks OK to me. Don't know what the [core] error means or if it is significant. The stream.mov file plays fine with mplayer and lqtplay.
Enough of the tools.
This has been tested for 64-bits by three testers and there do not seem to be any problems so we should give this an OK.
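Added example, not part of this bug thread and not libquicktime code: the qtstreamize result above can be cross-checked by walking the file's top-level atoms with bounds checks and comparing the offsets of moov and mdat. It assumes the standard QuickTime atom header (32-bit big-endian size, then a four-character type; size 1 means a 64-bit size follows, size 0 means the atom runs to end of file); the names find_atom and moov_first are hypothetical and the sample buffers are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Read an n-byte big-endian integer. */
static uint64_t be(const uint8_t *p, int n) {
    uint64_t v = 0;
    while (n-- > 0) v = (v << 8) | *p++;
    return v;
}

/* Offset of the first top-level atom of `type`; -1 if absent; -2 if an atom
   at or before it is truncated or claims more bytes than the buffer holds. */
long find_atom(const uint8_t *buf, size_t len, const char *type) {
    size_t pos = 0;
    while (pos < len) {
        if (len - pos < 8) return -2;              /* truncated header */
        uint64_t size = be(buf + pos, 4);
        size_t hdr = 8;
        if (size == 1) {                           /* 64-bit size follows the type */
            if (len - pos < 16) return -2;
            size = be(buf + pos + 8, 8);
            hdr = 16;
        } else if (size == 0) {                    /* atom extends to end of file */
            size = len - pos;
        }
        if (size < hdr || size > len - pos) return -2;  /* size field is untrusted */
        if (memcmp(buf + pos + 4, type, 4) == 0) return (long)pos;
        pos += (size_t)size;
    }
    return -1;
}

/* 1 if moov precedes mdat (streamable layout), 0 if not, -2 if malformed. */
int moov_first(const uint8_t *buf, size_t len) {
    long moov = find_atom(buf, len, "moov"), mdat = find_atom(buf, len, "mdat");
    if (moov == -2 || mdat == -2) return -2;
    return moov >= 0 && mdat >= 0 && moov < mdat;
}

/* Constructed sample buffers, not taken from any real file. */
static const uint8_t MDAT_FIRST[] = { 0,0,0,16,'f','t','y','p','q','t',' ',' ',0,0,0,0,
    0,0,0,12,'m','d','a','t',1,2,3,4, 0,0,0,8,'m','o','o','v' };
static const uint8_t MOOV_FIRST[] = { 0,0,0,8,'m','o','o','v', 0,0,0,12,'m','d','a','t',1,2,3,4 };
static const uint8_t BAD_SIZE[] = { 0,0,0,8,'f','t','y','p', 0x7f,0xff,0xff,0xff,'m','d','a','t' };
int main(void) {
    printf("%d %d %d\n", moov_first(MDAT_FIRST, sizeof MDAT_FIRST),
           moov_first(MOOV_FIRST, sizeof MOOV_FIRST), moov_first(BAD_SIZE, sizeof BAD_SIZE));
    return 0;
}
```
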
Len Lawrence
2017-07-25 10:26:51 CEST
Whiteboard: mga5-32-ok advisory => mga5-32-ok advisory MGA5-64-OK

Validating this as well. Sysadmins please push to updates. Thanks.
Len Lawrence
2017-07-25 10:28:54 CEST
Keywords: (none) => validated_update

An update for this issue has been pushed to the Mageia Updates repository.
http://advisories.mageia.org/MGASA-2017-0220.html

Status: NEW => RESOLVED |