Bug 22200

Summary: wildmidi new security issues CVE-2017-1166[1-4]
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: mageia, rverschelde, sysadmin-bugs
Version: 6Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA6-64-OK
Source RPM: wildmidi-0.4.1-1.mga6.src.rpm CVE:
Status comment:

Description David Walser 2017-12-15 21:09:19 CET 
Fedora has issued an advisory on December 9:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/XGAZHDTXXL3RFRCNGE4XLOHD4MASNLBB/

The issues are fixed upstream in 0.4.2.

Mageia 5 and Mageia 6 are also affected.
David Walser 2017-12-15 21:09:26 CET

Whiteboard: (none) => MGA6TOO, MGA5TOO

Comment 1 David Walser 2017-12-31 00:41:52 CET 
Updating it on Mageia 5 would require rebuilding qmmp and both gstreamer bad plugins packages, so let's not do that.  Upstream patch also doesn't apply.

Updated to 0.4.2 in Cauldron by RĂ©mi.  Synced to Mageia 6 by me.

Advisory:
========================

Updated wildmidi packages fix security vulnerabilities:

The _WM_SetupMidiEvent function in internal_midi.c:2318 in WildMIDI before
0.4.2 can cause a denial of service(invalid memory read and application crash)
via a crafted mid file (CVE-2017-11661).

The _WM_ParseNewMidi function in f_midi.c in WildMIDI before 0.4.2 can cause a
denial of service(invalid memory read and application crash) via a crafted mid
file (CVE-2017-11662).

The _WM_SetupMidiEvent function in internal_midi.c:2315 in WildMIDI before
0.4.2 can cause a denial of service(invalid memory read and application crash)
via a crafted mid file (CVE-2017-11663).

The _WM_SetupMidiEvent function in internal_midi.c:2122 in WildMIDI before
0.4.2 can cause a denial of service(invalid memory read and application crash)
via a crafted mid file (CVE-2017-11664).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11661
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11662
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11663
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11664
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/XGAZHDTXXL3RFRCNGE4XLOHD4MASNLBB/
========================

Updated packages in core/updates_testing:
========================
wildmidi-0.4.2-1.mga6
libwildmidi2-0.4.2-1.mga6
libwildmidi-devel-0.4.2-1.mga6

from wildmidi-0.4.2-1.mga6.src.rpm

QA Contact: (none) => security
Assignee: rverschelde => qa-bugs
Component: RPM Packages => Security
Whiteboard: MGA6TOO, MGA5TOO => (none)
CC: (none) => rverschelde
Version: Cauldron => 6

Comment 2 David Walser 2017-12-31 00:59:06 CET 
Debian says 0.3.x isn't affected, so Mageia 5 is OK.  Even better.
Comment 3 PC LX 2018-01-03 17:51:11 CET 
Installed and tested without issues.

Tests:
- Play a test midi (wildmidi -t).
- Play a bunch of midi files (wildmidi *.mid).
- Play a bunch of midi files and output to a wav file (wildmidi -o out.wav *.mid).

System: Mageia 6, x86_64, Intel CPU.

$ uname -a
Linux marte 4.9.56-desktop-1.mga6 #1 SMP Thu Oct 12 22:55:31 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -q wildmidi lib64wildmidi2 timidity-patch-freepats
wildmidi-0.4.2-1.mga6
lib64wildmidi2-0.4.2-1.mga6
timidity-patch-freepats-20060219-20.mga6
$ lspci | grep -i audio
00:1b.0 Audio device: Intel Corporation 82801JI (ICH10 Family) HD Audio Controller
01:00.1 Audio device: NVIDIA Corporation High Definition Audio Controller (rev a1)

CC: (none) => mageia
Whiteboard: (none) => MGA6-64-OK

Comment 4 Lewis Smith 2018-01-04 13:45:36 CET 
Thank you PC_LX for the test. Advisoried, & good for validating.

Keywords: (none) => advisory, validated_update
CC: (none) => sysadmin-bugs

Comment 5 Mageia Robot 2018-01-04 17:49:37 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0061.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED