| Summary: | TiMidity++ new security issues CVE-2017-11546 and CVE-2017-11547 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | lewyssmith, marja11, smelror, sysadmin-bugs |
| Version: | 6 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA5TOO MGA5-64-OK MGA6-64-OK | ||
| Source RPM: | TiMidity++-2.14.0-9.mga6.src.rpm | CVE: | CVE-2017-11546 CVE-2017-11547 |
| Status comment: | |||
| Attachments: | 3 PoCs | ||
Description

David Walser
2018-02-24 23:38:55 CET

David Walser
2018-02-24 23:39:15 CET
Whiteboard: (none) => MGA6TOO
Assignee: bugsquad => shlomif

Assigning to the registered maintainer.
Stig-Ørjan Smelror
2018-02-25 11:05:51 CET
CC: (none) => smelror

Advisory
========

This update fixes 2 security issues.

CVE-2017-11546: The insert_note_steps function in readmidi.c in TiMidity++ 2.14.0 allows remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted mid file. NOTE: a crash might be relevant when using the --background option.

CVE-2017-11547: The resample_gauss function in resample.c in TiMidity++ 2.14.0 allows remote attackers to cause a denial of service (heap-based buffer over-read) via a crafted mid file. NOTE: a crash might be relevant when using the --background option. NOTE: the TiMidity++ README.alsaseq documentation suggests a setuid-root installation.

References
==========

https://lists.opensuse.org/opensuse-updates/2018-02/msg00099.html
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-11546
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-11547

Files
=====

The following has been uploaded to core/updates_testing

TiMidity++-2.14.0-9.1.mga6
TiMidity++-interfaces-extra-2.14.0-9.1.mga6

from TiMidity++-2.14.0-9.1.mga6.src.rpm

An update has also been pushed to Cauldron.

The openSUSE advisory contains a PoC.

Cheers,
Stig
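Both CVEs above are triggered by a crafted MIDI file fed to a player that the project's own documentation suggests installing setuid-root, so a defender's first line is to refuse malformed input before the player parses it. The following is an added example written for this page, not TiMidity++ code and not the fix the update ships: a small Standard MIDI File sanity checker that rejects a zero division value (ticks per quarter note, a divide-by-zero source in any tick-to-time arithmetic), MTrk chunks whose declared length overruns the file (the condition behind TiMidity's "Too shorten midi file" warning in the test output further down), and delta-time variable-length quantities that are not terminated within the 4 bytes the SMF specification allows (the "Illigal Variable-length quantity format" warning seen with the large_loop PoC). The page does not state which field each CVE's PoC actually malforms, so these checks are general format validation, not a reproduction of the bugs; the sample files at the bottom are constructed here.

```python
"""Pre-screen a Standard MIDI File (SMF) before a player such as TiMidity++ parses it.

Added example, not TiMidity++ code: general format validation, not a fix for
the specific CVEs. Sample inputs at the bottom are constructed for this demo.
"""
import struct

MAX_VLQ_BYTES = 4  # SMF spec: a variable-length quantity is at most 4 bytes


def read_vlq(data: bytes, pos: int):
    """Decode one VLQ at pos; return (value, next_pos) or raise ValueError."""
    value = 0
    for i in range(MAX_VLQ_BYTES):
        if pos + i >= len(data):
            raise ValueError("VLQ runs past end of track")
        byte = data[pos + i]
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:
            return value, pos + i + 1
    raise ValueError("VLQ longer than 4 bytes")


def check_track(track: bytes, index: int) -> list:
    """Walk one MTrk body, validating every delta time and event length."""
    problems, pos, status = [], 0, None
    try:
        while pos < len(track):
            _delta, pos = read_vlq(track, pos)
            if pos >= len(track):
                raise ValueError("delta time with no event after it")
            if track[pos] & 0x80:                 # new status byte
                status = track[pos]
                pos += 1
            elif status is None or not 0x80 <= status <= 0xEF:
                raise ValueError("data byte without a channel status to run on")
            if status == 0xFF:                    # meta event: type, VLQ length, data
                if pos >= len(track):
                    raise ValueError("truncated meta event")
                meta_type = track[pos]
                length, pos = read_vlq(track, pos + 1)
                pos += length
                if meta_type == 0x2F:             # End of Track must be the last event
                    if pos != len(track):
                        problems.append(f"track {index}: data after End of Track")
                    return problems
            elif status in (0xF0, 0xF7):          # sysex: VLQ length, data
                length, pos = read_vlq(track, pos)
                pos += length
            else:                                 # channel voice: 1 or 2 data bytes
                pos += 1 if (status & 0xF0) in (0xC0, 0xD0) else 2
            if pos > len(track):
                raise ValueError("event runs past end of track")
        problems.append(f"track {index}: missing End of Track meta event")
    except ValueError as exc:
        problems.append(f"track {index}: {exc}")
    return problems


def check_midi(data: bytes) -> list:
    """Return a list of problems; an empty list means the file passed the checks."""
    if len(data) < 14 or data[:4] != b"MThd":
        return ["missing or truncated MThd header"]
    problems = []
    hdr_len, fmt, ntrks, division = struct.unpack(">IHHH", data[4:14])
    if hdr_len != 6:
        problems.append(f"unexpected MThd length {hdr_len}")
    if fmt not in (0, 1, 2):
        problems.append(f"unknown format {fmt}")
    # Bit 15 clear: ticks per quarter note; zero would make every tick-to-time
    # conversion divide by zero. Bit 15 set: SMPTE, ticks per frame in the low byte.
    if division == 0:
        problems.append("division (ticks per quarter note) is zero")
    elif division & 0x8000 and (division & 0xFF) == 0:
        problems.append("SMPTE ticks per frame is zero")
    pos, tracks_seen = 8 + hdr_len, 0
    while pos + 8 <= len(data):
        chunk_id = data[pos:pos + 4]
        chunk_len = struct.unpack(">I", data[pos + 4:pos + 8])[0]
        body_start, body_end = pos + 8, pos + 8 + chunk_len
        if body_end > len(data):                  # declared length overruns the file
            problems.append(f"{chunk_id!r} chunk at {pos} declares {chunk_len} bytes, "
                            f"only {len(data) - body_start} available")
            break
        if chunk_id == b"MTrk":
            tracks_seen += 1
            problems.extend(check_track(data[body_start:body_end], tracks_seen))
        pos = body_end
    if tracks_seen != ntrks:
        problems.append(f"header promises {ntrks} tracks, found {tracks_seen}")
    return problems


def build_midi(division: int, tracks: list) -> bytes:
    """Assemble a format-1 SMF from raw track bodies (constructed sample data)."""
    out = b"MThd" + struct.pack(">IHHH", 6, 1, len(tracks), division)
    for body in tracks:
        out += b"MTrk" + struct.pack(">I", len(body)) + body
    return out


END_OF_TRACK = b"\x00\xFF\x2F\x00"
# delta 0: note-on ch0 key 60 vel 100; delta 96: note-off via running status
NOTE_TRACK = b"\x00\x90\x3C\x64" + b"\x60\x3C\x00" + END_OF_TRACK
GOOD = build_midi(120, [NOTE_TRACK])
ZERO_DIVISION = build_midi(0, [NOTE_TRACK])
TRUNCATED = GOOD[:-3]                  # last track now declares more bytes than exist
BAD_VLQ = build_midi(120, [b"\x80\x80\x80\x80\x80\x90\x3C\x64" + END_OF_TRACK])
```

Calling `check_midi(open(path, "rb").read())` and refusing to play anything for which the list is non-empty is the intended use; `check_midi(GOOD)` returns an empty list, while the three constructed bad files each produce a description of what is wrong. The checker deliberately stops at the first overrunning chunk rather than trying to recover, since a player that "ignores the last N events" of a truncated file is exactly the kind of lenient parsing these advisories punish.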
Stig-Ørjan Smelror
2018-02-25 11:23:21 CET
Assignee: smelror => qa-bugs
Stig-Ørjan Smelror
2018-02-25 11:28:48 CET
Whiteboard: MGA6TOO => (none)

Thanks! I added a Mageia 5 build and tested it. Reformatting advisory.

Advisory:
========================

Updated TiMidity++ packages fix security vulnerabilities:

The insert_note_steps function in readmidi.c in TiMidity++ 2.14.0 allows remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted mid file. NOTE: a crash might be relevant when using the --background option (CVE-2017-11546).

The resample_gauss function in resample.c in TiMidity++ 2.14.0 allows remote attackers to cause a denial of service (heap-based buffer over-read) via a crafted mid file. NOTE: a crash might be relevant when using the --background option. NOTE: the TiMidity++ README.alsaseq documentation suggests a setuid-root installation (CVE-2017-11547).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11546
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11547
https://lists.opensuse.org/opensuse-updates/2018-02/msg00099.html
========================

Updated packages in core/updates_testing:
========================

TiMidity++-2.14.0-6.1.mga5
TiMidity++-interfaces-extra-2.14.0-6.1.mga5
TiMidity++-2.14.0-9.1.mga6
TiMidity++-interfaces-extra-2.14.0-9.1.mga6

from SRPMS:
TiMidity++-2.14.0-6.1.mga5.src.rpm
TiMidity++-2.14.0-9.1.mga6.src.rpm

I tested the two relevant PoC's (Mageia 5 x86_64). The second played the MIDI file and didn't appear to crash, even before the update.

Before:

$ timidity timidity++_2.14.0_divide_by_zero_error.mid
Playing timidity++_2.14.0_divide_by_zero_error.mid
MIDI file: timidity++_2.14.0_divide_by_zero_error.mid
Format: 1 Tracks: 8 Divisions: 120
Floating point exception

$ timidity timidity++_2.14.0_heap_buffer_overflow.mid
Playing timidity++_2.14.0_heap_buffer_overflow.mid
MIDI file: timidity++_2.14.0_heap_buffer_overflow.mid
Format: 1 Tracks: 8 Divisions: 120
Warning: timidity++_2.14.0_heap_buffer_overflow.mid: Too shorten midi file.
Last 31 MIDI events are ignored
Playing time: ~6 seconds
Notes cut: 0
Notes lost totally: 0

After (both MIDIs play fine):

$ timidity timidity++_2.14.0_divide_by_zero_error.mid
Playing timidity++_2.14.0_divide_by_zero_error.mid
MIDI file: timidity++_2.14.0_divide_by_zero_error.mid
Format: 1 Tracks: 8 Divisions: 120
Last 13 MIDI events are ignored
Playing time: ~8 seconds
Notes cut: 0
Notes lost totally: 0

$ timidity timidity++_2.14.0_heap_buffer_overflow.mid
Playing timidity++_2.14.0_heap_buffer_overflow.mid
MIDI file: timidity++_2.14.0_heap_buffer_overflow.mid
Format: 1 Tracks: 8 Divisions: 120
Warning: timidity++_2.14.0_heap_buffer_overflow.mid: Too shorten midi file.
Last 31 MIDI events are ignored
Playing time: ~6 seconds
Notes cut: 0
Notes lost totally: 0

Status comment: Patches available from openSUSE => (none)

Created attachment 10006
3 PoCs

(In reply to Stig-Ørjan Smelror from comment #3)
> The openSUSE advisory contains a PoC.

Leads to, eventually! Attached here. The zip file contains:
poc/
poc/timidity++_2.14.0_divide_by_zero_error.mid
poc/timidity++_2.14.0_heap_buffer_overflow.mid
poc/timidity++_2.14.0_large_loop.mid

to be run:
$ timidity <filename>

Testing M6 x64

BEFORE the update:
TiMidity++-2.14.0-9.mga6
TiMidity++-interfaces-extra-2.14.0-9.mga6

$ timidity timidity++_2.14.0_divide_by_zero_error.mid
Playing timidity++_2.14.0_divide_by_zero_error.mid
MIDI file: timidity++_2.14.0_divide_by_zero_error.mid
Format: 1 Tracks: 8 Divisions: 120
Floating point exception (core dumped)

$ timidity timidity++_2.14.0_large_loop.mid
Playing timidity++_2.14.0_large_loop.mid
MIDI file: timidity++_2.14.0_large_loop.mid
Format: 1 Tracks: 8 Divisions: 120
timidity++_2.14.0_large_loop.mid: Illigal Variable-length quantity format.
No instrument mapped to drum set 0, program 0 - this instrument will not be heard
No instrument mapped to drum set 0, program 30 - this instrument will not be heard
^C

$ timidity timidity++_2.14.0_heap_buffer_overflow.mid
Playing timidity++_2.14.0_heap_buffer_overflow.mid
MIDI file: timidity++_2.14.0_heap_buffer_overflow.mid
Format: 1 Tracks: 8 Divisions: 120
Warning: timidity++_2.14.0_heap_buffer_overflow.mid: Too shorten midi file.
No instrument mapped to drum set 0, program 35 - this instrument will not be heard
Last 31 MIDI events are ignored
Playing time: ~6 seconds
Notes cut: 0
Notes lost totally: 0

As David found, no crash.

AFTER update:
TiMidity++-2.14.0-9.1.mga6
TiMidity++-interfaces-extra-2.14.0-9.1.mga6

$ timidity timidity++_2.14.0_divide_by_zero_error.mid
Playing timidity++_2.14.0_divide_by_zero_error.mid
MIDI file: timidity++_2.14.0_divide_by_zero_error.mid
Format: 1 Tracks: 8 Divisions: 120
No instrument mapped to drum set 0, program 35 - this instrument will not be heard
Last 13 MIDI events are ignored
Playing time: ~8 seconds
Notes cut: 0
Notes lost totally: 0

NO core dump, OK.

$ timidity timidity++_2.14.0_large_loop.mid
O/P identical to before, no regression.

$ timidity timidity++_2.14.0_heap_buffer_overflow.mid
O/P identical to before, no crash, regression.

OKing this update. Validating.

Whiteboard: MGA5TOO MGA5-64-OK => MGA5TOO MGA5-64-OK MGA6-64-OK

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0152.html

Resolution: (none) => FIXED