| Summary: | libmp4v2 new security issue CVE-2018-14054 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | cjw, guichard.adrien, lewyssmith, lists.jjorge, mageia, marja11, smelror, sysadmin-bugs |
| Version: | 6 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA6-64-OK | ||
| Source RPM: | libmp4v2-2.1.0-0.2.mga7.src.rpm | CVE: | |
| Status comment: | |||
| Attachments: | corrupted mp4 file; Sane mp4 file; SPEC patch; source patch; spec file patch for mga6; spec file patch for mga6 fixed | ||
Description

David Walser 2019-01-13 19:05:25 CET

David Walser 2019-01-13 19:05:33 CET
Whiteboard: (none) => MGA6TOO

Assigning to all packagers collectively, since there is no registered maintainer for this package. CC'ing the only committers from the past two years.

CC: (none) => cjw, marja11, smelror

I'll try to take care of this CVE. According to https://www.openwall.com/lists/oss-security/2018/07/13/1

> ========= Fix =========
>
> One way to fix the bug is to clear the dangling pointer after the first free.

So, we need to set pAtom to null before throwing the exception in src/mp4atom.cpp. I will write a patch and test it before sharing.

CC: (none) => guichard.adrien

Created attachment 10669 [details]
corrupted mp4 file
Created attachment 10670 [details]
Sane mp4 file
Valgrind on the corrupted file, showing the double free:
$ valgrind .libs/mp4info ../../c1.mp4
==32083== Memcheck, a memory error detector
==32083== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==32083== Using Valgrind-3.14.0 and LibVEX; rerun with -h for copyright info
==32083== Command: .libs/mp4info ../../c1.mp4
==32083==
.libs/mp4info version trunk-r507
../../c1.mp4:
==32083== Invalid free() / delete / delete[] / realloc()
==32083== at 0x4835900: free (vg_replace_malloc.c:540)
==32083== by 0x48D72DC: mp4v2::impl::MP4StringProperty::~MP4StringProperty() (mp4property.cpp:338)
==32083== by 0x48D7308: mp4v2::impl::MP4StringProperty::~MP4StringProperty() (mp4property.cpp:340)
==32083== by 0x48BCDD7: mp4v2::impl::MP4Atom::~MP4Atom() (mp4atom.cpp:66)
==32083== by 0x489A732: ~MP4Mp4vAtom (atoms.h:264)
==32083== by 0x489A732: mp4v2::impl::MP4Mp4vAtom::~MP4Mp4vAtom() (atoms.h:264)
==32083== by 0x4870797: mp4v2::impl::MP4Atom::ReadAtom(mp4v2::impl::MP4File&, mp4v2::impl::MP4Atom*) [clone .cold.82] (mp4atom.cpp:199)
==32083== by 0x48BFA90: mp4v2::impl::MP4Atom::ReadChildAtoms() (mp4atom.cpp:430)
==32083== by 0x48C1287: mp4v2::impl::MP4Atom::Read() (mp4atom.cpp:236)
==32083== by 0x48C9D8C: mp4v2::impl::MP4File::ReadFromFile() (mp4file.cpp:430)
==32083== by 0x48CD428: mp4v2::impl::MP4File::Read(char const*, MP4FileProvider_s const*) (mp4file.cpp:96)
==32083== by 0x48B94A7: MP4Read (mp4.cpp:102)
==32083== by 0x48D63CC: MP4FileInfo (mp4info.cpp:614)
==32083== Address 0x4ee1b90 is 0 bytes inside a block of size 33 free'd
==32083== at 0x4835900: free (vg_replace_malloc.c:540)
==32083== by 0x48D86ED: Read (mp4property.cpp:395)
==32083== by 0x48D86ED: mp4v2::impl::MP4StringProperty::Read(mp4v2::impl::MP4File&, unsigned int) (mp4property.cpp:377)
==32083== by 0x48C0108: mp4v2::impl::MP4Atom::ReadProperties(unsigned int, unsigned int) (mp4atom.cpp:378)
==32083== by 0x48C1262: mp4v2::impl::MP4Atom::Read() (mp4atom.cpp:232)
==32083== by 0x48BF7E5: mp4v2::impl::MP4Atom::ReadAtom(mp4v2::impl::MP4File&, mp4v2::impl::MP4Atom*) (mp4atom.cpp:195)
==32083== by 0x48BFA90: mp4v2::impl::MP4Atom::ReadChildAtoms() (mp4atom.cpp:430)
==32083== by 0x48C1287: mp4v2::impl::MP4Atom::Read() (mp4atom.cpp:236)
==32083== by 0x48C9D8C: mp4v2::impl::MP4File::ReadFromFile() (mp4file.cpp:430)
==32083== by 0x48CD428: mp4v2::impl::MP4File::Read(char const*, MP4FileProvider_s const*) (mp4file.cpp:96)
==32083== by 0x48B94A7: MP4Read (mp4.cpp:102)
==32083== by 0x48D63CC: MP4FileInfo (mp4info.cpp:614)
==32083== by 0x40239C: main (mp4info.cpp:77)
==32083== Block was alloc'd at
==32083== at 0x48369A2: calloc (vg_replace_malloc.c:762)
==32083== by 0x48DB01F: MP4Malloc (mp4util.h:56)
==32083== by 0x48DB01F: MP4Calloc (mp4util.h:65)
==32083== by 0x48DB01F: mp4v2::impl::MP4StringProperty::SetValue(char const*, unsigned int) (mp4property.cpp:364)
==32083== by 0x489A3DE: mp4v2::impl::MP4Mp4vAtom::MP4Mp4vAtom(mp4v2::impl::MP4File&) (atom_mp4v.cpp:50)
==32083== by 0x48BE6B9: mp4v2::impl::MP4Atom::factory(mp4v2::impl::MP4File&, mp4v2::impl::MP4Atom*, char const*) (mp4atom.cpp:916)
==32083== by 0x48BF57E: mp4v2::impl::MP4Atom::CreateAtom(mp4v2::impl::MP4File&, mp4v2::impl::MP4Atom*, char const*) (mp4atom.cpp:78)
==32083== by 0x48BF74A: mp4v2::impl::MP4Atom::ReadAtom(mp4v2::impl::MP4File&, mp4v2::impl::MP4Atom*) (mp4atom.cpp:168)
==32083== by 0x48BFA90: mp4v2::impl::MP4Atom::ReadChildAtoms() (mp4atom.cpp:430)
==32083== by 0x48C1287: mp4v2::impl::MP4Atom::Read() (mp4atom.cpp:236)
==32083== by 0x48C9D8C: mp4v2::impl::MP4File::ReadFromFile() (mp4file.cpp:430)
==32083== by 0x48CD428: mp4v2::impl::MP4File::Read(char const*, MP4FileProvider_s const*) (mp4file.cpp:96)
==32083== by 0x48B94A7: MP4Read (mp4.cpp:102)
==32083== by 0x48D63CC: MP4FileInfo (mp4info.cpp:614)
==32083==
ReadBytes: read failed: errno: 0 (src/mp4file_io.cpp,94)
.libs/mp4info: can't open ../../c1.mp4
==32083==
==32083== HEAP SUMMARY:
==32083== in use at exit: 27 bytes in 1 blocks
==32083== total heap usage: 1,529 allocs, 1,529 frees, 175,272 bytes allocated
==32083==
==32083== LEAK SUMMARY:
==32083== definitely lost: 27 bytes in 1 blocks
==32083== indirectly lost: 0 bytes in 0 blocks
==32083== possibly lost: 0 bytes in 0 blocks
==32083== still reachable: 0 bytes in 0 blocks
==32083== suppressed: 0 bytes in 0 blocks
==32083== Rerun with --leak-check=full to see details of leaked memory
==32083==
==32083== For counts of detected and suppressed errors, rerun with: -v
==32083== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
If I add value = NULL at line 396 in mp4property.cpp:
$ valgrind .libs/mp4info ../../c1.mp4
==354== Memcheck, a memory error detector
==354== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==354== Using Valgrind-3.14.0 and LibVEX; rerun with -h for copyright info
==354== Command: .libs/mp4info ../../c1.mp4
==354==
.libs/mp4info version trunk-r507
../../c1.mp4:
ReadBytes: read failed: errno: 0 (src/mp4file_io.cpp,94)
.libs/mp4info: can't open ../../c1.mp4
==354==
==354== HEAP SUMMARY:
==354== in use at exit: 27 bytes in 1 blocks
==354== total heap usage: 1,529 allocs, 1,528 frees, 175,272 bytes allocated
==354==
==354== LEAK SUMMARY:
==354== definitely lost: 27 bytes in 1 blocks
==354== indirectly lost: 0 bytes in 0 blocks
==354== possibly lost: 0 bytes in 0 blocks
==354== still reachable: 0 bytes in 0 blocks
==354== suppressed: 0 bytes in 0 blocks
==354== Rerun with --leak-check=full to see details of leaked memory
==354==
==354== For counts of detected and suppressed errors, rerun with: -v
==354== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)
I do not use the mp4info script, but the mp4info binary directly:
$ ldd .libs/mp4info
linux-vdso.so.1 (0x00007ffd6c36b000)
libmp4v2.so.2 => /home/auo/mgarepo3/libmp4v2/BUILD/mp4v2-trunk/.libs/libmp4v2.so.2 (0x00007f080e143000)
libstdc++.so.6 => /lib64/libstdc++.so.6 (0x00007f080df75000)
libgcc_s.so.1 => /lib64/libgcc_s.so.1 (0x00007f080df5b000)
libc.so.6 => /lib64/libc.so.6 (0x00007f080dd92000)
libm.so.6 => /lib64/libm.so.6 (0x00007f080dc11000)
/lib64/ld-linux-x86-64.so.2 (0x00007f080e269000)
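The two valgrind runs above show the shape of the bug: MP4StringProperty::Read frees the old string, then performs a read that throws on a truncated file, and the destructor frees the same block again during unwinding. The following is an added example, written for this page and not code from mp4v2 or from the patch attached here, that models that pattern in a few dozen lines so the before/after behaviour can be checked without valgrind. TrackingHeap (standing in for MP4Malloc/MP4Free), FakeFile (standing in for MP4File::ReadBytes), StringProperty and the two sample byte strings are all constructions of the example; the tracking heap counts a second free of a live-then-freed block instead of letting the real allocator corrupt itself.

```cpp
#include <cstdlib>
#include <cstring>
#include <new>
#include <set>
#include <stdexcept>
#include <string>

// Tracking heap standing in for MP4Malloc/MP4Free (assumption of this example):
// a second free of the same block is counted instead of corrupting the real heap.
struct TrackingHeap {
    std::set<void*> live;
    int doubleFrees = 0;

    void* alloc(std::size_t n) {
        void* p = std::calloc(n, 1);
        if (!p) throw std::bad_alloc();
        live.insert(p);
        return p;
    }
    void release(void* p) {
        if (!p) return;
        if (live.erase(p) == 0) { ++doubleFrees; return; }  // block already freed
        std::free(p);
    }
};

// Stand-in for MP4File: one length byte followed by that many string bytes.
// Like mp4v2's ReadBytes, reading past the end throws.
struct FakeFile {
    std::string data;
    std::size_t pos = 0;
    explicit FakeFile(const std::string& d) : data(d) {}

    void readBytes(char* dst, std::size_t n) {
        if (pos + n > data.size())
            throw std::runtime_error("ReadBytes: read failed");
        std::memcpy(dst, data.data() + pos, n);
        pos += n;
    }
    // Reads length, then bytes, and only then allocates the result, so a
    // truncated file throws before the caller's pointer is reassigned.
    char* readString(TrackingHeap& heap) {
        unsigned char len = 0;
        readBytes(reinterpret_cast<char*>(&len), 1);
        std::string tmp(len, '\0');
        readBytes(&tmp[0], len);
        char* out = static_cast<char*>(heap.alloc(std::size_t(len) + 1));
        std::memcpy(out, tmp.data(), len);
        return out;
    }
};

// Model of MP4StringProperty: owns one heap string that the destructor frees.
class StringProperty {
public:
    StringProperty(TrackingHeap& heap, const char* initial) : heap_(heap) {
        std::size_t n = std::strlen(initial) + 1;
        value_ = static_cast<char*>(heap_.alloc(n));
        std::memcpy(value_, initial, n);
    }
    ~StringProperty() { heap_.release(value_); }

    // Vulnerable shape: free the old value, then do a read that can throw. On a
    // truncated file value_ still points at the freed block, and the destructor
    // frees it a second time during unwinding.
    void readVulnerable(FakeFile& file) {
        heap_.release(value_);
        value_ = file.readString(heap_);
    }
    // Fixed shape: clear the pointer right after the first free, so the
    // destructor sees NULL if the read throws.
    void readFixed(FakeFile& file) {
        heap_.release(value_);
        value_ = nullptr;
        value_ = file.readString(heap_);
    }
    const char* value() const { return value_ ? value_ : ""; }

private:
    TrackingHeap& heap_;
    char* value_;
};

// Parses `bytes` into a property whose lifetime ends inside this function and
// reports how many double frees its destructor produced (0 is the goal).
int doubleFreesAfterRead(const std::string& bytes, bool fixed) {
    TrackingHeap heap;
    {
        StringProperty prop(heap, "mp4v");  // value set by the atom constructor
        FakeFile file(bytes);
        try {
            if (fixed) prop.readFixed(file); else prop.readVulnerable(file);
        } catch (const std::runtime_error&) {
            // mp4v2 reports "can't open" here; the atom tree is torn down below.
        }
    }
    return heap.doubleFrees;
}

// Well-formed input: both versions must still read the string correctly.
std::string readOk(const std::string& bytes, bool fixed) {
    TrackingHeap heap;
    StringProperty prop(heap, "mp4v");
    FakeFile file(bytes);
    if (fixed) prop.readFixed(file); else prop.readVulnerable(file);
    return prop.value();
}

// Constructed samples, not the attached c1.mp4: a complete 4-byte string, and
// one that declares 32 bytes but supplies only 5.
const std::string kSane      = std::string("\x04", 1) + "avc1";
const std::string kTruncated = std::string("\x20", 1) + "short";
```

doubleFreesAfterRead(kTruncated, false) reports one double free and doubleFreesAfterRead(kTruncated, true) reports none, which is the same difference the two valgrind ERROR SUMMARY lines show; both variants still return "avc1" for the sane sample. The one-line fix works because a free of NULL is a no-op, so the only state the destructor can observe after a failed read is "nothing owned".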
Created attachment 10671 [details]
SPEC patch
Created attachment 10672 [details]
source patch
(In reply to Adrien Guichard from comment #7)
> Created attachment 10672 [details]
> source patch

Applies in cauldron, so fixed in libmp4v2-2.1.0-0.2.mga7.src.rpm.

CC: (none) => lists.jjorge

José Jorge 2019-01-17 17:31:30 CET
Assignee: pkg-bugs => guichard.adrien

Created attachment 10675 [details]
spec file patch for mga6

Adrien Guichard 2019-01-18 08:22:52 CET
Version: Cauldron => 6

Created attachment 10676 [details]
spec file patch for mga6 fixed

Attachment 10675 is obsolete: 0 => 1

libmp4v2_2-2.0.0-9.1.mga6
libmp4v2-devel-2.0.0-9.1.mga6
libmp4v2-utils-2.0.0-9.1.mga6
from libmp4v2-2.0.0-9.1.mga6.src.rpm

We applied a patch to libmp4v2 to avoid a double free when parsing a corrupted file. A sample file is attached to this BR.

Suggested advisory:
========================

This release addresses a potential security issue in libmp4v2 for Mageia 6:

CVE-2018-14054: libmp4v2: Double free in the MP4StringProperty class in mp4property.cpp

References:
https://www.openwall.com/lists/oss-security/2019/01/09/2
========================

Updated packages in {core}/updates_testing:
========================
libmp4v2_2-2.0.0-9.1.mga6
libmp4v2-devel-2.0.0-9.1.mga6
libmp4v2-utils-2.0.0-9.1.mga6
from libmp4v2-2.0.0-9.1.mga6.src.rpm

Assignee: guichard.adrien => qa-bugs

PC LX
Installed and tested without issues.
Tested using the attached corrupted mp4 file. The old version makes an invalid free() call that is fixed in the new version.
System: Mageia 6, x86_64, Intel CPU.

Before the update:

$ uname -a
Linux marte 4.14.89-desktop-1.mga6 #1 SMP Mon Dec 17 13:14:48 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -qa | grep mp4v2 | sort -u
lib64mp4v2_2-2.0.0-9.mga6
libmp4v2-utils-2.0.0-9.mga6
$ valgrind mp4info c1.mp4
==13869== Memcheck, a memory error detector
==13869== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==13869== Using Valgrind-3.12.0 and LibVEX; rerun with -h for copyright info
==13869== Command: mp4info c1.mp4
==13869==
mp4info version 2.0.0
c1.mp4:
==13869== Invalid free() / delete / delete[] / realloc()
==13869== at 0x4C29060: free (vg_replace_malloc.c:530)
==13869== by 0x4EB3819: ??? (in /usr/lib64/libmp4v2.so.2.0.0)
==13869== by 0x4EB3858: ??? (in /usr/lib64/libmp4v2.so.2.0.0)
==13869== by 0x4E991F7: ??? (in /usr/lib64/libmp4v2.so.2.0.0)
==13869== by 0x4E6D842: ??? (in /usr/lib64/libmp4v2.so.2.0.0)
==13869== by 0x4E9CA2B: ??? (in /usr/lib64/libmp4v2.so.2.0.0)
==13869== by 0x4E9CC77: ??? (in /usr/lib64/libmp4v2.so.2.0.0)
==13869== by 0x4E9CF21: ??? (in /usr/lib64/libmp4v2.so.2.0.0)
==13869== by 0x4EA0D50: ??? (in /usr/lib64/libmp4v2.so.2.0.0)
==13869== by 0x4EA1858: ??? (in /usr/lib64/libmp4v2.so.2.0.0)
==13869== by 0x4E90A97: MP4Read (in /usr/lib64/libmp4v2.so.2.0.0)
==13869== by 0x4EB2D3C: MP4FileInfo (in /usr/lib64/libmp4v2.so.2.0.0)
==13869== Address 0x5dcd730 is 0 bytes inside a block of size 33 free'd
==13869== at 0x4C29060: free (vg_replace_malloc.c:530)
==13869== by 0x4EB3CC9: ??? (in /usr/lib64/libmp4v2.so.2.0.0)
==13869== by 0x4E99853: ??? (in /usr/lib64/libmp4v2.so.2.0.0)
==13869== by 0x4E9CF12: ??? (in /usr/lib64/libmp4v2.so.2.0.0)
==13869== by 0x4E9C882: ??? (in /usr/lib64/libmp4v2.so.2.0.0)
==13869== by 0x4E9CC77: ??? (in /usr/lib64/libmp4v2.so.2.0.0)
==13869== by 0x4E9CF21: ??? (in /usr/lib64/libmp4v2.so.2.0.0)
==13869== by 0x4EA0D50: ??? (in /usr/lib64/libmp4v2.so.2.0.0)
==13869== by 0x4EA1858: ??? (in /usr/lib64/libmp4v2.so.2.0.0)
==13869== by 0x4E90A97: MP4Read (in /usr/lib64/libmp4v2.so.2.0.0)
==13869== by 0x4EB2D3C: MP4FileInfo (in /usr/lib64/libmp4v2.so.2.0.0)
==13869== by 0x401EF7: ??? (in /usr/bin/mp4info)
==13869== Block was alloc'd at
==13869== at 0x4C29CF8: calloc (vg_replace_malloc.c:711)
==13869== by 0x4EB631F: ??? (in /usr/lib64/libmp4v2.so.2.0.0)
==13869== by 0x4E6D44B: ??? (in /usr/lib64/libmp4v2.so.2.0.0)
==13869== by 0x4E9BA99: ??? (in /usr/lib64/libmp4v2.so.2.0.0)
==13869== by 0x4E9C5BE: ??? (in /usr/lib64/libmp4v2.so.2.0.0)
==13869== by 0x4E9C7C7: ??? (in /usr/lib64/libmp4v2.so.2.0.0)
==13869== by 0x4E9CC77: ??? (in /usr/lib64/libmp4v2.so.2.0.0)
==13869== by 0x4E9CF21: ??? (in /usr/lib64/libmp4v2.so.2.0.0)
==13869== by 0x4EA0D50: ??? (in /usr/lib64/libmp4v2.so.2.0.0)
==13869== by 0x4EA1858: ??? (in /usr/lib64/libmp4v2.so.2.0.0)
==13869== by 0x4E90A97: MP4Read (in /usr/lib64/libmp4v2.so.2.0.0)
==13869== by 0x4EB2D3C: MP4FileInfo (in /usr/lib64/libmp4v2.so.2.0.0)
==13869==
ReadBytes: read failed: errno: 0 (src/mp4file_io.cpp,94)
mp4info: can't open c1.mp4
==13869==
==13869== HEAP SUMMARY:
==13869== in use at exit: 72,731 bytes in 2 blocks
==13869== total heap usage: 1,529 allocs, 1,528 frees, 174,273 bytes allocated
==13869==
==13869== LEAK SUMMARY:
==13869== definitely lost: 27 bytes in 1 blocks
==13869== indirectly lost: 0 bytes in 0 blocks
==13869== possibly lost: 0 bytes in 0 blocks
==13869== still reachable: 72,704 bytes in 1 blocks
==13869== suppressed: 0 bytes in 0 blocks
==13869== Rerun with --leak-check=full to see details of leaked memory
==13869==
==13869== For counts of detected and suppressed errors, rerun with: -v
==13869== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)

-------------------------------------

After the update:

$ rpm -qa | grep mp4v2 | sort -u
lib64mp4v2_2-2.0.0-9.1.mga6
libmp4v2-utils-2.0.0-9.1.mga6
$ valgrind mp4info c1.mp4
==14482== Memcheck, a memory error detector
==14482== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==14482== Using Valgrind-3.12.0 and LibVEX; rerun with -h for copyright info
==14482== Command: mp4info c1.mp4
==14482==
mp4info version 2.0.0
c1.mp4:
ReadBytes: read failed: errno: 0 (src/mp4file_io.cpp,94)
mp4info: can't open c1.mp4
==14482==
==14482== HEAP SUMMARY:
==14482== in use at exit: 72,731 bytes in 2 blocks
==14482== total heap usage: 1,529 allocs, 1,527 frees, 174,273 bytes allocated
==14482==
==14482== LEAK SUMMARY:
==14482== definitely lost: 27 bytes in 1 blocks
==14482== indirectly lost: 0 bytes in 0 blocks
==14482== possibly lost: 0 bytes in 0 blocks
==14482== still reachable: 72,704 bytes in 1 blocks
==14482== suppressed: 0 bytes in 0 blocks
==14482== Rerun with --leak-check=full to see details of leaked memory
==14482==
==14482== For counts of detected and suppressed errors, rerun with: -v
==14482== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)

CC: (none) => mageia

(In reply to PC LX from comment #13)
> Tested using the attached corrupted mp4 file.
1st attachment, "corrupted mp4 file": https://bugs.mageia.org/attachment.cgi?id=10669
> The old version makes an invalid free() call that is fixed in the new version.
= MGA6-64-OK + validation. Super test, thank you.
Doing advisory from comment 12.

Whiteboard: (none) => MGA6-64-OK

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2019-0048.html

Status: ASSIGNED => RESOLVED