| Summary: | ming new security issues CVE-2018-6358, CVE-2018-786[78], CVE-2018-787[0125], CVE-2018-9165 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | ||
| Priority: | Normal | CC: | andrewsfarm, davidwhodgins, guillomovitch, herman.viaene, mageia, marja11, nicolas.salguero, pterjan, sysadmin-bugs |
| Version: | 6 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA6-32-OK | ||
| Source RPM: | ming-0.4.5-14.1.mga6.src.rpm | CVE: | |
| Status comment: | |||
Description
David Walser
2019-03-13 19:16:34 CET
David Walser
2019-03-13 19:16:39 CET
Whiteboard: (none) => MGA6TOO

Assigning to all packagers collectively, since there is no registered maintainer for this package. Also CC'ing some committers.

CC: (none) => guillomovitch, mageia, marja11, nicolas.salguero, pterjan

Suggested advisory:
========================

The updated packages fix security vulnerabilities:

The printDefineFont2 function (util/listfdb.c) in libming through 0.4.8 is vulnerable to a heap-based buffer overflow, which may allow attackers to cause a denial of service or unspecified other impact via a crafted FDB file. (CVE-2018-6358)

There is a heap-based buffer overflow in the getString function of util/decompile.c in libming 0.4.8 during a RegisterNumber sprintf. A crafted input will lead to a denial of service attack. (CVE-2018-7867)

There is a heap-based buffer over-read in the getName function of util/decompile.c in libming 0.4.8 for CONSTANT8 data. A crafted input will lead to a denial of service attack. (CVE-2018-7868)

An invalid memory address dereference was discovered in getString in util/decompile.c in libming 0.4.8 for CONSTANT16 data. The vulnerability causes a segmentation fault and application crash, which leads to denial of service. (CVE-2018-7870)

There is a heap-based buffer over-read in the getName function of util/decompile.c in libming 0.4.8 for CONSTANT16 data. A crafted input will lead to a denial of service or possibly unspecified other impact. (CVE-2018-7871)

An invalid memory address dereference was discovered in the function getName in libming 0.4.8 for CONSTANT16 data. The vulnerability causes a segmentation fault and application crash, which leads to denial of service. (CVE-2018-7872)

There is a heap-based buffer over-read in the getString function of util/decompile.c in libming 0.4.8 for CONSTANT8 data. A crafted input will lead to a denial of service attack. (CVE-2018-7875)

The pushdup function in util/decompile.c in libming through 0.4.8 does not recognize the need for ActionPushDuplicate to perform a deep copy when a String is at the top of the stack, making the library vulnerable to a util/decompile.c getName NULL pointer dereference, which may allow attackers to cause a denial of service via a crafted SWF file. (CVE-2018-9165)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6358
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7867
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7868
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7870
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7871
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7872
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7875
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-9165
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/DCVKRTMEAJTXCYXNA53WZFPDF67TN7NC/
========================

Updated packages in core/updates_testing:
========================
lib(64)ming1-0.4.9-0.git20181112.1.mga6
lib(64)ming-devel-0.4.9-0.git20181112.1.mga6
perl-SWF-0.4.9-0.git20181112.1.mga6
python-SWF-0.4.9-0.git20181112.1.mga6
ming-utils-0.4.9-0.git20181112.1.mga6

from SRPMS:
ming-0.4.9-0.git20181112.1.mga6.src.rpm

Status: NEW => ASSIGNED

MGA6-32 MATE on IBM Thinkpad R50e
No installation issues, skipped the devel pack.
Ref to bug 22815 Comment 7, using an swf file created by some other test.

    $ swftopython output.swf > testming.py
    $ head testming.py
    #!/usr/bin/python
    from ming import *
    m = SWFMovie();
    Ming_setScale(1.0);
    # Note: using v5+ syntax for script blocks (original SWF file version was 4)!
    m.setRate(1.000000);

    $ swftophp output.swf > testming.php
    $ head testming.php
    <?php
    $m = new SWFMovie();
    ming_setscale(1.0);
    /* Note: using v5+ syntax for script blocks (original SWF file version was 4)! */
    $m->setRate(1.000000);
    $m->setDimension(65280, 48960);
    $m->setFrames(14);

    $ swftoperl output.swf > testming.pl
    $ head testming.pl
    #!/usr/bin/perl -w
    # Generated by swftoperl converter included with ming. Have fun.
    # Change this to your needs. If you installed perl-ming global you don't need this.
    #use lib("/home/peter/mystuff/lib/site_perl");
    # We import all because our converter is not so clever to select only needed. ;-)
    use SWF qw(:ALL);
    # Just copy from a sample, needed to use Constants like SWFFILL_RADIAL_GRADIENT
    use SWF::Constants qw(:Text :Button :DisplayItem :Fill);

    $ swftocxx output.swf > testming.c++
    $ head testming.c++
    #include <mingpp.h>
    main(){
    SWFMovie* m = new SWFMovie();
    Ming_setScale(1.0);
    // Note: using v5+ syntax for script blocks (original SWF file version was 4)!

This all looks quite similar, so relying on Len's reputation, OK for me.

Whiteboard: (none) => MGA6-32-OK

No 64-bit installation issues. Validating. Suggested advisory in Comment 2.

Keywords: (none) => validated_update
Dave Hodgins
2019-04-10 21:02:45 CEST
CC: (none) => davidwhodgins

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0137.html

Resolution: (none) => FIXED