| Summary: | libmediainfo new security issues CVE-2019-1137[23] | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | ||
| Priority: | Normal | CC: | andrewsfarm, geiger.david68210, jani.valimaa, sysadmin-bugs, tarazed25 |
| Version: | 7 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA7-64-OK | ||
| Source RPM: | libmediainfo-18.12-1.mga7.src.rpm | CVE: | |
| Status comment: | |||
Description
David Walser
2019-08-11 21:31:31 CEST
David Walser
2019-08-11 21:31:42 CEST
Whiteboard: (none) => MGA7TOO, MGA6TOO

openSUSE has issued an advisory for this on June 26:
https://lists.opensuse.org/opensuse-updates/2019-06/msg00147.html
David Walser
2020-01-14 18:05:08 CET
Status comment: (none) => Patches available from Ubuntu and openSUSE

Done for mga7 and already fixed in Cauldron with release 19.09!

Whiteboard:
MGA7TOO, MGA6TOO => MGA7TOO

Advisory:
========================

Updated libmediainfo packages fix security vulnerabilities:

Out-of-bounds read in function MediaInfoLib:File__Tags_Helper:Synched_Test (CVE-2019-11372).

Out-of-bounds read in function File__Analyze:Get_L8 (CVE-2019-11373).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11372
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11373
https://lists.opensuse.org/opensuse-updates/2019-06/msg00147.html
========================

Updated packages in core/updates_testing:
========================
libmediainfo0-18.12-1.1.mga7
libmediainfo-devel-18.12-1.1.mga7

from libmediainfo-18.12-1.1.mga7.src.rpm

Whiteboard:
MGA7TOO => (none)

CVE-2019-11372
CVE-2019-11373
https://sourceforge.net/p/mediainfo/bugs/1101/

$ mediainfo A.avi
Segmentation fault (core dumped)
$ mediainfo T.avi
Segmentation fault (core dumped)

Updated the packages:
1/1: lib64mediainfo0
1/3 lib64tinyxml2-devel
2/3: lib64zen-devel
3/3: lib64mediainfo-devel

$ mediainfo A.avi
General
Complete name : A.avi
Format : AVI
Format/Info : Audio Video Interleave
File size : 89.0 Bytes
IsTruncated : Yes

$ mediainfo T.avi
General
Complete name : T.avi
Format : SMPTE ST 337
File size : 21.6 KiB
Overall bit rate mode : Constant

Audio
Format : Dolby E
Format settings : Little
Bit rate mode : Constant
Bit depth : 20 bits

That confirms the fixes.

Many of the command line options for mediainfo concern security and certification. Passing on those.

$ mediainfo --Details 1 'Long as I Can See the Light.wav'
0000000 WAVE (12 bytes)
0000000 Header (12 bytes)
0000000 Name: RIFF
0000004 Size: 18419596 (0x01190F8C)
0000008 Real Name: WAVE
000000C --------------------------
000000C --- Wave, accepted ---
000000C --------------------------
000000C --------------------------
000000C --- Wave, accepted ---
000000C --------------------------
0000000 Wave (327680 bytes)
000000C Stream format - Audio (24 bytes)

$ mediainfo --Full CanzonaPerSonareAQuattro-GiovanniGabrieli.wav
General
Count : 331
Count of stream of this kind : 1
Kind of stream : General
Kind of stream : General
Stream identifier : 0
Count of audio streams : 1
Audio_Format_List : PCM
Audio_Format_WithHint_List : PCM
Audio codecs : PCM
Complete name : CanzonaPerSonareAQuattro-GiovanniGabrieli.wav
[...]
Stream size : 26.66 MiB
Stream size : 26.7 MiB (100%)
Proportion of this stream : 1.00000
^C

$ mediainfo Element186_pilot.mkv
General
Unique ID : 337040800397714628811276168872922392768 (0xFD8FB26E5ED851FB64BEC188ACDB28C0)
Complete name : Element186_pilot.mkv
Format : Matroska
.......

Seems OK.

Whiteboard:
(none) => MGA7-64-OK

Validating. Advisory in Comment 3.

Keywords:
(none) =>
validated_update
Lewis Smith
2020-01-27 18:53:57 CET
Keywords: (none) => advisory

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0047.html

Resolution:
(none) => FIXED