| Summary: | libmp4v2 new security issues CVE-2018-1432[56], CVE-2018-14379, CVE-2018-14403, CVE-2018-14446 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | andrewsfarm, geiger.david68210, guichard.adrien, lists.jjorge, sysadmin-bugs, tarazed25, tmb |
| Version: | 7 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA7-64-OK | ||
| Source RPM: | libmp4v2-2.1.0-0.3.mga7.src.rpm | CVE: | |
| Status comment: | |||
Description
David Walser
2019-12-27 02:56:01 CET
David Walser
2019-12-27 02:56:18 CET
Whiteboard:
(none) =>
MGA7TOO
David Walser
2019-12-27 03:01:31 CET
Summary:
libmp4v2 new security issues CVE-2018-1432[56], CVE-2018-14379, CVE-2018-14403 =>
libmp4v2 new security issues CVE-2018-1432[56], CVE-2018-14379, CVE-2018-14403, CVE-2018-14446
David Walser
2020-01-14 17:50:56 CET
Status comment:
(none) =>
Patches available from Fedora

Patched packages uploaded by David Geiger.

Advisory:
========================

Updated libmp4v2 packages fix security vulnerabilities:

The libmp4v2 library through version 2.1.0 is vulnerable to an integer underflow when parsing an MP4Atom in mp4atom.cpp. An attacker could exploit this to cause a denial of service via crafted MP4 file (CVE-2018-14325).

The libmp4v2 library through version 2.1.0 is vulnerable to an integer overflow and resultant heap-based buffer overflow when resizing an MP4Array for the ftyp atom in mp4array.h. An attacker could exploit this to cause a denial of service via crafted MP4 file (CVE-2018-14326).

MP4Atom::factory in mp4atom.cpp in MP4v2 2.0.0 incorrectly uses the MP4ItemAtom data type in a certain case where MP4DataAtom is required, which allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via a crafted MP4 file, because access to the data structure has different expectations about layout as a result of this type confusion (CVE-2018-14379).

MP4NameFirstMatches in mp4util.cpp in MP4v2 2.0.0 mishandles substrings of atom names, leading to use of an inappropriate data type for associated atoms. The resulting type confusion can cause out-of-bounds memory access (CVE-2018-14403).

MP4Integer32Property::Read in atom_avcC.cpp in MP4v2 2.1.0 allows remote attackers to cause a denial of service (heap-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted MP4 file (CVE-2018-14446).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14325
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14326
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14379
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14403
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14446
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/6YCHVOYPIBGM5HYUMQ77KZH2IHSITKVE/
========================

Updated packages in core/updates_testing:
========================
libmp4v2_2-2.1.0-0.4.mga7
libmp4v2-devel-2.1.0-0.4.mga7
libmp4v2-utils-2.1.0-0.4.mga7

from libmp4v2-2.1.0-0.4.mga7.src.rpm
Version:
Cauldron =>
7

Mageia7, x86_64

Before updating:

CVE-2018-14446 Heap overflow
https://github.com/TechSmith/mp4v2/issues/20
Go to https://gitee.com/hac425/fuzz_data/blob/master/mp4v2_vtable_poc.mp4 and right-click on Download -> select 'save link as'

$ mp4info mp4v2_vtable_poc.mp4
mp4info version -r
mp4v2_vtable_poc.mp4:
ReadAtom: "mp4v2_vtable_poc.mp4": invalid atom size, extends outside parent atom - skipping to end of "" "moov" 38914 vs 38894
ReadAtom: "mp4v2_vtable_poc.mp4": invalid atom size, extends outside parent atom - skipping to end of "trak" " " 168662627 vs 37260
ReadAtom: "mp4v2_vtable_poc.mp4": atom type is suspect
ReadChildAtoms: "mp4v2_vtable_poc.mp4": In atom trak missing child atom mdia
Segmentation fault (core dumped)

Found another PoC file at gitee.com but don't know which issue it relates to.
https://gitee.com/hac425/fuzz_data/blob/master/poc.mp4

$ mp4info poc.mp4
mp4info version -r
poc.mp4:
ReadAtom: "poc.mp4": invalid atom size, extends outside parent atom - skipping to end of "mdia" "����" 69070 vs 37260
ReadAtom: "poc.mp4": atom type ���� is suspect
ReadChildAtoms: "poc.mp4": In atom mdia missing child atom minf
Read: "poc.mp4": dref inconsistency with number of entries
ReadAtom: "poc.mp4": invalid atom size, extends outside parent atom - skipping to end of "stsd" "�E� " 2183169230 vs 37652
[...]
ReadAtom: "poc.mp4": invalid atom size, extends outside parent atom - skipping to end of "udta" "meta" 268474370 vs 38914
ReadChildAtoms: "poc.mp4": In atom meta missing child atom hdlr
MP4Track: invalid track (src/mp4track.cpp,235)
MP4Track: invalid track (src/mp4track.cpp,235)
Encoded with: Lavf57.25.100
<Looks like this had been fixed, whatever it was>

Updated the packages.
Tested the two PoC files.

$ mp4info mp4v2_vtable_poc.mp4
<generated similar errors as before but no segfault>
Resize: requested array size exceeds 4GB: errno: 34 (src/mp4array.h,130)
mp4info: can't open mp4v2_vtable_poc.mp4

$ mp4info poc.mp4
<same information as before>

Those two give us some confidence.

$ urpmq --whatrequires-recursive lib64mp4v2_2 | sort -u
avidemux-plugins
cmus
enjoy
kid3
kid3-cli
kid3-core
kid3-qt
lib64mp4v2_2
lib64mp4v2-devel
libmp4v2-utils
lightmediascanner
zoneminder

Installed kid3 components and launched the gui. Blundered about in it, selecting MP4 files and trying to create a playlist. Could not find it but no errors reported. Looked at the handbook. The cli command supports 40 or more options echoing functions in the gui.

lcl@difda:Youtube $ kid3-cli -c playlist .
$ ls *.m3u
Youtube.m3u
$ cat Youtube.m3u
AllThroughTheNight.mp4
AngelOfTheMorning.mp4
[...]
UnaVocePocoFa_ElinaGaranca.mp4
UnaVocePocoFa_JoyceDiDonato.mp4

Could not figure out the play command, e.g.
$ kid3-cli -c play *.mp3
$
Nothing happened.
$ ps aux | grep kid3
lcl 27205 0.0 0.0 9044 828 pts/5 S+ 00:05 0:00 grep --color kid3

Reverted to the gui and selected a file and played it without any trouble. Tried the command line at the same time...
$ kid3-cli -c play pause SallysPigeons.mp3
pause, SallysPigeons.mp3 does not exist

However, as far as the gui is concerned everything is in working order so the mp4v2 libraries can be moved along.
CC:
(none) =>
tarazed25

Validating. Advisory in Comment 2.
CC:
(none) =>
andrewsfarm, sysadmin-bugs
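The advisory above describes atom-size arithmetic in mp4atom.cpp going wrong on crafted input, and the tester's mp4info output shows the library's own bounds message ("invalid atom size, extends outside parent atom"). As an added example, not code from mp4v2 or from this bug report, here is a minimal bounds-checked MP4 atom header reader in C that rejects both malformed shapes before any size arithmetic happens; the names read_atom_hdr and atom_hdr and the constructed kFtyp/kTiny/kHuge inputs are assumptions of the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Outcome of checking one atom header against the parent that contains it (hypothetical names). */
enum atom_status { ATOM_OK, ATOM_TRUNCATED, ATOM_SIZE_TOO_SMALL, ATOM_OUTSIDE_PARENT };

struct atom_hdr {
    uint64_t size;     /* total atom size, header included */
    size_t hdr_len;    /* 8, or 16 when the 64-bit "largesize" form is used */
    char type[5];      /* four-character code, NUL-terminated */
};

static uint32_t be32(const uint8_t *p)
{
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
}

/* Read the atom header at buf[off]; parent_end is the end offset of the enclosing atom
   (the file length at top level). Nothing past parent_end is ever dereferenced. */
enum atom_status read_atom_hdr(const uint8_t *buf, size_t parent_end, size_t off, struct atom_hdr *out)
{
    if (off > parent_end || parent_end - off < 8)
        return ATOM_TRUNCATED;                 /* not even a full 8-byte header left */
    uint64_t size = be32(buf + off);
    size_t hdr_len = 8;
    memcpy(out->type, buf + off + 4, 4);
    out->type[4] = '\0';
    if (size == 1) {                           /* size==1: 64-bit largesize follows the type */
        if (parent_end - off < 16)
            return ATOM_TRUNCATED;
        size = (uint64_t)be32(buf + off + 8) << 32 | be32(buf + off + 12);
        hdr_len = 16;
    } else if (size == 0) {                    /* size==0: atom runs to the end of its parent */
        size = parent_end - off;
    }
    /* A size below the header length must be rejected before anything computes
       "size - hdr_len": in unsigned arithmetic that difference wraps to a huge value. */
    if (size < hdr_len)
        return ATOM_SIZE_TOO_SMALL;
    /* Compare against the bytes remaining rather than computing off + size, so an
       attacker-chosen size cannot overflow the addition. */
    if (size > parent_end - off)
        return ATOM_OUTSIDE_PARENT;
    out->size = size;
    out->hdr_len = hdr_len;
    return ATOM_OK;
}

/* Constructed inputs: a valid 16-byte ftyp atom, a "moov" claiming 4 bytes (smaller than
   its own header) and a "moov" claiming 38914 bytes inside a 12-byte parent. */
const uint8_t kFtyp[16] = {0, 0, 0, 16, 'f', 't', 'y', 'p', 'i', 's', 'o', 'm', 0, 0, 0, 0};
const uint8_t kTiny[8]  = {0, 0, 0, 4, 'm', 'o', 'o', 'v'};
const uint8_t kHuge[12] = {0, 0, 0x98, 0x02, 'm', 'o', 'o', 'v', 0, 0, 0, 0};
```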
Thomas Backlund
2020-01-28 11:45:14 CET
Keywords:
(none) =>
advisory

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2020-0062.html
Status:
NEW =>
RESOLVED