| Summary: | gpac new security issues CVE-2018-21015, CVE-2018-21016, CVE-2019-13618, CVE-2019-20161, CVE-2019-20162, CVE-2019-20163, CVE-2019-20165, CVE-2019-20170, CVE-2019-20171, CVE-2019-20208 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | ||
| Priority: | Normal | CC: | andrewsfarm, geiger.david68210, herman.viaene, nicolas.salguero, sysadmin-bugs, tarazed25, tmb |
| Version: | 7 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA7-64-OK | ||
| Source RPM: | gpac-0.7.1-6.mga7.tainted.src.rpm | CVE: | |
| Status comment: | |||
| Attachments: | Summary of PoC tests for gpac | ||
|
Description

David Walser
2020-01-24 18:09:19 CET

David Walser
2020-01-24 18:09:32 CET

Whiteboard: (none) => MGA7TOO

David Walser
2020-01-24 18:20:42 CET

CC: (none) => geiger.david68210

release 0.8.0 fixes CVE-2018-21015, CVE-2018-21016 and CVE-2019-13618; others should be patched in release 0.8.0. So now fixed for Cauldron!

For mga7 it is likely difficult to patch all CVEs. Current 0.7.1 code is quite old. I think Debian patched 0.5.0.

Version: Cauldron => 7

seems not yet. They haven't patched 0.7.1 yet, that would obviously be more helpful. 0.5.0 is what the advisory is for. I don't know how different the code is.
0.5.0: https://packages.debian.org/source/jessie/gpac
0.7.1: https://packages.debian.org/source/experimental/gpac

Suggested advisory:
========================

The updated packages fix security vulnerabilities:

AVC_DuplicateConfig() at isomedia/avc_ext.c in GPAC 0.7.1 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted file. There is "cfg_new->AVCLevelIndication = cfg->AVCLevelIndication;" but cfg could be NULL. (CVE-2018-21015)

audio_sample_entry_AddBox() at isomedia/box_code_base.c in GPAC 0.7.1 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted file. (CVE-2018-21016)

In GPAC before 0.8.0, isomedia/isom_read.c in libgpac.a has a heap-based buffer over-read, as demonstrated by a crash in gf_m2ts_sync in media_tools/mpegts.c. (CVE-2019-13618)

An issue was discovered in GPAC version 0.8.0 and 0.9.0-development-20191109. There is heap-based buffer overflow in the function ReadGF_IPMPX_WatermarkingInit() in odf/ipmpx_code.c. (CVE-2019-20161)

An issue was discovered in GPAC version 0.8.0 and 0.9.0-development-20191109. There is heap-based buffer overflow in the function gf_isom_box_parse_ex() in isomedia/box_funcs.c. (CVE-2019-20162)

An issue was discovered in GPAC version 0.8.0 and 0.9.0-development-20191109. There is a NULL pointer dereference in the function gf_odf_avc_cfg_write_bs() in odf/descriptors.c. (CVE-2019-20163)

An issue was discovered in GPAC version 0.8.0 and 0.9.0-development-20191109. There is a NULL pointer dereference in the function ilst_item_Read() in isomedia/box_code_apple.c. (CVE-2019-20165)

An issue was discovered in GPAC version 0.8.0 and 0.9.0-development-20191109. There is an invalid pointer dereference in the function GF_IPMPX_AUTH_Delete() in odf/ipmpx_code.c. (CVE-2019-20170)

An issue was discovered in GPAC version 0.8.0 and 0.9.0-development-20191109. There are memory leaks in metx_New in isomedia/box_code_base.c and abst_Read in isomedia/box_code_adobe.c. (CVE-2019-20171)

dimC_Read in isomedia/box_code_3gpp.c in GPAC 0.8.0 has a stack-based buffer overflow. (CVE-2019-20208)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-21015
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-21016
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13618
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20161
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20162
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20163
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20165
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20170
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20171
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20208
https://www.debian.org/lts/security/2020/dla-2072
========================

Updated packages in core/updates_testing:
========================
gpac-0.7.1-6.1.mga7.tainted
lib(64)gpac7-0.7.1-6.1.mga7.tainted
lib(64)gpac-devel-0.7.1-6.1.mga7.tainted

from SRPMS:
gpac-0.7.1-6.1.mga7.tainted.src.rpm

Status: NEW => ASSIGNED
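Several of the CVEs in the advisory above are out-of-bounds reads in GPAC's ISOBMFF box parsing (CVE-2019-20162 in gf_isom_box_parse_ex(), CVE-2019-13618 in isomedia/isom_read.c), and the QA log further down this page shows MP4Box reporting "Incomplete box" on a test file. The following is an added example, not GPAC's code and not part of this bug report: a constructed, bounds-checked box-header walker in C that shows the three length checks such a parser needs before trusting a box's declared size (header fits in the remaining input, declared size is at least the header length, declared body does not run past the input). The struct, the function names, and the byte strings are this example's own and are hand-written rather than taken from any real media file.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed example: a bounds-checked ISOBMFF box-header walker.
 * Not GPAC code; the struct and function names are this example's own. */

typedef struct {
    uint64_t size;       /* total box size, header included */
    uint32_t type;       /* four-character code, e.g. 'ftyp' */
    size_t header_len;   /* 8 for a compact header, 16 when largesize is used */
} box_header;

static uint32_t rd32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

static uint64_t rd64(const uint8_t *p) {
    return ((uint64_t)rd32(p) << 32) | rd32(p + 4);
}

/* Parse one box header starting at buf with avail bytes remaining.
 * Returns 0 on success, -1 when the header or the body it claims would
 * extend past avail (the "Incomplete box" case), or when the declared size
 * is smaller than the header itself (which would make a naive walker loop
 * forever or step backwards into memory it already consumed). */
int parse_box_header(const uint8_t *buf, size_t avail, box_header *out) {
    if (avail < 8)
        return -1;                      /* not even a compact header present */
    uint64_t size = rd32(buf);
    uint32_t type = rd32(buf + 4);
    size_t hdr = 8;
    if (size == 1) {                    /* largesize: 64-bit length follows */
        if (avail < 16)
            return -1;
        size = rd64(buf + 8);
        hdr = 16;
    } else if (size == 0) {             /* size 0: box runs to end of input */
        size = avail;
    }
    if (size < hdr)
        return -1;                      /* declared size cannot hold its own header */
    if (size > (uint64_t)avail)
        return -1;                      /* body would run past the end of the buffer */
    out->size = size;
    out->type = type;
    out->header_len = hdr;
    return 0;
}

/* Walk consecutive top-level boxes. Returns the number of boxes, or -1 at
 * the first malformed one; every offset advanced here stays bounded by len. */
int count_boxes(const uint8_t *buf, size_t len) {
    size_t off = 0;
    int n = 0;
    while (off < len) {
        box_header h;
        if (parse_box_header(buf + off, len - off, &h) != 0)
            return -1;
        off += (size_t)h.size;
        n++;
    }
    return n;
}

/* Header length of the first box, or -1 if it is malformed. */
int first_header_len(const uint8_t *buf, size_t len) {
    box_header h;
    return parse_box_header(buf, len, &h) == 0 ? (int)h.header_len : -1;
}

/* Constructed inputs (hand-written bytes, not real media files). */
static const uint8_t good_mp4[] = {
    0x00,0x00,0x00,0x10, 'f','t','y','p', 'i','s','o','m', 0x00,0x00,0x00,0x00, /* 16-byte ftyp */
    0x00,0x00,0x00,0x08, 'f','r','e','e',                                        /* 8-byte free  */
};
static const uint8_t truncated_mp4[] = {
    0x00,0x00,0x01,0x00, 'm','o','o','v', 0,0,0,0, 0,0,0,0,  /* claims 256 bytes, 16 present */
};
static const uint8_t undersized_box[] = {
    0x00,0x00,0x00,0x04, 'm','d','a','t',                     /* size 4 < 8-byte header */
};
static const uint8_t largesize_box[] = {
    0x00,0x00,0x00,0x01, 'm','d','a','t',                     /* size==1: largesize follows */
    0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x14,                 /* largesize = 20 */
    0xde,0xad,0xbe,0xef,                                      /* 4 payload bytes */
};

int main(void) {
    printf("good: %d boxes\n", count_boxes(good_mp4, sizeof good_mp4));
    printf("truncated: %d\n", count_boxes(truncated_mp4, sizeof truncated_mp4));
    printf("undersized: %d\n", count_boxes(undersized_box, sizeof undersized_box));
    printf("largesize: %d boxes, header %d bytes\n",
           count_boxes(largesize_box, sizeof largesize_box),
           first_header_len(largesize_box, sizeof largesize_box));
    return 0;
}
```

The truncated input is the shape that produces MP4Box's "Incomplete box" message: the header is intact but the body it declares is longer than what remains, so a parser that reads the body by its declared length rather than by what is actually available over-reads the heap buffer. The undersized input covers the other direction, a size below the header length, which is the classic way to make a box walker fail to advance.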
Thomas Backlund
2020-03-06 23:04:03 CET

CC: (none) => tmb

Taking this one on for 64-bit. There are 10 CVEs with matching PoC as far as I have checked so this is likely to take some time.

CC: (none) => tarazed25

Created attachment 11546 [details]
Summary of PoC tests for gpac

Added the PoC tests as a separate file because they make dull reading.

MGA7-64 Plasma on Lenovo B50
No installation issues.
At CLI:
$ MP4Client circulation.mp4
GPAC config file GPAC.cfg not found in /home/tester7/.gpac - creating new file
Using config file in /home/tester7/.gpac directory
System info: 7876 MB RAM - 4 cores
Modules Found : 34
Loading GPAC Terminal
and some more.... file plays OK.
Will agree with OK when Len's PoC tests run OK.

CC: (none) => herman.viaene

Thanks Herman. Submitting my rather bitty report.

mga7, x86_64
*After updates*

Utility tests:
N.B. user has no .gpacrc file. man gpac lists configuration parameters.

$ MP4Client
Using config file in /home/lcl/.gpac directory
System info: 32068 MB RAM - 8 cores
Modules Found : 34
Loading GPAC Terminal
[Core] Plugin GPAC 2D Raster not found in 34 modules.
[Compositor] Failed to initialize compositor: I/O Error
GF_COMPOSITOR_THREAD_INIT_FAILED : Deleting compositor.
[Terminal] Failed to create Compositor.
Init error - check you have at least one video out and one rasterizer...
Found modules:
Available modules:
gm_mp3_in.so
[...]
gm_oss_audio.so
$
No gui - maybe a regression - cannot interpret this.

MP4Box
The -diso option used in the PoC tests is documented under '-h dump'.

$ MP4Box -info 233156main_10761.mp4
[iso file] Unknown box type tapt
[iso file] Unknown box type clef
[iso file] Unknown box type prof
[iso file] Unknown box type enof
[iso file] Unknown box type alis
[iso file] Unknown box type wide
* Movie Info *
	Timescale 2997 - 1 track
	Computed Duration 00:00:59.592 - Indicated Duration 00:00:59.592
	Fragmented File: no
	File suitable for progressive download (moov before mdat)
	File Brand qt - version 537199360
	Compatible brands: qt
	Created: GMT Thu May 29 14:33:27 2008
	Modified: GMT Thu May 29 14:33:27 2008
File has no MPEG4 IOD/OD

Track # 1 Info - TrackID 1 - TimeScale 2997
Media Duration 00:00:59.592 - Indicated Duration 00:00:59.592
Track has 1 edit lists: track duration is 00:00:59.592
Media Info: Language "Undetermined (und)" - Type "vide:mp4v" - 1786 samples
Media Data Location: (null)
Visual Track layout: x=0 y=0 width=960 height=540
MPEG-4 Config: Visual Stream - ObjectTypeIndication 0x20
MPEG-4 Visual Size 960 x 540 - Advanced Simple Profile @ Level 3
Pixel Aspect Ratio 1:1 - Indicated track size 960 x 540
Self-synchronized
RFC6381 Codec Parameters: mp4v.20.f3
Average GOP length: 30 samples

$ MP4Box -info media.mp4
[iso file] Unknown box type cces
[iso file] Incomplete box UNKN
[iso file] Incomplete file while reading for dump - aborting parsing
* Movie Info *
	Timescale 1000 - 4 tracks
	Computed Duration 00:01:24.700 - Indicated Duration 00:01:24.700
	Fragmented File: no
	File suitable for progressive download (moov before mdat)
	File Brand mp42 - version 1
	Compatible brands: isom iso2 avc1 mp41 mp42 3gp5
	Created: GMT Thu Jan 1 00:00:00 1970
	Modified: GMT Thu Jan 1 00:00:00 1970
File has root IOD (98 bytes)
Scene PL 0x01 - Graphics PL 0x01 - OD PL 0x01
Visual PL: Not part of MPEG-4 Visual profiles (0xfe)
Audio PL: AAC Profile @ Level 1 (0x28)
iTunes Info:
	Encoder Software: Lavf52.62.0
1 UDTA types: meta (1)

Track # 1 Info - TrackID 201 - TimeScale 30
Media Duration 00:01:24.700 - Indicated Duration 00:01:24.700
Track has 1 edit lists: track duration is 00:01:24.700
[...]

$ MP4Box -diso UntsunamisurlelacLéman.mp4 -out test.txt
$ head -10 test.txt
<?xml version="1.0" encoding="UTF-8"?>
<!--MP4Box dump trace-->
<IsoMediaFile xmlns="urn:mpeg:isobmff:schema:file:2016" Name="UntsunamisurlelacLéman.mp4">
<FileTypeBox Size="24" Type="ftyp" Specification="p12" Container="file" MajorBrand="mp42" MinorVersion="0">
<BrandEntry AlternateBrand="isom"/>
<BrandEntry AlternateBrand="mp42"/>
</FileTypeBox>
<MovieBox Size="1618829" Type="moov" Specification="p12" Container="file" >
<MovieHeaderBox Size="108" Type="mvhd" Version="0" Flags="0" Specification="p12" Container="moov" CreationTime="3624495941" ModificationTime="3624495941" TimeScale="90000" Duration="278600400" NextTrackID="3">
</MovieHeaderBox>

$ MP42TS -h
GPAC version 0.7.1-revrelease
GPAC Copyright (c) Telecom ParisTech 2000-2014
GPAC Configuration: --build=x86_64-mageia-linux-gnu --prefix=/usr --exec-prefix=
....
This is all very technical stuff.

Taking a guess at simple use:
$ MP42TS -src UntsunamisurlelacLéman.mp4 -dst-file tsunami.ts
IOD found for program UntsunamisurlelacLéman.mp4
Setting up program ID 1 - send rates: PSI 200 ms PCR 100 ms - PCR offset 0
Done muxing - 3109.59 sec - average bitrate 2891 kbps
5979009 packets written
Padding: 0 packets (0 kbps) - 6927241 PES padded bytes (17.8216 kbps)
$ ll UntsunamisurlelacLéman.mp4
-rw-r--r-- 1 lcl lcl 1084359274 Nov 18 2018 UntsunamisurlelacLéman.mp4
$ ll tsunami.ts
-rw-r--r-- 1 lcl lcl 1124053692 Mar 9 14:44 tsunami.ts
The modified file played fine in vlc.

This is as far as it goes. gpac will make sense to MP4 developers. Giving this a tentative OK with a disclaimer regarding the failed PoC test.

Looks like a .gpac file was generated.
$ ls .gpac
GPAC.cfg Storage/

Len Lawrence
2020-03-09 16:28:05 CET

Whiteboard: (none) => MGA7-64-OK

Validating.

Keywords: (none) => validated_update

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2020-0137.html

Status: ASSIGNED => RESOLVED