| Summary: | dolphin-emu new security issues due to bundled soundtouch | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | andrewsfarm, herman.viaene, rverschelde, sysadmin-bugs, tmb |
| Version: | 7 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA7-64-OK | ||
| Source RPM: | dolphin-emu-5.0-14.9599.1.mga8.src.rpm | CVE: | |
| Status comment: | |||
Description
David Walser
2020-04-28 03:31:40 CEST
David Walser
2020-04-28 03:31:47 CEST
Whiteboard: (none) => MGA7TOO

I'll wait a bit for the upstream PR to be merged, so that I can simply update to latest master HEAD: https://github.com/dolphin-emu/dolphin/pull/8725

Could you work with upstream to fix it so that we can use the system soundtouch instead of bundling it, so this doesn't happen again?

They need soundtouch compiled with specific pre-processor defines to use short instead of float and disable exceptions, so we'd need to ship a soundtouch-short-nothrow or similar if we want to link against a system version.

I'm pushing an update with latest beta snapshot and PR 8725 cherry-picked. I'll make sure that it ends up properly merged upstream, but until then I can use a local cherry-pick like Fedora.
Looking over advisories.mageia.org, this update should fix 9 CVEs.
Fixed in dolphin-emu-5.0.11824-1.mga8.
Note to QA: RPMs are in tainted/updates_testing.
Mageia 7 advisory:
==================
Updated dolphin-emu package fixes security vulnerabilities
Dolphin Emulator includes a modified copy of the SoundTouch library at version
1.9.2. That version is subject to the following security issues:
- The TDStretch::processSamples function in source/SoundTouch/TDStretch.cpp
in SoundTouch 1.9.2 allows remote attackers to cause a denial of service
(infinite loop and CPU consumption) via a crafted wav file (CVE-2017-9258).
- The TDStretch::acceptNewOverlapLength function in source/SoundTouch/
TDStretch.cpp in SoundTouch 1.9.2 allows remote attackers to cause a denial
of service (memory allocation error and application crash) via a crafted
wav file (CVE-2017-9259).
- The TDStretchSSE::calcCrossCorr function in source/SoundTouch/
sse_optimized.cpp in SoundTouch 1.9.2 allows remote attackers to cause a
denial of service (heap-based buffer over-read and application crash) via
a crafted wav file (CVE-2017-9260).
- Reachable assertion in RateTransposer::setChannels() causing denial of
service (CVE-2018-14044).
- Reachable assertion in FIRFilter.cpp causing denial of service
(CVE-2018-14045).
- Heap-based buffer overflow in SoundStretch/WavFile.cpp:WavInFile
::readHeaderBlock() potentially leading to code execution
(CVE-2018-1000223).
- Assertion failure in BPMDetect class in BPMDetect.cpp (CVE-2018-17096).
- Out-of-bounds heap write in WavOutFile::write() (CVE-2018-17097).
- Heap corruption in WavFileBase class in WavFile.cpp (CVE-2018-17098).
The bundled copy of SoundTouch was updated to version 2.1.2, thereby solving
these issues in Dolphin Emulator.
References:
- http://advisories.mageia.org/MGASA-2018-0331.html
- http://advisories.mageia.org/MGASA-2018-0385.html
- http://advisories.mageia.org/MGASA-2018-0462.html
- https://github.com/dolphin-emu/dolphin/pull/8725
SRPM in tainted/updates_testing:
================================
dolphin-emu-5.0.11824-1.mga7
RPM in tainted/updates_testing:
===============================
dolphin-emu-5.0.11824-1.mga7

Version: Cauldron => 7

"dolphin-emu-5.0.11824-1.mga7 not found in the remote repository" from QARepo, tainted option is on.

CC: (none) => herman.viaene

I did switch 3 days ago QARepo to tuxinator mirror from my usual BE mirror belnet, because of synch issues, but now it seems the other way around. Got the update from belnet now.

MGA7-64 Plasma on Lenovo B50
No installation issues.
Ref bug 17934 for testing.
Downloaded "Need for speed" from the site and got that one started. The demo played and made a lot of noise, but I have no idea how to control it by keyboard. So that's as far
Continuing: That's as far as I go. OK unless someone feels more at home with those things.
BTW: the download took around 45 min. Crazy!!!

Whiteboard: (none) => MGA7-64-OK

Validating. Advisory in Comment 4.

Keywords: (none) => validated_update
Thomas Backlund
2020-05-05 11:56:07 CEST
CC: (none) => tmb

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2020-0193.html

Status: NEW => RESOLVED