Bug 26883

Summary: matio new security issue CVE-2019-17533
Product: Mageia Reporter: David Walser <luigiwalser>
Component: Security    Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: andrewsfarm, davidwhodgins, herman.viaene, nicolas.salguero, sysadmin-bugs, tarazed25
Version: 7    Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA7-64-OK
Source RPM: matio-1.5.16-1.mga7.src.rpm CVE: CVE-2019-17533
Status comment:

Description David Walser 2020-07-01 21:20:04 CEST
Debian-LTS has issued an advisory on June 30:
https://www.debian.org/lts/security/2020/dla-2267

Mageia 7 is also affected.
David Walser 2020-07-01 21:20:11 CEST

Whiteboard: (none) => MGA7TOO

Comment 1 Lewis Smith 2020-07-01 22:00:58 CEST
Yet another update for an SRPM with no evident maintainer, so have to assign it globally.

Assignee: bugsquad => pkg-bugs

Comment 2 Nicolas Salguero 2020-07-07 09:57:45 CEST
Suggested advisory:
========================

The updated packages fix a security vulnerability:

Mat_VarReadNextInfo4 in mat4.c in MATIO 1.5.17 omits a certain '\0' character, leading to a heap-based buffer over-read in strdup_vprintf when uninitialized memory is accessed. (CVE-2019-17533)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17533
https://www.debian.org/lts/security/2020/dla-2267
========================

Updated packages in core/updates_testing:
========================
matio-1.5.16-1.1.mga7
lib(64)matio9-1.5.16-1.1.mga7
lib(64)matio-devel-1.5.16-1.1.mga7

from SRPMS:
matio-1.5.16-1.1.mga7.src.rpm

CVE: (none) => CVE-2019-17533
CC: (none) => nicolas.salguero
Version: Cauldron => 7
Source RPM: matio-1.5.17-2.mga8.src.rpm => matio-1.5.16-1.mga7.src.rpm
Status: NEW => ASSIGNED
Assignee: pkg-bugs => qa-bugs
Whiteboard: MGA7TOO => (none)
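The advisory describes a name buffer copied out of a MAT v4 record without its terminating '\0', which a later printf-style formatter then reads past. The following is an added illustration of that bug class and of the defensive pattern, written for this page; it is not matio's code and not the upstream mat4.c fix. The 20-byte header layout (five little-endian 32-bit fields, the last being the name length), the 4096-byte length cap and the sample records are assumptions constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Parsed info for one Level 4 record. `name` is heap-allocated and is
 * guaranteed NUL-terminated whenever v4_read_info() reports success. */
typedef struct {
    uint32_t type, mrows, ncols, imagf, namlen;
    char *name;
} v4_info_t;

#define V4_HDR_LEN    20u   /* five LE 32-bit fields (assumed layout) */
#define V4_MAX_NAMLEN 4096u /* sanity cap chosen for this example */

static uint32_t rd_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* The unsafe pattern this reader guards against (shown, not executed):
 *     name = malloc(namlen); memcpy(name, src, namlen);  // no '\0' written
 *     printf("%s", name);  // over-reads the heap if src carried no NUL
 * Here the buffer always gets one extra byte and the terminator is written
 * by the parser itself, so the file's own name bytes are never trusted.
 * Returns bytes consumed, or 0 on any error (nothing left allocated). */
size_t v4_read_info(const uint8_t *buf, size_t len, v4_info_t *out)
{
    memset(out, 0, sizeof *out);
    if (len < V4_HDR_LEN)
        return 0;
    out->type   = rd_le32(buf);
    out->mrows  = rd_le32(buf + 4);
    out->ncols  = rd_le32(buf + 8);
    out->imagf  = rd_le32(buf + 12);
    out->namlen = rd_le32(buf + 16);
    /* Reject empty, oversized or truncated name fields before allocating. */
    if (out->namlen == 0 || out->namlen > V4_MAX_NAMLEN ||
        out->namlen > len - V4_HDR_LEN)
        return 0;
    out->name = malloc((size_t)out->namlen + 1);
    if (out->name == NULL)
        return 0;
    memcpy(out->name, buf + V4_HDR_LEN, out->namlen);
    out->name[out->namlen] = '\0'; /* the terminator the vulnerable path omitted */
    return V4_HDR_LEN + out->namlen;
}

void v4_info_free(v4_info_t *info)
{
    free(info->name);
    info->name = NULL;
}

/* "%s"-based description, safe only because v4_read_info() guarantees
 * termination. Returns a heap string the caller frees, or NULL. */
char *v4_describe(const v4_info_t *info)
{
    char tmp[128];
    if (snprintf(tmp, sizeof tmp, "%s: %ux%u", info->name, info->mrows, info->ncols) < 0)
        return NULL;
    size_t n = strlen(tmp) + 1;
    char *s = malloc(n);
    if (s) memcpy(s, tmp, n);
    return s;
}

/* Constructed record: name "abc" stored WITHOUT a trailing NUL (namlen = 3). */
static const uint8_t SAMPLE_NO_NUL[] = {
    0x00,0x00,0x00,0x00, 0x01,0x00,0x00,0x00, 0x02,0x00,0x00,0x00,
    0x00,0x00,0x00,0x00, 0x03,0x00,0x00,0x00, 'a','b','c'
};
/* Constructed record claiming namlen = 100 but carrying only 3 name bytes. */
static const uint8_t SAMPLE_TRUNCATED[] = {
    0x00,0x00,0x00,0x00, 0x01,0x00,0x00,0x00, 0x02,0x00,0x00,0x00,
    0x00,0x00,0x00,0x00, 0x64,0x00,0x00,0x00, 'a','b','c'
};

/* 1 if the unterminated name parses as "abc" and formats without over-read. */
int demo_unterminated_name_ok(void)
{
    v4_info_t info;
    size_t used = v4_read_info(SAMPLE_NO_NUL, sizeof SAMPLE_NO_NUL, &info);
    int ok = used == sizeof SAMPLE_NO_NUL && strcmp(info.name, "abc") == 0;
    if (ok) {
        char *d = v4_describe(&info);
        ok = d != NULL && strcmp(d, "abc: 1x2") == 0;
        free(d);
    }
    v4_info_free(&info);
    return ok;
}

/* 1 if the truncated record is rejected with no allocation left behind. */
int demo_truncated_rejected(void)
{
    v4_info_t info;
    return v4_read_info(SAMPLE_TRUNCATED, sizeof SAMPLE_TRUNCATED, &info) == 0 &&
           info.name == NULL;
}

int main(void)
{
    printf("unterminated name handled: %d\n", demo_unterminated_name_ok());
    printf("truncated record rejected: %d\n", demo_truncated_rejected());
    return 0;
}
```

The two checks that matter for this class of bug are both in v4_read_info(): the length is validated against the bytes actually present before any allocation, and the terminator is written by the parser rather than assumed to be part of the input, so a fuzzer-generated file like the oss-fuzz testcase referenced later in this bug cannot make a "%s" consumer read beyond the allocation.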

Comment 3 Len Lawrence 2020-07-11 18:07:54 CEST
Mageia7, x86_64

CVE-2019-17533
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=16856
PoC: clusterfuzz-testcase-minimized-matio_fuzzer-5650719150964736
https://google.github.io/oss-fuzz/advanced-topics/reproducing/

This is another case of needing to compile the application to integrate a fuzz target, so out of QA's remit.

Had a look at the examples on GitHub https://github.com/fordicus/matio-examples/blob/master/README.md
Created 3d.c from the 3-D example but could not compile it.
$ cat 3d.c
#include <stdio.h>
#include <matio.h>
#include <matio_pubconf.h>

int main()
{
const int first = 2, second = 4, third = 5;
int array3d[2][4][5] = { 0 };

// fill 3d array
for (int i = 0; i < first; i++)
	for (int j = 0; j < second; j++)
		for (int k = 0; k < third; k++)
			array3d[i][j][k] = (i + 1) * (j + 1) * (k + 1);

// write
char* fieldname3d = "array3d";
size_t dim3d[3] = { first, second, third };
matvar_t *variable3d = Mat_VarCreate(fieldname3d, MAT_C_INT32, MAT_T_INT32, 3, dim3d, &array3d, 0); //rank 3
Mat_VarWrite(matfp, variable3d, MAT_COMPRESSION_NONE);
Mat_VarFree(variable3d);
}

$ gcc -o 3d $(pkg-config --libs --cflags matio) 3d.c
3d.c: In function ‘main’:
3d.c:20:14: error: ‘matfp’ undeclared (first use in this function); did you mean ‘mat_t’?
 Mat_VarWrite(matfp, variable3d, MAT_COMPRESSION_NONE);
              ^~~~~
              mat_t
3d.c:20:14: note: each undeclared identifier is reported only once for each function it appears in

$ grep -i matfp /usr/include/*.h
$
$ cat /usr/lib64/pkgconfig/matio.pc
prefix=/usr
exec_prefix=/usr
libdir=/usr/lib64
includedir=/usr/include

Name: MATIO
Description: MATIO Library
Version: 1.5.16
Libs: -L${libdir} -lmatio -lhdf5 -lz
Cflags: -I${includedir}  

matfp is used in all of the examples.  ??

$ urpmq --whatrequires lib64matio9
lib64matio-devel
lib64matio9
matio
scilab

Installed scilab and looked for documentation.  All the tutorials seem to be videos, no use to me, being too deaf and slow to follow them.
Launched scilab but could not figure out how to import 3d.c.  Clicking on it simply showed it in an emacs popup so abandoned that.  Trying to type it in line by line in the console raised errors on every line.  Goodbye scilab.

Giving up - handing over to the experts.  Note that all this was done before trying the updates.

CC: (none) => tarazed25

Comment 4 Herman Viaene 2020-07-24 14:39:37 CEST
MGA7-64 Plasma on Lenovo B50
No installation issues
Ref bug 26061 for testing, I won't tread where Len has been.
$  matdump --version
matdump 1.5.16
Written by Christopher Hulbert

Copyright(C) 2006-2019, Christopher C. Hulbert

$ matdump --help

Usage: matdump [OPTIONS] mat_file [var1 var2 ...]

Runs various test on the Matlab I/O library libmatio

OPTIONS
-d,--data         Print data with header information
-f,--format whos  Turn on 'whos' display mode
-h,--human        Human readable sizes in 'whos' display mode
-v,--verbose      Turn on verbose messages
-H,--help         This output
-V,--version      version information

mat_file          name of the MAT file to dump
var1 var2 ...     If specified, dumps only listed variables

Report bugs to <t-beu@users.sourceforge.net>.

As scilab has dependencies on lib64matio9, started scilab and did a few simple calculations: works OK.
Bug 26061 has been OK'ed on this, but I leave the last word on this to Len.

CC: (none) => herman.viaene

Comment 5 Len Lawrence 2020-07-24 15:45:00 CEST
No, you are the expert on this one Herman.  We need to get it out the door, so...

Whiteboard: (none) => MGA7-64-OK

Comment 6 Thomas Andrews 2020-07-25 15:02:41 CEST
Excellent cooperation, Gentlemen. No prima donnas here.

Validating. Advisory in Comment 2.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Dave Hodgins 2020-07-31 09:24:37 CEST

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 7 Mageia Robot 2020-08-01 01:27:49 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0299.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED