| Summary: | libass new integer overflow security issue (CVE-2020-26682) | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | | |
| Priority: | Normal | CC: | geiger.david68210, nicolas.salguero, sysadmin-bugs, tarazed25 |
| Version: | 7 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | MGA7-64-OK | | |
| Source RPM: | libass-0.14.0-2.mga7.src.rpm | CVE: | CVE-2020-26682 |
| Status comment: | | | |
Description

David Walser
2020-10-11 18:06:43 CEST

David Walser
2020-10-11 18:06:50 CEST

Whiteboard: (none) => MGA7TOO

Hi, thanks for reporting this. No registered maintainer. Assigning globally. CC'd recent committer. (Please set the status to 'assigned' if you are working on it)

CC: (none) => geiger.david68210

Nicolas Salguero
2020-10-20 15:42:36 CEST

CVE: (none) => CVE-2020-26682

Reference for the CVE assignment: https://www.openwall.com/lists/oss-security/2020/11/19/7

Fixed upstream in 0.15.0, updated in Cauldron by me on November 17.
https://github.com/libass/libass/releases/tag/0.15.0

Upstream patch for the CVE does not apply cleanly to 0.14.0. Perhaps best to update it for Mageia 7.

Whiteboard: MGA7TOO => (none)

David Walser
2020-12-28 19:00:12 CET

Status comment: (none) => Fixed upstream in 0.15.0

Suggested advisory:
========================

The updated packages fix a security vulnerability:

In libass 0.14.0, the `ass_outline_construct`'s call to `outline_stroke` causes a signed integer overflow. (CVE-2020-26682)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26682
https://www.openwall.com/lists/oss-security/2020/09/29/2
https://www.openwall.com/lists/oss-security/2020/11/19/7
========================

Updated packages in core/updates_testing:
========================
lib(64)ass9-0.15.0-1.mga7
lib(64)ass-devel-0.15.0-1.mga7

from SRPM:
libass-0.15.0-1.mga7.src.rpm

Keywords: Triaged => (none)

mga7, x86_64

CVE-2020-26682
https://github.com/libass/libass/issues/431

```
$ chmod +x libass_fuzzer
$ gdb libass_fuzzer
....
(gdb) r poc
...
Fontconfig error: Cannot load default config file
libass_fuzzer: ass_outline.c:1354: _Bool outline_stroke(ASS_Outline *, ASS_Outline *, const ASS_Outline *, int, int, int): Assertion `rad >= eps' failed.

Program received signal SIGABRT, Aborted.
0x00007ffff7c7ba7a in raise () from /lib64/libc.so.6
Missing separate debuginfos, use: debuginfo-install libgcc1-8.4.0-1.mga7.x86_64
(gdb) quit
```

The analysis which follows in the upstream test cannot be performed here because debug info is unavailable.

Updated the packages and looked at the PoC again.

```
$ gdb libass_fuzzer
....
Reading symbols from libass_fuzzer...done.
(gdb) r poc
......
Reading 11249 bytes from poc
Fontconfig warning: line 5: unknown element "its:rules"
.....
Fontconfig error: Cannot load default config file
libass_fuzzer: ass_outline.c:1354: _Bool outline_stroke(ASS_Outline *, ASS_Outline *, const ASS_Outline *, int, int, int): Assertion `rad >= eps' failed.

Program received signal SIGABRT, Aborted.
0x00007ffff7c7ba7a in raise () from /lib64/libc.so.6
Missing separate debuginfos, use: debuginfo-install libgcc1-8.4.0-1.mga7.x86_64
(gdb) quit
```

No SIGABRT this time, which is encouraging.

Ran a trace on vlc while playing a film with subtitles. Everything working properly.

```
$ grep ass vlc.trace
stat("/usr/lib64/vlc/plugins/codec/liblibass_plugin.so", {st_mode=S_IFREG|0755, st_size=19664, ...}) = 0
```

Giving this an OK.

CC: (none) => tarazed25

Len Lawrence
2021-01-10 18:28:35 CET

Whiteboard: (none) => MGA7-64-OK

Validating

Advisory pushed to SVN.

Keywords: (none) => advisory, validated_update

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2021-0017.html

Status: ASSIGNED => RESOLVED
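The QA step in this bug (running `libass_fuzzer` on the PoC under gdb and watching for the `rad >= eps` assertion abort) can be scripted so that a rebuilt package is judged by the harness's exit status rather than by reading an interactive gdb session. The script below is an added example written for this page; it is not part of the bug report, of Mageia QA tooling, or of libass. The function names `run_poc` and `signal_of_status` are mine, the file names `libass_fuzzer` and `poc` are the ones used in the bug and are assumed to sit in the current directory when the script is used for real, and the self-test uses a constructed stand-in harness that aborts itself.

```shell
#!/bin/sh
# Added example, not from the Mageia bug or libass: classify how a harness
# (e.g. libass_fuzzer from the bug) exits when fed a PoC file, so a QA run
# can be scripted instead of read off an interactive gdb session.

# signal_of_status STATUS: print the signal name if STATUS means "killed by a
# signal" (shell convention: 128 + signal number), otherwise print nothing.
signal_of_status() {
    if [ "$1" -gt 128 ]; then
        kill -l $(( $1 - 128 )) 2>/dev/null || true
    fi
}

# run_poc HARNESS POC: run "HARNESS POC" with its output discarded and print
#   ok          exited 0 (the PoC was handled without crashing)
#   error:N     exited with non-zero code N and no signal (e.g. input rejected)
#   crash:SIG   terminated by signal SIG (ABRT for a failed assert(), SEGV, ...)
run_poc() {
    harness=$1
    poc=$2
    status=0
    "$harness" "$poc" >/dev/null 2>&1 || status=$?
    sig=$(signal_of_status "$status")
    if [ "$status" -eq 0 ]; then
        echo ok
    elif [ -n "$sig" ]; then
        echo "crash:$sig"
    else
        echo "error:$status"
    fi
}

# Real use, assuming the bug's file names in the current directory:
#   sh this_script.sh ./libass_fuzzer poc
# Before the libass update this is expected to report crash:ABRT (the
# `rad >= eps' assertion); after it, anything but crash:*. A crash makes the
# script exit 2 so it can gate a package build or a QA checklist.
if [ "$#" -eq 2 ]; then
    result=$(run_poc "$1" "$2")
    echo "$result"
    case $result in
        crash:*) exit 2 ;;
    esac
fi
```

The status-to-signal mapping relies on the POSIX shell convention that a child killed by signal N yields exit status 128+N, which is what gdb shows as "Program received signal SIGABRT" in the bug's session; an assert() failure always reports as ABRT, while a memory error from the overflow itself would typically show up as SEGV or BUS, so both count as a crash here.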