| Summary: | brotli new security issue CVE-2020-8927 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | | |
| Priority: | Normal | CC: | ouaurelien, sysadmin-bugs, tarazed25 |
| Version: | 7 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | MGA7-64-OK | | |
| Source RPM: | brotli-1.0.7-2.1.mga7.src.rpm | CVE: | |
| Status comment: | | | |

Description
David Walser
2020-10-13 18:32:03 CEST
Pushed brotli-1.0.7-2.1.mga7 with a patch from Ubuntu to core/updates_testing for mga7.

SRPMS:
brotli-1.0.7-2.1.mga7

RPMS:
brotli-1.0.7-2.1.mga7
lib(64)brotlicommon1-1.0.7-2.1
lib(64)brotlienc1-1.0.7-2.1.mga7
lib(64)brotlidec1-1.0.7-2.1.mga7
lib(64)brotli-devel-1.0.7-2.1.mga7
python2-brotli-1.0.7-2.1.mga7
python3-brotli-1.0.7-2.1.mga7

Assignee: jani.valimaa => qa-bugs

Advisory:
========================

Updated brotli packages fix security vulnerability:

A buffer overflow exists in the Brotli library versions prior to 1.0.8 where an attacker controlling the input length of a "one-shot" decompression request to a script can trigger a crash, which happens when copying over chunks of data larger than 2 GiB (CVE-2020-8927).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8927
https://ubuntu.com/security/notices/USN-4568-1

mga7, x64

Tried out brotli before updating, compressing a large iso, which took about three hours. Default compression was about 1.2.

Updated all 7 packages. Tried different compression factors.

$ brotli -5 oldjournal
$ ll oldjournal*
-rw-r--r-- 1 lcl lcl 6135857 Apr 10 2016 oldjournal
-rw-r--r-- 1 lcl lcl 1898034 Apr 10 2016 oldjournal.br
$ brotli -9 --suffix=br9 oldjournal
-rw-r--r-- 1 lcl lcl 1707709 Apr 10 2016 oldjournalbr9
$ brotli -S .br11 -q 11 oldjournal
-rw-r--r-- 1 lcl lcl 1555693 Apr 10 2016 oldjournal.br11

11 is the default and maximum compression level.

Tested decompression and file naming.

$ brotli -d -S .9 oldjournalbr9
input file [oldjournalbr9] suffix mismatch
$ brotli -d oldjournalbr9 -o oldjournalbr9.9
That worked.
$ mv oldjournal oldjournal.0
$ brotli -d oldjournal.br
$ brotli -d oldjournal.br11 -o oldjournal.11
$ ll oldjournal*
-rw-r--r-- 1 lcl lcl 6135857 Apr 10 2016 oldjournal
-rw-r--r-- 1 lcl lcl 6135857 Apr 10 2016 oldjournal.0
-rw-r--r-- 1 lcl lcl 6135857 Apr 10 2016 oldjournal.11
-rw-r--r-- 1 lcl lcl 1898034 Apr 10 2016 oldjournal.br
-rw-r--r-- 1 lcl lcl 1555693 Apr 10 2016 oldjournal.br11
-rw-r--r-- 1 lcl lcl 1707709 Apr 10 2016 oldjournalbr9
-rw-r--r-- 1 lcl lcl 6135857 Apr 10 2016 oldjournalbr9.9
$ diff oldjournal.0 oldjournal.11
$

That shows that compression and decompression are reliable.

$ brotli -v --test oldjournal.br11
Confirms the integrity of a compressed file.

$ brotli -V
brotli 1.0.7

$ brotli -vZ -w 12 -S .w12 oldjournal
Using a window size of 4K slows down the compression and increases the size of the compressed file.
-rw-r--r-- 1 lcl lcl 2213492 Apr 10 2016 oldjournal.w12

All this looks fine.

Whiteboard: (none) => MGA7-64-OK

Addendum to comment 3:

$ brotli -vZ -w 0 -S .w0 oldjournal
-rw-r--r-- 1 lcl lcl 1555693 Apr 10 2016 oldjournal.w0

Window size 0 lets the compressor use the optimum value.

Validating and advisory done.

CC: (none) => ouaurelien
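The advisory above names two different "fixed" versions for the same bug: upstream 1.0.8, and the Mageia 7 backport brotli-1.0.7-2.1.mga7, whose version string is still below 1.0.8. A scanner that only compares the upstream version would report the patched Mageia packages as vulnerable. The script below is an added example written for this page, not part of the bug report or of Mageia's tooling. It implements rpm's segment-wise version comparison (assuming no "~" or "^" pre-release markers, which it does not handle) and triages `rpm -q`-style package lines against both the upstream fix and the backport release listed in the advisory. The package lines are constructed sample input; the mga8 line is invented for illustration and is not from the page.

```python
import re
from typing import List, Tuple

# Fixed versions for CVE-2020-8927 as stated in the advisory on this page.
UPSTREAM_FIXED = "1.0.8"
# Distro backports carrying the fix at release level: dist tag -> (version, release).
# Only the Mageia 7 entry is taken from the page.
BACKPORT_FIXED = {"mga7": ("1.0.7", "2.1.mga7")}

_SEG = re.compile(r"\d+|[A-Za-z]+")
_DIST = re.compile(r"mga\d+")


def rpm_vercmp(a: str, b: str) -> int:
    """Return -1, 0 or 1 comparing two RPM version/release strings the way
    rpmvercmp does: split into digit and alpha runs, compare digit runs
    numerically and alpha runs lexically, let a digit run beat an alpha run
    at the same position, and treat the string with more segments left as
    newer. Assumption for this example: no '~' or '^' pre-release markers."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        xd, yd = x.isdigit(), y.isdigit()
        if xd and yd:
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif xd != yd:
            return 1 if xd else -1  # numeric segment beats alpha segment
        elif x != y:
            return 1 if x > y else -1
    if len(sa) != len(sb):
        return 1 if len(sa) > len(sb) else -1
    return 0


def parse_nvra(line: str) -> Tuple[str, str, str, str]:
    """Split 'name-version-release.arch' (rpm -q output) into its parts."""
    nvr, arch = line.strip().rsplit(".", 1)
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release, arch


def is_fixed(version: str, release: str) -> bool:
    """True if this version-release carries the CVE-2020-8927 fix, either
    because the upstream version is >= 1.0.8 or because a known distro
    backport (same version, release at or above the fixed one) applies."""
    if rpm_vercmp(version, UPSTREAM_FIXED) >= 0:
        return True
    m = _DIST.search(release)
    if m and m.group(0) in BACKPORT_FIXED:
        fixed_ver, fixed_rel = BACKPORT_FIXED[m.group(0)]
        return version == fixed_ver and rpm_vercmp(release, fixed_rel) >= 0
    return False


def triage(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (package, 'fixed' | 'VULNERABLE') for every brotli package line."""
    out = []
    for line in lines:
        if not line.strip():
            continue
        name, version, release, _arch = parse_nvra(line)
        if "brotli" not in name:
            continue
        status = "fixed" if is_fixed(version, release) else "VULNERABLE"
        out.append((f"{name}-{version}-{release}", status))
    return out


# Constructed sample input (what `rpm -qa '*brotli*'` might print), not real
# scan output. The mga8 line is invented for illustration.
SAMPLE_RPM_QA = """\
brotli-1.0.7-2.mga7.x86_64
lib64brotlicommon1-1.0.7-2.1.mga7.x86_64
lib64brotlidec1-1.0.7-2.mga7.x86_64
python3-brotli-1.0.7-2.1.mga7.x86_64
brotli-1.0.9-1.mga8.x86_64
"""

if __name__ == "__main__":
    for pkg, status in triage(SAMPLE_RPM_QA.splitlines()):
        print(f"{status:10s} {pkg}")
```

The point of the backport table is that the release field, not the version field, is what distinguishes 1.0.7-2.mga7 (unpatched) from 1.0.7-2.1.mga7 (patched); any later Mageia 7 rebuild of 1.0.7 is also treated as fixed, since it would be built from the patched source package.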
Aurelien Oudelet
2020-10-15 16:06:52 CEST
Keywords: (none) => advisory, validated_update

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2020-0385.html

Status: NEW => RESOLVED