Bug 27626

Summary: mediainfo new security issues CVE-2020-15395 and CVE-2020-26797
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: andrewsfarm, mageia, ouaurelien, sysadmin-bugs, tarazed25
Version: 7Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA7-64-OK
Source RPM: mediainfo-18.12-2.mga7.src.rpm CVE: CVE-2020-15395
Status comment:

Comment 1 Lewis Smith 2020-11-18 08:59:15 CET 
In the absence of a particular maintainer for this SRPM, having to assign the bug globally.

Assignee: bugsquad => pkg-bugs

David Walser 2020-12-28 19:03:25 CET

Status comment: (none) => Fixed upstream in 20.09

Comment 2 Nicolas Lécureuil 2021-03-11 21:44:21 CET 
New version pushed in mga7


src:
    - libmediainfo-20.09-1.mga7
    - mediainfo-20.09-1.mga7


can be tested now, but Need to be pushed AFTER imagemagick update

Assignee: pkg-bugs => qa-bugs
CC: (none) => mageia

Comment 3 David Walser 2021-03-12 20:43:55 CET 
RPMs:
mediainfo-20.09-1.mga7
mediainfo-gui-wx-20.09-1.mga7
mediainfo-gui-qt-20.09-1.mga7
mediainfo-gui-common-20.09-1.mga7

(In reply to Nicolas Lécureuil from comment #2)
> can be tested now, but Need to be pushed AFTER imagemagick update

Why?  I don't see a dependency there.

Status comment: Fixed upstream in 20.09 => (none)

Comment 4 Len Lawrence 2021-03-13 19:18:38 CET 
Going ahead with this.
mga7, x64

Installed the gui packages and tried out mediainfo-gui.
It seems to work OK.
No exploits available for the buffer overflow issue.  This is the very common problem of string buffer allocation which does not take into account the terminating null byte.

Updated the four packages from testing.

$ mediainfo tsunami.ts
General
ID                                       : 0 (0x0)
Complete name                            : tsunami.ts
Format                                   : MPEG-TS
[...]
Video
ID                                       : 101 (0x65)
Menu ID                                  : 1 (0x1)
Format                                   : AVC
[...]
Audio
ID                                       : 102 (0x66)
Menu ID                                  : 1 (0x1)
Format                                   : AAC LC
....

$ mediainfo tsunami.ts | grep Duration
Duration                                 : 51 min 35 s
Duration                                 : 51 min 35 s
Duration                                 : 51 min 35 s
$ mediainfo LItalianainAlgeri.wav | egrep -i "codec|duration"
Duration                                 : 6 min 51 s
Codec ID                                 : 1
Duration                                 : 6 min 51 s

Exercized the GUI.
$ mediainfo-gui *.wav

This presented the gui focused on WAV files only and provided a dropdown menu for the titles.
For each title there is General information and Audio information and a link to the website for the audio codec (in theory). For the first one tried, the PCM codec led to a Microsoft site.

Invoked without an argument, General, Video, Audio and Text frames are provided and buttons for file navigation and the current directory.
Tried .../Videos/Cassini
Selected a MOV file.
General => QuickTime..... encoded date.....
           1 Video stream: JPEG

The link to player for this file led to an Apple site.

Video => English, ....
"Go to the website of this codec" pointed to the same Apple site.

Everything seems to be in order apart from the broken link that is a data problem.

CC: (none) => tarazed25
Whiteboard: (none) => MGA7-64-OK

Comment 5 Thomas Andrews 2021-03-14 00:01:42 CET 
Validating.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Comment 6 David Walser 2021-03-14 15:49:56 CET 
Advisory:
========================

Updated libmediainfo and mediainfo packages fix security vulnerability:

In MediaInfoLib in MediaArea MediaInfo 20.03, there is a stack-based buffer
over-read in Streams_Fill_PerStream in Multiple/File_MpegPs.cpp (aka an
off-by-one during MpegPs parsing) (CVE-2020-15395).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15395
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/QQJCEQRRPTN5CY5URDFTEJU3A2VKLNBA/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/KSR47ROV33MCI6NPBVCSG5WTU5L4YGIY/
Comment 7 Aurelien Oudelet 2021-03-14 17:15:43 CET 
Advisory committed to SVN.

Keywords: (none) => advisory
CC: (none) => ouaurelien
CVE: (none) => CVE-2020-15395

Comment 8 Mageia Robot 2021-03-14 22:22:22 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0134.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Comment 10 David Walser 2021-05-29 21:50:50 CEST 
*** Bug 28992 has been marked as a duplicate of this bug. ***