| Summary: | libebml new use-after-free security issue and CVE-2021-3405 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | | |
| Priority: | Normal | CC: | andrewsfarm, fri, mageia, ouaurelien, sysadmin-bugs, tarazed25 |
| Version: | 7 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | MGA7-64-OK | | |
| Source RPM: | libebml-1.3.7-1.mga7.src.rpm | CVE: | CVE-2021-3405 |
| Status comment: | | | |
| Bug Depends on: | | | |
| Bug Blocks: | 28930 | | |
Description
David Walser
2021-02-02 19:22:36 CET
David Walser
2021-02-02 19:22:48 CET
Status comment: (none) => Fixed upstream in 1.4.1

libebml-1.4.1-1.mga8 uploaded for Cauldron.

Version: Cauldron => 7

Thanks for doing that already. For M7, different committers make for global bug assignment.

Assignee: bugsquad => pkg-bugs

new version pushed in mga7
src:
- libebml-1.4.2-1.mga7
- mkvtoolnix-32.0.0-2.1.mga7
- libmatroska-1.5.0-2.1.mga7
- vlc-3.0.12.1-1.1.mga7

CC: (none) => mageia

libmatroska rebuild failed.

Built so far:
libebml5-1.4.2-1.mga7
libebml-devel-1.4.2-1.mga7
mkvtoolnix-32.0.0-2.1.mga7
mkvtoolnix-gui-32.0.0-2.1.mga7
vlc-3.0.12.1-1.1.mga7
libvlc5-3.0.12.1-1.1.mga7
libvlccore9-3.0.12.1-1.1.mga7
libvlc-devel-3.0.12.1-1.1.mga7
vlc-plugin-common-3.0.12.1-1.1.mga7
vlc-plugin-zvbi-3.0.12.1-1.1.mga7
vlc-plugin-kate-3.0.12.1-1.1.mga7
vlc-plugin-libass-3.0.12.1-1.1.mga7
vlc-plugin-lua-3.0.12.1-1.1.mga7
vlc-plugin-ncurses-3.0.12.1-1.1.mga7
vlc-plugin-lirc-3.0.12.1-1.1.mga7
svlc-3.0.12.1-1.1.mga7
vlc-plugin-aa-3.0.12.1-1.1.mga7
vlc-plugin-sdl-3.0.12.1-1.1.mga7
vlc-plugin-shout-3.0.12.1-1.1.mga7
vlc-plugin-opengl-3.0.12.1-1.1.mga7
vlc-plugin-vdpau-3.0.12.1-1.1.mga7
vlc-plugin-projectm-3.0.12.1-1.1.mga7
vlc-plugin-theora-3.0.12.1-1.1.mga7
vlc-plugin-twolame-3.0.12.1-1.1.mga7
vlc-plugin-fluidsynth-3.0.12.1-1.1.mga7
vlc-plugin-gme-3.0.12.1-1.1.mga7
vlc-plugin-schroedinger-3.0.12.1-1.1.mga7
vlc-plugin-speex-3.0.12.1-1.1.mga7
vlc-plugin-flac-3.0.12.1-1.1.mga7
vlc-plugin-dv-3.0.12.1-1.1.mga7
vlc-plugin-mod-3.0.12.1-1.1.mga7
vlc-plugin-mpc-3.0.12.1-1.1.mga7
vlc-plugin-sid-3.0.12.1-1.1.mga7
vlc-plugin-sndio-3.0.12.1-1.1.mga7
vlc-plugin-pulse-3.0.12.1-1.1.mga7
vlc-plugin-jack-3.0.12.1-1.1.mga7
vlc-plugin-rist-3.0.12.1-1.1.mga7
vlc-plugin-upnp-3.0.12.1-1.1.mga7
vlc-plugin-gnutls-3.0.12.1-1.1.mga7
vlc-plugin-libnotify-3.0.12.1-1.1.mga7
vlc-plugin-chromaprint-3.0.12.1-1.1.mga7
vlc-plugin-samba-3.0.12.1-1.1.mga7

Status comment: (none) => libmatroska needs rebuilt against updated libebml

(In reply to David Walser from comment #4)
> libmatroska rebuild failed.

which now produces:
libmatroska6-1.5.0-2.1.mga7
libmatroska-devel-1.5.0-2.1.mga7
David Walser
2021-03-12 20:48:20 CET
Status comment: libmatroska needs rebuilt against updated libebml => (none)

Advisory:
========================

Updated libebml packages fix security vulnerability:

Heap use-after-free when parsing malformed file.

The mkvtoolnix, libmatroska, and vlc packages have been rebuilt for the updated libebml.

References:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/7COLX6WFFOI3RIOY2IOXWASU3QKAOWKO/

mga7-64 Plasma Nvidia

Sloppy test: I updated all from list in comment 4 & 6 that was installed, Clean update, and I can still play videos, and found a couple dated bugs from mga6 have been fixed and marked them so...

CC: (none) => fri

These install and work OK, but shouldn't there also be tainted versions?

Keywords: (none) => feedback

At least of vlc, yes.

1.4.2, which we're updating to here, also fixes a heap overflow (CVE-2021-3405):
https://www.debian.org/lts/security/2021/dla-2629

Summary: libebml new use-after-free security issue => libebml new use-after-free security issue and CVE-2021-3405

(In reply to David Walser from comment #11)
> 1.4.2, which we're updating to here, also fixes a heap overflow
> (CVE-2021-3405):
> https://www.debian.org/lts/security/2021/dla-2629

Fedora has issued an advisory for this on March 8:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/JNHQI6MDOECJ2HT5GCLEX2DMJFEOWPW7/
David Walser
2021-05-31 01:37:54 CEST
Blocks: (none) => 28930

VLC update to 3.0.14 pending in Bug 28930, so it needs to be rebuilt anyway. The rest of this bug can be validated (sans the vlc package).

Keywords: feedback => (none)

mga7, x86_64

$ rpm -qa | grep ebml
lib64ebml4-1.3.7-1.mga7

Had a look at https://github.com/Matroska-Org/libebml/issues/74 to see if the PoC could be run without debuginfo sources. gdb complains immediately but launches vlc. The upstream test appears to be on a 32-bit system.

Updated libebml.

$ rpm -qa | grep ebml
lib64ebml4-1.3.7-1.mga7
lib64ebml5-1.4.2-1.mga7

Noting comment 13, we can short circuit this bug.

CC: (none) => tarazed25
Len Lawrence
2021-05-31 12:28:29 CEST
CC: (none) => sysadmin-bugs

Advisory:
========================

Updated libebml packages fix security vulnerabilities:

Heap use-after-free when parsing malformed file.

A flaw was found in libebml before 1.4.2. A heap overflow bug exists in the implementation of EbmlString::ReadData and EbmlUnicodeString::ReadData in libebml (CVE-2021-3405).

The mkvtoolnix, libmatroska packages have been rebuilt for the updated libebml.

(Note in adv: VLC update to 3.0.14 pending in Bug 28930, so it needs to be rebuilt anyway. The rest of this bug can be validated (sans the vlc package)).

References:
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3405
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/7COLX6WFFOI3RIOY2IOXWASU3QKAOWKO/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/JNHQI6MDOECJ2HT5GCLEX2DMJFEOWPW7/
- https://www.debian.org/lts/security/2021/dla-2629
========================

Updated packages in 7/core/updates_testing:
========================
lib(64)ebml5-1.4.2-1.mga7
lib(64)ebml-devel-1.4.2-1.mga7
mkvtoolnix-32.0.0-2.1.mga7
mkvtoolnix-gui-32.0.0-2.1.mga7
lib(64)matroska6-1.5.0-2.1.mga7
lib(64)matroska-devel-1.5.0-2.1.mga7

from SRPM:
libebml-1.4.2-1.mga7
mkvtoolnix-32.0.0-2.1.mga7
libmatroska-1.5.0-2.1.mga7

CVE: (none) => CVE-2021-3405

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0226.html

Resolution: (none) => FIXED