Bug 29175

Summary: live555 new security issues CVE-2019-15232 and CVE-2021-28899
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: andrewsfarm, nicolas.salguero, sysadmin-bugs
Version: 8Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA7TOO MGA7-64-OK MGA8-64-OK
Source RPM: live-2020.12.23-1.mga8.src.rpm CVE:
Status comment:
Bug Depends on:    
Bug Blocks: 29100    

Description David Walser 2021-06-25 00:33:47 CEST 
openSUSE has issued an advisory today (June 24):
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/Y7ZOGH7UAC6Q7OJHR62KOMWS64YF4G73/

The newer issue is fixed upstream in 2021.03.16:
http://live555.com/liveMedia/public/changelog.txt

Mageia 7 and Mageia 8 are also affected.

In Mageia 8, live is built as a shared library, but in Mageia 7 it's statically compiled into mplayer and vlc, which would need to be rebuilt against the update (and VLC is pending an update in Bug 29100).

CVE-2019-15232 only affects Mageia 7, as it was fixed upstream in 2019.08.16.

It looks like the vulnerabilities only affect the server code, which I don't think mplayer uses, and I doubt vlc does (but I'm not sure).
Comment 1 Lewis Smith 2021-06-26 20:23:09 CEST 
Various people have maintained this SRPM, so necessarily assigning the bug globally.

Assignee: bugsquad => pkg-bugs

Comment 2 Nicolas Salguero 2021-06-29 14:51:11 CEST 
For some libraries, the major number was incremented so mplayer and vlc needed to be rebuilt in Mageia 8 and Cauldron too.

CC: (none) => nicolas.salguero

Comment 3 Nicolas Salguero 2021-06-29 15:00:07 CEST 
For Mageia 7, vlc failed to build (see: http://pkgsubmit.mageia.org/uploads/failure/7/core/updates_testing/20210629122826.ns80.duvel.11799/).  All the other builds succeeded:
  - live-2021.06.25-1.mga{7|8|9}
  - vlc-3.0.16-1.mga{8|9}(.tainted)
  - mplayer-1.4-{1.1.mga7|9.3.mga8|15.mga9}(.tainted)
Comment 4 David Walser 2021-06-29 18:20:31 CEST 
Note that there are core and tainted builds for mplayer (and vlc in Bug 29100).

Advisory:
========================

Updated live packages fix security vulnerabilities:

Live555 before 2019.08.16 has a Use-After-Free because
GenericMediaServer::createNewClientSessionWithId can generate the same client
session ID in succession, which is mishandled by the MPEG1or2 and Matroska
file demultiplexors (CVE-2019-15232).

Vulnerability in the AC3AudioFileServerMediaSubsession,
ADTSAudioFileServerMediaSubsession, and AMRAudioFileServerMediaSubsessionLive
OnDemandServerMediaSubsession subclasses in Networks LIVE555 Streaming Media
before 2021.3.16 (CVE-2021-28899).

The mplayer package has been rebuilt against the updated live package.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15232
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28889
http://lists.live555.com/pipermail/live-devel/2021-March/021891.html
http://live555.com/liveMedia/public/changelog.txt
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/Y7ZOGH7UAC6Q7OJHR62KOMWS64YF4G73/
========================

Updated packages in core/updates_testing:
========================
live-2021.06.25-1.mga7
live-devel-2021.06.25-1.mga7
liblivemedia94-2021.06.25-1.mga8
live-debuginfo-2021.06.25-1.mga8
live-2021.06.25-1.mga8
liblive-devel-2021.06.25-1.mga8
libgroupsock30-2021.06.25-1.mga8
libbasicusageenvironment1-2021.06.25-1.mga8
libusageenvironment3-2021.06.25-1.mga8

from SRPMS:
live-2021.06.25-1.mga7.src.rpm
live-2021.06.25-1.mga8.src.rpm

Updated packages in {core,tainted}/updates_testing:
========================
mplayer-1.4-1.1.mga7
mplayer-doc-1.4-1.1.mga7
mplayer-gui-1.4-1.1.mga7
mencoder-1.4-1.1.mga7
mplayer-1.4-9.3.mga8
mplayer-doc-1.4-9.3.mga8
mplayer-gui-1.4-9.3.mga8
mencoder-1.4-9.3.mga8

from SRPMS:
mplayer-1.4-1.1.mga7.src.rpm
mplayer-1.4-9.3.mga8.src.rpm

Whiteboard: (none) => MGA7TOO
Assignee: pkg-bugs => qa-bugs
Version: Cauldron => 8

David Walser 2021-06-29 18:25:55 CEST

Blocks: (none) => 29100

Comment 5 Thomas Andrews 2021-07-02 01:01:38 CEST 
Updated these with vlc at the same time, first with non-tainted, then switched to tainted. No installation issues. Played videos with both versions of vlc, with no problems. Didn't think to install mplayer-gui untill after I had installed the tainted packages. Used that to play some videos, with no issues.

However, I did not do any live streaming, so my test is probably inadequate for this bug.

CC: (none) => andrewsfarm

Comment 6 Thomas Andrews 2021-07-02 16:20:07 CEST 
Looked back to previous updates and found Bug 13705 Comment 4, with several streaming urls that were still valid. (Thanks, wilcal) Tried one each in the tainted versions of vlc and mplayer-gui, and both played as they should.

So, I would say the mga8 tainted version of mplayer is OK, as is live555. Need to try non-tainted versions on another system.
Comment 7 Thomas Andrews 2021-07-02 19:41:18 CEST 
Tested vlc and these packages together, both core and tainted, in a 64-bit mga7 Plasma system. Also tested the core mga8 packages on the same hardware.

No installation issues on any packages. Each time, tested both vlc an mplayer with wilcal's streaming video, a podcast of the latest tech news from seven years ago. All played the stream as expected. 

Also, played some video files with mplayer, and they looked good, too.

This looks OK for both mga7 and mga8. Validating. Advisory in Comment 4.

Keywords: (none) => validated_update
Whiteboard: MGA7TOO => MGA7TOO MGA7-64-OK MGA8-64-OK
CC: (none) => sysadmin-bugs

Thomas Backlund 2021-07-04 02:44:21 CEST

Keywords: (none) => advisory

Comment 8 Mageia Robot 2021-07-04 04:15:21 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0313.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED