Bug 29392

Summary: libass new security issue CVE-2020-36430
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED
QA Contact: Sec team <security>
Severity: major
Priority: Normal
CC: andrewsfarm, sysadmin-bugs, tarazed25
Version: 8
Keywords: advisory, validated_update
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard: MGA8-64-OK
Source RPM: libass-0.15.0-1.mga7.src.rpm
CVE:
Status comment:

Description David Walser 2021-08-20 17:52:17 CEST
SUSE has issued an advisory today (August 20):
https://lists.suse.com/pipermail/sle-security-updates/2021-August/009325.html

The issue is fixed upstream in 0.15.1.

Advisory:
========================

Updated libass packages fix security vulnerability:

libass 0.15.x before 0.15.1 has a heap-based buffer overflow in decode_chars
(called from decode_font and process_text) because the wrong integer data type
is used for subtraction (CVE-2020-36430).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36430
https://lists.suse.com/pipermail/sle-security-updates/2021-August/009325.html
========================

Updated packages in core/updates_testing:
========================
libass9-0.15.1-1.mga8
libass-devel-0.15.1-1.mga8

from libass-0.15.1-1.mga8.src.rpm
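The advisory above attributes the overflow to a subtraction done in the wrong integer type. The following is an added example, not libass code, that shows that bug class in a constructed uuencode-style 4-to-3 decoder of the kind decode_font performs: a buffer-size computation done in size_t that wraps when the tail length is zero (so the heap allocation comes out one byte short of what the decode loop writes), beside the corrected computation and a decoder that allocates the correct size and bounds-checks every write. The function names, the encoding details and the sample input are all constructed for this illustration and are not taken from libass.

```c
/* Constructed uuencode-style decoder illustrating the integer-type
 * pitfall class behind CVE-2020-36430. Hypothetical; not libass code. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Decode cnt_in (2..4) printable characters into cnt_in - 1 bytes.
 * Each character carries 6 bits: (c - 33) & 63. */
static unsigned char *decode_chars(const unsigned char *src,
                                   unsigned char *dst, size_t cnt_in)
{
    uint32_t value = 0;
    for (size_t i = 0; i < cnt_in; i++)
        value |= (uint32_t)((src[i] - 33u) & 63) << (6 * (3 - i));
    for (size_t j = 0; j + 1 < cnt_in; j++)
        *dst++ = (unsigned char)((value >> (16 - 8 * j)) & 0xff);
    return dst;
}

/* DEFECTIVE size computation (constructed). The tail adjustment is meant
 * to be "tail - 1, or 0 when there is no tail", but the subtraction is
 * done in size_t: for n % 4 == 0, 0 - 1 wraps to SIZE_MAX and the sum
 * comes out one byte short of what the decode loop writes. A decoder
 * that allocates this many bytes overflows its heap buffer by one. */
size_t decoded_size_defective(size_t n)
{
    size_t tail = n % 4;             /* 0, 2 or 3; 1 is rejected earlier */
    return n / 4 * 3 + (tail - 1);   /* n == 8 -> 6 + SIZE_MAX == 5 */
}

/* Corrected: handle the empty tail explicitly instead of relying on a
 * negative intermediate that an unsigned type cannot represent. */
size_t decoded_size_fixed(size_t n)
{
    size_t tail = n % 4;
    return n / 4 * 3 + (tail ? tail - 1 : 0);
}

/* Validate the encoded length, allocate exactly decoded_size_fixed(n)
 * bytes and decode into it, checking every write against 'end' so a
 * future size miscalculation fails closed instead of corrupting the heap.
 * Returns NULL on bad input; the caller frees the result. */
unsigned char *decode_buffer(const char *encoded, size_t *out_len)
{
    size_t n = strlen(encoded);
    if (n % 4 == 1)                  /* a lone trailing char carries no byte */
        return NULL;
    size_t size = decoded_size_fixed(n);
    unsigned char *buf = malloc(size ? size : 1);
    if (!buf)
        return NULL;
    const unsigned char *p = (const unsigned char *)encoded;
    unsigned char *q = buf, *end = buf + size;
    size_t i = 0;
    for (; i + 4 <= n; i += 4) {
        if (end - q < 3) { free(buf); return NULL; }
        q = decode_chars(p + i, q, 4);
    }
    if (n - i >= 2) {                /* tail of 2 or 3 chars -> 1 or 2 bytes */
        if ((size_t)(end - q) < n - i - 1) { free(buf); return NULL; }
        q = decode_chars(p + i, q, n - i);
    }
    *out_len = (size_t)(q - buf);
    return buf;
}

/* Convenience check: does 'encoded' decode exactly to 'expected'? */
int decodes_to(const char *encoded, const char *expected)
{
    size_t len = 0;
    unsigned char *buf = decode_buffer(encoded, &len);
    if (!buf)
        return 0;
    int ok = len == strlen(expected) && memcmp(buf, expected, len) == 0;
    free(buf);
    return ok;
}

int main(void)
{
    /* Constructed sample: "47&O" encodes "Man", "47%" encodes "Ma". */
    size_t len = 0;
    unsigned char *out = decode_buffer("47&O47%", &len);
    if (out) {
        printf("decoded %zu bytes: %.*s\n", len, (int)len, out);
        free(out);
    }
    printf("size for 8 encoded chars: defective=%zu fixed=%zu\n",
           decoded_size_defective(8), decoded_size_fixed(8));
    return 0;
}
```

The point to take from the defective version is that the miscalculation only shows up for one residue class of input length (here n % 4 == 0), which is why a bug of this kind survives ordinary testing and is typically found by fuzzing, as Comment 2 notes for the upstream PoC.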
Comment 1 David Walser 2021-08-20 18:00:05 CEST
openSUSE has issued an advisory for this today (August 20):
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/TQ4DQBQAAUJIVKVW7IIROTEKRYDSFT2S/

We can use that reference in the advisory instead.
Comment 2 Len Lawrence 2021-08-26 14:07:43 CEST
mga8, x64

Poked around to see if there was any way to test the overflow issue, but as is fairly usual these days the PoCs are part of a cluster-fuzz framework.  Not only do we not want to get into a rebuilding situation, but the final product differs from the release candidate.

Installed the vlc-plugin-libass and ran a trace on vlc while playing a film with subtitles enabled.
That showed that liblibass_plugin.so was being opened.  The plugin requires lib64ass9.

Updated the two packages.
Ran the vlc test to confirm that the libass plugin was opened.
The requires list indicates that mplayer uses the library directly.
Verified that by running mplayer under strace.
$ grep libass mplayer.trace
openat(AT_FDCWD, "/lib64/libass.so.9", O_RDONLY|O_CLOEXEC) = 3

This looks OK for 64-bits.

Whiteboard: (none) => MGA8-64-OK
CC: (none) => tarazed25

Comment 3 Thomas Andrews 2021-08-26 20:59:06 CEST
Validating. Advisory in Comment 0.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Thomas Backlund 2021-08-27 17:01:42 CEST

Keywords: (none) => advisory

Comment 4 Mageia Robot 2021-08-27 17:31:21 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0413.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED