Bug 5208

Summary:	plib new security issue CVE-2011-4620
Product:	Mageia	Reporter:	David Walser <luigiwalser>
Component:	Security	Assignee:	QA Team <qa-bugs>
Status:	RESOLVED FIXED	QA Contact:
Severity:	normal
Priority:	Normal	CC:	davidwhodgins, stormi-mageia, sysadmin-bugs, tmb
Version:	1	Keywords:	validated_update
Target Milestone:	---
Hardware:	All
OS:	Linux
Whiteboard:
Source RPM:	plib-1.8.5-3.mga1.src.rpm	CVE:
Status comment:
Attachments:	plib-1.8.5-CVE-2011-4620.diff patch for similar code in irrlicht

Description David Walser 2012-04-03 01:29:26 CEST

Debian has issued an update for this, and describes it as a remotely exploitable buffer overflow vulnerability.

Mageia 1 and Cauldron are affected.  Fixing this is currently blocked by a build error on Cauldron.

In Mageia, plib is complied into the packages that use it, so for this to be fixed, they will need to be rebuilt.  Those packages are:
- torcs
- flightgear
- speed-dreams
- tuxkart
- tux_aqfh

Additionally, supertuxkart was forked from tuxkart and switched its build dependency from plib to irrlicht, which contains code that looks just like the affected code in plib, just with changed variable names.  This should probably be patched as well.  In this case, supertuxkart is dynamically linked to irrlicht, so rebuilding supertuxkart would not be required.

Finally, it looks like in Debian that plib is built as a library and that the software using plib in Debian is dynamically linked to that library, rather than having it complied in.  It would be nice if we could do the same in Cauldron at some point.

References:
http://www.debian.org/security/2012/dsa-2425.en.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4620

Comment 1 David Walser 2012-04-03 01:31:58 CEST

Created attachment 1910 [details]
plib-1.8.5-CVE-2011-4620.diff

Comment 2 David Walser 2012-04-03 01:39:22 CEST

Created attachment 1911 [details]
patch for similar code in irrlicht

David Walser 2012-04-03 01:40:26 CEST

Blocks: (none) => 5046

Remco Rijnders 2012-04-03 06:48:53 CEST

CC: (none) => stormi

Comment 3 David Walser 2012-04-03 19:58:05 CEST

OK it builds in Cauldron now.  On Mageia 1 it builds with mesaglut which pulls in libxmu-devel as a dependency, but on Cauldron it builds with freeglut which does not.

I have submitted updated plib and irrlicht packages for Cauldron.  All that needs done there is rebuilding the 5 packages that use plib.

Mageia 1 hasn't been addressed yet.

Comment 4 David Walser 2012-04-04 18:28:19 CEST

The 5 packages in Cauldron have been rebuilt.

David Walser 2012-04-04 18:29:16 CEST

Blocks: 5046 => (none)

Comment 5 David Walser 2012-04-07 04:42:39 CEST

For Mageia 1, there is only torcs, flightgear, supertuxkart, and tuxkart.

In Mageia 1, supertuxkart was built with plib (hadn't switched to irrlicht yet).

Comment 6 David Walser 2012-04-07 06:34:19 CEST

Patched (plib) and rebuilt (games) package uploaded.

Note to QA, the affected code is used for printing error messages.

Advisory:
========================

Updated plib and other packages fix security vulnerability:

Buffer overflow in the ulSetError function in util/ulError.cxx
in PLIB 1.8.5, as used in TORCS 1.3.1 and other products, allows
user-assisted remote attackers to execute arbitrary code via vectors
involving a long error message, as demonstrated by a crafted acc
file for TORCS (CVE-2011-4620).

The torcs, flightgear, supertuxkart, and tuxkart packages have been
rebuilt with the fixed plib library.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4620
http://www.debian.org/security/2012/dsa-2425.en.html
========================

Updated packages in core/updates_testing:
========================
plib-devel-1.8.5-3.1.mga1
torcs-1.3.1-7.1.mga1
torcs-robots-base-1.3.1-7.1.mga1
torcs-robots-berniw-1.3.1-7.1.mga1
torcs-robots-bt-1.3.1-7.1.mga1
torcs-robots-olethros-1.3.1-7.1.mga1
flightgear-2.0.0-4.1.mga1
supertuxkart-0.7-1.1.mga1
tuxkart-0.4.0-10.1.mga1

from SRPMS:
plib-1.8.5-3.1.mga1.src.rpm
torcs-1.3.1-7.1.mga1.src.rpm
flightgear-2.0.0-4.1.mga1.src.rpm
supertuxkart-0.7-1.1.mga1.src.rpm
tuxkart-0.4.0-10.1.mga1.src.rpm

Assignee: bugsquad => qa-bugs

Comment 7 David Walser 2012-04-07 07:11:35 CEST

Hmm, supertuxkart in Mageia 1 is using irrlicht after all.  The rebuild for plib wasn't necessary (although I did fix an error in the .desktop file).

I'll upload a patched irrlicht and update the advisory.

Comment 8 David Walser 2012-04-07 07:20:37 CEST

The affected code isn't in the version of irrlicht used in Mageia 1.  This should be good to go.

Comment 9 Dave Hodgins 2012-04-07 21:48:15 CEST

Just fyi, I can't test these on my ancient hardware.  Lockups with the
ati driver, and do not work under vesa.  Someone else will have to
do the i586 testing for these.

CC: (none) => davidwhodgins

Comment 10 Manuel Hiebel 2012-04-11 22:12:34 CEST

flightgear & torcs works fine on x86_64. Don't know how to see some errors.

Comment 11 claire robinson 2012-04-20 15:11:50 CEST

torcs PoC here http://www.securityfocus.com/bid/51152/exploit

Confirmed the list of packages using plib-devel as buildrequire.

Comment 12 claire robinson 2012-04-20 16:27:26 CEST

i586

Torcs
-----
There is a segfault with torcs when choosing quick race > configure race > accept but it isn't a regression.

/usr/games/torcs: line 53: 24727 Segmentation fault      $LIBDIR/torcs-bin -l $LOCAL_CONF -L $LIBDIR -D $DATADIR $*

I'll create a bug for that.

With the compiled PoC in place of car4-trb1.acc in /usr/share/games/torcs/cars/car4-trb1/

When starting a race..

WARNING: ssgLoadAC: 'cars/car4-trb1/car4-trb1.acc' is not in AC3D format.
/usr/games/torcs: line 53: 24372 Segmentation fault      $LIBDIR/torcs-bin -l $LOCAL_CONF -L $LIBDIR -D $DATADIR $*

That is the same segfault as the one above so I'm not sure it is related to the PoC.

Comment 13 claire robinson 2012-04-20 16:56:03 CEST

Flightgear
----------

My old laptop can't really run this but with the Release version at startup it gives an error..

$ fgfs
Mesa 7.10.2 implementation error: Bad renderbuffer format: 21

Please report at bugs.freedesktop.org

It later gives several pages of these before reaching the cockpit..

i915_program_error: Bad source->Index: 12
i915_program_error: Bad source->Index: 12

No regressions sat on the runway with the update. I'll create another bug for this.

Comment 14 claire robinson 2012-04-20 17:21:23 CEST

Tuxkart Ok.
Supertuxkart Ok.

Testing complete i586

Comment 15 claire robinson 2012-04-20 17:27:39 CEST

Bug 5513 created for flightgear.
Bug 5514 created for torcs

Comment 16 David Walser 2012-04-23 04:00:39 CEST

José Jorge has fixed Bug 5514, so its SRPM is now torcs-1.3.1-7.2.mga1.

Comment 17 claire robinson 2012-04-24 18:08:20 CEST

Still to test - tuxkart & supertuxkart x86_64

Comment 18 claire robinson 2012-04-25 15:31:00 CEST

All tested OK

Validating

Please see comment 6 for Advisory and SRPM

Could sysadmin please push from core/updates_testing to core/updates

Thanks!

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Hardware: i586 => All

Comment 19 claire robinson 2012-04-25 15:32:15 CEST

I think torcs has already been pushed after bug5514 was closed.

Comment 20 Thomas Backlund 2012-04-25 21:45:00 CEST

Update pushed.

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED