Bug 13947 - mednafen new security issue in minilzo CVE-2014-4607
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 4
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
Whiteboard: MGA3TOO has_procedure advisory mga3-3...
Keywords: validated_update
Depends on:
Blocks: 13943
Reported: 2014-08-19 23:55 CEST by Rémi Verschelde
Modified: 2014-08-25 10:44 CEST (History)

Source RPM: mednafen
Description Rémi Verschelde 2014-08-19 23:55:26 CEST
As pointed out on bug 13943, mednafen bundles minilzo.c and is therefore vulnerable to CVE-2014-4607.
See http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4607 and bug 13655.

Rémi Verschelde 2014-08-19 23:55:41 CEST

Component: RPM Packages => Security

Rémi Verschelde 2014-08-20 00:01:51 CEST

Blocks: (none) => 13943

Rémi Verschelde 2014-08-20 00:02:44 CEST

Whiteboard: (none) => MGA3TOO MGA4TOO

Comment 1 Rémi Verschelde 2014-08-20 00:17:11 CEST
I've pushed the following packages with a patch to update minilzo to version 2.08, thus fixing the security issue and minor build issues:
 - mednafen-0.9.26-3.1.mga3.tainted
 - mednafen-0.9.26-4.1.mga4.tainted
 - mednafen-0.9.36.3-2.mga5.tainted

I will test at least the cauldron package tomorrow for noticeable regression, and look at how to test specifically for the compression feature. Then I'll assign to QA and write an advisory and a testing procedure.
Comment 2 Rémi Verschelde 2014-08-20 00:18:00 CEST
Well and the mga3 version did not build, I'll have to start a VM to fix the build there. Will do it tomorrow.
Comment 3 Rémi Verschelde 2014-08-20 19:34:52 CEST
Assigning to QA now.

Advisory
========

Summary: Updated mednafen packages fix security vulnerability

The bundled version of minilzo.c in the mednafen package has been updated
to version 2.08 to fix the following security vulnerability:

An integer overflow in minilzo before 2.07 allows attackers to cause a denial
of service or possibly code execution in applications performing LZO
decompression on a compressed payload from the attacker (CVE-2014-4607).

References
----------
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4607
http://openwall.com/lists/oss-security/2014/06/26/20
http://www.oberhumer.com/opensource/lzo/

SRPMs
-----
 - mednafen-0.9.26-3.1.mga3.tainted
 - mednafen-0.9.26-4.1.mga4.tainted

RPMs
----
 - mednafen-0.9.26-3.1.mga3.tainted
 - mednafen-0.9.26-4.1.mga4.tainted

Version: Cauldron => 4
Assignee: remi => qa-bugs
Whiteboard: MGA3TOO MGA4TOO => MGA3TOO
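
Because the issue comes from a bundled minilzo copy older than 2.07, a packager can check a source tree for such copies before and after patching. The script below is an added example, not part of the original bug report or of Mageia's or mednafen's tooling; it assumes minilzo.h declares its version as "#define MINILZO_VERSION 0xNNNN", and the function names and sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag bundled minilzo copies older than 2.07 (CVE-2014-4607).
# Assumption: minilzo.h carries "#define MINILZO_VERSION 0xNNNN",
# e.g. 0x2060 for 2.06 and 0x2080 for 2.08.
FIXED=$((0x2070))   # 2.07: the advisory describes the flaw as "before 2.07"

# Print the version literal found in one header (empty if none).
minilzo_version() {
    sed -n 's/^[[:space:]]*#[[:space:]]*define[[:space:]]\{1,\}MINILZO_VERSION[[:space:]]\{1,\}\(0x[0-9A-Fa-f]\{1,\}\).*/\1/p' "$1" | head -n 1
}

# Print VULNERABLE, ok or unknown for one header.
classify_header() {
    ver=$(minilzo_version "$1")
    if [ -z "$ver" ]; then echo unknown
    elif [ "$(($ver))" -lt "$FIXED" ]; then echo VULNERABLE
    else echo ok
    fi
}

# Report every minilzo.h under a tree as "<status> <version> <path>".
# Returns non-zero when any copy is VULNERABLE or cannot be identified.
scan_tree() {
    report=$(find "$1" -type f -name minilzo.h | while IFS= read -r hdr; do
        v=$(minilzo_version "$hdr")
        printf '%s %s %s\n' "$(classify_header "$hdr")" "${v:--}" "$hdr"
    done)
    if [ -n "$report" ]; then printf '%s\n' "$report"; fi
    ! printf '%s\n' "$report" | grep -Eq '^(VULNERABLE|unknown) '
}

# Constructed sample: a pre-fix tree (2.06) and a patched tree (2.08).
make_sample() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/before/bundled" "$d/after/bundled"
    printf '#define MINILZO_VERSION 0x2060\n' > "$d/before/bundled/minilzo.h"
    printf '#define MINILZO_VERSION 0x2080\n' > "$d/after/bundled/minilzo.h"
    echo "$d"
}

# With an argument, scan that source tree; without one, run the sample.
if [ "$#" -gt 0 ]; then
    scan_tree "$1"
else
    sample=$(make_sample) || exit 1
    scan_tree "$sample/before"
    scan_tree "$sample/after"
    rm -rf "$sample"
fi
```

A header that is present but carries no recognisable version line is reported as unknown and treated as a failure, so a renamed or stripped copy still gets a manual look.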

Comment 4 Rémi Verschelde 2014-08-20 19:35:14 CEST
Note, the RPMs are in tainted/updates_testing.
Comment 5 Rémi Verschelde 2014-08-20 19:52:04 CEST
Testing procedure
-----------------

Mednafen is a funny little non-user-friendly application with no GUI. To test it for basic regressions, you need a ROM or a CD of a game of one of the consoles it emulates, see the full list here in the package description with "urpmq -i mednafen".

You can then run the game with:
$ mednafen path/to/ROM/file

The tricky part is that input keys are not documented anywhere, and it took me some time to find out how to reconfigure them. Basically, you have to press <Alt + Shift + 1> to remap the key bindings for player 1 (a message tells you which key you are supposed to define at each step). Press all keys twice (if not, it lets you configure lots of alternate key bindings).

Now to check that the minilzo update did not break the package: minilzo is used for state-rewinding in a game, i.e. to go backwards in the play session. To use it, start mednafen with:

$ mednafen -srwcompressor minilzo -srwframes 600 path/to/ROM/file

(600 is the default number of frames to go backwards, you can adjust it if the result is not noticeable - it should be 10 sec for a NES game).

Then, while in game, press <Alt + S> to enable state-rewinding, and rewind with <Backspace>. The game should go backwards in time :-)

See the documentation for more details: http://mednafen.sourceforge.net/documentation/

Whiteboard: MGA3TOO => MGA3TOO has_procedure

Rémi Verschelde 2014-08-21 14:27:35 CEST

Source RPM: (none) => mednafen

Comment 6 claire robinson 2014-08-21 16:21:40 CEST
Testing complete mga3 32

Found lots of nes roms http://lmgtfy.com/?q=nes+rom

It says on the screen that alt+s is enabling state rewinding and holding backspace does make it go backwards.

Whiteboard: MGA3TOO has_procedure => MGA3TOO has_procedure mga3-32-ok

Comment 7 claire robinson 2014-08-22 18:15:36 CEST
Testing complete mga4 64

It's only stuff which happens after enabling state rewinding which can be rewound.

Whiteboard: MGA3TOO has_procedure mga3-32-ok => MGA3TOO has_procedure mga3-32-ok mga4-64-ok

Comment 8 claire robinson 2014-08-22 18:22:17 CEST
Validating. Advisory uploaded.

I added http://advisories.mageia.org/MGASA-2014-0290.html to the references to match the other CVE-2014-4607 updates.

Could sysadmin please push to 3 & 4 updates

Thanks

Keywords: (none) => validated_update
Whiteboard: MGA3TOO has_procedure mga3-32-ok mga4-64-ok => MGA3TOO has_procedure advisory mga3-32-ok mga4-64-ok
CC: (none) => sysadmin-bugs

Comment 9 Mageia Robot 2014-08-25 10:44:52 CEST
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2014-0352.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

