As pointed out on bug 13943, mednafen bundles minilzo.c and is therefore vulnerable to CVE-2014-4607. See http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4607 and bug 13655.
Component: RPM Packages => Security
Blocks: (none) => 13943
Whiteboard: (none) => MGA3TOO MGA4TOO
I've pushed the following packages with a patch to update minilzo to version 2.08, thus fixing the security issue and minor build issues:
- mednafen-0.9.26-3.1.mga3.tainted
- mednafen-0.9.26-4.1.mga4.tainted
- mednafen-0.9.36.3-2.mga5.tainted

I will test at least the cauldron package tomorrow for noticeable regression, and look at how to test specifically for the compression feature. Then I'll assign to QA and write an advisory and a testing procedure.
Well and the mga3 version did not build, I'll have to start a VM to fix the build there. Will do it tomorrow.
Assigning to QA now.

Advisory
========

Summary: Updated mednafen packages fix security vulnerability

The bundled version of minilzo.c in the mednafen package has been updated to version 2.08 to fix the following security vulnerability:

An integer overflow in minilzo before 2.07 allows attackers to cause a denial of service or possibly code execution in applications performing LZO decompression on a compressed payload from the attacker (CVE-2014-4607).

References
----------
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4607
http://openwall.com/lists/oss-security/2014/06/26/20
http://www.oberhumer.com/opensource/lzo/

SRPMs
-----
- mednafen-0.9.26-3.1.mga3.tainted
- mednafen-0.9.26-4.1.mga4.tainted

RPMs
----
- mednafen-0.9.26-3.1.mga3.tainted
- mednafen-0.9.26-4.1.mga4.tainted

Version: Cauldron => 4
Assignee: remi => qa-bugs
Whiteboard: MGA3TOO MGA4TOO => MGA3TOO
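A packager's check for the condition this bug reports (a bundled minilzo older than the fixed release), as an added example that is not part of the original thread or of mednafen. It scans a source tree for minilzo.h / lzoconf.h and reads the hex version macro those headers define (0x2080 for 2.08); the sample tree, its directory names and the 0x2030 value are constructed for the demo.

```python
import os
import re
import tempfile

# minilzo.h defines MINILZO_VERSION and lzoconf.h defines LZO_VERSION as a
# hex constant, e.g. 0x2080 for release 2.08. LZO_VERSION_STRING/_DATE do
# not match because whitespace must follow the macro name.
VERSION_RE = re.compile(
    r"^\s*#\s*define\s+(?:MINI)?LZO_VERSION\s+(0x[0-9a-fA-F]+)", re.M)
FIXED_IN = 0x2070  # advisory text: "minilzo before 2.07" is affected
HEADERS = {"minilzo.h", "lzoconf.h"}


def scan_tree(root):
    """Return sorted [(relative_path, version_int, affected)] for bundled LZO headers."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name not in HEADERS:
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="latin-1") as fh:
                match = VERSION_RE.search(fh.read())
            if match is None:
                continue  # header without a version macro: review by hand
            version = int(match.group(1), 16)
            findings.append((os.path.relpath(path, root), version, version < FIXED_IN))
    return sorted(findings)


def demo():
    """Scan a constructed tree holding one old and one updated bundled copy."""
    with tempfile.TemporaryDirectory() as root:
        samples = {  # constructed header excerpts, not mednafen's real layout
            "old/compress/minilzo.h": "#define MINILZO_VERSION         0x2030\n",
            "new/compress/minilzo.h": "#define MINILZO_VERSION         0x2080\n",
        }
        for rel, text in samples.items():
            target = os.path.join(root, rel)
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "w") as fh:
                fh.write(text)
        return scan_tree(root)


if __name__ == "__main__":
    for rel, version, affected in demo():
        print(f"{rel}: {version:#06x} {'AFFECTED (< 2.07)' if affected else 'ok'}")
```

Running `scan_tree()` over an unpacked SRPM before and after applying the patch shows whether the bundled copy actually moved past the fixed release.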
Note, the RPMs are in tainted/updates_testing.
Testing procedure
-----------------

Mednafen is a funny little non-user-friendly application with no GUI. To test it for basic regressions, you need a ROM or a CD of a game of one of the consoles it emulates, see the full list here in the package description with "urpmq -i mednafen".

You can then run the game with:

$ mednafen path/to/ROM/file

The tricky part is that input keys are not documented anywhere, and it took me some time to find out how to reconfigure them. Basically, you have to press <Alt + Shift + 1> to remap the key bindings for player 1 (a message tells you which key you are supposed to define at each step). Press all keys twice (if not, it lets you configure lots of alternate key bindings).

Now to check that the minilzo update did not break the package: minilzo is used for state-rewinding in a game, i.e. to go backwards in the play session. To use it, start mednafen with:

$ mednafen -srwcompressor minilzo -srwframes 600 path/to/ROM/file

(600 is the default number of frames to go backwards, you can adjust it if the result is not noticeable - it should be 10 sec for a NES game).

Then, while in game, press <Alt + S> to enable state-rewinding, and rewind with <Backspace>. The game should go backwards in time :-)

See the documentation for more details: http://mednafen.sourceforge.net/documentation/
Whiteboard: MGA3TOO => MGA3TOO has_procedure
Source RPM: (none) => mednafen
Testing complete mga3 32

Found lots of nes roms http://lmgtfy.com/?q=nes+rom

It says on the screen that alt+s is enabling state rewinding and holding backspace does make it go backwards.
Whiteboard: MGA3TOO has_procedure => MGA3TOO has_procedure mga3-32-ok
Testing complete mga4 64

It's only stuff which happens after enabling state rewinding which can be rewound.
Whiteboard: MGA3TOO has_procedure mga3-32-ok => MGA3TOO has_procedure mga3-32-ok mga4-64-ok
Validating. Advisory uploaded.

I added http://advisories.mageia.org/MGASA-2014-0290.html to the references to match the other CVE-2014-4607 updates.

Could sysadmin please push to 3 & 4 updates

Thanks

Keywords: (none) => validated_update
Whiteboard: MGA3TOO has_procedure mga3-32-ok mga4-64-ok => MGA3TOO has_procedure advisory mga3-32-ok mga4-64-ok
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2014-0352.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED