Bug 14658 - flac new security issues CVE-2014-8962 and CVE-2014-9028
Summary: flac new security issues CVE-2014-8962 and CVE-2014-9028
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 4
Hardware: i586 Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/623336/
Whiteboard: has_procedure MGA4-32-OK MGA4-64-OK a...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2014-11-25 16:12 CET by David Walser
Modified: 2014-11-29 21:18 CET (History)
3 users

See Also:
Source RPM: flac-1.3.0-2.mga4.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2014-11-25 16:12:48 CET
An advisory has been issued today (November 25):
http://www.ocert.org/advisories/ocert-2014-008.html

FLAC 1.3.1 has not actually been released yet and it looks like it's only being called 1.3.1pre1 as of today in git, so I don't know when the final release is planned.

I've committed the patches linked in the advisory, plus another due to a report from the Google Security Team here:
https://git.xiph.org/?p=flac.git;a=commit;h=93846ee22383fae4a57dc467022524d9d828694a

Patched packages uploaded for Mageia 4 and Cauldron.

Advisory:
========================

Updated flac packages fix security vulnerabilities:

In libFLAC before 1.3.1, a stack overflow (CVE-2014-8962) and a heap overflow
(CVE-2014-9028), which may result in arbitrary code execution, can be
triggered by passing a maliciously crafted .flac file to the libFLAC decoder.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8962
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9028
http://www.ocert.org/advisories/ocert-2014-008.html
========================

Updated packages in core/updates_testing:
========================
flac-1.3.0-2.1.mga4
libflac8-1.3.0-2.1.mga4
libflac-devel-1.3.0-2.1.mga4
libflac++6-1.3.0-2.1.mga4
libflac++-devel-1.3.0-2.1.mga4

from flac-1.3.0-2.1.mga4.src.rpm

Reproducible: 

Steps to Reproduce:
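The advisory above says the overflows are reached by handing the decoder a maliciously crafted .flac file, which is the usual shape of a media-parser bug: a length or range field in the file is trusted before it is checked against the data that actually follows. As an added example (not part of this bug report, the Mageia patches, or the flac project's code), the following Python validator walks the FLAC metadata section and refuses files whose block headers or STREAMINFO fields violate the public format description. It is a generic structural pre-check that a service accepting .flac uploads could run before invoking libFLAC; the page does not identify which decoder paths CVE-2014-8962 and CVE-2014-9028 live in, so this does not reproduce or detect those specific bugs. The sample byte strings at the bottom are constructed for the demonstration, and `MAX_METADATA_BLOCKS` is an assumed local policy, not a format limit.

```python
# Added example: defensive pre-check of a FLAC file's metadata section.
# Field layouts and ranges follow the public FLAC format description;
# the sample inputs at the bottom are constructed, not real files.
import struct

FLAC_MARKER = b"fLaC"
BLOCK_STREAMINFO = 0
BLOCK_VORBIS_COMMENT = 4      # only used to build a constructed sample below
BLOCK_TYPE_INVALID = 127      # reserved by the format, must never appear
STREAMINFO_LEN = 34
MAX_METADATA_BLOCKS = 64      # assumption: a local policy cap, not a format rule


class FlacFormatError(ValueError):
    """Raised when the metadata section violates a format invariant."""


def parse_streaminfo(payload: bytes) -> dict:
    """Decode the 34-byte STREAMINFO body and range-check every field."""
    if len(payload) != STREAMINFO_LEN:
        raise FlacFormatError("STREAMINFO must be exactly 34 bytes")
    min_block, max_block = struct.unpack(">HH", payload[0:4])
    min_frame = int.from_bytes(payload[4:7], "big")
    max_frame = int.from_bytes(payload[7:10], "big")
    # 64 bits: 20-bit sample rate, 3-bit channels-1, 5-bit bps-1, 36-bit samples.
    packed = int.from_bytes(payload[10:18], "big")
    sample_rate = packed >> 44
    channels = ((packed >> 41) & 0x7) + 1
    bits_per_sample = ((packed >> 36) & 0x1F) + 1
    total_samples = packed & ((1 << 36) - 1)
    if min_block < 16:
        raise FlacFormatError("minimum block size below the format's floor of 16")
    if max_block < min_block:
        raise FlacFormatError("maximum block size smaller than minimum")
    if min_frame and max_frame and max_frame < min_frame:
        raise FlacFormatError("maximum frame size smaller than minimum")
    if not 1 <= sample_rate <= 655350:
        raise FlacFormatError("sample rate outside 1..655350 Hz")
    if not 4 <= bits_per_sample <= 32:
        raise FlacFormatError("bits per sample outside 4..32")
    return {"min_block": min_block, "max_block": max_block,
            "min_frame": min_frame, "max_frame": max_frame,
            "sample_rate": sample_rate, "channels": channels,
            "bits_per_sample": bits_per_sample, "total_samples": total_samples,
            "md5": payload[18:34]}


def scan_flac_metadata(data: bytes) -> dict:
    """Walk the metadata block chain; every declared length must fit the file."""
    if data[:4] != FLAC_MARKER:
        raise FlacFormatError("missing fLaC stream marker")
    offset, blocks, streaminfo = 4, [], None
    while True:
        if len(blocks) >= MAX_METADATA_BLOCKS:
            raise FlacFormatError("too many metadata blocks")
        if offset + 4 > len(data):
            raise FlacFormatError("truncated metadata block header")
        flag_and_type = data[offset]
        is_last = bool(flag_and_type & 0x80)
        block_type = flag_and_type & 0x7F
        length = int.from_bytes(data[offset + 1:offset + 4], "big")
        offset += 4
        if block_type == BLOCK_TYPE_INVALID:
            raise FlacFormatError("reserved metadata block type 127")
        # The declared length comes from the file, so never trust it blindly.
        if offset + length > len(data):
            raise FlacFormatError(
                f"block type {block_type} declares {length} bytes but file ends early")
        if not blocks and block_type != BLOCK_STREAMINFO:
            raise FlacFormatError("first metadata block is not STREAMINFO")
        if block_type == BLOCK_STREAMINFO:
            if blocks:
                raise FlacFormatError("duplicate STREAMINFO block")
            streaminfo = parse_streaminfo(data[offset:offset + length])
        blocks.append((block_type, length))
        offset += length
        if is_last:
            return {"streaminfo": streaminfo, "blocks": blocks, "audio_offset": offset}


def check_flac(data: bytes):
    """Return (True, None) if the metadata section is well formed, else (False, reason)."""
    try:
        scan_flac_metadata(data)
        return True, None
    except FlacFormatError as exc:
        return False, str(exc)


# ---- constructed samples (not real recordings) ----------------------------
def _block_header(block_type, length, is_last):
    return bytes([(0x80 if is_last else 0) | block_type]) + length.to_bytes(3, "big")


def _streaminfo(sample_rate=44100, channels=2, bps=16, min_block=4096, max_block=4096):
    packed = (sample_rate << 44) | ((channels - 1) << 41) | ((bps - 1) << 36)
    return (struct.pack(">HH", min_block, max_block) + b"\x00" * 6
            + packed.to_bytes(8, "big") + b"\x00" * 16)


GOOD_FILE = FLAC_MARKER + _block_header(BLOCK_STREAMINFO, STREAMINFO_LEN, True) + _streaminfo()
# A VORBIS_COMMENT block claiming 16 MiB while only 8 bytes follow it.
OVERSIZED_BLOCK_FILE = (FLAC_MARKER + _block_header(BLOCK_STREAMINFO, STREAMINFO_LEN, False)
                        + _streaminfo()
                        + _block_header(BLOCK_VORBIS_COMMENT, 0xFFFFFF, True) + b"\x00" * 8)
# STREAMINFO with a zero sample rate, which the format forbids.
BAD_STREAMINFO_FILE = (FLAC_MARKER + _block_header(BLOCK_STREAMINFO, STREAMINFO_LEN, True)
                       + _streaminfo(sample_rate=0))

if __name__ == "__main__":
    for name, blob in [("good", GOOD_FILE), ("oversized", OVERSIZED_BLOCK_FILE),
                       ("bad-streaminfo", BAD_STREAMINFO_FILE)]:
        print(name, check_flac(blob))
```

The check deliberately stops at the metadata chain and does not decode audio frames; its job is to reject files that cannot possibly be well formed before any decoder sees them, so a structurally valid file can still carry content the decoder must handle on its own, which is why the package update itself remains the actual fix.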
Comment 1 Herman Viaene 2014-11-26 10:45:33 CET
Testing on MGA4-64 on HP6555b
According to the flac website, grip is dependent on flac.
As a test I gripped a complete CD (Mendelssohn symphonies 1 and 4) and the resulting .ogg files open and play in amarok, audacity and xine.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA4-64-OK

Comment 2 David Walser 2014-11-26 17:01:11 CET
grip may be dependent on flac, but it'll only use it if you rip to flac format, not if you rip to Ogg Vorbis format.

Another way to test it is converting something with sox.  I converted an mp3 file to flac with:
sox foo.mp3 foo.flac

and then tested that I could play the flac file with mplayer.

I'll change the OK to 32 as I tested on Mageia 4 i586, and let you try again with flac format on x86_64.

Whiteboard: MGA4-64-OK => MGA4-32-OK

David Walser 2014-11-26 18:33:44 CET

Whiteboard: MGA4-32-OK => has_procedure MGA4-32-OK

Comment 3 William Kenney 2014-11-26 18:56:55 CET
In VirtualBox, M4, KDE, 64-bit

Package(s) under test:
flac audiokonverter

default install of flac & audiokonverter

[root@localhost wilcal]# urpmi flac
Package flac-1.3.0-2.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi audiokonverter
Package audiokonverter-5.9.1-5.mga4.tainted.noarch is already installed

urpmq --whatrequires flac
audiokonverter
MCC -> Install & Remove Software -> flac installs with audiokonverter

/usr/bin/audioconvert4  ( terminal command "audioconvert4" opens the GUI )

Convert an mp3 file to flac format
ffmpeg -i James_Bond_Theme.mp3 James_Bond_Theme.flac
Delete James_Bond_Theme.mp3

Open audioconvert4 from a terminal
Convert James_Bond_Theme.flac to James_Bond_Theme.mp3 selecting
128 bitrate & keep stereo
James_Bond_Theme.mp3 plays with VLC, Amarok & opens in Audacity
Delete James_Bond_Theme.mp3

install flac from updates_testing

[root@localhost wilcal]# urpmi flac
Package flac-1.3.0-2.1.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi audiokonverter
Package audiokonverter-5.9.1-5.mga4.tainted.noarch is already installed

Open audioconvert4 from a terminal
Convert James_Bond_Theme.flac to James_Bond_Theme.mp3 selecting
128 bitrate & keep stereo
James_Bond_Theme.mp3 plays with VLC, Amarok & opens in Audacity

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64

CC: (none) => wilcal.int

Comment 4 William Kenney 2014-11-26 19:02:09 CET
Back in a bit with 32
Comment 5 William Kenney 2014-11-26 19:26:01 CET
In VirtualBox, M4, KDE, 32-bit

Package(s) under test:
flac audiokonverter

default install of flac & audiokonverter

[root@localhost wilcal]# urpmi flac
Package flac-1.3.0-2.mga4.i586 is already installed
[root@localhost wilcal]# urpmi audiokonverter
Package audiokonverter-5.9.1-5.mga4.tainted.noarch is already installed

urpmq --whatrequires flac
audiokonverter
MCC -> Install & Remove Software -> flac installs with audiokonverter

/usr/bin/audioconvert4  ( terminal command "audioconvert4" opens the GUI )

Convert an mp3 file to flac format
ffmpeg -i James_Bond_Theme.mp3 James_Bond_Theme.flac
Delete James_Bond_Theme.mp3

Open audioconvert4 from a terminal
Convert James_Bond_Theme.flac to James_Bond_Theme.mp3 selecting
128 bitrate & keep stereo
James_Bond_Theme.mp3 plays with VLC, Totem ( Videos ) & opens in Audacity
Delete James_Bond_Theme.mp3

install flac from updates_testing

[root@localhost wilcal]# urpmi flac
Package flac-1.3.0-2.1.mga4.i586 is already installed
[root@localhost wilcal]# urpmi audiokonverter
Package audiokonverter-5.9.1-5.mga4.tainted.noarch is already installed

Open audioconvert4 from a terminal
Convert James_Bond_Theme.flac to James_Bond_Theme.mp3 selecting
128 bitrate & keep stereo
James_Bond_Theme.mp3 plays with VLC, Totem ( Videos ) & opens in Audacity

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64
Comment 6 William Kenney 2014-11-26 19:27:57 CET
IMO this is good to go David.
What'da ya say?

Whiteboard: has_procedure MGA4-32-OK => has_procedure MGA4-32-OK MGA4-64-OK

Comment 7 Rémi Verschelde 2014-11-26 20:35:42 CET
Validating, advisory uploaded.

Keywords: (none) => validated_update
Whiteboard: has_procedure MGA4-32-OK MGA4-64-OK => has_procedure MGA4-32-OK MGA4-64-OK advisory
CC: (none) => sysadmin-bugs

Comment 8 Herman Viaene 2014-11-27 10:57:23 CET
After David's comment, I did my test with grip again, making sure to make .flac files now.
The resulting flac files open and play OK in Amarok and Audacity. But xine seems to open the file, yet gives no sound.
I started xine from the CLI and used its menu to select one of the .flac files. Then xine gives an error: no MRL found, which in itself is nonsense.
At the CLI I then gave the command xine <some flac file>, and now Konsole is flooded with messages like
[flac @ 0x7f576c0baea0] invalid frame header
[flac @ 0x7f576c0baea0] decode frame() failed
[flac @ 0x7f576c0baea0] invalid sync code
and this repeats ad infinitum.
This is caused by the fact that the xine-flac package is not installed. Once this is installed, the flac file plays fine in xine.
To me, quite a twisted way to find out that a package is missing when you have xine AND flac installed.
Comment 9 David Walser 2014-11-28 18:24:50 CET
Ubuntu has issued an advisory for this on November 27:
http://www.ubuntu.com/usn/usn-2426-1/

URL: (none) => http://lwn.net/Vulnerabilities/623336/

Comment 10 Mageia Robot 2014-11-29 21:18:50 CET
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2014-0499.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

