Bug 17004 - libebml new security issues TALOS-CAN-0036 and TALOS-CAN-0037
Summary: libebml new security issues TALOS-CAN-0036 and TALOS-CAN-0037
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 5
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/663514/
Whiteboard: has_procedure MGA5-32-OK MGA5-64-OK a...
Keywords: validated_update
: 17005 (view as bug list)
Depends on:
Reported: 2015-10-24 12:54 CEST by Götz Waschk
Modified: 2016-06-22 19:43 CEST (History)
4 users (show)

See Also:
Source RPM: libebml-1.3.0-5.mga5.src.rpm
Status comment:


Description Götz Waschk 2015-10-24 12:54:32 CEST
Cisco found a security bug in libebml labeled 
TALOS-CAN-0036, but not yet available to the public at http://talosintel.com/vulnerability-reports/

The fix is in libebml 1.3.3 and in git:


Steps to Reproduce:
Götz Waschk 2015-10-24 13:02:23 CEST

Blocks: (none) => 17005

Comment 1 David Walser 2015-10-30 15:51:04 CET
Thanks for the report.  Update is checked into SVN.  Hopefully we won't have to wait until 60 days after 10-08-2015 for details.  I'd be interested to know how you found this info and if you know when we can expect any more details.

Summary: security issue in libebml => libebml new security issue TALOS-CAN-0036

Comment 2 Götz Waschk 2015-11-01 18:27:52 CET
It was referenced in the libebml 1.3.3 announcement. It is public.
Comment 3 David Walser 2015-11-02 22:34:22 CET
Thanks.  If you could provide a link to such announcements in the future, it would help.

The release announcements are here:

The security fixes are only in libebml, so I'll close the other bug.

Blocks: 17005 => (none)
Summary: libebml new security issue TALOS-CAN-0036 => libebml new security issues TALOS-CAN-0036 and TALOS-CAN-0037

Comment 4 David Walser 2015-11-02 22:35:05 CET
*** Bug 17005 has been marked as a duplicate of this bug. ***
Comment 5 David Walser 2015-11-02 22:43:06 CET
Saving the advisory for later as the build system is not usable.


Updated libebml packages fix security vulnerabilities:

In EbmlMaster::Read() in libebml before 1.3.3, when the parser encountered a
deeply nested element with an infinite size then a following element of an
upper level was not propagated correctly. Instead the element with the
infinite size was added into the EBML element tree a second time resulting in
memory access after freeing it and multiple attempts to free the same memory
address during destruction (TALOS-CAN-0037).

In EbmlUnicodeString::UpdateFromUTF8() in libebml before 1.3.3, when reading
from a UTF-8 string in which the length indicated by a UTF-8 character's first
byte exceeds the string's actual number of bytes the parser would access
beyond the end of the string resulting in a heap information leak

The libebml package has been updated to version 1.3.3, which fixes these
issues and other bugs, including another invalid memory access issue.

The libmatroska package has also been rebuilt against the updated libebml
and updated to version 1.4.4, which also fixes an invalid memory access
issue and other bugs.  See the release announcements for details.

Comment 6 David Walser 2015-11-02 23:56:02 CET
Updated packages uploaded for Mageia 5.  Advisory in Comment 5.


from SRPMS:

CC: (none) => luigiwalser
Assignee: bugsquad => qa-bugs

Comment 7 David Walser 2015-11-03 21:04:20 CET
The primary consumers of these libraries are mkvtoolnix and vlc.  You can use mkvtoolnix for doing whatever it is that it does for testing this, or use VLC to play a Matroska video (.mkv) file.

Whiteboard: (none) => has_procedure

Comment 8 David Walser 2015-11-03 21:52:34 CET
There are some sample Matroska video files here:

Working fine Mageia 5 i586.

Whiteboard: has_procedure => has_procedure MGA5-32-OK

Comment 9 Len Lawrence 2015-11-03 23:19:31 CET
mga5 - x86_64 - Mate
Upgraded from:
and pulled these in from the command line:

Downloaded six mkv files from the Matroska test suite and played them with vlc.  All played fine, with sound and subtitles where given, and a noticeable sound gap in test8.mkv.

mkvtoolnix installed OK but had no idea how to run it.  It turns out that it is a set of tools: mkvmerge, mkvinfo, mkvextract, mkvpropedit and a separate mkvtoolnix-gui which I could not find, possibly in another RPM.

$ mkvinfo test2.mkv
returned a lot of information about the attributes and structure of the file.

CC: (none) => tarazed25

Comment 10 Len Lawrence 2015-11-03 23:26:09 CET
The audio gap in test8.mkv is reported on the Matroska website and detected by mkvinfo:
|  + Simple
|   + Name: COMMENT
|   + String: Matroska Validation File 8, audio missing between timecodes 6.019s and 6.360s

Anyway, the update works for 64-bit.
Len Lawrence 2015-11-03 23:26:35 CET

Whiteboard: has_procedure MGA5-32-OK => has_procedure MGA5-32-OK MGA5-64-OK

Dave Hodgins 2015-11-05 22:01:14 CET

Keywords: (none) => validated_update
Whiteboard: has_procedure MGA5-32-OK MGA5-64-OK => has_procedure MGA5-32-OK MGA5-64-OK advisory
CC: (none) => davidwhodgins, sysadmin-bugs

Comment 11 Mageia Robot 2015-11-05 23:47:00 CET
An update for this issue has been pushed to Mageia Updates repository.


Resolution: (none) => FIXED

David Walser 2015-11-06 18:25:54 CET

URL: (none) => http://lwn.net/Vulnerabilities/663514/

Comment 12 David Walser 2016-02-29 23:43:47 CET
Looks like these got CVE-2015-8790 and CVE-2015-8791:
Comment 13 David Walser 2016-03-23 19:14:21 CET
Apparently the commit in libmatroska that Götz linked in Bug 17005 got CVE-2015-8792:
Comment 14 David Walser 2016-03-31 16:21:07 CEST
CVE-2015-8789 was also fixed in this update:

It was referenced in this Debian advisory:
Comment 15 David Walser 2016-03-31 18:20:20 CEST
(In reply to David Walser from comment #14)
> CVE-2015-8789 was also fixed in this update:
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8789
> It was referenced in this Debian advisory:
> https://lists.debian.org/debian-security-announce/2016/msg00112.html
> https://www.debian.org/security/2016/dsa-3538

LWN reference:
Comment 16 David Walser 2016-06-22 19:43:48 CEST
According to the TALOS pages themselves:

these are CVE-2016-1514 and CVE-2016-1515 (which doesn't make sense since they should be 2015 CVEs).  So, it looks like someone wrongly assigned some duplicate CVEs.

LWN reference:

Note You need to log in before you can comment on or make changes to this bug.