CVEs have been assigned for three security issues in libming:
http://openwall.com/lists/oss-security/2016/11/10/9
http://openwall.com/lists/oss-security/2016/11/10/10
http://openwall.com/lists/oss-security/2016/11/10/11

There are currently no fixes available.
Whiteboard: (none) => MGA5TOO
Assigning to all packagers collectively, since there is no registered maintainer for this package.
CC: (none) => marja11
Assignee: bugsquad => pkg-bugs
CVEs have been assigned for security issues in libming:
http://openwall.com/lists/oss-security/2016/12/05/2
http://openwall.com/lists/oss-security/2016/12/05/3
http://openwall.com/lists/oss-security/2016/12/05/4
http://openwall.com/lists/oss-security/2016/12/05/6

I don't believe any fixes are available yet.
Summary: libming new security issues CVE-2016-926[4-6] => ming new security issues CVE-2016-926[4-6], CVE-2016-982[7-9], and CVE-2016-9831
Debian-LTS has issued an advisory for this today (January 26): https://lwn.net/Alerts/712627/
URL: (none) => https://lwn.net/Vulnerabilities/712664/
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

Global-buffer-overflow in printMP3Headers. (CVE-2016-9264)
Divide-by-zero in printMP3Headers. (CVE-2016-9265)
Left shift in listmp3.c. (CVE-2016-9266)
Heap-based buffer overflow in _iprintf. (CVE-2016-9827)
NULL pointer dereference in dumpBuffer. (CVE-2016-9828)
Heap-based buffer overflow in parseSWF_DEFINEFONT. (CVE-2016-9829)
Heap-based buffer overflow in parseSWF_RGBA. (CVE-2016-9831)

References:
http://openwall.com/lists/oss-security/2016/11/10/9
http://openwall.com/lists/oss-security/2016/11/10/10
http://openwall.com/lists/oss-security/2016/11/10/11
http://openwall.com/lists/oss-security/2016/12/05/2
http://openwall.com/lists/oss-security/2016/12/05/3
http://openwall.com/lists/oss-security/2016/12/05/4
http://openwall.com/lists/oss-security/2016/12/05/6
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9264
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9265
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9266
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9827
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9828
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9829
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9831
========================

Updated packages in core/updates_testing:
========================
lib(64)ming1-0.4.5-8.1.mga5
lib(64)ming-devel-0.4.5-8.1.mga5
perl-SWF-0.4.5-8.1.mga5
python-SWF-0.4.5-8.1.mga5
ming-utils-0.4.5-8.1.mga5

from SRPMS:
ming-0.4.5-8.1.mga5.src.rpm
Status: NEW => ASSIGNED
CC: (none) => nicolas.salguero
Version: Cauldron => 5
Assignee: pkg-bugs => qa-bugs
Whiteboard: MGA5TOO => (none)
CC: (none) => davidwhodgins
Whiteboard: (none) => advisory
MGA5-32 on Asus A6000VM Xfce

No installation issues.

From the ming-utils README file: "These are various tools useful in development of ming. None are particularly user friendly."

Had a look at what and ran listjpeg on a .jpg file to show frame header and hexdump on a .txt file to show hex codes. All work and look OK.
CC: (none) => herman.viaene
Whiteboard: advisory => advisory MGA5-32-OK
BACKGROUND
"Ming is a library for generating Macromedia Flash files (.swf), written in C, and includes useful utilities for working with .swf files. It has wrappers that allow it to be used in C++, PHP, Python, Ruby, and Perl."

From its site and rpm file details, the tools are:
makefdb - rip fdb font definition files out of a swf or generator template file.
bindump - show file data in hex and binary
dbl2png
png2dbl
hexdump - show file data in hex
makeswf - compile actionscript code into a swf movie
makefdb
gif2dbl - convert a gif-file to dbl
gif2mask - convert a gif image to an alpha mask
png2dbl - convert a png-file to dbl
listaction - show actionscript in the swf
listaction_d
listfdb - show contents of fdb font file
listjpeg - show frame header info in jpeg files
listmp3 - show frame header info in mp3 files
listswf - swf format disassembler
listswf_d
raw2adpcm - convert a raw (pcm?) soundfile to a adpcm-coded soundfile
swftoperl - attempt to make a perl/ming script out of an swf file.
swftophp - attempt to make a php/ming script out of an swf file
swftocxx
swftopython
swftotcl
CC: (none) => lewyssmith
Correction to comment 6: bindump does not exist. hexdump is *not* in this package, but "The hexdump command is part of the util-linux package". There are no man entries. /usr/share/doc/ming-utils/util.README tells you no more than the list above. <command> -h may show basic usage.

BEFORE update, installed:
lib64ming1-0.4.5-8.mga5
ming-utils-0.4.5-8.mga5
perl-SWF-0.4.5-8.mga5
python-SWF-0.4.5-8.mga5

$ listjpeg /mnt/common/lluniau/camera/p1000083.jpg
SOI
Unknown JPEG block: e1
31230 bytes
Quantization table
132 bytes
Start of frame 0
17 bytes
Huffman table
418 bytes
Unknown JPEG block: dd
4 bytes
Start of scan

$ gif2dbl 200_s.gif      GIF -> DBL [leaves original file]
$ dbl2png 200_s.dbl      DBL -> PNG
$ display 200_s.gif      Compare original .gif & final .png
$ display 200_s.png      Look the same!

$ cp 200_s.png 201_s.png      [Copy the original for later reference]
$ png2dbl 200_s.png      PNG -> DBL
$ dbl2png 200_s.dbl      DBL -> PNG
$ display 201_s.png      Compare the original .png
$ display 200_s.png      with that twice converted; look the same

AFTER the update, no problem with same:
lib64ming1-0.4.5-8.1.mga5
ming-utils-0.4.5-8.1.mga5
perl-SWF-0.4.5-8.1.mga5
python-SWF-0.4.5-8.1.mga5

$ listjpeg /mnt/common/lluniau/camera/p1000083.jpg
Output identical to previously.

Image conversion commands as previously:
Gif -> dbl -> png      Original gif looks same as final png.
Png -> dbl -> png      Copy of original png looks same as final one.

Update OK within these meagre limits.
Keywords: (none) => validated_update
Whiteboard: advisory MGA5-32-OK => advisory MGA5-32-OK MGA5-64-OK
CC: (none) => sysadmin-bugs
@lewis Found a SWF file lying around in my Videos directory. Shall have a quick look at that first thing this morning.
CC: (none) => tarazed25
Am reverting the status of this because I had not checked for POCs among the references. As Len has suggested, there might be something there we can test more positively. Between Len & myself one of us will try POCs if possible - without going overboard. Back this evening. Feel free, Len.
Keywords: validated_update => (none)
Whiteboard: advisory MGA5-32-OK MGA5-64-OK => advisory MGA5-32-OK
Long report coming up.

x86_64 real hardware

Installed ming packages from Updates Testing.
Wiki page: http://www.libming.net/

The ming utils allow an SWF file to be analysed; the excerpt here shows the start and end of a listaction console listing which is also written to a file called actionscript. listswf shows the structure of the file.

$ ls -l surfacefly_spirit.swf
-rw-r--r-- 1 lcl lcl 19622421 May 25 2008 surfacefly_spirit.swf

$ listaction surfacefly_spirit.swf
File version: 6
File size: 20003889
Frame size: (0,12800)x(0,7200)
Frame rate: 25.000000 / sec.
Total frames: 65535

Offset: 12488 (0x30c8)
Block type: 26 (SWF_PLACEOBJECT2)
Block length: 5
...........................................
Offset: 20003870 (0x1313c1e)
Block type: 26 (SWF_PLACEOBJECT2)
Block length: 5

Offset: 20003883 (0x1313c2b)
Block type: 12 (SWF_DOACTION)
Block length: 2

2 Actions
20003885:SWFACTION_STOP
20003886:SWFACTION_END
------------------------------------------------------------------------------
$ listswf surfacefly_spirit.swf | less
File version: 6
File size: 20003889
Frame size: (0,12800)x(0,7200)
Frame rate: 25.000000 / sec.
Total frames: 65535

Offset: 21 (0x0015)
Block type: 9 (SWF_SETBACKGROUNDCOLOR)
Block length: 3

RGBA: ( 0, 0, 0,ff)

Offset: 26 (0x001a)
Block type: 60 (SWF_DEFINEVIDEOSTREAM)
Block length: 10

$ swftopython surfacefly_spirit.swf > flyover.py
This logs its internal actions while it builds the output file.
$ head flyover.py
#!/usr/bin/python
from ming import *

Ming_useSWFVersion(6);

m = SWFMovie();

Ming_setScale(1.0);
m.setRate(25.000000);
m.setDimension(12800, 7200);

How the python file is meant to be used is another matter. A plugin of some kind would be needed for a video player but the utility does produce what looks like a rational script. The website indicates that the python project is incomplete.
------------------------------------------------------------------------------
$ swftophp surfacefly_spirit.swf > test.php
$ head test.php
<?php
$m = new SWFMovie(6);
ming_setscale(1.0);
$m->setRate(25.000000);
$m->setDimension(12800, 7200);
$m->setFrames(65535);

/* SWF_SETBACKGROUNDCOLOR */
$m->setBackground(0x00, 0x00, 0x00);

That looks legitimate but I have forgotten how to test php code at the commandline or where to put it to run in a browser.

swftoperl also generates likely looking code:
$ swftoperl surfacefly_spirit.swf > test.pl
$ head test.pl
#!/usr/bin/perl -w
# Generated by swftoperl converter included with ming. Have fun.

# Change this to your needs. If you installed perl-ming global you don't need this.
#use lib("/home/peter/mystuff/lib/site_perl");

# We import all because our converter is not so clever to select only needed. ;-)
use SWF qw(:ALL);
# Just copy from a sample, needed to use Constants like SWFFILL_RADIAL_GRADIENT
use SWF::Constants qw(:Text :Button :DisplayItem :Fill);
--------------------------------------------------------------------------------
From Ubuntu:
swftoperl is a command line tool for decompiling swf format files. It produces Perl code that can be used to recreate the original file.
BUGS
The decompilation is not 100% complete, but it at least provides a useful starting point, and in many cases will produce a complete program.

Summary:
This part of the project has the earmarks of a work in progress. It looks as if most of it is working but greater expertise is required to turn the generated script files into video streams.

@lewis: shall revert later and see if the PoCs can actually be used (by us).
Test files (POCs)

Every link in Comment 0 & Comment 2 (recapitulated Comment 4) follows a similar path:
openwall - blogs.gentoo.org/ago/ - reproducer - raw
everything impeccably documented with the reproducer presumably the POC; but no indication of how to invoke them. They are all described like:
"if you have a web application that calls directly the listmp3 binary to parse untrusted mp3, then you are affected."
"if you have a web application that calls directly the listswf binary to parse untrusted swf, then you are affected."
I think this is going too far for us.

@Len re Comment 10: it is unclear whether you ran these tests pre or post update. Whatever, could you try just 1 or 2 the other way (update or downgrade) to see whether the output is similar (ideally identical). That way we at least know that there is no reversion by the update, and OK it.

If you like to attach the .swf file here (it may be too big), I can have a go. Or we can look for a sufficiently small one; and an .mp3. I will look forthwith.
Those were all after the update to see that Shockwave Flash was being handled OK. I then moved to another machine and ran the PoCs before and after the updates. Adding short report here:

x86_64 real hardware.

Upstream has kindly provided a set of PoCs for the seven CVEs which may help us confirm that the patches work for us. Please see the attachment for the pre and post update PoC checks, which is provided for the sake of completeness. There is also a full record of the tests, mainly hundreds of lines of diagnostics, which could be uploaded, but who would read it?

In summary, the tests here agree with the original reports. Here is a digest of the PoC reports after the update.

CVE-2016-9264
$ listmp3 00034-libming-globaloverflow-printMP3Headers
frame 1: MP25 layer 1, 8000 Hz, 0kbps, mono, length=0, protect off
invalid samplerate index

CVE-2016-9265
$ listmp3 00045-libming-fpe-printMP3Headers
no valid frame found

CVE-2016-9266
$ listmp3 00046-libming-leftshift-listmp3_c
no valid frame found

The rest followed a pattern of several diagnostic messages and "unknown block type - is not implemented"

CVE-2016-9827
$ listswf 00077-libming-heapoverflow-_iprintf
...................
printing type: 67 (Unknown Block Type) is not implemented

CVE-2016-9828
$ listswf 00078-libming-nullptr-dumpBuffer
...........................
printing type: 864 (Unknown Block Type) is not implemented

CVE-2016-9829
$ listswf 00075-libming-heapoverflow-parseSWF_DEFINEFONT
...............................
printing type: 666 (Unknown Block Type) is not implemented

CVE-2016-9831
$ listswf 00076-libming-heapoverflow-parseSWF_RGBA
............................
printing type: 840 (Unknown Block Type) is not implemented

All terminated cleanly.

This endorses the earlier OK so go ahead Lewis.
Umm, 32bit POC tests?
Created attachment 8987 [details] Condensed report of PoC tests There is a longer, verbatim, log of the results if needed.
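A way to script the before/after PoC check reported above, as an added example that is not part of the original thread: it separates a handled rejection of a malformed file (non-zero exit) from a run killed by a signal. `classify_run` and `check_dir` are hypothetical helper names, and the reproducers are assumed to be already downloaded into one directory.

```shell
#!/bin/sh
# Added example (not from the bug thread): classify how one parser run ended.
# Prints: clean | error:<status> | crash:<SIGNAL> | hang
classify_run() {
    status=0
    if command -v timeout >/dev/null 2>&1; then
        # timeout(1) exits 124 when the limit is hit; otherwise the command's
        # own status (128+N for a fatal signal N) reaches the shell.
        timeout "${RUN_TIMEOUT:-10}" "$@" >/dev/null 2>&1 || status=$?
        if [ "$status" -eq 124 ]; then echo hang; return 0; fi
    else
        "$@" >/dev/null 2>&1 || status=$?
    fi
    if [ "$status" -eq 0 ]; then
        echo clean
    elif [ "$status" -gt 128 ]; then
        # Death by signal N shows up as 128+N; kill -l maps it to a name.
        # A program that itself calls exit with a value above 128 would be
        # misread here; treat such a result as needing a manual look.
        echo "crash:$(kill -l "$status" 2>/dev/null || echo "$((status - 128))")"
    else
        echo "error:$status"
    fi
}

# Run TOOL over every regular file in DIR, printing "<result> <file>".
# Returns non-zero if any run crashed or hung, so it can gate an update.
check_dir() {
    tool=$1; dir=$2; bad=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        result=$(classify_run "$tool" "$f")
        echo "$result $f"
        case $result in crash:*|hang) bad=1 ;; esac
    done
    return "$bad"
}
```

Saving the output of `check_dir listmp3 pocs/` (with `pocs/` a placeholder directory) once before and once after the update and diffing the two reports shows which reproducers stopped ending in a signal.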
Yes, I could rerun the SWF test(s) on another mga5.1 installation which probably does not have ming installed. Will do in fact. The file is about 19 MB in size.
@Len : brilliant and 7 x conclusive. I should have done that if I had thought more. Please do not do any more (re Comment 14). As if 7 POCs is not enough! 32-bit: If someone could try just a couple (say one each of .mp3 and .swf) of the tests as described - with their URLs - in the attachment, both before and after the update, it looks quickly done. In the meantime, un-OKing for 32-bit.
Whiteboard: advisory MGA5-32-OK => advisory MGA5-64-OK
Already done. It is a good job we don't use paper much any more.

Installed the ming packages on another machine to exercise the utilities on a SWF file before the update.

$ listaction surfacefly_spirit.swf
File version: 6
File size: 20003889
Frame size: (0,12800)x(0,7200)
Frame rate: 25.000000 / sec.
Total frames: 65535

Offset: 12488 (0x30c8)
Block type: 26 (SWF_PLACEOBJECT2)
Block length: 5
.......
$ tail -14 actionlist
Offset: 20003870 (0x1313c1e)
Block type: 26 (SWF_PLACEOBJECT2)
Block length: 5

Offset: 20003883 (0x1313c2b)
Block type: 12 (SWF_DOACTION)
Block length: 2

2 Actions
20003885:SWFACTION_STOP
20003886:SWFACTION_END

This is identical to the post-update listing.

The following output also matches the post-update example:
$ listswf surfacefly_spirit.swf | less
File version: 6
File size: 20003889
Frame size: (0,12800)x(0,7200)
Frame rate: 25.000000 / sec.
Total frames: 65535

Offset: 21 (0x0015)
Block type: 9 (SWF_SETBACKGROUNDCOLOR)
Block length: 3

RGBA: ( 0, 0, 0,ff)

Offset: 26 (0x001a)
Block type: 60 (SWF_DEFINEVIDEOSTREAM)
Block length: 10
............

$ swftopython surfacefly_spirit.swf > flyover.py
$ head flyover.py
#!/usr/bin/python
from ming import *

Ming_useSWFVersion(6);

m = SWFMovie();

Ming_setScale(1.0);
m.setRate(25.000000);
m.setDimension(12800, 7200);

This matches as far as the original was recorded.

$ swftophp surfacefly_spirit.swf > test.php
$ head test.php
<?php
$m = new SWFMovie(6);
ming_setscale(1.0);
$m->setRate(25.000000);
$m->setDimension(12800, 7200);
$m->setFrames(65535);

/* SWF_SETBACKGROUNDCOLOR */
$m->setBackground(0x00, 0x00, 0x00);

Again, a match for the original post-update output.

Likewise for perl:
$ /usr/bin/swftoperl surfacefly_spirit.swf > test.pl
$ head test.pl
#!/usr/bin/perl -w
# Generated by swftoperl converter included with ming. Have fun.

# Change this to your needs. If you installed perl-ming global you don't need this.
#use lib("/home/peter/mystuff/lib/site_perl");

# We import all because our converter is not so clever to select only needed. ;-)
use SWF qw(:ALL);
# Just copy from a sample, needed to use Constants like SWFFILL_RADIAL_GRADIENT
use SWF::Constants qw(:Text :Button :DisplayItem :Fill);

That seems fine.
MGA5-32 on Asus A6000VM Xfce

Found a test swf file:
$ listswf test.swf | less
File version: 6
File size: 595750
Frame size: (0,11000)x(0,8000)
Frame rate: 12.000000 / sec.
Total frames: 358

Offset: 21 (0x0015)
Block type: 9 (SWF_SETBACKGROUNDCOLOR)
Block length: 3

RGBA: (ff,ff,ff,ff)

Offset: 26 (0x001a)
Block type: 18 (SWF_SOUNDSTREAMHEAD)
Block length: 4

PlaybackSoundRate 22 kHz
PlaybackSoundSize 16 bit
PlaybackSoundType mono
StreamSoundCompression ADPCM
StreamSoundRate 22 kHz
StreamSoundSize 16 bit
StreamSoundType mono
StreamSoundSampleCount 1837

Offset: 36 (0x0024)
Block type: 60 (SWF_DEFINEVIDEOSTREAM)
Block length: 10

CharacterID: 1
NumFrames: 358
Width: 160; Height 120
Flag deblocking: 0
Flag smoothing: 0

$ listaction test.swf
gives similar output on the CLI, but I can't find anywhere an actionlist file

$ listmp3 00045-libming-fpe-printMP3Headers
no valid frame found

$ listswf 00077-libming-heapoverflow-_iprintf
header indicates a filesize of 3313068799 but filesize is 165
File version: 128
File size: 165
Frame size: (-4671272,-4672424)x(-4703645,4404051)
Frame rate: 142.777344 / sec.
Total frames: 2696

Offset: 25 (0x0019)
Block type: 67 (Unknown Block Type)
Block length: 24

printing type: 67 (Unknown Block Type) is not implemented

Leaving it up to the experts to judge.
Keywords: (none) => validated_update
Whiteboard: advisory MGA5-64-OK => advisory MGA5-64-OK MGA5-32-OK
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2017-0070.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED