Bug 19751 - ming new security issues CVE-2016-926[4-6], CVE-2016-982[7-9], and CVE-2016-9831
Summary: ming new security issues CVE-2016-926[4-6], CVE-2016-982[7-9], and CVE-2016-9831
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: All Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: https://lwn.net/Vulnerabilities/712664/
Whiteboard: advisory MGA5-64-OK MGA5-32-OK
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2016-11-10 19:05 CET by David Walser
Modified: 2017-03-03 11:10 CET
CC List: 7 users

See Also:
Source RPM: ming-0.4.5-8.mga5.src.rpm
CVE:
Status comment:


Attachments
Condensed report of PoC tests (2.26 KB, application/octet-stream)
2017-02-25 21:52 CET, Len Lawrence

Description David Walser 2016-11-10 19:05:12 CET
CVEs have been assigned for three security issues in libming:
http://openwall.com/lists/oss-security/2016/11/10/9
http://openwall.com/lists/oss-security/2016/11/10/10
http://openwall.com/lists/oss-security/2016/11/10/11

There are currently no fixes available.
David Walser 2016-11-10 19:06:19 CET

Whiteboard: (none) => MGA5TOO

Comment 1 Marja Van Waes 2016-11-11 20:36:22 CET
Assigning to all packagers collectively, since there is no registered maintainer for this package

CC: (none) => marja11
Assignee: bugsquad => pkg-bugs

Comment 2 David Walser 2016-12-05 20:02:07 CET
CVEs have been assigned for security issues in libming:
http://openwall.com/lists/oss-security/2016/12/05/2
http://openwall.com/lists/oss-security/2016/12/05/3
http://openwall.com/lists/oss-security/2016/12/05/4
http://openwall.com/lists/oss-security/2016/12/05/6

I don't believe any fixes are available yet.

Summary: libming new security issues CVE-2016-926[4-6] => ming new security issues CVE-2016-926[4-6], CVE-2016-982[7-9], and CVE-2016-9831

Comment 3 David Walser 2017-01-27 00:19:01 CET
Debian-LTS has issued an advisory for this today (January 26):
https://lwn.net/Alerts/712627/

URL: (none) => https://lwn.net/Vulnerabilities/712664/

Comment 4 Nicolas Salguero 2017-02-20 14:31:28 CET
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

Global-buffer-overflow in printMP3Headers. (CVE-2016-9264)

Divide-by-zero in printMP3Headers. (CVE-2016-9265)

Left shift in listmp3.c. (CVE-2016-9266)

Heap-based buffer overflow in _iprintf. (CVE-2016-9827)

NULL pointer dereference in dumpBuffer. (CVE-2016-9828)

Heap-based buffer overflow in parseSWF_DEFINEFONT. (CVE-2016-9829)

Heap-based buffer overflow in parseSWF_RGBA. (CVE-2016-9831)

References:
http://openwall.com/lists/oss-security/2016/11/10/9
http://openwall.com/lists/oss-security/2016/11/10/10
http://openwall.com/lists/oss-security/2016/11/10/11
http://openwall.com/lists/oss-security/2016/12/05/2
http://openwall.com/lists/oss-security/2016/12/05/3
http://openwall.com/lists/oss-security/2016/12/05/4
http://openwall.com/lists/oss-security/2016/12/05/6
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9264
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9265
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9266
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9827
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9828
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9829
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9831
========================

Updated packages in core/updates_testing:
========================
lib(64)ming1-0.4.5-8.1.mga5
lib(64)ming-devel-0.4.5-8.1.mga5
perl-SWF-0.4.5-8.1.mga5
python-SWF-0.4.5-8.1.mga5
ming-utils-0.4.5-8.1.mga5

from SRPMS:
ming-0.4.5-8.1.mga5.src.rpm

Status: NEW => ASSIGNED
CC: (none) => nicolas.salguero
Version: Cauldron => 5
Assignee: pkg-bugs => qa-bugs
Whiteboard: MGA5TOO => (none)

Dave Hodgins 2017-02-22 02:46:00 CET

CC: (none) => davidwhodgins
Whiteboard: (none) => advisory

Comment 5 Herman Viaene 2017-02-23 10:03:37 CET
MGA5-32 on Asus A6000VM Xfce
No installation issues
From the ming-utils README file: "These are various tools useful in development of ming. None are particularly user friendly."
Had a look at what is there and ran
listjpeg on a .jpg file to show the frame header
and
hexdump on a .txt file to show hex codes.
All work and look OK.

CC: (none) => herman.viaene
Whiteboard: advisory => advisory MGA5-32-OK

Comment 6 Lewis Smith 2017-02-24 21:42:56 CET
BACKGROUND
"Ming is a library for generating Macromedia Flash files (.swf), written in C, and includes useful utilities for working with .swf files.
It has wrappers that allow it to be used in C++, PHP, Python, Ruby, and Perl."

From its site and rpm file details, the tools are:
    makefdb - rip fdb font definition files out of a swf or generator template file. 
    bindump - show file data in hex and binary
    dbl2png
    png2dbl
    hexdump - show file data in hex
    makeswf - compile actionscript code into a swf movie 
    makefdb
    gif2dbl - convert a gif-file to dbl
    gif2mask - convert a gif image to an alpha mask
    png2dbl - convert a png-file to dbl 
    listaction - show actionscript in the swf
    listaction_d
    listfdb - show contents of fdb font file
    listjpeg - show frame header info in jpeg files
    listmp3 - show frame header info in mp3 files
    listswf - swf format disassembler 
    listswf_d
    raw2adpcm - convert a raw (pcm?) soundfile to a adpcm-coded soundfile 
    swftoperl - attempt to make a perl/ming script out of an swf file.
    swftophp - attempt to make a php/ming script out of an swf file 
    swftocxx
    swftopython
    swftotcl

CC: (none) => lewyssmith

Comment 7 Lewis Smith 2017-02-24 22:44:07 CET
Correction to comment 6:
 bindump does not exist.
 hexdump is *not* in this package, but "The hexdump command is part of the
  util-linux package".
There are no man entries. /usr/share/doc/ming-utils/util.README tells you no more than the list above. <command> -h may show basic usage.

BEFORE update, installed:
 lib64ming1-0.4.5-8.mga5
 ming-utils-0.4.5-8.mga5
 perl-SWF-0.4.5-8.mga5
 python-SWF-0.4.5-8.mga5

$ listjpeg /mnt/common/lluniau/camera/p1000083.jpg
SOI
Unknown JPEG block: e1
31230 bytes
Quantization table
132 bytes
Start of frame 0
17 bytes
Huffman table
418 bytes
Unknown JPEG block: dd
4 bytes
Start of scan

$ gif2dbl 200_s.gif              GIF -> DBL [leaves original file]
$ dbl2png 200_s.dbl              DBL -> PNG
$ display 200_s.gif              Compare original .gif & final .png
$ display 200_s.png              Look the same!

$ cp 200_s.png 201_s.png         [Copy the original for later reference]
$ png2dbl 200_s.png              PNG -> DBL
$ dbl2png 200_s.dbl              DBL -> PNG
$ display 201_s.png              Compare the original .png
$ display 200_s.png              with that twice converted; look the same

AFTER the update, no problem with same:
 lib64ming1-0.4.5-8.1.mga5
 ming-utils-0.4.5-8.1.mga5
 perl-SWF-0.4.5-8.1.mga5
 python-SWF-0.4.5-8.1.mga5

$ listjpeg /mnt/common/lluniau/camera/p1000083.jpg
Output identical to previously.

Image conversion commands as previously:
Gif -> dbl -> png         Original gif looks same as final png.
Png -> dbl -> png         Copy of original png looks same as final one.

Update OK within these meagre limits.

Keywords: (none) => validated_update
Whiteboard: advisory MGA5-32-OK => advisory MGA5-32-OK MGA5-64-OK
CC: (none) => sysadmin-bugs

Comment 8 Len Lawrence 2017-02-25 01:35:49 CET
@lewis

Found a SWF file lying around in my Videos directory.  Shall have a quick look at that first thing this morning.

CC: (none) => tarazed25

Comment 9 Lewis Smith 2017-02-25 08:28:24 CET
Am reverting the status of this because I had not checked for POCs among the references. As Len has suggested, there might be something there we can test more positively. Between Len & myself one of us will try POCs if possible - without going overboard. Back this evening. Feel free, Len.

Keywords: validated_update => (none)
Whiteboard: advisory MGA5-32-OK MGA5-64-OK => advisory MGA5-32-OK

Comment 10 Len Lawrence 2017-02-25 10:27:01 CET
Long report coming up.

x86_64 real hardware

Installed ming packages from Updates Testing.
Wiki page: http://www.libming.net/

The ming utils allow an SWF file to be analysed; the excerpt here shows the start 
and end of a listaction console listing which is also written to a file called
actionscript.
listswf shows the structure of the file.

$ ls -l surfacefly_spirit.swf 
-rw-r--r-- 1 lcl lcl 19622421 May 25  2008 surfacefly_spirit.swf
$ listaction surfacefly_spirit.swf
File version: 6
File size: 20003889
Frame size: (0,12800)x(0,7200)
Frame rate: 25.000000 / sec.
Total frames: 65535

Offset: 12488 (0x30c8)
Block type: 26 (SWF_PLACEOBJECT2)
Block length: 5
...........................................
Offset: 20003870 (0x1313c1e)
Block type: 26 (SWF_PLACEOBJECT2)
Block length: 5


Offset: 20003883 (0x1313c2b)
Block type: 12 (SWF_DOACTION)
Block length: 2

 2 Actions
    20003885:SWFACTION_STOP
    20003886:SWFACTION_END
------------------------------------------------------------------------------
$ listswf surfacefly_spirit.swf | less 
File version: 6
File size: 20003889
Frame size: (0,12800)x(0,7200)
Frame rate: 25.000000 / sec.
Total frames: 65535

Offset: 21 (0x0015)
Block type: 9 (SWF_SETBACKGROUNDCOLOR)
Block length: 3

 RGBA: ( 0, 0, 0,ff)

Offset: 26 (0x001a)
Block type: 60 (SWF_DEFINEVIDEOSTREAM)
Block length: 10

$ swftopython surfacefly_spirit.swf > flyover.py

This logs its internal actions while it builds the output file.
$ head flyover.py
#!/usr/bin/python
from ming import *

Ming_useSWFVersion(6);

m =  SWFMovie();

Ming_setScale(1.0);
m.setRate(25.000000);
m.setDimension(12800, 7200);

How the python file is meant to be used is another matter.  A plugin of some kind
would be needed for a video player but the utility does produce what looks like a
rational script.  The website indicates that the python project is incomplete.
------------------------------------------------------------------------------
$ swftophp surfacefly_spirit.swf > test.php
$ head test.php
<?php
$m = new SWFMovie(6);

ming_setscale(1.0);
$m->setRate(25.000000);
$m->setDimension(12800, 7200);
$m->setFrames(65535);

/* SWF_SETBACKGROUNDCOLOR */
$m->setBackground(0x00, 0x00, 0x00);

That looks legitimate but I have forgotten how to test php code at the commandline or
where to put it to run in a browser.

swftoperl also generates likely looking code:
$ swftoperl surfacefly_spirit.swf > test.pl
$ head test.pl
#!/usr/bin/perl -w
# Generated by swftoperl converter included with ming. Have fun. 

# Change this to your needs. If you installed perl-ming global you don't need this.
#use lib("/home/peter/mystuff/lib/site_perl");

# We import all because our converter is not so clever to select only needed. ;-)
use SWF qw(:ALL);
# Just copy from a sample, needed to use Constants like SWFFILL_RADIAL_GRADIENT
use SWF::Constants qw(:Text :Button :DisplayItem :Fill);
--------------------------------------------------------------------------------
From Ubuntu:
swftoperl is a command line tool for decompiling swf format files.  It
produces Perl code that can be used to recreate the original file.
BUGS
       The decompilation is not 100% complete, but it at least provides a
       useful starting point, and in many cases will produce a complete program.


Summary:
This part of the project has the earmarks of a work in progress.  It looks as if
most of it is working but greater expertise is required to turn the generated script
files into video streams.

@lewis: shall revert later and see if the PoCs can actually be used (by us).
Comment 11 Lewis Smith 2017-02-25 21:07:06 CET
Test files (POCs)

Every link in Comment 0 & Comment 2 (recapitulated Comment 4) follows a similar path:
 openwall - blogs.gentoo.org/ago/ - reproducer - raw
everything impeccably documented with the reproducer presumably the POC; but no indication of how to invoke them. They are all described like: 
"if you have a web application that calls directly the listmp3 binary to parse untrusted mp3, then you are affected."
"if you have a web application that calls directly the listswf binary to parse untrusted swf, then you are affected."

I think this is going too far for us.

@Len re Comment 10 : it is unclear whether you ran these tests pre or post update. Whatever, could you try just 1 or 2 the other way (update or downgrade) to see whether the output is similar (ideally identical). That way we at least know that there is no reversion by the update, and OK it.
If you like to attach the .swf file here (it may be too big), I can have a go. Or we can look for a sufficiently small one; and an .mp3 . I will look forthwith.
Comment 12 Len Lawrence 2017-02-25 21:48:06 CET
Those were all after the update to see that Shockwave Flash was being handled OK.

I then moved to another machine and ran the PoCs before and after the updates.
Adding short report here:

x86_64 real hardware.
Upstream has kindly provided a set of PoCs for the seven CVEs which may help us confirm that
the patches work for us.  Please see the attachment for the pre and post update PoC
checks, which is provided for the sake of completeness.  There is also a full record of
the tests, mainly hundreds of lines of diagnostics, which could be uploaded, but who
would read it?

In summary, the tests here agree with the original reports.

Here is a digest of the PoC reports after the update.

CVE-2016-9264
$ listmp3 00034-libming-globaloverflow-printMP3Headers
frame 1: MP25 layer 1, 8000 Hz, 0kbps, mono, length=0, protect off
invalid samplerate index

CVE-2016-9265
$ listmp3 00045-libming-fpe-printMP3Headers
no valid frame found

CVE-2016-9266
$ listmp3 00046-libming-leftshift-listmp3_c
no valid frame found

The rest followed a pattern of several diagnostic messages and
"unknown block type - is not implemented"

CVE-2016-9827
$ listswf 00077-libming-heapoverflow-_iprintf
...................
printing type:  67 (Unknown Block Type) is not implemented

CVE-2016-9828
$ listswf 00078-libming-nullptr-dumpBuffer
...........................
printing type:  864 (Unknown Block Type) is not implemented

CVE-2016-9829
$ listswf 00075-libming-heapoverflow-parseSWF_DEFINEFONT
...............................
printing type:  666 (Unknown Block Type) is not implemented

CVE-2016-9831
$ listswf 00076-libming-heapoverflow-parseSWF_RGBA
............................
printing type:  840 (Unknown Block Type) is not implemented

All terminated cleanly.

This endorses the earlier OK so go ahead Lewis.
Umm, 32bit POC tests?
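The before/after check described in Comment 12 boils down to: run each reproducer through the utility it targets and see whether the process ends cleanly, dies with a signal, or hangs. The harness below is an added example written for this page; it is not libming code and not part of the bug report. It assumes the ming-utils binaries (listmp3, listswf) are on PATH and that the seven reproducer files, named as quoted in Comment 12, have been fetched from the references into the current directory (the file names are taken from the comment; their presence is an assumption). Python reports a child killed by signal N as returncode -N, which is what turns "hundreds of lines of diagnostics" into one verdict per CVE.

```python
"""Added example (not libming's code, not from the bug report): run each
reproducer through the ming utility it targets and classify how the process
ended, so the pre-/post-update comparison is one line per CVE."""
import os
import subprocess
import sys

# CVE -> (tool, reproducer file).  Names are the ones quoted in Comment 12; the
# files must be fetched from the references and are ASSUMED to sit in `directory`.
POCS = {
    "CVE-2016-9264": ("listmp3", "00034-libming-globaloverflow-printMP3Headers"),
    "CVE-2016-9265": ("listmp3", "00045-libming-fpe-printMP3Headers"),
    "CVE-2016-9266": ("listmp3", "00046-libming-leftshift-listmp3_c"),
    "CVE-2016-9827": ("listswf", "00077-libming-heapoverflow-_iprintf"),
    "CVE-2016-9828": ("listswf", "00078-libming-nullptr-dumpBuffer"),
    "CVE-2016-9829": ("listswf", "00075-libming-heapoverflow-parseSWF_DEFINEFONT"),
    "CVE-2016-9831": ("listswf", "00076-libming-heapoverflow-parseSWF_RGBA"),
}


def classify(returncode):
    """Map a subprocess return code to a verdict.  A child killed by signal N
    comes back as -N (SIGSEGV -> -11, SIGABRT -> -6), which is how an
    unpatched parser dying on a reproducer shows up."""
    if returncode == 0:
        return "clean"
    if returncode < 0:
        return "crash (signal %d)" % -returncode
    return "error (exit %d)" % returncode


def run_poc(argv, timeout=30):
    """Run argv with its (often huge) output discarded; return (verdict, rc).
    A hang gets its own verdict: an unterminated loop is also a finding."""
    try:
        proc = subprocess.run(argv, stdout=subprocess.DEVNULL,
                              stderr=subprocess.DEVNULL, timeout=timeout)
    except subprocess.TimeoutExpired:
        return "hang (timeout after %ds)" % timeout, None
    except FileNotFoundError:
        return "tool not found: %s" % argv[0], None
    return classify(proc.returncode), proc.returncode


def run_all(pocs=POCS, directory="."):
    """Return {cve: verdict} for every reproducer present in `directory`."""
    results = {}
    for cve, (tool, name) in pocs.items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[cve] = "missing reproducer"
            continue
        results[cve] = run_poc([tool, path])[0]
    return results


if __name__ == "__main__":
    directory = sys.argv[1] if len(sys.argv) > 1 else "."
    for cve, verdict in sorted(run_all(directory=directory).items()):
        print("%-14s %s" % (cve, verdict))
```

Run it once with the 0.4.5-8 packages installed and once after updating to 0.4.5-8.1; the expected change is that every "crash (signal ...)" line turns into "clean" or "error (exit N)", the latter being the "no valid frame found" / "is not implemented" exits quoted above. The verdict is taken from the exit status, not from the printed diagnostics, so the output files can be left unread.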
Comment 13 Len Lawrence 2017-02-25 21:52:17 CET
Created attachment 8987 [details]
Condensed report of PoC tests

There is a longer, verbatim, log of the results if needed.
Comment 14 Len Lawrence 2017-02-25 22:06:28 CET
Yes, I could rerun the SWF test(s) on another mga5.1 installation which probably does not have ming installed.  Will do in fact.  The file is about 19 MB in size.
Comment 15 Lewis Smith 2017-02-25 22:13:43 CET
@Len : brilliant and 7 x conclusive. I should have done that if I had thought more.

Please do not do any more (re Comment 14). As if 7 POCs is not enough!

32-bit: If someone could try just a couple (say one each of .mp3 and .swf) of the tests as described - with their URLs - in the attachment, both before and after the update, it looks quickly done. In the meantime, un-OKing for 32-bit.
Lewis Smith 2017-02-25 22:14:23 CET

Whiteboard: advisory MGA5-32-OK => advisory MGA5-64-OK

Comment 16 Len Lawrence 2017-02-25 22:51:15 CET
Already done.  It is a good job we don't use paper much any more. 

Installed the ming packages on another machine to exercise the utilities on
a SWF file before the update.

$ listaction surfacefly_spirit.swf
File version: 6
File size: 20003889
Frame size: (0,12800)x(0,7200)
Frame rate: 25.000000 / sec.
Total frames: 65535

Offset: 12488 (0x30c8)
Block type: 26 (SWF_PLACEOBJECT2)
Block length: 5
.......

$ tail -14 actionlist

Offset: 20003870 (0x1313c1e)
Block type: 26 (SWF_PLACEOBJECT2)
Block length: 5


Offset: 20003883 (0x1313c2b)
Block type: 12 (SWF_DOACTION)
Block length: 2

 2 Actions
    20003885:SWFACTION_STOP
    20003886:SWFACTION_END

This is identical to the post-update listing.
The following output also matches the post-update example:
$ listswf surfacefly_spirit.swf | less
File version: 6
File size: 20003889
Frame size: (0,12800)x(0,7200)
Frame rate: 25.000000 / sec.
Total frames: 65535

Offset: 21 (0x0015)
Block type: 9 (SWF_SETBACKGROUNDCOLOR)
Block length: 3

 RGBA: ( 0, 0, 0,ff)

Offset: 26 (0x001a)
Block type: 60 (SWF_DEFINEVIDEOSTREAM)
Block length: 10
............

$ swftopython surfacefly_spirit.swf > flyover.py
$ head flyover.py
#!/usr/bin/python
from ming import *

Ming_useSWFVersion(6);

m =  SWFMovie();

Ming_setScale(1.0);
m.setRate(25.000000);
m.setDimension(12800, 7200);

This matches as far as the original was recorded.

$ swftophp surfacefly_spirit.swf > test.php
$ head test.php
<?php
$m = new SWFMovie(6);

ming_setscale(1.0);
$m->setRate(25.000000);
$m->setDimension(12800, 7200);
$m->setFrames(65535);

/* SWF_SETBACKGROUNDCOLOR */
$m->setBackground(0x00, 0x00, 0x00);

Again, a match for the original post-update output.

Likewise for perl:

$ /usr/bin/swftoperl surfacefly_spirit.swf > test.pl
$ head test.pl
#!/usr/bin/perl -w
# Generated by swftoperl converter included with ming. Have fun. 

# Change this to your needs. If you installed perl-ming global you don't need this.
#use lib("/home/peter/mystuff/lib/site_perl");

# We import all because our converter is not so clever to select only needed. ;-)
use SWF qw(:ALL);
# Just copy from a sample, needed to use Constants like SWFFILL_RADIAL_GRADIENT
use SWF::Constants qw(:Text :Button :DisplayItem :Fill);

That seems fine.
Comment 17 Herman Viaene 2017-02-28 12:03:58 CET
MGA5-32 on Asus A6000VM Xfce
Found a test swf file:
$ listswf test.swf | less
File version: 6
File size: 595750
Frame size: (0,11000)x(0,8000)
Frame rate: 12.000000 / sec.
Total frames: 358

Offset: 21 (0x0015)
Block type: 9 (SWF_SETBACKGROUNDCOLOR)
Block length: 3

 RGBA: (ff,ff,ff,ff)

Offset: 26 (0x001a)
Block type: 18 (SWF_SOUNDSTREAMHEAD)
Block length: 4

  PlaybackSoundRate 22 kHz
  PlaybackSoundSize 16 bit
  PlaybackSoundType mono
  StreamSoundCompression ADPCM
  StreamSoundRate 22 kHz
  StreamSoundSize 16 bit
  StreamSoundType mono
  StreamSoundSampleCount 1837

Offset: 36 (0x0024)
Block type: 60 (SWF_DEFINEVIDEOSTREAM)
Block length: 10

  CharacterID: 1
  NumFrames: 358
  Width: 160; Height 120
  Flag deblocking: 0
  Flag smoothing: 0

$ listaction test.swf

gives similar output on the CLI, but I can't find an actionlist file anywhere

$ listmp3 00045-libming-fpe-printMP3Headers
no valid frame found

$ listswf 00077-libming-heapoverflow-_iprintf
header indicates a filesize of 3313068799 but filesize is 165
File version: 128
File size: 165
Frame size: (-4671272,-4672424)x(-4703645,4404051)
Frame rate: 142.777344 / sec.
Total frames: 2696

Offset: 25 (0x0019)
Block type: 67 (Unknown Block Type)
Block length: 24

printing type:  67 (Unknown Block Type) is not implemented

Leaving it up to the experts to judge.
Dave Hodgins 2017-03-02 22:05:48 CET

Keywords: (none) => validated_update
Whiteboard: advisory MGA5-64-OK => advisory MGA5-64-OK MGA5-32-OK

Comment 18 Mageia Robot 2017-03-03 11:10:22 CET
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0070.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

