Ubuntu has issued an advisory today (November 22): https://www.ubuntu.com/usn/usn-3135-1/ Mageia 5 is also affected.
Whiteboard: (none) => MGA5TOO
More details than you'll ever need about this vulnerability: https://scarybeastsecurity.blogspot.co.uk/2016/11/0day-exploit-advancing-exploitation.html
CVE-2016-963[4-6]: http://openwall.com/lists/oss-security/2016/11/24/2
Summary: gstreamer0.10-plugins-good, gstreamer1.0-plugins-good new security issue in FLC decoding => gstreamer0.10-plugins-good, gstreamer1.0-plugins-good new security issue in FLC decoding (CVE-2016-963[4-6])
URL: (none) => https://lwn.net/Vulnerabilities/707218/
CVE-2016-980[78], CVE-2016-9810 assigned for issues fixed in 1.10.2: http://openwall.com/lists/oss-security/2016/12/05/8
LWN reference for CVE-2016-9808: https://lwn.net/Vulnerabilities/708239/
LWN reference for CVE-2016-9807: https://lwn.net/Vulnerabilities/709839/
Should I just remove the vulnerable FLI/FLC/FLX plugin like Red Hat did?
For gstreamer0.10-plugins-good, everybody has removed/disabled it, so yes.
http://pkgs.fedoraproject.org/cgit/rpms/gstreamer-plugins-good.git/commit/?h=f24&id=f71a05920509649851ffcdf19925f1c08c1f439a

For gstreamer1.0-plugins-good, everyone appears to be patching it.

Fedora has patches for 1.8.x (should be usable in Cauldron):
http://pkgs.fedoraproject.org/cgit/rpms/gstreamer1-plugins-good.git/commit/?h=f24&id=b0217c463268bb211dddf645a7f2e1d8503f55a5

Ubuntu has patches for 1.2.x:
https://launchpad.net/ubuntu/+source/gst-plugins-good1.0/1.2.4-1~ubuntu1.3

We have 1.4.x in Mageia 5, so you might be able to make something work between the two of those. If not, we could just disable it in Mageia 5.
Should be fixed in cauldron in gstreamer0.10-plugins-good-0.10.31-11.mga6 and gstreamer1.0-plugins-good-1.8.3-3.mga6. Updates submitted to 5/updates_testing for QA review. Now to write the advisory...
Version: Cauldron => 5
Whiteboard: MGA5TOO => (none)
Assigning to QA.
Assignee: shlomif => qa-bugs
There is an exploit file for this so shall try it on 64bit system. Downloaded the sample Castlevania theme music from http://scarybeastsecurity.blogspot.co.uk/2016/11/0day-exploit-compromising-linux-desktop.html and the file exploit_ubuntu_12.04.5_xcalc.nsf which was written for that specific version of Ubuntu. Here it segfaulted under xine. The sample music played fine in xine with accompanying video.
CC: (none) => tarazed25
Looking for applications requiring gstreamer0.10 - xine not among them apparently.

cutegram exaile fmj gcompris gmusicbrowser gnac gstreamer0.10-espeak gstreamer0.10-farstream gstreamer0.10-moodbar gstreamer0.10-plugins-good guayadeque luciole mate-settings-daemon-gstreamer miro mopidy perroquet psi-plugin-media radiotray subtitleeditor task-sugar

exaile played the soundtrack from cv2.nsf OK but reported "Playback error encountered no suitable plugins found" for the command:

$ exaile exploit_ubuntu_12.04.5_xcalc.nsf
..........
INFO : Playing file:///home/lcl/exploit_ubuntu_12.04.5_xcalc.nsf
ERROR : <gst.Message GstMessageError, gerror=(GError)NULL, debug=(string)"gstdecodebin2.c\(3576\):\ gst_decode_bin_expose\ \(\):\ /GstPlayBin2:player/GstURIDecodeBin:uridecodebin0/GstDecodeBin2:decodebin20:\012no\ suitable\ plugins\ found"; from decodebin20 at 0x11f6bb0>
['__class__', '__cmp__', '__delattr__', '__dict__', '__doc__', '__format__', '__getattribute__', '__grefcount__', '__gstminiobject_init__', '__gtype__', '__hash__', '__init__', '__new__', '__reduce__', '__reduce_ex__', '__repr__', '__setattr__', '__sizeof__', '__str__', '__subclasshook__', 'copy', 'flags', 'parse_async_start', 'parse_buffering', 'parse_buffering_stats', 'parse_clock_lost', 'parse_clock_provide', 'parse_duration', 'parse_error', 'parse_info', 'parse_new_clock', 'parse_qos', 'parse_qos_stats', 'parse_qos_values', 'parse_request_state', 'parse_segment_done', 'parse_segment_start', 'parse_state_changed', 'parse_step_done', 'parse_step_start', 'parse_stream_status', 'parse_structure_change', 'parse_tag', 'parse_tag_full', 'parse_warning', 'set_buffering_stats', 'set_qos_stats', 'set_qos_values', 'set_seqnum', 'src', 'structure', 'timestamp', 'type']

Installed the plugins from updates testing:
- gstreamer0.10-plugins-good-0.10.31-9.1.mga5.x86_64
- gstreamer0.10-pulse-0.10.31-9.1.mga5.x86_64
- gstreamer0.10-soup-0.10.31-9.1.mga5.x86_64
- gstreamer1.0-flac-1.4.3-2.1.mga5.x86_64
- gstreamer1.0-plugins-good-1.4.3-2.1.mga5.x86_64
- gstreamer1.0-pulse-1.4.3-2.1.mga5.x86_64
- gstreamer1.0-soup-1.4.3-2.1.mga5.x86_64
- gstreamer1.0-vp8-1.4.3-2.1.mga5.x86_64

$ exaile cv2.nsf
That played the soundtrack after the update.

$ exaile exploit_ubuntu_12.04.5_xcalc.nsf
aborted with a segmentation fault:
INFO : Playing file:///home/lcl/Downloads/exploit_ubuntu_12.04.5_xcalc.nsf
Segmentation fault

Different, but does it prove anything?

Tried out gmusicbrowser. It found an ogg file to play. Added some folders from my Music directory and double-clicked on various tracks in different formats. Works a treat.
CVE-2016-9634
Test file: exploit_ubuntu_12.04.5_xcalc.nsf

CVE-2016-9807 & CVE-2016-9808
gstreamer-invalid-memory-read-flx_decode_chunks.fli from https://bugzilla.gnome.org/show_bug.cgi?id=774859
Asan needed to reproduce the reported error text. This looks like a PoC for 9808.
crash_delta_fli_2.flx from scarybeast but how to use it?

CVE-2016-9809
Test file: oob-gst_h264_parse_set_caps.mkv
Needs asan to expose the bug. exaile tries to use matroskademux0 but fails and exits.

CVE-2016-9810
decodebin2-gst_decode_chain_free_internal from https://bugzilla.gnome.org/show_bug.cgi?id=774897

Floundering a bit here. Not at all clear how to use these test files or how to interpret output. Best to fall back to testing normal files against the updated plugins I guess.
$ uname -a
Linux localhost.localdomain 4.4.36-desktop-2.mga5 #1 SMP Tue Dec 6 17:31:54 UTC 2016 i686 i686 i686 GNU/Li

The following 4 packages are going to be installed:
- gstreamer0.10-pulse-0.10.31-9.1.mga5.i586
- gstreamer1.0-plugins-good-1.4.3-2.1.mga5.i586
- gstreamer1.0-pulse-1.4.3-2.1.mga5.i586
- gstreamer1.0-soup-1.4.3-2.1.mga5.i586
8KB of additional disk space will be used.
1.5MB of packages will be retrieved.
Is it ok to continue?

Ran Totem and mplayer along with playing music through. All is working correctly.
CC: (none) => brtians1
Whiteboard: (none) => mga5-32-ok
x86_64 Played some MP3, OGG, WAV and MP4 files in totem; sound and video OK.
Whiteboard: mga5-32-ok => mga5-32-ok MGA5-64-OK
Validating; but ex Comment 8, Advisory awaits. I was going to invent one, but am unsure of package & SRPM versions.
Keywords: (none) => validated_update
CC: (none) => lewyssmith, sysadmin-bugs
(In reply to Lewis Smith from comment #15)
> Validating; but ex Comment 8, Advisory awaits. I was going to invent one,
> but am unsure of package & SRPM versions.

Click on "RPMS" in the "Lists" column on the relevant line in madb. You'll see:
http://madb.mageia.org/tools/listRpmsForQaBug/bugnum/19830/application/0

Although, I think only the SRPMs are included in the Advisory.
CC: (none) => jim
Advisory:
========================

Updated gstreamer0.10-plugins-good and gstreamer1.0-plugins-good packages fix security vulnerabilities:

Multiple flaws were discovered in GStreamer's FLC/FLI/FLX media file format decoding plug-in. A remote attacker could use these flaws to cause an application using GStreamer to crash or, potentially, execute arbitrary code with the privileges of the user running the application (CVE-2016-9634, CVE-2016-9635, CVE-2016-9636, CVE-2016-9808).

An invalid memory read access flaw was found in GStreamer's FLC/FLI/FLX media file format decoding plug-in. A remote attacker could use this flaw to cause an application using GStreamer to crash (CVE-2016-9807, CVE-2016-9810).

Note that CVE-2016-9810 only affected gstreamer1.0-plugins-good.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9634
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9635
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9636
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9807
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9808
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9810
https://rhn.redhat.com/errata/RHSA-2016-2975.html
http://openwall.com/lists/oss-security/2016/12/05/8

Source RPMs:
gstreamer0.10-plugins-good-0.10.31-9.1.mga5.src.rpm
gstreamer1.0-plugins-good-1.4.3-2.1.mga5.src.rpm
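The advisory above names the fixed Source RPMs, and the QA comments earlier in the thread show testers checking by hand which plugin RPMs they had installed. The script below is an added example, not part of this bug report or of Mageia's own tooling: it takes the output of an assumed query of the form `rpm -q --qf '%{NAME} %{EPOCH} %{VERSION} %{RELEASE}\n' <packages>` and decides whether each plugins-good package is at or above the advisory's fixed version, using rpm's own version-ordering rules (rpmvercmp) rather than a plain string compare, so that 9.1.mga5 correctly sorts after 9.mga5 and 1.10 after 1.8. The fixed versions come from the advisory's Source RPMs; the sample rpm output, including the 9.mga5 pre-update release used for gstreamer0.10-plugins-good, is constructed for the example and is not taken from the page.

```python
"""Check installed gstreamer-plugins-good RPMs against the advisory's
fixed versions, ordering them the way rpm itself does.

Added example; not from the bug report or Mageia tooling. Assumed input:
    rpm -q --qf '%{NAME} %{EPOCH} %{VERSION} %{RELEASE}\n' <packages>
"""

# Fixed (epoch, version, release) from the advisory's Source RPMs; epoch 0 assumed.
FIXED = {
    "gstreamer0.10-plugins-good": (0, "0.10.31", "9.1.mga5"),
    "gstreamer1.0-plugins-good": (0, "1.4.3", "2.1.mga5"),
}

# Constructed sample of the rpm query output. The 9.mga5 release is an
# invented pre-update value, not something stated in the bug report.
SAMPLE_RPM_Q = """\
gstreamer0.10-plugins-good (none) 0.10.31 9.mga5
gstreamer1.0-plugins-good (none) 1.4.3 2.1.mga5
gstreamer1.0-pulse (none) 1.4.3 2.1.mga5
"""

_DIGITS = "0123456789"
_ALPHA = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"


def _take(s, start, chars):
    """Return the run of characters in s starting at `start` drawn from `chars`."""
    end = start
    while end < len(s) and s[end] in chars:
        end += 1
    return s[start:end]


def rpmvercmp(a, b):
    """Order two version (or release) strings like rpmvercmp(3).

    Strings are split into digit runs and letter runs; digit runs compare
    numerically, letter runs lexically, a digit run beats a letter run, and
    '~' sorts before anything else, even the end of the string (pre-releases).
    Returns -1, 0 or 1.
    """
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        # Separators (anything that is neither alphanumeric nor '~') are skipped.
        while i < len(a) and a[i] not in _DIGITS + _ALPHA + "~":
            i += 1
        while j < len(b) and b[j] not in _DIGITS + _ALPHA + "~":
            j += 1
        tilde_a = i < len(a) and a[i] == "~"
        tilde_b = j < len(b) and b[j] == "~"
        if tilde_a or tilde_b:
            if tilde_a and tilde_b:
                i, j = i + 1, j + 1
                continue
            return -1 if tilde_a else 1      # the side with '~' is older
        if i >= len(a) or j >= len(b):
            break
        numeric = a[i] in _DIGITS
        chars = _DIGITS if numeric else _ALPHA
        seg_a, seg_b = _take(a, i, chars), _take(b, j, chars)
        i, j = i + len(seg_a), j + len(seg_b)
        if not seg_b:
            return 1 if numeric else -1      # digits are newer than letters
        if numeric:
            seg_a, seg_b = seg_a.lstrip("0"), seg_b.lstrip("0")
            if len(seg_a) != len(seg_b):
                return 1 if len(seg_a) > len(seg_b) else -1
        if seg_a != seg_b:
            return 1 if seg_a > seg_b else -1
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1          # leftover segments win


def evr_cmp(x, y):
    """Compare (epoch, version, release) tuples; epoch dominates, then version, then release."""
    if x[0] != y[0]:
        return 1 if x[0] > y[0] else -1
    return rpmvercmp(x[1], y[1]) or rpmvercmp(x[2], y[2])


def parse_rpm_q(text):
    """Parse 'NAME EPOCH VERSION RELEASE' lines into {name: (epoch, version, release)}."""
    installed = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue                         # ignore blank or malformed lines
        name, epoch, version, release = parts
        installed[name] = (0 if epoch == "(none)" else int(epoch), version, release)
    return installed


def audit(text, fixed=FIXED):
    """Return {package: 'fixed' | 'vulnerable' | 'not installed'} for each tracked package."""
    installed = parse_rpm_q(text)
    result = {}
    for name, fixed_evr in fixed.items():
        if name not in installed:
            result[name] = "not installed"
        else:
            result[name] = "fixed" if evr_cmp(installed[name], fixed_evr) >= 0 else "vulnerable"
    return result


if __name__ == "__main__":
    for pkg, state in audit(SAMPLE_RPM_Q).items():
        print(f"{pkg}: {state}")
```

On a real Mageia 5 system the constructed `SAMPLE_RPM_Q` would be replaced by the output of the rpm query named in the docstring; the comparison deliberately reimplements rpm's ordering so the check does not depend on `rpmdev-vercmp` being installed.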
Thanks David.
Whiteboard: mga5-32-ok MGA5-64-OK => mga5-32-ok MGA5-64-OK advisory
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2016-0424.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
LWN reference for CVE-2016-9810: https://lwn.net/Vulnerabilities/710363/