Debian has issued an advisory today (December 15): https://www.debian.org/security/2016/dsa-3735
CVE request: http://openwall.com/lists/oss-security/2016/12/15/1

Mageia 5 is also affected.
Whiteboard: (none) => MGA5TOO
URL: (none) => https://lwn.net/Vulnerabilities/709341/
Fixed in Cauldron with game-music-emu-0.6.1-1.mga6. Pushing the same version to Mageia 5, as it's only a couple of commits ahead of 0.6.0 and contains only bugfixes (including this security bugfix).

Suggested advisory:
===================

Updated game-music-emu packages fix security vulnerabilities

Chris Evans discovered that incorrect emulation of the SPC700 audio co-processor of the Super Nintendo Entertainment System allows the execution of arbitrary code if a malformed SPC music file is opened (CVE-2016-9957, CVE-2016-9958, CVE-2016-9959, CVE-2016-9960, CVE-2016-9961).

References:
- http://scarybeastsecurity.blogspot.de/2016/12/redux-compromising-linux-using-snes.html
- https://www.debian.org/security/2016/dsa-3735
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9957
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9958
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9959
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9960
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9961

SRPM in core/updates_testing:
=============================
game-music-emu-0.6.1-1.mga5

RPMs in core/updates_testing:
=============================
lib(64)gme0-0.6.1-1.mga5
lib(64)gme-devel-0.6.1-1.mga5
Version: Cauldron => 5
Summary: game-music-emu new security issue => game-music-emu new security issues CVE-2016-995[789], CVE-2016-996[01]
Whiteboard: MGA5TOO => (none)
Unless the DSA adds the CVEs, please include the CVE assignment in the refs: http://openwall.com/lists/oss-security/2016/12/15/11

Thanks.
Testing procedure:
==================

libgme is used in some media players to decode audio formats specific to some console games: vlc, love (would need a love game that uses it, not that easy to find), qmmp, gstreamer1.0-plugins-bad, gstreamer0.10-plugins-bad.

An easy way to reproduce the bug and test the fix, without going too much into the detail, would be:

- Install gstreamer1.0-gme
- Download those two files from the original security vulnerability description:
  https://security.appspot.com/security/spc/gnome_calc_fedora_25_libc_2.24-3.spc
  https://security.appspot.com/security/spc/xcalc_ubuntu_16.04_libc_2.23-0ubuntu3.spc
- Try to run them, e.g. with:
  $ gst-play-1.0 ~/Downloads/gnome_calc_fedora_25_libc_2.24-3.spc
  $ gst-play-1.0 ~/Downloads/xcalc_ubuntu_16.04_libc_2.23-0ubuntu3.spc

Before the update, they should trigger a segmentation fault, or if you're lucky, open gnome-calculator (that part of the original report doesn't work for me, but I guess it's distro dependent).

After the update, it should actually play those files for 2:30 minutes, though they don't have any sound, but that's normal.

To test the actual playback of valid music, you can e.g. download this archive and try gst-play-1.0 on some of the files:
http://www.zophar.net/soundfiles/nintendo-snes-spc/final-fantasy-vi/Final%20Fantasy%20VI%20(EMU).zophar.zip

Note that those music files are copyrighted material extracted from a game, so unless you possess the original game, it's best if you delete those files after the test ;)
Whiteboard: (none) => has_procedure
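The procedure above comes down to running gst-play-1.0 on each sample and watching whether the player dies or keeps decoding. The helper below, added here as an example and not part of the bug report or of the game-music-emu project, wraps that in a shell function with a timeout and turns the exit status into a verdict, so the before/after comparison does not depend on eyeballing a terminal. It assumes GNU coreutils timeout and gst-play-1.0 (from gstreamer1.0-gme) are installed; the sample file names in the usage note are the ones from the comment, assumed to be downloaded to ~/Downloads.

```shell
#!/bin/sh
# Added example harness for the testing procedure in this bug (not the
# project's own tooling). Assumes GNU coreutils 'timeout' and 'gst-play-1.0'
# from gstreamer1.0-gme are installed.

# How long to let a file play before concluding the decoder survived.
# The fixed library plays the samples for 2:30 with no audio, so a cut-off
# well below that is enough to tell "still decoding" from "crashed".
PLAY_SECONDS=${PLAY_SECONDS:-10}

# classify_exit STATUS
# Map the exit status of 'timeout N gst-play-1.0 FILE' to a verdict.
# timeout exits 124 when the limit hits while the player is still running;
# if the player is killed by a signal, timeout re-raises it, so the shell
# sees 128 + signal number (139 = SIGSEGV, 134 = SIGABRT).
classify_exit() {
    case "$1" in
        0)   echo "exited-normally" ;;
        124) echo "still-playing" ;;
        139) echo "segfault" ;;
        134) echo "abort" ;;
        *)
            if [ "$1" -gt 128 ]; then
                echo "killed-by-signal-$(( $1 - 128 ))"
            else
                echo "error-exit-$1"
            fi
            ;;
    esac
}

# run_spc_test FILE
# Play FILE under the timeout, silence the player's output, and print
# "FILE: verdict". Returns 0 only when the decoder survived the whole window.
run_spc_test() {
    file=$1
    timeout "$PLAY_SECONDS" gst-play-1.0 "$file" >/dev/null 2>&1
    verdict=$(classify_exit $?)
    printf '%s: %s\n' "$file" "$verdict"
    [ "$verdict" = "still-playing" ]
}

# When run as a script, test every file given on the command line.
# With the vulnerable library the two samples report "segfault";
# after the update they should report "still-playing".
for f in "$@"; do
    run_spc_test "$f"
done
```

Usage: save as spc_test.sh and run `sh spc_test.sh ~/Downloads/gnome_calc_fedora_25_libc_2.24-3.spc ~/Downloads/xcalc_ubuntu_16.04_libc_2.23-0ubuntu3.spc`. Any verdict other than still-playing for a file that the fixed library is expected to decode is worth a closer look; an abort usually means glibc caught heap corruption before the process reached a bad pointer, which is still a crash in the decoder.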
You can also play such files with VLC if you install the vlc-plugin-gme package.
Assignee: rverschelde => qa-bugs
Confirmed the segfaults and the lack thereof after the update. I was also able to play an SPC file I have of Aquatic Ambiance from Donkey Kong Country :D.
Whiteboard: has_procedure => has_procedure MGA5-64-OK
Full details on these vulnerabilities: https://scarybeastsecurity.blogspot.com/2016/12/redux-compromising-linux-using-snes.html
URL: https://lwn.net/Vulnerabilities/709341/ => https://lwn.net/Vulnerabilities/709663/
Installed this on i686 machine. Tried file.

$ uname -a
Linux localhost 4.4.36-desktop-2.mga5 #1 SMP Tue Dec 6 17:31:54 UTC 2016 i686 i686 i686 GNU/Linux

Seems to work properly.

Brian
CC: (none) => brtians1
Whiteboard: has_procedure MGA5-64-OK => has_procedure MGA5-64-OK mga5-32-ok
Validated; advisoried from Comment 1.
Keywords: (none) => validated_update
Whiteboard: has_procedure MGA5-64-OK mga5-32-ok => has_procedure MGA5-64-OK mga5-32-ok advisory
CC: (none) => lewyssmith, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0428.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED