Bug 19952 - game-music-emu new security issues CVE-2016-995[789], CVE-2016-996[01]
Summary: game-music-emu new security issues CVE-2016-995[789], CVE-2016-996[01]
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: All
OS: Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: https://lwn.net/Vulnerabilities/709663/
Whiteboard: has_procedure MGA5-64-OK mga5-32-ok a...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2016-12-15 15:39 CET by David Walser
Modified: 2016-12-29 11:30 CET

See Also:
Source RPM: game-music-emu-0.6.0-5.mga6.src.rpm
CVE:
Status comment:

Description David Walser 2016-12-15 15:39:07 CET
Debian has issued an advisory today (December 15):
https://www.debian.org/security/2016/dsa-3735

CVE request:
http://openwall.com/lists/oss-security/2016/12/15/1

Mageia 5 is also affected.
David Walser 2016-12-15 15:39:14 CET

Whiteboard: (none) => MGA5TOO

David Walser 2016-12-15 17:08:48 CET

URL: (none) => https://lwn.net/Vulnerabilities/709341/

Comment 1 Rémi Verschelde 2016-12-15 18:59:54 CET
Fixed in Cauldron with game-music-emu-0.6.1-1.mga6.

Pushing the same version to Mageia 5, as it's only a couple commits ahead of 0.6.0 and contains only bugfixes (including this security bugfix).


Suggested advisory:
===================

Updated game-music-emu packages fix security vulnerabilities

  Chris Evans discovered that incorrect emulation of the SPC700 audio
  co-processor of the Super Nintendo Entertainment System allows the execution
  of arbitrary code if a malformed SPC music file is opened (CVE-2016-9957,
  CVE-2016-9958, CVE-2016-9959, CVE-2016-9960, CVE-2016-9961).

References:

- http://scarybeastsecurity.blogspot.de/2016/12/redux-compromising-linux-using-snes.html
- https://www.debian.org/security/2016/dsa-3735
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9957
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9958
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9959
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9960
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9961


SRPM in core/updates_testing:
=============================

game-music-emu-0.6.1-1.mga5


RPMs in core/updates_testing:
=============================

lib(64)gme0-0.6.1-1.mga5
lib(64)gme-devel-0.6.1-1.mga5

Version: Cauldron => 5
Summary: game-music-emu new security issue => game-music-emu new security issues CVE-2016-995[789], CVE-2016-996[01]
Whiteboard: MGA5TOO => (none)

Comment 2 David Walser 2016-12-15 19:01:32 CET
Unless the DSA adds the CVEs, please include the CVE assignment in the refs:
http://openwall.com/lists/oss-security/2016/12/15/11

Thanks.
Comment 3 Rémi Verschelde 2016-12-15 19:17:45 CET
Testing procedure:
==================

libgme is used in some media players to decode audio formats specific to some console games: vlc, love (would need a love game that uses it, not that easy to find), qmmp, gstreamer1.0-plugins-bad, gstreamer0.10-plugins-bad.

An easy way to reproduce the bug and test the fix, without going too much into the detail, would be:

- Install gstreamer1.0-gme
- Download those two files from the original security vulnerability description:
https://security.appspot.com/security/spc/gnome_calc_fedora_25_libc_2.24-3.spc
https://security.appspot.com/security/spc/xcalc_ubuntu_16.04_libc_2.23-0ubuntu3.spc
- Try to run them, e.g. with:
$ gst-play-1.0 ~/Downloads/gnome_calc_fedora_25_libc_2.24-3.spc
$ gst-play-1.0 ~/Downloads/xcalc_ubuntu_16.04_libc_2.23-0ubuntu3.spc

Before the update, they should trigger a segmentation fault, or if you're lucky, open gnome-calculator (that part of the original report doesn't work for me, but I guess it's distro dependent).

After the update, it should actually play those files for 2:30 minutes, though they don't have any sound, but that's normal.


To test the actual playback of valid music, you can e.g. download this archive and try gst-play-1.0 on some of the files: http://www.zophar.net/soundfiles/nintendo-snes-spc/final-fantasy-vi/Final%20Fantasy%20VI%20(EMU).zophar.zip
Note that those music files are copyrighted material extracted from a game, so unless you possess the original game, it's best if you delete those files after the test ;)
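The before/after check from the testing procedure above, as an added script that is not part of this bug report. It assumes gst-play-1.0 (gstreamer1.0-tools) and the gstreamer1.0-gme plugin are installed, that the .spc files named in the procedure were already saved under $SPC_DIR, and it uses GNU coreutils `timeout` to bound playback; the "segfault"/"ok" verdicts are this script's own naming.

```shell
#!/bin/sh
# Regression check for the libgme SPC fix: play each sample file for a bounded
# time and report whether the player crashed (SIGSEGV) or ran cleanly.
# Before the update the malformed files are expected to give "segfault";
# after the update they should give "ok" or "ok-timeout" (still playing silence).
SPC_DIR="${SPC_DIR:-$HOME/Downloads}"      # assumption: where the .spc files were saved
PLAY_SECONDS="${PLAY_SECONDS:-10}"         # assumption: how long to let a file play

# Map the exit status of `timeout gst-play-1.0 FILE` to a verdict.
#   0   -> player exited normally (file parsed and played, or rejected cleanly)
#   124 -> timeout expired while still playing: no crash
#   139 -> 128+11, player killed by SIGSEGV: the bug is still present
classify_exit() {
    case "$1" in
        0)   echo "ok" ;;
        124) echo "ok-timeout" ;;
        139) echo "segfault" ;;
        *)
            if [ "$1" -gt 128 ] && [ "$1" -lt 160 ]; then
                echo "killed-by-signal-$(( $1 - 128 ))"   # any other fatal signal
            else
                echo "error-$1"                          # ordinary non-zero exit
            fi ;;
    esac
}

# Play one file with audio discarded (fakesink) and print the verdict.
check_spc() {
    timeout "$PLAY_SECONDS" gst-play-1.0 --audiosink=fakesink "$1" >/dev/null 2>&1
    classify_exit $?
}

# main EXPECTED FILE...: EXPECTED is "segfault" (before) or "ok" (after);
# "ok" also accepts "ok-timeout". Returns 1 if any file deviates.
main() {
    expected="$1"; shift
    fail=0
    for f in "$@"; do
        verdict=$(check_spc "$f")
        printf '%-60s %s\n' "$f" "$verdict"
        case "$verdict" in "$expected"*) ;; *) fail=1 ;; esac
    done
    return $fail
}

# Usage: sh check_spc.sh segfault "$SPC_DIR"/*.spc   (before the update)
#        sh check_spc.sh ok "$SPC_DIR"/*.spc         (after the update)
if [ "$#" -gt 0 ]; then main "$@"; fi
```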
Rémi Verschelde 2016-12-15 19:18:14 CET

Whiteboard: (none) => has_procedure

Comment 4 Rémi Verschelde 2016-12-15 19:20:04 CET
You can also play such files with VLC if you install the vlc-plugin-gme package.
Rémi Verschelde 2016-12-15 19:25:33 CET

Assignee: rverschelde => qa-bugs

Comment 5 David Walser 2016-12-17 20:08:56 CET
Confirmed the segfaults and the lack thereof after the update.  I was also able to play an SPC file I have of Aquatic Ambiance from Donkey Kong Country :D.

Whiteboard: has_procedure => has_procedure MGA5-64-OK

Comment 6 David Walser 2016-12-18 16:11:44 CET
Full details on these vulnerabilities:
https://scarybeastsecurity.blogspot.com/2016/12/redux-compromising-linux-using-snes.html
David Walser 2016-12-22 16:12:07 CET

URL: https://lwn.net/Vulnerabilities/709341/ => https://lwn.net/Vulnerabilities/709663/

Comment 7 Brian Rockwell 2016-12-23 00:11:35 CET
Installed this on an i686 machine.  Tried file.

$ uname -a
Linux localhost 4.4.36-desktop-2.mga5 #1 SMP Tue Dec 6 17:31:54 UTC 2016 i686 i686 i686 GNU/Linux


Seems to work properly.

Brian

CC: (none) => brtians1
Whiteboard: has_procedure MGA5-64-OK => has_procedure MGA5-64-OK mga5-32-ok

Comment 8 Lewis Smith 2016-12-28 10:36:52 CET
Validated; advisoried from Comment 1.

Keywords: (none) => validated_update
Whiteboard: has_procedure MGA5-64-OK mga5-32-ok => has_procedure MGA5-64-OK mga5-32-ok advisory
CC: (none) => lewyssmith, sysadmin-bugs

Comment 9 Mageia Robot 2016-12-29 11:30:21 CET
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0428.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED
