Bug 20237 - gstreamer1.0-plugins-good new security issues CVE-2016-1019[89] and CVE-2017-584[015]
Summary: gstreamer1.0-plugins-good new security issues CVE-2016-1019[89] and CVE-2017-...
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 5
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: https://lwn.net/Vulnerabilities/713774/
Whiteboard: MGA5-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2017-02-02 12:15 CET by David Walser
Modified: 2017-09-21 15:44 CEST (History)
7 users (show)

See Also:
Source RPM: gstreamer1.0-plugins-good-1.4.3-2.1.mga5.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2017-02-02 12:15:05 CET
CVEs have been assigned for several security issues fixed in gstreamer 1.10.3:
http://openwall.com/lists/oss-security/2017/02/02/9

Five of those affect plugins-good.  Mageia 5 may be affected.
Comment 1 Marja Van Waes 2017-02-02 16:03:59 CET
Assigning to all packagers collectively, since there is no registered maintainer for this package.

CC: (none) => marja11
Assignee: bugsquad => pkg-bugs

David Walser 2017-02-07 12:09:01 CET

URL: (none) => https://lwn.net/Vulnerabilities/713774/

Comment 2 David Walser 2017-02-21 12:16:19 CET
gstreamer0.10-plugins-good also affected:
https://lwn.net/Alerts/714997/
David Walser 2017-02-21 12:27:55 CET

Assignee: pkg-bugs => shlomif

Comment 3 David Walser 2017-04-20 12:02:23 CEST
openSUSE has issued an advisory for this on April 19:
https://lists.opensuse.org/opensuse-updates/2017-04/msg00073.html
Comment 4 Nicolas Lécureuil 2017-08-22 15:27:41 CEST
pushed in updates_testing
src.rpm:
        gstreamer1.0-plugins-good-1.4.3-2.2.mga5
        gstreamer0.10-plugins-good-0.10.31-9.1.mga5

Assignee: shlomif => qa-bugs
CC: (none) => mageia

Comment 5 David Walser 2017-08-22 16:51:31 CEST
Advisory:
========================

Updated gstreamer0.10-plugins-good and gstreamer1.0-plugins-good packages fix
security vulnerabilities:

A crafted AAC audio file could have caused an invalid read and thus corruption
or denial of service (CVE-2016-10198).

A crafted mp4 file could have caused an invalid read and thus corruption or
denial of service (CVE-2016-10199).

A crafted AVI file could have caused an invalid read and thus corruption or
denial of service (CVE-2017-5840).

A crafted AVI file with metadata tag entries (ncdt) could have caused invalid
read access and thus corruption or denial of service (CVE-2017-5841).

A crafted AVI file could have caused an invalid read access resulting in denial
of service (CVE-2017-5845).

Note that GStreamer 0.10 was only affected by CVE-2016-10198 and CVE-2017-5840.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10198
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10199
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5840
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5841
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5845
http://openwall.com/lists/oss-security/2017/02/02/9
https://lists.opensuse.org/opensuse-updates/2017-04/msg00073.html
https://lwn.net/Alerts/714997/
========================

Updated packages in core/updates_testing:
========================
gstreamer0.10-plugins-good-0.10.31-9.1.mga5
gstreamer0.10-plugins-good-debuginfo-0.10.31-9.1.mga5
gstreamer0.10-jack-0.10.31-9.1.mga5
gstreamer0.10-soup-0.10.31-9.1.mga5
gstreamer0.10-pulse-0.10.31-9.1.mga5
gstreamer0.10-dv-0.10.31-9.1.mga5
gstreamer0.10-speex-0.10.31-9.1.mga5
gstreamer0.10-raw1394-0.10.31-9.1.mga5
gstreamer0.10-flac-0.10.31-9.1.mga5
gstreamer0.10-aalib-0.10.31-9.1.mga5
gstreamer0.10-caca-0.10.31-9.1.mga5
gstreamer0.10-wavpack-0.10.31-9.1.mga5
gstreamer1.0-plugins-good-1.4.3-2.2.mga5
gstreamer1.0-plugins-good-debuginfo-1.4.3-2.2.mga5
gstreamer1.0-jack-1.4.3-2.2.mga5
gstreamer1.0-soup-1.4.3-2.2.mga5
gstreamer1.0-pulse-1.4.3-2.2.mga5
gstreamer1.0-dv-1.4.3-2.2.mga5
gstreamer1.0-speex-1.4.3-2.2.mga5
gstreamer1.0-raw1394-1.4.3-2.2.mga5
gstreamer1.0-flac-1.4.3-2.2.mga5
gstreamer1.0-aalib-1.4.3-2.2.mga5
gstreamer1.0-caca-1.4.3-2.2.mga5
gstreamer1.0-vp8-1.4.3-2.2.mga5
gstreamer1.0-wavpack-1.4.3-2.2.mga5

from SRPMS:
gstreamer0.10-plugins-good-0.10.31-9.1.mga5.src.rpm
gstreamer1.0-plugins-good-1.4.3-2.2.mga5.src.rpm
Comment 6 Herman Viaene 2017-08-26 11:51:09 CEST
MGA5-32 on Asus A6000VM
No installation issues.
Tried to figure out how to test these.
Played .wav file with mplayer, parole and vlc, but only parole shows calls to gstreamer in the trace.

CC: (none) => herman.viaene

Comment 7 Lewis Smith 2017-08-28 09:55:43 CEST
From Comment 5, it looks as if the least we can do is try these things with .aac .mp4 .avi files. Surprised that .mp4 does not require tainted/bad plugins.

 $ urpmq --whatrequires gstreamer0.10-plugins-good | sort | uniq
canta
exaile
gnac
luciole
mopidy
perroquet
psi-plugin-media
radiotray
soundconverter
task-sugar

 $ urpmq --whatrequires gstreamer1.0-plugins-good | sort | uniq
audio-recorder
cheese
gmusicbrowser
gnome-dvb-daemon
goobox
guayadeque
kamoso
knowthelist
mate-applet-streamer
parole
peek
phonon4qt5-gstreamer
phonon-gstreamer
rygel
rhythmbox
sound-juicer
subtitleeditor
totem
xplayer

CC: (none) => lewyssmith

Comment 8 Len Lawrence 2017-08-28 19:07:42 CEST
If nobody else has a strong interest I shall test these on mga5:x86_64.
There are poc files available which need to be run but given our past experience with such things they may not prove to be very useful.
0.10: gnac can be used for audio conversions
1.0: parole, totem.

Back later.

CC: (none) => tarazed25

Comment 9 Len Lawrence 2017-08-28 21:24:36 CEST
Looks like the PoCs could be useful.  A preliminary look shows one of them segfaulting before the update and being handled cleanly afterwards.
To be continued....
Comment 10 Len Lawrence 2017-08-28 23:48:34 CEST
There are a few plugins from tainted but they don't belong to this update.
Tried running inside valgrind but did not find that particularly useful.
Ran the files with totem to pinpoint the 1.0 plugins - the full set of 0.1 plugins not yet installed.  All tests are before updating.

CVE-2016-10198
gst_aac_parse_sink_setcaps.aac
segfault

CVE-2016-10199
qtdemux.mp4
"This file contains no playable streams"

CVE-2017-5840
oob-qtdemux_parse_samples.mp4
A program requires an additional plugin to decode this file
= audio/x-gst-fourcc-000 decoder
Do you want to search for this now? -> Cancel
In the terminal:
** Message: PackageKit: structure: gstreamer1(decoder-audio/x-gst-fourcc-0000)()(64bit)
<This may be covered in tainted - something to do with the aac codec ??>

CVE-2017-5841
DSC_0131.AVI
Played 5 second clip which restarted automatically, played and stopped.

CVE-2017-5845
DSCN0902.AVI
segfault
Comment 11 Len Lawrence 2017-08-29 00:32:46 CEST
A bit of a puzzle here.  The gstreamer0.10-plugins-good and others listed in comment 5 seem to be in core updates already, not in updates testing, so it is difficult to look at anything before the updates.

$ rpm -qa | grep gstreamer0.10
gstreamer0.10-tools-0.10.36-12.mga5
gstreamer0.10-gnomevfs-0.10.36-9.1.mga5
gstreamer0.10-pulse-0.10.31-9.1.mga5
lib64gstreamer0.10_0-0.10.36-12.mga5
gstreamer0.10-plugins-base-0.10.36-9.1.mga5
gstreamer0.10-python-0.10.22-8.mga5

# urpmi gstreamer0.10-plugins-good
To satisfy dependencies, the following packages are going to be installed:
  Package                        Version      Release       Arch    
(medium "Core Updates (distrib3)")
  gstreamer0.10-plugins-good     0.10.31      9.1.mga5      x86_64  
  gstreamer0.10-soup             0.10.31      9.1.mga5      x86_64  (recommended)
4.8MB of additional disk space will be used.
1.3MB of packages will be retrieved.
Proceed with the installation of the 2 packages? (Y/n) n
Comment 12 Lewis Smith 2017-09-10 20:52:27 CEST
I agree with Len Comment 11. Looking at the RPMs link, all the 'gstreamer0.10' pkgs are already in Updates, issued.
Setting feedback for this point.

The 'gstreamer1.0' pkgs are indeed updates from the current issue '-1.4.3-2.1.mga5'. 
To complicate things further, I have packages installed from both groups which are not in these packages lists, at different or advanced versions - presumably from other SRPMs; and several listed packages missing from my system! Without ever having meddled in this area, beyond enabling 'tainted' where a few such packages exist in both lists for my installed system.
A veritable worm's nest.

Keywords: (none) => feedback

Comment 13 David Walser 2017-09-16 04:00:50 CEST
The subrel was defined in the wrong place in the SPEC by the previous update (by Shlomi) for gstreamer0.10-plugins-good so Nicolas missed it and redefined in the correct place as 1 again.  I've fixed that and rebuilt it.

Now the SRPMS are:
gstreamer0.10-plugins-good-0.10.31-9.1.mga5.src.rpm
gstreamer1.0-plugins-good-1.4.3-2.2.mga5.src.rpm

Beyond that, I can't follow what Lewis is talking about.

CC: (none) => shlomif
Keywords: feedback => (none)

Comment 14 Lewis Smith 2017-09-17 21:32:26 CEST
> Beyond that, I can't follow what Lewis is talking about.
Not sure now myself! I think confusion about other gstreamer0.10 packages with different version numbers, from different SRPMs.

But we are still at the undisputable point where all alleged updated gstreamer0.10 packages listed in comment 5 as version -0.10.31-9.1.mga5 are *already* issued at this version. Having installed normally the packages I did not already have, my list is:
 gstreamer0.10-soup-0.10.31-9.1.mga5
 gstreamer0.10-wavpack-0.10.31-9.1.mga5
 gstreamer0.10-aalib-0.10.31-9.1.mga5
 gstreamer0.10-pulse-0.10.31-9.1.mga5
 gstreamer0.10-flac-0.10.31-9.1.mga5
 gstreamer0.10-speex-0.10.31-9.1.mga5
 gstreamer0.10-caca-0.10.31-9.1.mga5
 gstreamer0.10-dv-0.10.31-9.1.mga5
 gstreamer0.10-raw1394-0.10.31-9.1.mga5
 gstreamer0.10-plugins-good-0.10.31-9.1.mga5
 gstreamer0.10-jack-0.10.31-9.1.mga5
i.e. the same as in this update. So something is wrong.
We are only questioning that these packages seem to have not been updated, hence should not be in this update at all. Indeed, the RPMs bug link shows for these pkgs 'core-updates' (issued), while the gstreamer1.0 lot are indeed in 'core-updates_testing' (to test).
It makes quite a difference to what we should test, and touches the Advisory.
Comment 15 David Walser 2017-09-17 21:49:17 CEST
No, the subrel has been increased on the 0.10 one.  Looks like I typoed that in my last comment.

Now the SRPMS are:
gstreamer0.10-plugins-good-0.10.31-9.2.mga5.src.rpm
gstreamer1.0-plugins-good-1.4.3-2.2.mga5.src.rpm

As for the other gstreamer packages from other SRPMS, those are in other bugs and aren't relevant to this one.
Comment 16 Lewis Smith 2017-09-19 09:33:37 CEST
(In reply to David Walser from comment #15)
> Now the SRPMS are:
> gstreamer0.10-plugins-good-0.10.31-9.2.mga5.src.rpm
> gstreamer1.0-plugins-good-1.4.3-2.2.mga5.src.rpm
And at last the 'gstreamer0.10' things are indeed at -0.10.31-9.2.mga5 and in 'core-updates_testing' for the first time. So the updated packages list now looks like:
gstreamer0.10-aalib-0.10.31-9.2.mga5.
gstreamer0.10-caca-0.10.31-9.2.mga5
gstreamer0.10-dv-0.10.31-9.2.mga5
gstreamer0.10-flac-0.10.31-9.2.mga5
gstreamer0.10-jack-0.10.31-9.2.mga5
gstreamer0.10-plugins-good-0.10.31-9.2.mga5
gstreamer0.10-pulse-0.10.31-9.2.mga5
gstreamer0.10-raw1394-0.10.31-9.2.mga5
gstreamer0.10-soup-0.10.31-9.2.mga5
gstreamer0.10-speex-0.10.31-9.2.mga5
gstreamer0.10-wavpack-0.10.31-9.2.mga5

gstreamer1.0-aalib-1.4.3-2.2.mga5
gstreamer1.0-caca-1.4.3-2.2.mga5
gstreamer1.0-dv-1.4.3-2.2.mga5
gstreamer1.0-flac-1.4.3-2.2.mga5
gstreamer1.0-jack-1.4.3-2.2.mga5
gstreamer1.0-plugins-good-1.4.3-2.2.mga5
gstreamer1.0-pulse-1.4.3-2.2.mga5
gstreamer1.0-raw1394-1.4.3-2.2.mga5
gstreamer1.0-soup-1.4.3-2.2.mga5
gstreamer1.0-speex-1.4.3-2.2.mga5
gstreamer1.0-vp8-1.4.3-2.2.mga5
gstreamer1.0-wavpack-1.4.3-2.2.mga5

from:
gstreamer0.10-plugins-good-0.10.31-9.2.mga5.src.rpm
gstreamer1.0-plugins-good-1.4.3-2.2.mga5.src.rpm

We can resume testing. Reminder: "it looks as if the least we can do is try these things with .aac .mp4 .avi files" (none of which I have); application lists comment 7.
@Len : since you researched the PoCs used in comment 10, can you give their URLs?
Comment 17 Len Lawrence 2017-09-19 13:00:05 CEST
URLs for the PoC images referred to in comment 8

CVE-2016-10198 : https://bugzilla.gnome.org/show_bug.cgi?id=775450
CVE-2016-10199 : https://bugzilla.gnome.org/show_bug.cgi?id=775451
CVE-2017-5840  : https://bugzilla.gnome.org/show_bug.cgi?id=777469
CVE-2017-5841  : https://samples.mplayerhq.hu/ffmpeg-bugs/trac/ticket3279/DSC_0131.AVI
CVE-2017-5845  : https://samples.mplayerhq.hu/ffmpeg-bugs/trac/ticket3330/DSC_0902.AVI

These files are intended to be tested within an ASAN framework so may not provide any extra information after an update if simply opened, using identify for instance.  Sometimes the only difference that can be seen is the absence of segfaults or aborts which in itself indicates that the particular patch has addressed the vulnerability.

Sidebar: What is ASAN?
ASAN = Address Sanitization which is an option for the GCC and Clang compilers (and maybe others) which overrides malloc to provide checks for buffer overflows and use-after-free issues.  One reason it is not used by default is the extra time and memory required for the checks and its use within QA is not recommended because it involves local builds, which could go wrong and which would tend to overload testers.
Comment 18 Len Lawrence 2017-09-20 12:20:39 CEST
Back on this, starting from version 1.4.3-2.1 for the 1.0 plugins.
Comment 19 Len Lawrence 2017-09-20 19:18:46 CEST
Testing on mga5 for x86_64
Before the update gstreamer1.0-plugins-good were at version 1.4.3-2.1.

CVE-2016-10198
$ valgrind totem gst_aac_parse_sink_setcaps.aac
.................
(gst-plugin-scanner:28281): GStreamer-CRITICAL **: gst_structure_new_empty: assertion 'gst_structure_validate_name (name)' failed
==28271== Invalid write of size 8
.................
<finishing with HEAP, LEAK and ERROR summaries>

CVE-2016-10199
$ valgrind totem qtdemux.mp4
totem window appeared with the message "This file contains no playable streams".
Copious output from valgrind.

CVE-2017-5840
$ valgrind totem oob-qtdemux_parse_samples.mp4
The totem window came up noting that an additional plugin was required, presumably for a tainted codec (audio/x-gst-fourcc-0000 decoder)
task-codec-audio-4-4.mga5.tainted.noarch was already installed.

CVE-2017-5841
$ valgrind totem DSC_0131.AVI
totem played the clip fine but valgrind reported 284 errors.

CVE-2017-5845
$ valgrind totem DSC_0902.AVI
...............
==27186== Invalid write of size 8
,,,,,,

totem segfaulted immediately.

Not a lot to go on here.

Ran the update.
- gstreamer1.0-aalib-1.4.3-2.2.mga5.x86_64
- gstreamer1.0-caca-1.4.3-2.2.mga5.x86_64
- gstreamer1.0-dv-1.4.3-2.2.mga5.x86_64
- gstreamer1.0-flac-1.4.3-2.2.mga5.x86_64
- gstreamer1.0-jack-1.4.3-2.2.mga5.x86_64
- gstreamer1.0-plugins-good-1.4.3-2.2.mga5.x86_64
- gstreamer1.0-pulse-1.4.3-2.2.mga5.x86_64
- gstreamer1.0-raw1394-1.4.3-2.2.mga5.x86_64
- gstreamer1.0-soup-1.4.3-2.2.mga5.x86_64
- gstreamer1.0-speex-1.4.3-2.2.mga5.x86_64
- gstreamer1.0-vp8-1.4.3-2.2.mga5.x86_64
- gstreamer1.0-wavpack-1.4.3-2.2.mga5.x86_64

$ totem gst_aac_parse_sink_setcaps.aac
totem objected:
This file is corrupt and cannot be played.

$ totem qtdemux.mp4
This file contains no playable streams.

$ totem qtdemux.mp4
** Message: Missing plugin: gstreamer|1.0|totem|audio/x-gst-fourcc-0000 decoder
Cancelled.

$ totem DSC_0131.AVI
As before this played fine.

$ totem DSC_0902.AVI0
This also played OK.

Again, not much to go on, although the last test showed no sign of having encountered the error which made totem crash before.  When run with valgrind it reported memory leaks and counted 115 errors.  There is no way of knowing if valgrind is detecting errors unrelated to the current bug.

General conclusion: the PoCs are not of much help to QA.

Utility tests coming up.
Comment 20 Len Lawrence 2017-09-20 20:58:29 CEST
Utility tests.
To check gstreamer-plugins for various audio formats totem seems as good as any.
Tried it out on various music files, some with video, using bluetooth audio and keeping an eye on pavucontrol.
 
$ totem TheLassOfFyvie.mp3
$ totem TheCreaturesOfPrometheus_overture.flac
$ totem ToccataEfuga_BWV565_KarlRichter.mp4
$ totem CherryOhBaby.ogg
$ totem Chiomiscordidite.aac
$ totem sunday.xm
$ totem marseillaise.aiff
$ totem HarpConcerto_inBflatmajor.wav
$ totem CharlotteChurch_MenOfHarlech.flv

No problems with any of these.  Note that the earlier PoC tests with valgrind contained references to the gstreamer-plugins.  Running the following and checking the trace file with grep turned up multiple references to gstreamer1.0 along with instances of libgstflac.so, libgst1394.so, libgstsouphttpsrc.so, libgstjack.so, libgstspeex.so, libgstwavpack.so and so on.
$ strace totem RedRedWine.ogg 2> trace
Which demonstrates that totem is heavily involved with gstreamer1.0 plugins.

Giving this the 64-bit OK.
Len Lawrence 2017-09-20 20:58:47 CEST

Whiteboard: (none) => MGA5-64-OK

Comment 21 Lewis Smith 2017-09-21 09:28:47 CEST
Advisory from comments 5 & 15.
Thanks Len for doing this thorny one. Validating.

Keywords: (none) => advisory, validated_update
CC: (none) => sysadmin-bugs

Comment 22 Mageia Robot 2017-09-21 15:44:22 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2017-0348.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED


Note You need to log in before you can comment on or make changes to this bug.