Bug 20357 - libquicktime new security issue CVE-2016-2399
Summary: libquicktime new security issue CVE-2016-2399
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 5
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
Whiteboard: advisory MGA5-64-OK MGA5-32-OK
Keywords: validated_update
Depends on:
Reported: 2017-02-26 17:12 CET by David Walser
Modified: 2017-03-25 17:57 CET (History)
6 users (show)

See Also:
Source RPM: libquicktime-1.2.4-13.mga6.src.rpm
Status comment:

Python script to generate PoC data file (3.67 KB, text/plain)
2017-03-02 23:12 CET, Len Lawrence
Exploit file for CVE-2016-2399 (818 bytes, application/octet-stream)
2017-03-02 23:19 CET, Len Lawrence
Testing notes before update (1.73 KB, text/plain)
2017-03-02 23:23 CET, Len Lawrence

Description David Walser 2017-02-26 17:12:38 CET
openSUSE has issued an advisory on February 22:

Lots more info including references and a reproducer in the SUSE bug:

Mageia 5 is also affected.
David Walser 2017-02-26 17:12:51 CET

Whiteboard: (none) => MGA5TOO

Comment 1 Marja Van Waes 2017-02-27 07:44:00 CET
Assigning to all packagers collectively, since there is no registered maintainer for this package.

CC: (none) => marja11
Assignee: bugsquad => pkg-bugs

Comment 2 Nicolas Salguero 2017-03-02 14:57:14 CET
Suggested advisory:

The updated packages fix a security vulnerability:

Integer overflow in the quicktime_read_pascal function in libquicktime 1.2.4 and earlier allows remote attackers to cause a denial of service or possibly have other unspecified impact via a crafted hdlr MP4 atom. (CVE-2016-2399)


Updated packages in core/updates_testing:

from SRPMS:

Updated packages in tainted/updates_testing:

from SRPMS:

CC: (none) => nicolas.salguero
Version: Cauldron => 5
Assignee: pkg-bugs => qa-bugs
Whiteboard: MGA5TOO => (none)

Comment 3 Len Lawrence 2017-03-02 19:55:30 CET
About to run this on x86_64 hardware.

CC: (none) => tarazed25

Comment 4 Len Lawrence 2017-03-02 23:10:32 CET
There is a PoC available, attached here.  This was used to test libquicktime before the update.  A segfault occurs when the qtdump program is run against the supplied data, described in the second attachment.  The functionality tests can be deferred to the post-update stage.
Comment 5 Len Lawrence 2017-03-02 23:12:48 CET
Created attachment 9010 [details]
Python script to generate PoC data file
Comment 6 Len Lawrence 2017-03-02 23:19:31 CET
Created attachment 9011 [details]
Exploit file for CVE-2016-2399

Attribution: Kristyna Streitova
Comment 7 Len Lawrence 2017-03-02 23:23:19 CET
Created attachment 9012 [details]
Testing notes before update
Comment 8 Len Lawrence 2017-03-03 01:59:59 CET
Installed packages from Core and Tainted Updates Testing.

$ qtdump nemux_data.mp4
 major brand: AAAA
 minor version: 00000300
 compatible brands: 3gp4 mp41 3gp6 
movie data (mdat)
 size 8
 start 28
movie (moov)
 movie header (mvhd)
     sample size (stsz)
      version 0
      flags 0
      sample_size 0
      total_entries 0
     chunk offset (stco)
      version 0
      flags 0
      total_entries 0

There is no segfault but the analysis shows that file is effectively empty and the integer overflow has been handled gracefully.  Comparison of the traces before and after the update shows that the updated library functions continue analyzing the data
just where the segfault occurred in the pre-update test.

On a genuine quicktime file a large amount of data is produced containing samples sample sizes and ending with offsets.

$ qtdump Baikonur.mp4 > filedump

$ head filedump
 major brand: mp42
 minor version: 00000000
 compatible brands: isom mp42 
movie data (mdat)
 size 1775410436
 start 2758025
movie (moov)
 movie header (mvhd)

$ tail -5 filedump
       offset 13165 1778040744 (69fabfa8)
       offset 13166 1778083719 (69fb6787)
       offset 13167 1778113257 (69fbdae9)
       offset 13168 1778140053 (69fc4395)
       offset 13169 1778163411 (69fc9ed3)

Other tests:
$ libquicktime_config
That brings up a simple gui for the installed audio and video codecs.

$ lqtplay FascinationGratte-ciel.mp4
INFO: playing FascinationGratte-ciel.mp4
Type: MP4
  1 audio tracks.
The player window has no controls or decorations.

$ lqt_transcode -lv             # lists all known video codecs
$ lqt_transcode -la             # likewise for audio
Avoiding actual use on account of lack of knowledge.

$ qt2text TheDisappearance_4.mp4
Time: 0 (0.000000 seconds), Duration: 99600 (99.600000 seconds), String:
Time: 99600 (99.600000 seconds), Duration: 2160 (2.160000 seconds), String:

and so on.  Obviously subtitles.

$ qtdechunk Albatross.mp4 ppm

This produces a very large number of frame files of this sort:
$ file ppm000499
ppm000499: AIX core file fulldump 32-bit, n\222@)\362=\303\360\367\233\312n\265\013\215\274[\3757\336\324\246%qs\011U]\231\304\342kR\343\233\004\211
$ qtinfo Albatross.mp4
Type: MP4
  1 audio tracks.
    2 channels, 16 bits, sample rate 48000, length 243329008 samples, compressor mp4a.
    Sample format: Floating point.
    Channel setup: Front Left, Front Right
    Language: und
  1 video tracks.
    1280x720, depth 24
    rate 25.000000 [16000:640] constant
    length 126734 frames
    compressor avc1.
    Native colormodel:  YUV 4:2:0 planar
    Interlace mode:     None (Progressive)
    Chroma placement: MPEG-2
    No timecodes available
  0 text tracks.

The documentation says RGB frames are dechunked but this file seems to be YUV.

Had a go at reconstituting the clip from the original.
$ ls -c1 ppm* > ppms
$ sort ppms > frames
$ qtrechunk -f 25.0 -w 1280 -h 720 frames test.mov
Rate: 25.000000 (0:0)
100.00% Completed

test.mov would not play in vlc.  It was a very short clip and maybe lacked important data.  The original dump was interrupted.  Or more likely the problem might be that the original movie did not contain RGB frames.

$ qtyuv4toyuv TheDisappearance_4.mp4 test.yuv
This had to be interrupted.  vlc refused to play it on the grounds that 
Codec `I420' (Planar 4:2:0 YUV) is not supported.  It should not be expected to play but the error indicates that the conversion had succeeded.

It is hard to say if the library is OK without more expert knowledge but in general it seems to function and the integer overflow issue has been dealt with.
Comment 9 Len Lawrence 2017-03-03 10:28:52 CET
Referring to comment 8

"$ qtyuv4toyuv TheDisappearance_4.mp4 test.yuv
This had to be interrupted.  vlc refused to play it on the grounds that 
Codec `I420' (Planar 4:2:0 YUV) is not supported.  It should not be expected to play but the error indicates that the conversion had succeeded."

Does not prove anything in fact.
Ignore that test - needs to be redone.
Dave Hodgins 2017-03-08 04:08:31 CET

CC: (none) => davidwhodgins
Whiteboard: (none) => advisory

Comment 10 Len Lawrence 2017-03-09 18:03:15 CET
The tests are positive enough to clear this for 64-bit.  Giving it the OK.
Len Lawrence 2017-03-09 18:03:34 CET

Whiteboard: advisory => advisory MGA5-64-OK

Comment 11 Brian Rockwell 2017-03-22 02:24:43 CET
not sure about 32-bit

The following 3 packages are going to be installed:

- libquicktime-1.2.4-10.1.mga5.i586
- libquicktime-dv-1.2.4-10.1.mga5.i586
- libquicktime-progs-1.2.4-10.1.mga5.i586

1.9MB of additional disk space will be used.

317KB of packages will be retrieved.

Is it ok to continue?

$ qtdump nemux_data.mp4
Segmentation fault

Keywords: (none) => NEEDHELP
CC: (none) => brtians1

Comment 12 Nicolas Salguero 2017-03-22 10:16:42 CET

I think you forgot one package: libquicktime0-1.2.4-10.1.mga5.i586.  With that package, in my tests, I cannot trigger the segmentation fault.

Best regards,

Comment 13 Dave Hodgins 2017-03-25 02:25:58 CET
On i586, confirmed bug before update ...
$ qtdump nemux_data.mp4 
Segmentation fault

With Core updates testing enabled, ran urpmi libquicktime libquicktime0 libquicktime-progs

qtdump works without segfault.

Installed tainted updates testing version and confirmed it also fixes the problem.

Keywords: NEEDHELP => validated_update
Whiteboard: advisory MGA5-64-OK => advisory MGA5-64-OK MGA5-32-OK
CC: (none) => sysadmin-bugs

Comment 14 Mageia Robot 2017-03-25 17:57:33 CET
An update for this issue has been pushed to the Mageia Updates repository.


Resolution: (none) => FIXED

Note You need to log in before you can comment on or make changes to this bug.