openSUSE has issued an advisory on February 22:
https://lists.opensuse.org/opensuse-updates/2017-02/msg00102.html

Lots more info including references and a reproducer in the SUSE bug:
https://bugzilla.suse.com/show_bug.cgi?id=1022805

Mageia 5 is also affected.
Whiteboard: (none) => MGA5TOO
Assigning to all packagers collectively, since there is no registered maintainer for this package.
CC: (none) => marja11
Assignee: bugsquad => pkg-bugs
Suggested advisory:
========================

The updated packages fix a security vulnerability:

Integer overflow in the quicktime_read_pascal function in libquicktime 1.2.4 and earlier allows remote attackers to cause a denial of service or possibly have other unspecified impact via a crafted hdlr MP4 atom. (CVE-2016-2399)

References:
https://lists.opensuse.org/opensuse-updates/2017-02/msg00102.html
https://bugzilla.suse.com/show_bug.cgi?id=1022805
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2399
========================

Updated packages in core/updates_testing:
========================
libquicktime-1.2.4-10.1.mga5
lib(64)quicktime0-1.2.4-10.1.mga5
lib(64)quicktime-devel-1.2.4-10.1.mga5
libquicktime-dv-1.2.4-10.1.mga5
libquicktime-progs-1.2.4-10.1.mga5

from SRPMS:
libquicktime-1.2.4-10.1.mga5.src.rpm

Updated packages in tainted/updates_testing:
========================
libquicktime-1.2.4-10.1.mga5.tainted
lib(64)quicktime0-1.2.4-10.1.mga5.tainted
lib(64)quicktime-devel-1.2.4-10.1.mga5.tainted
libquicktime-dv-1.2.4-10.1.mga5.tainted
libquicktime-progs-1.2.4-10.1.mga5.tainted
libquicktime-lame-1.2.4-10.1.mga5.tainted
libquicktime-faad-1.2.4-10.1.mga5.tainted
libquicktime-x264-1.2.4-10.1.mga5.tainted

from SRPMS:
libquicktime-1.2.4-10.1.mga5.tainted.src.rpm
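The advisory describes an integer overflow while reading a Pascal-style (length-prefixed) string out of an hdlr atom. The following is an added illustrative example, written for this page and not libquicktime's own quicktime_read_pascal() or the attached PoC: it reads an MP4 atom header and then a length-prefixed string from the atom payload, rejecting a declared size smaller than the 8-byte header (which would wrap if subtracted blindly) and a length byte that claims more bytes than the atom holds. The sample atoms are constructed here and are not taken from the bug's attachments.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define PASCAL_MAX  255   /* one length byte, so at most 255 payload bytes */
#define ATOM_HEADER 8     /* 32-bit big-endian size + 4-byte type code */

/* Reads an atom header from buf. On success writes the 4CC into type
 * (NUL-terminated, 5 bytes) and the payload length into *payload_len and
 * returns 1. Returns 0 when the header is truncated, when the declared size
 * is smaller than the header itself, or when it claims more bytes than the
 * buffer actually holds. */
int read_atom_header(const uint8_t *buf, size_t buf_len,
                     char type[5], size_t *payload_len)
{
    if (buf == NULL || buf_len < ATOM_HEADER)
        return 0;
    uint32_t size = ((uint32_t)buf[0] << 24) | ((uint32_t)buf[1] << 16) |
                    ((uint32_t)buf[2] << 8)  |  (uint32_t)buf[3];
    if (size < ATOM_HEADER || size > buf_len)
        return 0;
    memcpy(type, buf + 4, 4);
    type[4] = '\0';
    *payload_len = size - ATOM_HEADER;   /* cannot wrap: size >= ATOM_HEADER */
    return 1;
}

/* Reads a Pascal-style string (length byte followed by that many bytes) from
 * payload into out (capacity out_size, NUL-terminated). Returns the number
 * of payload bytes consumed (1 + len), or 0 if the string does not fit. */
size_t read_pascal_checked(const uint8_t *payload, size_t payload_len,
                           char *out, size_t out_size)
{
    if (payload == NULL || payload_len == 0 || out_size == 0)
        return 0;
    size_t len = payload[0];            /* 0..255 */
    if (len > payload_len - 1)          /* declared length exceeds remaining atom bytes */
        return 0;
    if (len + 1 > out_size)             /* no room for the terminator */
        return 0;
    memcpy(out, payload + 1, len);
    out[len] = '\0';
    return 1 + len;
}

/* Parses an atom and the first Pascal string in its payload. Returns the
 * string length, or -1 if either stage rejected the input. */
int first_pascal_string(const uint8_t *buf, size_t buf_len,
                        char *out, size_t out_size)
{
    char type[5];
    size_t payload_len;
    if (!read_atom_header(buf, buf_len, type, &payload_len))
        return -1;
    size_t used = read_pascal_checked(buf + ATOM_HEADER, payload_len,
                                      out, out_size);
    return used ? (int)(used - 1) : -1;
}

/* Constructed sample atoms (hypothetical, not from the bug's PoC). */
static const uint8_t SAMPLE_OK[] = {
    0x00, 0x00, 0x00, 0x0d, 'h', 'd', 'l', 'r',   /* size 13, type hdlr */
    0x04, 'v', 'i', 'd', 'e'                      /* Pascal string "vide" */
};
static const uint8_t SAMPLE_SHORT_SIZE[] = {
    0x00, 0x00, 0x00, 0x04, 'h', 'd', 'l', 'r',   /* size 4 < header: reject */
    0x04, 'v', 'i', 'd', 'e'
};
static const uint8_t SAMPLE_OVERLONG_STR[] = {
    0x00, 0x00, 0x00, 0x0c, 'h', 'd', 'l', 'r',   /* size 12: 4 payload bytes */
    0xc8, 'x', 'y', 'z'                           /* length byte 200, 3 bytes remain */
};

int main(void)
{
    char out[PASCAL_MAX + 1];
    printf("well-formed atom:   %d\n",
           first_pascal_string(SAMPLE_OK, sizeof SAMPLE_OK, out, sizeof out));
    printf("size < header:      %d\n",
           first_pascal_string(SAMPLE_SHORT_SIZE, sizeof SAMPLE_SHORT_SIZE, out, sizeof out));
    printf("overlong string:    %d\n",
           first_pascal_string(SAMPLE_OVERLONG_STR, sizeof SAMPLE_OVERLONG_STR, out, sizeof out));
    return 0;
}
```

Both rejections are made before any subtraction or copy, so a hostile size or length byte cannot drive a negative or wrapped count into memcpy; a reader that derives the remaining byte count from the atom size without the `size < ATOM_HEADER` check is the kind of arithmetic that wraps.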
Status: NEW => ASSIGNED
CC: (none) => nicolas.salguero
Version: Cauldron => 5
Assignee: pkg-bugs => qa-bugs
Whiteboard: MGA5TOO => (none)
About to run this on x86_64 hardware.
CC: (none) => tarazed25
There is a PoC available, attached here. This was used to test libquicktime before the update. A segfault occurs when the qtdump program is run against the supplied data, described in the second attachment. The functionality tests can be deferred to the post-update stage.
Created attachment 9010 [details] Python script to generate PoC data file
Created attachment 9011 [details] Exploit file for CVE-2016-2399

Attribution: Kristyna Streitova, https://bugzilla.suse.com/show_bug.cgi?id=1022805
Created attachment 9012 [details] Testing notes before update
Installed packages from Core and Tainted Updates Testing.

$ qtdump nemux_data.mp4
quicktime_dump
ftyp
 major brand: AAAA
 minor version: 00000300
 compatible brands: 3gp4 mp41 3gp6
movie data (mdat)
 size 8
 start 28
movie (moov)
 movie header (mvhd)
.............................
 sample size (stsz)
 version 0
 flags 0
 sample_size 0
 total_entries 0
 chunk offset (stco)
 version 0
 flags 0
 total_entries 0

There is no segfault, but the analysis shows that the file is effectively empty and the integer overflow has been handled gracefully. Comparison of the traces before and after the update shows that the updated library functions continue analyzing the data just where the segfault occurred in the pre-update test.

On a genuine QuickTime file a large amount of data is produced containing samples, sample sizes and ending with offsets.

$ qtdump Baikonur.mp4 > filedump
$ head filedump
quicktime_dump
ftyp
 major brand: mp42
 minor version: 00000000
 compatible brands: isom mp42
movie data (mdat)
 size 1775410436
 start 2758025
movie (moov)
 movie header (mvhd)
$ tail -5 filedump
 offset 13165 1778040744 (69fabfa8)
 offset 13166 1778083719 (69fb6787)
 offset 13167 1778113257 (69fbdae9)
 offset 13168 1778140053 (69fc4395)
 offset 13169 1778163411 (69fc9ed3)

Other tests:

$ libquicktime_config
That brings up a simple GUI for the installed audio and video codecs.

$ lqtplay FascinationGratte-ciel.mp4
INFO: playing FascinationGratte-ciel.mp4
Type: MP4
1 audio tracks.
........................
The player window has no controls or decorations.

$ lqt_transcode -lv # lists all known video codecs
$ lqt_transcode -la # likewise for audio
Avoiding actual use on account of lack of knowledge.

$ qt2text TheDisappearance_4.mp4
Time: 0 (0.000000 seconds), Duration: 99600 (99.600000 seconds), String: ""
Time: 99600 (99.600000 seconds), Duration: 2160 (2.160000 seconds), String: "MUFFLED VOICES FROM RADIO"
and so on. Obviously subtitles.

$ qtdechunk Albatross.mp4 ppm
This produces a very large number of frame files of this sort:
$ file ppm000499
ppm000499: AIX core file fulldump 32-bit, n\222@)\362=\303\360\367\233\312n\265\013\215\274[\3757\336\324\246%qs\011U]\231\304\342kR\343\233\004\211

$ qtinfo Albatross.mp4
Type: MP4
1 audio tracks.
 2 channels, 16 bits, sample rate 48000, length 243329008 samples, compressor mp4a.
 Sample format: Floating point.
 Channel setup: Front Left, Front Right
 Language: und
 supported.
1 video tracks.
 1280x720, depth 24
 rate 25.000000 [16000:640] constant
 length 126734 frames
 compressor avc1.
 Native colormodel: YUV 4:2:0 planar
 Interlace mode: None (Progressive)
 Chroma placement: MPEG-2
 No timecodes available
 supported.
0 text tracks.

The documentation says RGB frames are dechunked, but this file seems to be YUV. Had a go at reconstituting the clip from the original.

$ ls -c1 ppm* > ppms
$ sort ppms > frames
$ qtrechunk -f 25.0 -w 1280 -h 720 frames test.mov
Rate: 25.000000 (0:0)
100.00% Completed

test.mov would not play in vlc. It was a very short clip and maybe lacked important data. The original dump was interrupted. Or, more likely, the problem might be that the original movie did not contain RGB frames.

$ qtyuv4toyuv TheDisappearance_4.mp4 test.yuv
This had to be interrupted. vlc refused to play it on the grounds that Codec `I420' (Planar 4:2:0 YUV) is not supported. It should not be expected to play, but the error indicates that the conversion had succeeded.

It is hard to say if the library is OK without more expert knowledge, but in general it seems to function and the integer overflow issue has been dealt with.
Referring to comment 8:

"$ qtyuv4toyuv TheDisappearance_4.mp4 test.yuv
This had to be interrupted. vlc refused to play it on the grounds that Codec `I420' (Planar 4:2:0 YUV) is not supported. It should not be expected to play but the error indicates that the conversion had succeeded."

Does not prove anything in fact. Ignore that test; it needs to be redone.
CC: (none) => davidwhodgins
Whiteboard: (none) => advisory
The tests are positive enough to clear this for 64-bit. Giving it the OK.
Whiteboard: advisory => advisory MGA5-64-OK
Not sure about 32-bit.

The following 3 packages are going to be installed:
- libquicktime-1.2.4-10.1.mga5.i586
- libquicktime-dv-1.2.4-10.1.mga5.i586
- libquicktime-progs-1.2.4-10.1.mga5.i586
1.9MB of additional disk space will be used.
317KB of packages will be retrieved.
Is it ok to continue?

$ qtdump nemux_data.mp4
Segmentation fault
Keywords: (none) => NEEDHELP
CC: (none) => brtians1
Hi,

I think you forgot one package: libquicktime0-1.2.4-10.1.mga5.i586. With that package, in my tests, I cannot trigger the segmentation fault.

Best regards,

Nico.
On i586, confirmed bug before update ...

$ qtdump nemux_data.mp4
Segmentation fault

With Core updates testing enabled, ran urpmi libquicktime libquicktime0 libquicktime-progs. qtdump works without segfault.

Installed tainted updates testing version and confirmed it also fixes the problem.
Keywords: NEEDHELP => validated_update
Whiteboard: advisory MGA5-64-OK => advisory MGA5-64-OK MGA5-32-OK
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0084.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED