Bug 20357 - libquicktime new security issue CVE-2016-2399
: libquicktime new security issue CVE-2016-2399
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
: 5
: All Linux
: Normal Severity: normal
: ---
Assigned To: QA Team
: Sec team
:
: advisory MGA5-64-OK MGA5-32-OK
: validated_update
:
:
  Show dependency treegraph
 
Reported: 2017-02-26 17:12 CET by David Walser
Modified: 2017-03-25 17:57 CET (History)
6 users (show)

See Also:
Source RPM: libquicktime-1.2.4-13.mga6.src.rpm
CVE:
Status comment:


Attachments
Python script to generate PoC data file (3.67 KB, text/plain)
2017-03-02 23:12 CET, Len Lawrence
Details
Exploit file for CVE-2016-2399 (818 bytes, application/octet-stream)
2017-03-02 23:19 CET, Len Lawrence
Details
Testing notes before update (1.73 KB, text/plain)
2017-03-02 23:23 CET, Len Lawrence
Details

Description David Walser 2017-02-26 17:12:38 CET
openSUSE has issued an advisory on February 22:
https://lists.opensuse.org/opensuse-updates/2017-02/msg00102.html

Lots more info including references and a reproducer in the SUSE bug:
https://bugzilla.suse.com/show_bug.cgi?id=1022805

Mageia 5 is also affected.
Comment 1 Marja van Waes 2017-02-27 07:44:00 CET
Assigning to all packagers collectively, since there is no registered maintainer for this package.
Comment 2 Nicolas Salguero 2017-03-02 14:57:14 CET
Suggested advisory:
========================

The updated packages fix a security vulnerability:

Integer overflow in the quicktime_read_pascal function in libquicktime 1.2.4 and earlier allows remote attackers to cause a denial of service or possibly have other unspecified impact via a crafted hdlr MP4 atom. (CVE-2016-2399)

References:
https://lists.opensuse.org/opensuse-updates/2017-02/msg00102.html
https://bugzilla.suse.com/show_bug.cgi?id=1022805
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2399
========================

Updated packages in core/updates_testing:
========================
libquicktime-1.2.4-10.1.mga5
lib(64)quicktime0-1.2.4-10.1.mga5
lib(64)quicktime-devel-1.2.4-10.1.mga5
libquicktime-dv-1.2.4-10.1.mga5
libquicktime-progs-1.2.4-10.1.mga5

from SRPMS:
libquicktime-1.2.4-10.1.mga5.src.rpm

Updated packages in tainted/updates_testing:
========================
libquicktime-1.2.4-10.1.mga5.tainted
lib(64)quicktime0-1.2.4-10.1.mga5.tainted
lib(64)quicktime-devel-1.2.4-10.1.mga5.tainted
libquicktime-dv-1.2.4-10.1.mga5.tainted
libquicktime-progs-1.2.4-10.1.mga5.tainted
libquicktime-lame-1.2.4-10.1.mga5.tainted
libquicktime-faad-1.2.4-10.1.mga5.tainted
libquicktime-x264-1.2.4-10.1.mga5.tainted

from SRPMS:
libquicktime-1.2.4-10.1.mga5.tainted.src.rpm
Comment 3 Len Lawrence 2017-03-02 19:55:30 CET
About to run this on x86_64 hardware.
Comment 4 Len Lawrence 2017-03-02 23:10:32 CET
There is a PoC available, attached here.  This was used to test libquicktime before the update.  A segfault occurs when the qtdump program is run against the supplied data, described in the second attachment.  The functionality tests can be deferred to the post-update stage.
Comment 5 Len Lawrence 2017-03-02 23:12:48 CET
Created attachment 9010 [details]
Python script to generate PoC data file
Comment 6 Len Lawrence 2017-03-02 23:19:31 CET
Created attachment 9011 [details]
Exploit file for CVE-2016-2399

Attribution: Kristyna Streitova
https://bugzilla.suse.com/show_bug.cgi?id=1022805
Comment 7 Len Lawrence 2017-03-02 23:23:19 CET
Created attachment 9012 [details]
Testing notes before update
Comment 8 Len Lawrence 2017-03-03 01:59:59 CET
Installed packages from Core and Tainted Updates Testing.

$ qtdump nemux_data.mp4
quicktime_dump
ftyp
 major brand: AAAA
 minor version: 00000300
 compatible brands: 3gp4 mp41 3gp6 
movie data (mdat)
 size 8
 start 28
movie (moov)
 movie header (mvhd)
.............................
     sample size (stsz)
      version 0
      flags 0
      sample_size 0
      total_entries 0
     chunk offset (stco)
      version 0
      flags 0
      total_entries 0

There is no segfault but the analysis shows that file is effectively empty and the integer overflow has been handled gracefully.  Comparison of the traces before and after the update shows that the updated library functions continue analyzing the data
just where the segfault occurred in the pre-update test.

On a genuine quicktime file a large amount of data is produced containing samples sample sizes and ending with offsets.

$ qtdump Baikonur.mp4 > filedump

$ head filedump
quicktime_dump
ftyp
 major brand: mp42
 minor version: 00000000
 compatible brands: isom mp42 
movie data (mdat)
 size 1775410436
 start 2758025
movie (moov)
 movie header (mvhd)

$ tail -5 filedump
       offset 13165 1778040744 (69fabfa8)
       offset 13166 1778083719 (69fb6787)
       offset 13167 1778113257 (69fbdae9)
       offset 13168 1778140053 (69fc4395)
       offset 13169 1778163411 (69fc9ed3)

Other tests:
$ libquicktime_config
That brings up a simple gui for the installed audio and video codecs.

$ lqtplay FascinationGratte-ciel.mp4
INFO: playing FascinationGratte-ciel.mp4
Type: MP4
  1 audio tracks.
........................
The player window has no controls or decorations.

$ lqt_transcode -lv             # lists all known video codecs
$ lqt_transcode -la             # likewise for audio
Avoiding actual use on account of lack of knowledge.

$ qt2text TheDisappearance_4.mp4
Time: 0 (0.000000 seconds), Duration: 99600 (99.600000 seconds), String:
""
Time: 99600 (99.600000 seconds), Duration: 2160 (2.160000 seconds), String:
"MUFFLED VOICES FROM RADIO"

and so on.  Obviously subtitles.

$ qtdechunk Albatross.mp4 ppm

This produces a very large number of frame files of this sort:
$ file ppm000499
ppm000499: AIX core file fulldump 32-bit, n\222@)\362=\303\360\367\233\312n\265\013\215\274[\3757\336\324\246%qs\011U]\231\304\342kR\343\233\004\211
$ qtinfo Albatross.mp4
Type: MP4
  1 audio tracks.
    2 channels, 16 bits, sample rate 48000, length 243329008 samples, compressor mp4a.
    Sample format: Floating point.
    Channel setup: Front Left, Front Right
    Language: und
    supported.
  1 video tracks.
    1280x720, depth 24
    rate 25.000000 [16000:640] constant
    length 126734 frames
    compressor avc1.
    Native colormodel:  YUV 4:2:0 planar
    Interlace mode:     None (Progressive)
    Chroma placement: MPEG-2
    No timecodes available
    supported.
  0 text tracks.

The documentation says RGB frames are dechunked but this file seems to be YUV.

Had a go at reconstituting the clip from the original.
$ ls -c1 ppm* > ppms
$ sort ppms > frames
$ qtrechunk -f 25.0 -w 1280 -h 720 frames test.mov
Rate: 25.000000 (0:0)
100.00% Completed

test.mov would not play in vlc.  It was a very short clip and maybe lacked important data.  The original dump was interrupted.  Or more likely the problem might be that the original movie did not contain RGB frames.

$ qtyuv4toyuv TheDisappearance_4.mp4 test.yuv
This had to be interrupted.  vlc refused to play it on the grounds that 
Codec `I420' (Planar 4:2:0 YUV) is not supported.  It should not be expected to play but the error indicates that the conversion had succeeded.

It is hard to say if the library is OK without more expert knowledge but in general it seems to function and the integer overflow issue has been dealt with.
Comment 9 Len Lawrence 2017-03-03 10:28:52 CET
Referring to comment 8

"$ qtyuv4toyuv TheDisappearance_4.mp4 test.yuv
This had to be interrupted.  vlc refused to play it on the grounds that 
Codec `I420' (Planar 4:2:0 YUV) is not supported.  It should not be expected to play but the error indicates that the conversion had succeeded."

Does not prove anything in fact.
Ignore that test - needs to be redone.
Comment 10 Len Lawrence 2017-03-09 18:03:15 CET
The tests are positive enough to clear this for 64-bit.  Giving it the OK.
Comment 11 Brian Rockwell 2017-03-22 02:24:43 CET
not sure about 32-bit

The following 3 packages are going to be installed:

- libquicktime-1.2.4-10.1.mga5.i586
- libquicktime-dv-1.2.4-10.1.mga5.i586
- libquicktime-progs-1.2.4-10.1.mga5.i586

1.9MB of additional disk space will be used.

317KB of packages will be retrieved.

Is it ok to continue?


$ qtdump nemux_data.mp4
Segmentation fault
Comment 12 Nicolas Salguero 2017-03-22 10:16:42 CET
Hi,

I think you forgot one package: libquicktime0-1.2.4-10.1.mga5.i586.  With that package, in my tests, I cannot trigger the segmentation fault.

Best regards,

Nico.
Comment 13 Dave Hodgins 2017-03-25 02:25:58 CET
On i586, confirmed bug before update ...
$ qtdump nemux_data.mp4 
Segmentation fault

With Core updates testing enabled, ran urpmi libquicktime libquicktime0 libquicktime-progs

qtdump works without segfault.

Installed tainted updates testing version and confirmed it also fixes the problem.
Comment 14 Mageia Robot 2017-03-25 17:57:33 CET
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0084.html

Note You need to log in before you can comment on or make changes to this bug.