Bug 20773 - mad new security issues CVE-2017-837[2-4]
Summary: mad new security issues CVE-2017-837[2-4]
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All
OS: Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA5TOO MGA5-64-OK MGA6-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2017-05-02 02:26 CEST by David Walser
Modified: 2018-01-02 16:03 CET
CC List: 5 users

See Also:
Source RPM: mad-0.15.1b-17.3.mga5.src.rpm
CVE:
Status comment: Old 2008 Debian patch supposed to fix those before they were rediscovered and attributed a CVE - need rediff and checking that PoCs no longer apply


Description David Walser 2017-05-02 02:26:46 CEST
Security issues in the mad library have been announced today (May 1):
http://openwall.com/lists/oss-security/2017/05/01/7
http://openwall.com/lists/oss-security/2017/05/01/8
http://openwall.com/lists/oss-security/2017/05/01/9

Fixes do not appear to be available yet.

Mageia 5 is also affected.
David Walser 2017-05-02 02:26:57 CEST

Whiteboard: (none) => MGA5TOO

Comment 1 Marja Van Waes 2017-05-02 07:33:06 CEST
Assigning to the registered maintainer.

Assignee: bugsquad => shlomif
CC: (none) => marja11

Comment 2 Rémi Verschelde 2017-06-11 13:18:00 CEST
Checked the Debian CVE tracker, apparently they consider those three CVEs fixed by a patch they included in 2008:

https://security-tracker.debian.org/tracker/CVE-2017-8372
https://security-tracker.debian.org/tracker/CVE-2017-8373
https://security-tracker.debian.org/tracker/CVE-2017-8374

The 2008 bug report: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=508133
The patch: https://sources.debian.net/src/libmad/0.15.1b-8/debian/patches/frame_length.diff/

Would have to check the PoCs to be sure the patch is enough, but that should be a start. No activity whatsoever upstream otherwise.
Comment 3 Rémi Verschelde 2017-06-11 13:30:11 CEST
Note that the patch would need to be rediffed as it won't apply on top of our own contrib_src_mad_check-bitstream-length--mod2.patch.
Rémi Verschelde 2017-06-11 13:42:32 CEST

Status comment: (none) => Old 2008 Debian patch supposed to fix those before they were rediscovered and attributed a CVE - need rediff and checking that PoCs no longer apply

David Walser 2017-07-07 04:24:31 CEST

Whiteboard: MGA5TOO => MGA6TOO, MGA5TOO

Comment 4 David Walser 2017-12-28 23:38:31 CET
Advisory:
========================

Updated mad packages fix security vulnerabilities:

The mad_layer_III function in layer3.c in Underbit MAD libmad 0.15.1b allows
remote attackers to cause a denial of service (heap-based buffer overflow and
application crash) or possibly have unspecified other impact via a crafted
audio file (CVE-2017-8373).

The mad_bit_skip function in bit.c in Underbit MAD libmad 0.15.1b allows
remote attackers to cause a denial of service (heap-based buffer over-read
and application crash) via a crafted audio file (CVE-2017-8374).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8373
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8374
http://openwall.com/lists/oss-security/2017/05/01/8
http://openwall.com/lists/oss-security/2017/05/01/9
https://security-tracker.debian.org/tracker/CVE-2017-8373
https://security-tracker.debian.org/tracker/CVE-2017-8374
========================

Updated packages in core/updates_testing:
========================
libmad0-0.15.1b-17.4.mga5
libmad-devel-0.15.1b-17.4.mga5
libmad0-0.15.1b-22.1.mga6
libmad-devel-0.15.1b-22.1.mga6

from SRPMS:
mad-0.15.1b-17.4.mga5.src.rpm
mad-0.15.1b-22.1.mga6.src.rpm

Version: Cauldron => 6
Whiteboard: MGA6TOO, MGA5TOO => MGA5TOO
Assignee: shlomif => qa-bugs

Comment 5 Lewis Smith 2017-12-30 11:48:29 CET
To test normally.
Dave Hodgins 2017-12-31 12:35:06 CET

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 6 Thomas Andrews 2018-01-01 16:31:20 CET
Installed lib64mad0-0.15.1b-17.4.mga5 on real hardware, then played mp3 files with Audacity, vlc, and xine.

No problems noted. Giving the 64-bit OK for MGA5.

CC: (none) => andrewsfarm
Whiteboard: MGA5TOO => MGA5TOO MGA5-64-OK

Comment 7 Thomas Andrews 2018-01-01 16:38:28 CET
Installed lib64mad0-0.15.1b-22.1.mga6 on real hardware, then played mp3 files with Kmplayer, vlc, and Dragon Player.

No problems noted. Giving the 64-bit OK for MGA6.

Whiteboard: MGA5TOO MGA5-64-OK => MGA5TOO MGA5-64-OK MGA6-64-OK

Comment 8 Lewis Smith 2018-01-02 13:02:36 CET
Confirming M6/64 *after* update: lib64mad0-0.15.1b-22.1.mga6

Thanks TJ for the spread of tests.
Because this is a library-only update, confirmed its employment.

Mplayer:
 $ strace mplayer /mnt/common/Mageia/BachSomething.mp3 2>&1 | grep libmad
open("/lib64/libmad.so.0", O_RDONLY|O_CLOEXEC) = 3
write(1, "Trying to force audio codec driv"..., 52Trying to force audio codec driver family libmad...
write(1, "Opening audio decoder: [libmad] "..., 58Opening audio decoder: [libmad] libmad mpeg audio decoder
write(1, "Selected audio codec: [mad] afm:"..., 66Selected audio codec: [mad] afm: libmad (libMAD MPEG layer 1-2-3)
shows the library is well used, the music played OK.

VLC:
 $ strace vlc 2>&1 | grep libmad
stat("/usr/lib64/vlc/plugins/audio_filter/libmad_plugin.so", {st_mode=S_IFREG|0755, st_size=11208, ...}) = 0
Played fine.

Audacity:
 $ strace audacity 2>&1 | grep libmad
open("/lib64/libmad.so.0", O_RDONLY|O_CLOEXEC) = 3
Made it obvious it was importing an .mp3 file, played & displayed fine.

Keywords: (none) => validated_update
CC: (none) => lewyssmith, sysadmin-bugs
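The check done by hand in comment 8 (strace a player, grep for libmad, confirm the library path was actually opened) can be scripted. The following is an added example written for this page, not code from the bug report or from the mad project. The function name lib_loaded and the sample strace lines are my own (the sample is constructed to mimic the open/openat/stat lines shown above, including one failed lookup that must be ignored); it assumes standard strace output, with or without the "[pid N] " prefix that strace -f adds.

```shell
#!/bin/sh
# Added example: find which shared-library paths matching a name were
# opened or stat()ed successfully in strace output, so a library-only
# update can be confirmed as actually exercised by the test program.
#
# Usage:
#   strace -f -e trace=open,openat,stat,newfstatat mplayer song.mp3 2>&1 | lib_loaded libmad
# Prints every successfully opened/stat()ed path containing NAME, one per
# line; exit status 0 if at least one was found, 1 otherwise.
lib_loaded() {
    name="$1"
    found=1
    while IFS= read -r line; do
        # strip the "[pid 1234] " prefix produced by strace -f
        call=${line#\[pid *\] }
        # only file-lookup syscalls count; write() lines that merely mention
        # the library name in a message (as in comment 8) are ignored
        case "$call" in
            open\(*|openat\(*|stat\(*|newfstatat\(*) ;;
            *) continue ;;
        esac
        case "$call" in
            *"$name"*) ;;
            *) continue ;;
        esac
        # a failed lookup (= -1 ENOENT ...) means the path was probed, not used
        case "$call" in
            *"= -1"*) continue ;;
        esac
        # the path is the first double-quoted argument
        path=${call#*\"}
        path=${path%%\"*}
        printf '%s\n' "$path"
        found=0
    done
    return "$found"
}

# Constructed sample trace (not real output from the tests above): a failed
# probe in /usr/lib, the real open in /lib64, a write() that mentions libmad,
# and VLC's plugin stat().
SAMPLE_TRACE='openat(AT_FDCWD, "/usr/lib/libmad.so.0", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
[pid 4242] openat(AT_FDCWD, "/lib64/libmad.so.0", O_RDONLY|O_CLOEXEC) = 3
write(1, "Opening audio decoder: [libmad] "..., 58) = 58
stat("/usr/lib64/vlc/plugins/audio_filter/libmad_plugin.so", {st_mode=S_IFREG|0755, st_size=11208, ...}) = 0'

# Stand-alone demonstration on the constructed sample.
if printf '%s\n' "$SAMPLE_TRACE" | lib_loaded libmad; then
    echo "libmad was loaded by the traced program"
else
    echo "libmad was NOT loaded by the traced program"
fi
```

A successful open of /lib64/libmad.so.0 only shows that the soname symlink was followed; to tie the loaded file to the updated build, resolve the link (readlink -f /lib64/libmad.so.0) and ask rpm which package owns the result (rpm -qf), expecting the 17.4.mga5 or 22.1.mga6 release listed in comment 4.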

Comment 9 Mageia Robot 2018-01-02 16:03:02 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0019.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED
