Bug 20846 - swftools new security issue CVE-2017-8400
Summary: swftools new security issue CVE-2017-8400
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: All
OS: Linux
Priority: Normal
Severity: major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: advisory MGA5-32-OK MGA5-64-OK
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2017-05-13 19:16 CEST by David Walser
Modified: 2017-08-08 08:14 CEST
CC: 4 users

See Also:
Source RPM: swftools-0.9.2-7.mga5.src.rpm
CVE:
Status comment:



Description David Walser 2017-05-13 19:16:50 CEST
openSUSE has issued an advisory on May 10:
https://lists.opensuse.org/opensuse-updates/2017-05/msg00034.html

Mageia 5 is also affected.
David Walser 2017-05-13 19:16:58 CEST

Whiteboard: (none) => MGA5TOO

Comment 1 David Walser 2017-06-05 01:24:54 CEST
Patches committed in SVN.  Freeze activated early, so now waiting for freeze pushes to actually do the security update.
Comment 2 David Walser 2017-06-05 01:52:09 CEST
Advisory:
========================

Updated swftools package fixes security vulnerabilities:

In SWFTools 0.9.2, an out-of-bounds write of heap data can occur in the
function png_load() in lib/png.c. This issue can be triggered by a malformed
PNG file that is mishandled by png2swf. Attackers could exploit this issue for
DoS; it might cause arbitrary code execution (CVE-2017-8400).

In SWFTools 0.9.2, an out-of-bounds read of heap data can occur in the
function png_load() in lib/png.c. This issue can be triggered by a malformed
PNG file that is mishandled by png2swf. Attackers could exploit this issue for
DoS (CVE-2017-8401).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8400
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8401
https://lists.opensuse.org/opensuse-updates/2017-05/msg00034.html
========================

Updated packages in core/updates_testing:
========================
swftools-0.9.2-7.1.mga5

from swftools-0.9.2-7.1.mga5.src.rpm

Version: Cauldron => 5
Assignee: matteo.pasotti => qa-bugs
Whiteboard: MGA5TOO => (none)

Comment 3 Len Lawrence 2017-06-05 22:00:39 CEST
x86_64 on mga5.1 Mate

Installed swftools and gnash/lightspark before the update and tried out a few of the tools.  Working fine as far as I could see except for wavtoswf which did not have mp3 audio stream support compiled in.
Two specimen PNG files are available via the CVE references for PoC tests.
When run against png2swf they both segfault.

Installed the updated tools package.

[CVE-2017-8400]
$ png2swf 000004.png
$

The upstream test used png2swf_dbg to obtain diagnostics but this is not part of the tools package so we must assume that the vulnerability is being handled behind the scenes and that it can do no damage.  However ....

[CVE-2017-8401]
$ png2swf 000007.png
Segmentation fault
$
Apparently this was reassigned because somebody upstream asked if the issue really was fixed.  We might need some feedback on this.  Withholding the OK until we have a clearer idea of the status of CVE-2017-8401.

Running some simple tests on the tools without fiddling with parameter values:

$ jpeg2swf *.jpg
$ gnash output.swf
This runs a slideshow of the images in a continuous loop.
----------------------------------------------------------
$ png2swf ~/test/data/images/*.png
$ lightspark output.swf
This also provides a slideshow of the original png images.  Note that the output file appears in the directory from which the command is issued, by default.
----------------------------------------------------------
$ font2swf -o gemelli.swf gemelli.ttf
Warning: bad moveTo (0.000000,-107374182.400000)
.................
Warning: bad moveTo (0.000000,-107374182.400000)
$
$ ls -l *.swf
-rwxr-xr-x 1 lcl lcl 108062 Jun  5 20:08 gemelli.swf
$ file gemelli.swf
gemelli.swf: Macromedia Flash data, version 8

No idea what you do with this.  The series of warnings may occur for each glyph.
----------------------------------------------------------
Convert a series of gif files to swf format.  This works for an animated gif as well but when viewed the separate frames are stacked, which looks a bit untidy.
$ gif2swf -o Cassini_Saturn_flyover.swf -r 1 -l 10 3035_CassA.gif 
This takes a long time to execute.
$ gnash Cassini_Saturn_flyover.swf
Stacked frames for animated gifs.
----------------------------------------------------------
pdf2swf gets confused by wildcards so it is not possible to assemble a collection of single page PDFs into an SWF file.
$ pdf2swf UsingDocker.pdf
That worked fine and was pretty swift, processing 355 pages in a few seconds.
By default it uses the original file name with the .swf extension.  This is viewable in lightspark.
----------------------------------------------------------
swfdump provides frame by frame information on a file for frames and objects.
There are also action script utilities which we should leave to programmers with an interest in them.
----------------------------------------------------------

CC: (none) => tarazed25

Len Lawrence 2017-06-05 22:01:20 CEST

Whiteboard: (none) => feedback

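An added example, not code from the bug report, from Mageia QA or from swftools: a small harness of the kind a tester could use for the PoC runs in the comment above, where png2swf was run by hand against the two specimen PNG files and one of them still segfaulted. It runs a converter over each file given, discards the converter's output, and classifies the run by exit status (a shell reports a child killed by signal N as 128+N, so SIGSEGV shows up as 139), which gives a repeatable before/after check without the png2swf_dbg diagnostics build that the package omits. It assumes a POSIX sh and uses GNU timeout(1) only if it is installed; the file names 000004.png and 000007.png are the ones named in the comment and are not supplied here.

```shell
#!/bin/sh
# Added QA example (not from the bug report or swftools): run a converter such
# as png2swf over proof-of-concept files and classify each run by exit status.
# Assumption: POSIX sh; GNU timeout(1) is used only when present.

# classify_exit STATUS
# Prints one of: ok, error, timeout, segfault, abort, signal:N.
# A shell reports a child killed by signal N as 128+N; GNU timeout reports
# the same status for a signalled child and 124 when the time limit hits.
classify_exit() {
    st=$1
    if [ "$st" -eq 0 ]; then
        echo ok
    elif [ "$st" -eq 124 ]; then
        echo timeout
    elif [ "$st" -gt 128 ]; then
        case $((st - 128)) in
            11) echo segfault ;;
            6)  echo abort ;;
            *)  echo "signal:$((st - 128))" ;;
        esac
    else
        echo error
    fi
}

# run_poc TOOL FILE
# Runs TOOL on FILE with stdout/stderr discarded and prints "FILE: <class>".
# The "|| st=$?" form keeps the harness usable under "set -e".
run_poc() {
    tool=$1
    file=$2
    st=0
    if command -v timeout >/dev/null 2>&1; then
        timeout 30 "$tool" "$file" >/dev/null 2>&1 || st=$?
    else
        "$tool" "$file" >/dev/null 2>&1 || st=$?
    fi
    echo "$file: $(classify_exit "$st")"
}

# Usage:  sh poc_check.sh TOOL FILE...
# e.g.    sh poc_check.sh png2swf 000004.png 000007.png
# Any line other than "ok" for a file the update claims to fix means the fix
# needs a second look; run it once before and once after installing the
# updated package and compare the two listings.
if [ "$#" -ge 2 ]; then
    tool=$1
    shift
    for f in "$@"; do
        run_poc "$tool" "$f"
    done
fi
```

Classifying by signal number rather than by the presence of a "Segmentation fault" message avoids depending on the interactive shell's job-control output, which non-interactive shells and scripts do not always print.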
Comment 4 Herman Viaene 2017-06-06 14:43:37 CEST
MGA-32 on Asus A6000VM Xfce
No installation issues
Used at CLI
$ jpeg2swf /home/tester5/Afbeeldingen/*.jpg
and
$ gnash output.swf 
runs the images OK
OK for me if Len's issue gets a favorable answer.

CC: (none) => herman.viaene

Comment 5 David Walser 2017-06-10 14:44:12 CEST
Good catch, 8401 appears not fixed:
https://github.com/matthiaskramm/swftools/issues/14
Comment 6 Rémi Verschelde 2017-08-03 10:18:50 CEST
Still no fix for CVE-2017-8401 after 3 months: https://github.com/matthiaskramm/swftools/issues/14

Should we test and validate for CVE-2017-8400 anyway?
Comment 7 Len Lawrence 2017-08-03 14:40:02 CEST
Yes, we should put 8401 on the shelf until a fix turns up and release the tools as they stand.  

I shall check how far we got with the testing and validate when the modified advisory is pushed, if that is the way we want to go.
Comment 8 David Walser 2017-08-03 15:29:38 CEST
Yeah, we can split the bug.
Len Lawrence 2017-08-03 19:46:57 CEST

Whiteboard: feedback => MGA5-64-OK

Comment 9 William Kenney 2017-08-06 20:18:45 CEST
In VirtualBox, M5, KDE, 32-bit

Package(s) under test:
swftools

default install of swftools & libzziplib0

[root@localhost wilcal]# urpmi swftools
Package swftools-0.9.2-7.mga5.i586 is already installed
[root@localhost wilcal]# urpmi libzziplib0
Package libzziplib0-0.13.62-5.1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi gnash
Package gnash-0.8.10-13.mga5.i586 is already installed
[root@localhost wilcal]# urpmi lightspark
Package lightspark-0.7.2-19.mga5.i586 is already installed

$ png2swf image_file.png
produces output.swf
$ gnash output.swf
displays the just created output.swf single image file

$ jpeg2swf *.jpg ( 5 files )
produces a slideshow of the 5 images
$ gnash --width 640 --height 480 --x-pos 300 --y-pos 300 output.swf
Plays the slideshow in a 640x480 window at 300x300
CTRL-Q kills the slideshow

$ lightspark output.swf
Also presents a slideshow of the original .png images
CTRL-Z kills the slideshow

$ swfdump output.swf
Displays a datadump of the images contained within the output.swf file

install swftools from updates_testing

[root@localhost wilcal]# urpmi swftools
Package swftools-0.9.2-7.1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi libzziplib0
Package libzziplib0-0.13.62-5.1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi gnash
Package gnash-0.8.10-13.mga5.i586 is already installed
[root@localhost wilcal]# urpmi lightspark
Package lightspark-0.7.2-19.mga5.i586 is already installed

$ png2swf image_file.png
produces output.swf
$ gnash output.swf
displays the just created output.swf single image file

$ jpeg2swf *.jpg ( 5 files )
produces a slideshow of the 5 images
$ gnash --width 640 --height 480 --x-pos 300 --y-pos 300 output.swf
Plays the slideshow in a 640x480 window at 300x300
CTRL-Q kills the slideshow

$ lightspark output.swf
Also presents a slideshow of the original .png images
CTRL-Z kills the slideshow

$ swfdump output.swf
Displays a datadump of the images contained within the output.swf file

swftools seems to work

CC: (none) => wilcal.int

William Kenney 2017-08-06 20:19:27 CEST

Whiteboard: MGA5-64-OK => MGA5-32-OK MGA5-64-OK

Comment 10 William Kenney 2017-08-06 20:20:43 CEST
You have the honors Len
Comment 11 Len Lawrence 2017-08-07 09:09:52 CEST
Thanks Bill.  Just waiting for the *.  If you see it, go ahead.
Comment 12 Rémi Verschelde 2017-08-07 22:38:03 CEST
Validating, updated advisory uploaded.

(In reply to Len Lawrence from comment #11)
> Thanks Bill.  Just waiting for the *.  If you see it, go ahead.

Note that you can validate anyway, we can then see on the validated list which ones still need the advisory (they don't get pushed as updates by the sysadmins' script as long as they miss the advisory anyway).

---

Updated advisory:
========================

Updated swftools package fixes security vulnerability:

In SWFTools 0.9.2, an out-of-bounds write of heap data can occur in the
function png_load() in lib/png.c. This issue can be triggered by a malformed
PNG file that is mishandled by png2swf. Attackers could exploit this issue for
DoS; it might cause arbitrary code execution (CVE-2017-8400).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8400
https://lists.opensuse.org/opensuse-updates/2017-05/msg00034.html
========================

Updated packages in core/updates_testing:
========================
swftools-0.9.2-7.1.mga5

CC: (none) => sysadmin-bugs
Keywords: (none) => validated_update
Whiteboard: MGA5-32-OK MGA5-64-OK => advisory MGA5-32-OK MGA5-64-OK

Comment 13 Mageia Robot 2017-08-08 00:17:11 CEST
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0245.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

Comment 14 David Walser 2017-08-08 00:48:55 CEST
Did someone clone the bug for the unfixed issue?
Rémi Verschelde 2017-08-08 08:11:56 CEST

Summary: swftools new security issues CVE-2017-8400 and CVE-2017-8401 => swftools new security issues CVE-2017-8400

Rémi Verschelde 2017-08-08 08:12:01 CEST

Summary: swftools new security issues CVE-2017-8400 => swftools new security issue CVE-2017-8400

Rémi Verschelde 2017-08-08 08:13:34 CEST

Blocks: (none) => 21470

Rémi Verschelde 2017-08-08 08:14:26 CEST

Blocks: 21470 => (none)

