Bug 20846 - swftools new security issues CVE-2017-8400 and CVE-2017-8401
Summary: swftools new security issues CVE-2017-8400 and CVE-2017-8401
Status: NEW
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
Whiteboard: feedback
Depends on:
Reported: 2017-05-13 19:16 CEST by David Walser
Modified: 2017-06-10 14:44 CEST
2 users

See Also:
Source RPM: swftools-0.9.2-7.mga5.src.rpm
Status comment:


Description David Walser 2017-05-13 19:16:50 CEST
openSUSE has issued an advisory on May 10:

Mageia 5 is also affected.
Comment 1 David Walser 2017-06-05 01:24:54 CEST
Patches committed in SVN.  Freeze activated early, so now waiting for freeze pushes to actually do the security update.
Comment 2 David Walser 2017-06-05 01:52:09 CEST

Updated swftools package fixes security vulnerabilities:

In SWFTools 0.9.2, an out-of-bounds write of heap data can occur in the
function png_load() in lib/png.c. This issue can be triggered by a malformed
PNG file that is mishandled by png2swf. Attackers could exploit this issue for
DoS; it might cause arbitrary code execution (CVE-2017-8400).

In SWFTools 0.9.2, an out-of-bounds read of heap data can occur in the
function png_load() in lib/png.c. This issue can be triggered by a malformed
PNG file that is mishandled by png2swf. Attackers could exploit this issue for
DoS (CVE-2017-8401).


Updated packages in core/updates_testing:

from swftools-0.9.2-7.1.mga5.src.rpm
Comment 3 Len Lawrence 2017-06-05 22:00:39 CEST
x86_64 on mga5.1 Mate

Installed swftools and gnash/lightspark before the update and tried out a few of the tools.  Working fine as far as I could see except for wavtoswf which did not have mp3 audio stream support compiled in.
Two specimen PNG files are available via the CVE references for PoC tests.
When run against png2swf they both segfault.

Installed the updated tools package.

$ png2swf 000004.png

The upstream test used png2swf_dbg to obtain diagnostics but this is not part of the tools package so we must assume that the vulnerability is being handled behind the scenes and that it can do no damage.  However ....

$ png2swf 000007.png
Segmentation fault
Apparently this was reassigned because somebody upstream asked if the issue really was fixed.  We might need some feedback on this.  Withholding the OK until we have a clearer idea of the status of CVE-2016-8401.

Running some simple tests on the tools without fiddling with parameter values:

$ jpeg2swf *.jpg
$ gnash output.swf
This runs a slideshow of the images in a continuous loop.
$ png2swf ~/test/data/images/*.png
$ lightspark output.swf
This also provides a slideshow of the original png images.  Note that the output file appears in the directory from which the command is issued, by default.
$ font2swf -o gemelli.swf gemelli.ttf
Warning: bad moveTo (0.000000,-107374182.400000)
Warning: bad moveTo (0.000000,-107374182.400000)
$ ls -l *.swf
-rwxr-xr-x 1 lcl lcl 108062 Jun  5 20:08 gemelli.swf
$ file gemelli.swf
gemelli.swf: Macromedia Flash data, version 8

No idea what you do with this.  The series of warnings may occur for each glyph.
Convert a series of gif files to swf format.  This works for an animated gif as well but when viewed the separate frames are stacked, which looks a bit untidy.
$ gif2swf -o Cassini_Saturn_flyover.swf -r 1 -l 10 3035_CassA.gif 
This takes a long time to execute.
$ gnash Cassini_Saturn_flyover.swf
Stacked frames for animated gifs.
pdf2swf gets confused by wildcards so it is not possible to assemble a collection of single page PDFs into an SWF file.
$ pdf2swf UsingDocker.pdf
That worked fine and was pretty swift, processing 355 pages in a few seconds.
By default it uses the original file name with the .swf extension.  This is viewable in lightspark.
swfdump provides frame by frame information on a file for frames and objects.
There are also action script utilities which we should leave to programmers with an interest in them.
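The QA check described in this comment (run png2swf over the specimen PNGs and see whether the tool exits cleanly or segfaults, since png2swf_dbg is not shipped) can be scripted so a signal death is reported separately from an ordinary non-zero exit. This is an added example, not part of the bug report or of swftools; the tool name and input files are whatever the tester passes in.

```shell
#!/bin/sh
# Added example: classify how a converter exits on each input file, so a
# crash such as the "Segmentation fault" seen with 000007.png is reported
# as "crash", while a malformed file that is rejected cleanly is "error".
# Usage: check_inputs png2swf 000004.png 000007.png

# Turn one exit status into a verdict. POSIX shells report a child killed
# by signal N as 128+N, so anything above 128 is treated as a signal death.
classify_exit() {
    status=$1
    if [ "$status" -eq 0 ]; then
        echo ok
    elif [ "$status" -gt 128 ]; then
        echo "crash:signal $((status - 128))"
    else
        echo error
    fi
}

# Run "$tool" once per file, print "file: verdict" for each, and return
# 1 if any run died from a signal (the condition QA needs to flag).
check_inputs() {
    tool=$1; shift
    crashed=0
    for f in "$@"; do
        "$tool" "$f" >/dev/null 2>&1
        status=$?
        verdict=$(classify_exit "$status")
        echo "$f: $verdict"
        case $verdict in crash:*) crashed=1 ;; esac
    done
    return $crashed
}

# Stand-alone use: first argument is the converter, the rest are inputs.
if [ "$#" -ge 2 ]; then
    check_inputs "$@"
fi
```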
Comment 4 Herman Viaene 2017-06-06 14:43:37 CEST
MGA-32 on Asus A6000VM Xfce
No installation issues
Used at CLI
$ jpeg2swf /home/tester5/Afbeeldingen/*.jpg
$ gnash output.swf 
runs the images OK
OK for me if Len's issue gets a favorable answer.
Comment 5 David Walser 2017-06-10 14:44:12 CEST
Good catch, 8401 appears not fixed:
