openSUSE has issued an advisory on May 10: https://lists.opensuse.org/opensuse-updates/2017-05/msg00034.html Mageia 5 is also affected.
Whiteboard: (none) => MGA5TOO
Patches committed in SVN. Freeze activated early, so now waiting for freeze pushes to actually do the security update.
Advisory:
========================

Updated swftools package fixes security vulnerabilities:

In SWFTools 0.9.2, an out-of-bounds write of heap data can occur in the function png_load() in lib/png.c. This issue can be triggered by a malformed PNG file that is mishandled by png2swf. Attackers could exploit this issue for DoS; it might cause arbitrary code execution (CVE-2017-8400).

In SWFTools 0.9.2, an out-of-bounds read of heap data can occur in the function png_load() in lib/png.c. This issue can be triggered by a malformed PNG file that is mishandled by png2swf. Attackers could exploit this issue for DoS (CVE-2017-8401).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8400
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8401
https://lists.opensuse.org/opensuse-updates/2017-05/msg00034.html
========================

Updated packages in core/updates_testing:
========================
swftools-0.9.2-7.1.mga5

from swftools-0.9.2-7.1.mga5.src.rpm
Version: Cauldron => 5
Assignee: matteo.pasotti => qa-bugs
Whiteboard: MGA5TOO => (none)
x86_64 on mga5.1 Mate

Installed swftools and gnash/lightspark before the update and tried out a few of the tools. Working fine as far as I could see, except for wavtoswf, which did not have mp3 audio stream support compiled in.

Two specimen PNG files are available via the CVE references for PoC tests. When run against png2swf they both segfault.

Installed the updated tools package.

[CVE-2016-8400]
$ png2swf 000004.png
$

The upstream test used png2swf_dbg to obtain diagnostics, but this is not part of the tools package, so we must assume that the vulnerability is being handled behind the scenes and that it can do no damage.

However ....

[CVE-2016-8401]
$ png2swf 000007.png
Segmentation fault
$

Apparently this was reassigned because somebody upstream asked if the issue really was fixed. We might need some feedback on this.

Withholding the OK until we have a clearer idea of the status of CVE-2016-8401.

Running some simple tests on the tools without fiddling with parameter values:

$ jpeg2swf *.jpg
$ gnash output.swf
This runs a slideshow of the images in a continuous loop.
----------------------------------------------------------
$ png2swf ~/test/data/images/*.png
$ lightspark output.swf
This also provides a slideshow of the original png images. Note that the output file appears in the directory from which the command is issued, by default.
----------------------------------------------------------
$ font2swf -o gemelli.swf gemelli.ttf
Warning: bad moveTo (0.000000,-107374182.400000)
.................
Warning: bad moveTo (0.000000,-107374182.400000)
$
$ ls -l *.swf
-rwxr-xr-x 1 lcl lcl 108062 Jun 5 20:08 gemelli.swf
$ file gemelli.swf
gemelli.swf: Macromedia Flash data, version 8
No idea what you do with this. The series of warnings may occur for each glyph.
----------------------------------------------------------
Convert a series of gif files to swf format. This works for an animated gif as well, but when viewed the separate frames are stacked, which looks a bit untidy.
$ gif2swf -o Cassini_Saturn_flyover.swf -r 1 -l 10 3035_CassA.gif
This takes a long time to execute.
$ gnash Cassini_Saturn_flyover.swf
Stacked frames for animated gifs.
----------------------------------------------------------
pdf2swf gets confused by wildcards, so it is not possible to assemble a collection of single-page PDFs into an SWF file.
$ pdf2swf UsingDocker.pdf
That worked fine and was pretty swift, processing 355 pages in a few seconds. By default it uses the original file name with the .swf extension. This is viewable in lightspark.
----------------------------------------------------------
swfdump provides frame-by-frame information on a file for frames and objects.

There are also action script utilities which we should leave to programmers with an interest in them.
----------------------------------------------------------
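As an added example (not part of this bug report or of the swftools project), here is a small POSIX shell harness that does what the test above does by hand: it runs a converter over each input file and reports whether the run completed, exited with an error, or was killed by a signal, so a segfault like the one above shows up as a distinct result rather than being read off the terminal. The tool name and the input file names passed to it are assumptions; any command on PATH can be used.

```shell
#!/bin/sh
# Added example (not from the bug report): drive a converter over a set of input
# files and classify each run by its exit status, so a crash (process killed by a
# signal, e.g. the "Segmentation fault" seen with png2swf) is reported separately
# from an ordinary non-zero exit. The tool name and input paths are assumptions.

# classify_status STATUS: print "ok", "error (exit N)" or "crashed (signal N)".
# POSIX shells report a signal-killed child as 128 + signal number.
classify_status() {
    status="$1"
    if [ "$status" -eq 0 ]; then
        echo "ok"
    elif [ "$status" -ge 128 ]; then
        echo "crashed (signal $((status - 128)))"
    else
        echo "error (exit $status)"
    fi
}

# run_and_classify CMD [ARGS...]: run the command with its output discarded and
# classify the exit status. The "|| status=$?" form keeps set -e from aborting.
run_and_classify() {
    status=0
    "$@" >/dev/null 2>&1 || status=$?
    classify_status "$status"
}

# check_inputs TOOL FILE...: print one result line per file and return 1 if any
# run crashed, so the function can gate a QA script or a CI job.
check_inputs() {
    tool="$1"
    shift
    crashed=0
    for f in "$@"; do
        result=$(run_and_classify "$tool" "$f")
        printf '%s: %s\n' "$f" "$result"
        case "$result" in
            crashed*) crashed=1 ;;
        esac
    done
    return "$crashed"
}

# Usage (assumes png2swf is installed and the sample PNGs named in the bug
# report are in the current directory):
#   check_inputs png2swf 000004.png 000007.png
```

The exit-status convention is the whole trick: a converter that exits non-zero on a rejected file and one that is killed by SIGSEGV both "fail", but only the second is a crash worth re-opening a security bug over, and the script keeps the two apart without needing a debug build such as png2swf_dbg.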
CC: (none) => tarazed25
Whiteboard: (none) => feedback
MGA-32 on Asus A6000VM Xfce
No installation issues
Used at CLI
$ jpeg2swf /home/tester5/Afbeeldingen/*.jpg
and
$ gnash output.swf
runs the images OK

OK for me if Len's issue gets a favorable answer.
CC: (none) => herman.viaene
Good catch, 8401 appears not fixed: https://github.com/matthiaskramm/swftools/issues/14
Still no fix for CVE-2017-8401 after 3 months: https://github.com/matthiaskramm/swftools/issues/14 Should we test and validate for CVE-2017-8400 anyway?
Yes, we should put 8401 on the shelf until a fix turns up and release the tools as they stand. I shall check how far we got with the testing and validate when the modified advisory is pushed, if that is the way we want to go.
Yeah, we can split the bug.
Whiteboard: feedback => MGA5-64-OK
In VirtualBox, M5, KDE, 32-bit

Package(s) under test: swftools

default install of swftools & libzziplib0

[root@localhost wilcal]# urpmi swftools
Package swftools-0.9.2-7.mga5.i586 is already installed
[root@localhost wilcal]# urpmi libzziplib0
Package libzziplib0-0.13.62-5.1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi gnash
Package gnash-0.8.10-13.mga5.i586 is already installed
[root@localhost wilcal]# urpmi lightspark
Package lightspark-0.7.2-19.mga5.i586 is already installed

$ png2swf image_file.png
produces output.swf
$ gnash output.swf
displays the just created output.swf single image file
$ jpeg2swf *.jpg ( 5 files )
produces a slideshow of the 5 images
$ gnash --width 640 --height 480 --x-pos 300 --y-pos 300 output.swf
Plays the slideshow in a 640x480 window at 300x300
CTRL-Q kills the slideshow
$ lightspark output.swf
Also presents a slideshow of the original .png images
CTRL-Z kills the slideshow
$ swfdump output.swf
Displays a datadump of the images contained within the output.swf file

install swftools from updates_testing

[root@localhost wilcal]# urpmi swftools
Package swftools-0.9.2-7.1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi libzziplib0
Package libzziplib0-0.13.62-5.1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi gnash
Package gnash-0.8.10-13.mga5.i586 is already installed
[root@localhost wilcal]# urpmi lightspark
Package lightspark-0.7.2-19.mga5.i586 is already installed

$ png2swf image_file.png
produces output.swf
$ gnash output.swf
displays the just created output.swf single image file
$ jpeg2swf *.jpg ( 5 files )
produces a slideshow of the 5 images
$ gnash --width 640 --height 480 --x-pos 300 --y-pos 300 output.swf
Plays the slideshow in a 640x480 window at 300x300
CTRL-Q kills the slideshow
$ lightspark output.swf
Also presents a slideshow of the original .png images
CTRL-Z kills the slideshow
$ swfdump output.swf
Displays a datadump of the images contained within the output.swf file

swftools seems to work
CC: (none) => wilcal.int
Whiteboard: MGA5-64-OK => MGA5-32-OK MGA5-64-OK
You have the honors Len
Thanks Bill. Just waiting for the *. If you see it, go ahead.
Validating, updated advisory uploaded.

(In reply to Len Lawrence from comment #11)
> Thanks Bill. Just waiting for the *. If you see it, go ahead.

Note that you can validate anyway; we can then see on the validated list which ones still need the advisory (they don't get pushed as updates by the sysadmins' script as long as they miss the advisory anyway).

---

Updated advisory:
========================

Updated swftools package fixes security vulnerability:

In SWFTools 0.9.2, an out-of-bounds write of heap data can occur in the function png_load() in lib/png.c. This issue can be triggered by a malformed PNG file that is mishandled by png2swf. Attackers could exploit this issue for DoS; it might cause arbitrary code execution (CVE-2017-8400).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8400
https://lists.opensuse.org/opensuse-updates/2017-05/msg00034.html
========================

Updated packages in core/updates_testing:
========================
swftools-0.9.2-7.1.mga5
Keywords: (none) => validated_update
Whiteboard: MGA5-32-OK MGA5-64-OK => advisory MGA5-32-OK MGA5-64-OK
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2017-0245.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED
Did someone clone the bug for the unfixed issue?
Summary: swftools new security issues CVE-2017-8400 and CVE-2017-8401 => swftools new security issues CVE-2017-8400
Summary: swftools new security issues CVE-2017-8400 => swftools new security issue CVE-2017-8400
Blocks: (none) => 21470
Blocks: 21470 => (none)
*** Bug 21470 has been marked as a duplicate of this bug. ***
CC: (none) => rverschelde