Bug 21196 - libquicktime new security issues CVE-2017-912[2-8]
Summary: libquicktime new security issues CVE-2017-912[2-8]
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: All Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: mga5-32-ok advisory MGA5-64-OK
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2017-07-07 05:06 CEST by David Walser
Modified: 2017-07-26 00:08 CEST
6 users

See Also:
Source RPM: libquicktime-1.2.4-10.1.mga5.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2017-07-07 05:06:55 CEST
openSUSE has issued an advisory tomorrow (July 7):
https://lists.opensuse.org/opensuse-updates/2017-07/msg00035.html

Freeze push requested for Cauldron.

Mageia 5 is also affected.
Comment 1 Marja van Waes 2017-07-07 13:46:47 CEST
Assigning to all packagers collectively, since there is no registered maintainer for this package.
Comment 2 David Walser 2017-07-08 20:04:36 CEST
Advisory:
========================

Updated libquicktime packages fix security vulnerabilities:

A DoS in quicktime_read_moov function in moov.c via a crafted mp4 file was fixed
(CVE-2017-9122).

An invalid memory read in lqt_frame_duration via a crafted mp4 file was fixed
(CVE-2017-9123).

A NULL pointer dereference in quicktime_match_32 via a crafted mp4 file was
fixed (CVE-2017-9124).

A DoS in lqt_frame_duration function in lqt_quicktime.c via crafted mp4 file
was fixed (CVE-2017-9125).

A heap-based buffer overflow in quicktime_read_dref_table via a crafted mp4
file was fixed (CVE-2017-9126).

A heap-based buffer overflow in quicktime_user_atoms_read_atom via a crafted
mp4 file was fixed (CVE-2017-9127).

A heap-based buffer over-read in quicktime_video_width via a crafted mp4 file
was fixed (CVE-2017-9128).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9122
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9123
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9124
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9125
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9126
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9127
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9128
https://lists.opensuse.org/opensuse-updates/2017-07/msg00035.html
========================

Updated packages in core/updates_testing:
========================
libquicktime-1.2.4-10.2.mga5
libquicktime0-1.2.4-10.2.mga5
libquicktime-devel-1.2.4-10.2.mga5
libquicktime-dv-1.2.4-10.2.mga5
libquicktime-progs-1.2.4-10.2.mga5

from libquicktime-1.2.4-10.2.mga5.src.rpm
Comment 3 Brian Rockwell 2017-07-22 01:30:27 CEST
$ uname -a
Linux localhost 4.4.74-desktop586-1.mga5 #1 SMP Mon Jun 26 07:48:29 UTC 2017 i686 i686 i686 GNU/Linux


okay - looked up what uses libquicktime utilities.

I found the mjpegtools is listed as using libquicktime.

I pulled up an AVI, a Grand Canyon video from my camera, and edited it with the glav utility.

$ glav CIMG0530.AVI

I did some edits and saved them.

Next I converted it to a new format.

$ lavtrans -o gc.qt -f q edited_grand_canyon.AVI

I was able to view the qc.qt output file.

works as designed from what I can tell.
Comment 4 Lewis Smith 2017-07-24 11:22:24 CEST
Prior to testing x64.

1. Package query
After updating from Updates Testing, the result is:
 lib64quicktime0-1.2.4-10.2.mga5
 libquicktime-1.2.4-10.2.mga5
 libquicktime-progs-1.2.4-10.2.mga5
 libquicktime-x264-1.2.4-10.1.mga5.tainted
 libquicktime-faad-1.2.4-10.1.mga5.tainted
 libquicktime-lame-1.2.4-10.1.mga5.tainted
Should the x264, faad and lame pkgs remain at their previous version, or be part of this update?

2. This is one of those complicated ensembles:
* libquicktime "is a library for reading and writing QuickTime files".
* lib64quicktime0 [same description].
* libquicktime-progs "Useful tools to operate at QuickTime files"
Ignoring codec-specific pkgs, the hierarchy is:
Whatrequires libquicktime:
 libquicktime-progs
Whatrequires lib64quicktime0:
 dvgrab
 libquicktime
 libquicktime-progs
 mjpegtools
 transcode
=>
libquicktime-progs-|
 |-libquicktime----|
dvgrab-------------|
mjpegtools---------|
transcode----------|
                   |-lib64quicktime0

The programs in 'progs':
 lqtplay - simple quicktime movie player for X11      [has man page]
lqtremux, lqt_transcode, qt2text, qt2text, qtdechunk, qtdump, qtinfo, qtrechunk, qtstreamize, qtyuv4toyuv: have no man pages, command alone shows usage but seldom what it does!

It helps to have a Quicktime movie file to play with (I searched briefly in vain); and have some competence in this field, although 'lqtplay' looks good for anyone.
Comment 5 Len Lawrence 2017-07-24 11:46:15 CEST
@Lewis: comment 4
The MOV format was developed by Apple for Quicktime but I am not sure that a MOV file is essential for this test.

I have several lying about (NASA websites often publish short MOV files).  So, I could run this for mga6 and maybe mga5 32bit.

It would probably break copyright if I were to attach any of the MOV files I have here and the links are long gone.
Comment 6 Len Lawrence 2017-07-24 15:25:11 CEST
My mistake.  Does not affect mga6.
Comment 7 William Kenney 2017-07-24 17:33:03 CEST
In VirtualBox, M5.1, KDE, 64-bit

Canon cameras produce quicktime ( mov ) videos
https://en.wikipedia.org/wiki/QuickTime_File_Format
Probably one of the more popular formats.
canon.mov was shot on my Canon camera.

Attempt to run glav on a quicktime video:

[wilcal@localhost video_test]$ glav canon.mov
++: [codecinfo] Error: Cannot open plugin directory /usr/lib64/libquicktime (forgot make install?)
++: [codecs] Warning: Could not find audio Decoder for fourcc sowt
++: [codecs] Warning: quicktime_decode_audio_stub called
++: [codecs] Warning: Could not find video Decoder for fourcc avc1
++: [codecs] Warning: quicktime_decode_video_stub called
++: [codecs] Warning: quicktime_delete_stub called
++: [codecs] Warning: quicktime_delete_stub called
++: **ERROR: [lavplay] Error opening canon.mov
++: lavtools version 2.0.0

Package(s) installed and under test:
libquicktime libquicktime-dv libquicktime-progs libquicktime0 glibc-devel lib64zlib-devel

[root@localhost wilcal]# urpmi libquicktime
Package libquicktime-1.2.4-10.1.mga5.tainted.x86_64 is already installed
[root@localhost wilcal]# urpmi libquicktime-dv
Package libquicktime-dv-1.2.4-10.1.mga5.tainted.x86_64 is already installed
[root@localhost wilcal]# urpmi libquicktime-progs
Package libquicktime-progs-1.2.4-10.1.mga5.tainted.x86_64 is already installed
[root@localhost wilcal]# urpmi libquicktime0
Package libquicktime0-1.2.4-10.1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi glibc-devel
Package glibc-devel-2.20-25.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi lib64zlib-devel
Package lib64zlib-devel-1.2.8-7.1.mga5.x86_64 is already installed

Attempt to run a quicktime video with glav:

[wilcal@localhost video_test]$ glav canon.mov
++: **ERROR: [lavplay] Error opening canon.mov
++: lavtools version 2.0.0

VLC and OpenShot do not need play/edit mov videos.
Running out of time this morning and will get back to this later today.
Comment 8 William Kenney 2017-07-24 17:37:05 CEST
[root@localhost wilcal]# urpmq --whatrequires libquicktime
libquicktime
libquicktime-dv
libquicktime-dv
libquicktime-dv
libquicktime-dv
libquicktime-dv
libquicktime-dv
libquicktime-faad
libquicktime-faad
libquicktime-lame
libquicktime-lame
libquicktime-progs
libquicktime-progs
libquicktime-progs
libquicktime-progs
libquicktime-progs
libquicktime-progs
libquicktime-x264
libquicktime-x264
Comment 9 Len Lawrence 2017-07-24 19:46:12 CEST
Just adding a third opinion for x86_64.  mga5
Installed the updates as listed.
$ rpm -qa | grep quicktime | grep 10.2
libquicktime-progs-1.2.4-10.2.mga5
libquicktime-dv-1.2.4-10.2.mga5
libquicktime-1.2.4-10.2.mga5
lib64quicktime-devel-1.2.4-10.2.mga5
lib64quicktime0-1.2.4-10.2.mga5

There are some tainted packages already, like libquicktime-lame-1.2.4-10.1.mga5.tainted
which are filtered out.  @lewis: we can probably ignore them on this update.

$ lqtplay 150504main_PIA07802.mov
Type: Quicktime
  0 audio tracks.
  1 video tracks.
    760x420, depth 24
..................

lqtplay had no trouble with MOV files from other sources:
PragmaticProgrammers screencast, FrenchMaidTV, NASA/Cassini

It also played MP4 files.

Some of the tools :-

Extract text strings:
$ qt2text rmp-4.mov 
Time: 0 (0.000000 seconds), Duration: 6771 (67.710000 seconds), String:
"Intro"
Time: 6771 (67.710000 seconds), Duration: 42612 (426.120000 seconds), String:
"instance_eval"
Time: 49383 (493.830000 seconds), Duration: 29303 (293.030000 seconds), String:
"class_eval"
..........................
Time: 167107 (1671.070000 seconds), Duration: 6543 (65.430000 seconds), String:
"Wrap Up"

Parse the file contents:
$ qtdump cassini20080814-1280.mov > dump
$ less dump
quicktime_dump
ftyp
 major brand: qt  
 minor version: 20050300
 compatible brands: qt   ^@^@^@^@ ^@^@^@^@ ^@^@^@^@ 
movie data (mdat)
 size 112080970
 start 40
movie (moov)
 movie header (mvhd)
..........................

Provide metadata information about the file:
$ qtinfo HowtoVideoPodcast.mov
Type: Quicktime
    album:     
  1 audio tracks.
    2 channels, 16 bits, sample rate 44100, length 6922240 samples, compressor mp4a.
    Sample format: Floating point.
    Channel setup: Front Left, Front Right
    Language: eng
    supported.
  1 video tracks.
    320x240, depth 24
    rate 29.969999 [2997:100] constant
    length 4704 frames
    compressor avc1.
    Native colormodel:  YUV 4:2:0 planar
    Interlace mode:     None (Progressive)
    Chroma placement: MPEG-2
    No timecodes available
    supported.
  0 text tracks.

Make a movie streamable - places the moov header at the start of the file:
$ qtstreamize 150504main_PIA07802.mov stream.mov
[mjpeg @ 0x6defa0] Changeing bps to 8
[core] Error: quicktime_make_streamable: moov size changed from 2149 to 2061 (Pos: 2061, start: 0)
$ ls -l
total 152724
-rw-r--r-- 1 lcl lcl   2585052 Jul 24 17:43 150504main_PIA07802.mov
-rw-r--r-- 1 lcl lcl   2585060 Jul 24 18:18 stream.mov

Parsed data before:
quicktime_dump
movie data (mdat)
 size 2582895
 start 8
movie (moov)
 movie header (mvhd)

Parsed data for stream file:
movie data (mdat)
 size 0
 start 0
movie (moov)
 movie header (mvhd)

Not my field but this looks OK to me. Don't know what the [core] error means or if it is significant. The stream.mov file plays fine with mplayer and lqtplay.

Enough of the tools.
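The atom layout that qtdump prints above (ftyp, mdat, then moov with mvhd inside) is the structure the advisory's crafted-file bugs abuse: an atom size that is not checked before it is used. As an added example, not code from libquicktime or from anyone in this thread, here is a minimal QuickTime/MP4 atom walker in Python that refuses sizes smaller than the header or larger than the enclosing range; all sample bytes are constructed inline.

```python
import struct

HEADER = 8  # 32-bit big-endian size followed by a 4-character atom type

def parse_atoms(data, offset=0, end=None):
    """Walk the atoms in data[offset:end] and return a list of
    (type, payload_offset, payload_length) tuples.

    Every size is validated against the header length and the enclosing
    range before it is used; sizes 0 and 1 get their special meanings."""
    end = len(data) if end is None else end
    atoms = []
    while offset < end:
        if end - offset < HEADER:
            raise ValueError(f"truncated atom header at offset {offset}")
        size, kind = struct.unpack_from(">I4s", data, offset)
        hdr = HEADER
        if size == 1:  # 64-bit "largesize" follows the type field
            if end - offset < HEADER + 8:
                raise ValueError(f"truncated largesize at offset {offset}")
            size = struct.unpack_from(">Q", data, offset + HEADER)[0]
            hdr = HEADER + 8
        elif size == 0:  # atom extends to the end of the enclosing range
            size = end - offset
        if size < hdr or size > end - offset:
            raise ValueError(f"bad size {size} for {kind!r} at offset {offset}")
        atoms.append((kind.decode("latin-1"), offset + hdr, size - hdr))
        offset += size
    return atoms

def atom(kind, payload=b""):
    """Build a well-formed atom with a 32-bit size (constructed test data)."""
    return struct.pack(">I4s", HEADER + len(payload), kind) + payload

# Constructed sample mirroring the qtdump layout: ftyp, mdat, moov{mvhd}
GOOD = (atom(b"ftyp", b"qt  " + b"\x00" * 4)
        + atom(b"mdat", b"\xaa" * 16)
        + atom(b"moov", atom(b"mvhd", b"\x00" * 8)))

# Constructed sample using the 64-bit size form for a 4-byte mdat payload
EXT = struct.pack(">I4s", 1, b"mdat") + struct.pack(">Q", 20) + b"\xbb" * 4

# Constructed crafted sample: moov claims 4096 bytes but the file ends after its header
BAD = atom(b"ftyp", b"qt  ") + struct.pack(">I4s", 4096, b"moov")

if __name__ == "__main__":
    for kind, off, length in parse_atoms(GOOD):
        print(f"{kind}: payload at {off}, {length} bytes")
```

Nested containers such as moov are walked by calling parse_atoms again on the payload range returned for the parent, so the same bounds check applies at every level.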
Comment 10 Len Lawrence 2017-07-25 10:26:20 CEST
This has been tested for 64-bits by three testers and there do not seem to be any problems so we should give this an OK.
Comment 11 Len Lawrence 2017-07-25 10:28:37 CEST
Validating this as well.  Sysadmins please push to updates.
Thanks.
Comment 12 Mageia Robot 2017-07-26 00:08:11 CEST
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0220.html
