openSUSE has issued an advisory tomorrow (July 7): https://lists.opensuse.org/opensuse-updates/2017-07/msg00035.html Freeze push requested for Cauldron. Mageia 5 is also affected.
Assigning to all packagers collectively, since there is no registered maintainer for this package.
CC: (none) => marja11
Assignee: bugsquad => pkg-bugs
Advisory:
========================

Updated libquicktime packages fix security vulnerabilities:

A DoS in quicktime_read_moov function in moov.c via a crafted mp4 file was fixed (CVE-2017-9122).

An invalid memory read in lqt_frame_duration via a crafted mp4 file was fixed (CVE-2017-9123).

A NULL pointer dereference in quicktime_match_32 via a crafted mp4 file was fixed (CVE-2017-9124).

A DoS in lqt_frame_duration function in lqt_quicktime.c via crafted mp4 file was fixed (CVE-2017-9125).

A heap-based buffer overflow in quicktime_read_dref_table via a crafted mp4 file was fixed (CVE-2017-9126).

A heap-based buffer overflow in quicktime_user_atoms_read_atom via a crafted mp4 file was fixed (CVE-2017-9127).

A heap-based buffer over-read in quicktime_video_width via a crafted mp4 file was fixed (CVE-2017-9128).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9122
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9123
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9124
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9125
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9126
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9127
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9128
https://lists.opensuse.org/opensuse-updates/2017-07/msg00035.html
========================

Updated packages in core/updates_testing:
========================
libquicktime-1.2.4-10.2.mga5
libquicktime0-1.2.4-10.2.mga5
libquicktime-devel-1.2.4-10.2.mga5
libquicktime-dv-1.2.4-10.2.mga5
libquicktime-progs-1.2.4-10.2.mga5

from libquicktime-1.2.4-10.2.mga5.src.rpm
Assignee: pkg-bugs => qa-bugs
$ uname -a
Linux localhost 4.4.74-desktop586-1.mga5 #1 SMP Mon Jun 26 07:48:29 UTC 2017 i686 i686 i686 GNU/Linux

okay - looked up what uses libquicktime utilities. I found the mjpegtools is listed as using libquicktime.

I pulled up an AVI and edited it with $ glav utility to edit a grand canyon video from my camera.

$ glav CIMG0530.AVI

I did some edits and saved them. Next I converted it to a new format.

$ lavtrans -o gc.qt -f q edited_grand_canyon.AVI

I was able to view the qc.qt output file.

works as designed from what I can tell.
CC: (none) => brtians1
Whiteboard: (none) => mga5-32-ok
Whiteboard: mga5-32-ok => mga5-32-ok advisory
CC: (none) => lewyssmith
Prior to testing x64.

1. Package query
After updating from Updates Testing, the result is:
lib64quicktime0-1.2.4-10.2.mga5
libquicktime-1.2.4-10.2.mga5
libquicktime-progs-1.2.4-10.2.mga5
libquicktime-x264-1.2.4-10.1.mga5.tainted
libquicktime-faad-1.2.4-10.1.mga5.tainted
libquicktime-lame-1.2.4-10.1.mga5.tainted
Should the x264, faad and lame pkgs remain at their previous version, or be part of this update?

2. This is one of those complicated ensembles:
* libquicktime "is a library for reading and writing QuickTime files".
* lib64quicktime0 [same description].
* libquicktime-progs "Useful tools to operate at QuickTime files"

Ignoring Codec specific pkgs, the hierarchy is:
Whatrequires libquicktime: libquicktime-progs
Whatrequires lib64quicktime0: dvgrab libquicktime libquicktime-progs mjpegtools transcode
=>
libquicktime-progs-|
                   |-libquicktime----|
dvgrab-------------|
mjpegtools---------|
transcode----------|
                                     |-lib64quicktime0

The programs in 'progs':
lqtplay - simple quicktime movie player for X11 [has man page]
lqtremux, lqt_transcode, qt2text, qt2text, qtdechunk, qtdump, qtinfo, qtrechunk, qtstreamize, qtyuv4toyuv: have no man pages, command alone shows usage but seldom what it does!

It helps to have a Quicktime movie file to play with (I searched briefly in vain); and have some competence in this field, although 'lqtplay' looks good for anyone.
@Lewis: comment 4 The MOV format was developed by Apple for Quicktime but I am not sure that a MOV file is essential for this test. I have several lying about (NASA websites often publish short MOV files). So, I could run this for mga6 and maybe mga5 32bit. It would probably break copyright if I were to attach any of the MOV files I have here and the links are long gone.
CC: (none) => tarazed25
CC: (none) => wilcal.int
My mistake. Does not affect mga6.
In VirtualBox, M5.1, KDE, 64-bit

Canon cameras produce quicktime ( mov ) videos
https://en.wikipedia.org/wiki/QuickTime_File_Format
Probably one of the more popular formats.
canon.mov was shot on my Canon camera.

Attempt to run glav on a quicktime video:
[wilcal@localhost video_test]$ glav canon.mov
++: [codecinfo] Error: Cannot open plugin directory /usr/lib64/libquicktime (forgot make install?)
++: [codecs] Warning: Could not find audio Decoder for fourcc sowt
++: [codecs] Warning: quicktime_decode_audio_stub called
++: [codecs] Warning: Could not find video Decoder for fourcc avc1
++: [codecs] Warning: quicktime_decode_video_stub called
++: [codecs] Warning: quicktime_delete_stub called
++: [codecs] Warning: quicktime_delete_stub called
++: **ERROR: [lavplay] Error opening canon.mov
++: lavtools version 2.0.0

Package(s) installed and under test:
libquicktime libquicktime-dv libquicktime-progs libquicktime0 glibc-devel lib64zlib-devel

[root@localhost wilcal]# urpmi libquicktime
Package libquicktime-1.2.4-10.1.mga5.tainted.x86_64 is already installed
[root@localhost wilcal]# urpmi libquicktime-dv
Package libquicktime-dv-1.2.4-10.1.mga5.tainted.x86_64 is already installed
[root@localhost wilcal]# urpmi libquicktime-progs
Package libquicktime-progs-1.2.4-10.1.mga5.tainted.x86_64 is already installed
[root@localhost wilcal]# urpmi libquicktime0
Package libquicktime0-1.2.4-10.1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi glibc-devel
Package glibc-devel-2.20-25.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi lib64zlib-devel
Package lib64zlib-devel-1.2.8-7.1.mga5.x86_64 is already installed

Attempt to run a quicktime video with glav:
[wilcal@localhost video_test]$ glav canon.mov
++: **ERROR: [lavplay] Error opening canon.mov
++: lavtools version 2.0.0

VLC and OpenShot do not need play/edit mov videos.

Running out of time this morning and will get back to this later today.
[root@localhost wilcal]# urpmq --whatrequires libquicktime
libquicktime
libquicktime-dv
libquicktime-dv
libquicktime-dv
libquicktime-dv
libquicktime-dv
libquicktime-dv
libquicktime-faad
libquicktime-faad
libquicktime-lame
libquicktime-lame
libquicktime-progs
libquicktime-progs
libquicktime-progs
libquicktime-progs
libquicktime-progs
libquicktime-progs
libquicktime-x264
libquicktime-x264
Just adding a third opinion for x86_64.

mga5
Installed the updates as listed.
$ rpm -qa | grep quicktime | grep 10.2
libquicktime-progs-1.2.4-10.2.mga5
libquicktime-dv-1.2.4-10.2.mga5
libquicktime-1.2.4-10.2.mga5
lib64quicktime-devel-1.2.4-10.2.mga5
lib64quicktime0-1.2.4-10.2.mga5

There are some tainted packages already, like libquicktime-lame-1.2.4-10.1.mga5.tainted which are filtered out.
@lewis: we can probably ignore them on this update.

$ lqtplay 150504main_PIA07802.mov
Type: Quicktime
0 audio tracks.
1 video tracks.
760x420, depth 24
..................

lqtplay had no trouble with MOV files from other sources: PragmaticProgrammers screencast, FrenchMaidTV, NASA/Cassini
It also played MP4 files.

Some of the tools :-

Extract text strings:
$ qt2text rmp-4.mov
Time: 0 (0.000000 seconds), Duration: 6771 (67.710000 seconds), String: "Intro"
Time: 6771 (67.710000 seconds), Duration: 42612 (426.120000 seconds), String: "instance_eval"
Time: 49383 (493.830000 seconds), Duration: 29303 (293.030000 seconds), String: "class_eval"
..........................
Time: 167107 (1671.070000 seconds), Duration: 6543 (65.430000 seconds), String: "Wrap Up"

Parse the file contents:
$ qtdump cassini20080814-1280.mov > dump
$ less dump
quicktime_dump
ftyp
 major brand: qt
 minor version: 20050300
 compatible brands: qt ^@^@^@^@ ^@^@^@^@ ^@^@^@^@
movie data (mdat)
 size 112080970
 start 40
movie (moov)
 movie header (mvhd)
..........................

Provide metadata information about the file:
$ qtinfo HowtoVideoPodcast.mov
Type: Quicktime
album:
1 audio tracks.
2 channels, 16 bits, sample rate 44100, length 6922240 samples, compressor mp4a.
Sample format: Floating point.
Channel setup: Front Left, Front Right
Language: eng
supported.
1 video tracks.
320x240, depth 24
rate 29.969999 [2997:100] constant
length 4704 frames
compressor avc1.
Native colormodel: YUV 4:2:0 planar
Interlace mode: None (Progressive)
Chroma placement: MPEG-2
No timecodes available
supported.
0 text tracks.
Make a movie streamable - places the moov header at the start of the file:
$ qtstreamize 150504main_PIA07802.mov stream.mov
[mjpeg @ 0x6defa0] Changeing bps to 8
[core] Error: quicktime_make_streamable: moov size changed from 2149 to 2061 (Pos: 2061, start: 0)
$ ls -l
total 152724
-rw-r--r-- 1 lcl lcl 2585052 Jul 24 17:43 150504main_PIA07802.mov
-rw-r--r-- 1 lcl lcl 2585060 Jul 24 18:18 stream.mov

Parsed data before:
quicktime_dump
movie data (mdat)
 size 2582895
 start 8
movie (moov)
 movie header (mvhd)

Parsed data for stream file:
movie data (mdat)
 size 0
 start 0
movie (moov)
 movie header (mvhd)

Not my field but this looks OK to me. Don't know what the [core] error means or if it is significant. The stream.mov file plays fine with mplayer and lqtplay.

Enough of the tools.
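Added example (not part of this bug thread and not libquicktime's code): the comment above says qtstreamize places the moov header at the start of the file, and the advisory concerns crafted mp4 input. This C sketch walks the top-level atoms of an in-memory file, reports whether moov precedes mdat, and rejects any atom whose declared size runs past the data present. The names scan_atoms and ATOMS_* and the sample bytes are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical result codes for this example. */
enum { ATOMS_BAD = -1, ATOMS_NO_MOOV, ATOMS_MOOV_FIRST, ATOMS_MDAT_FIRST };

static uint64_t be_read(const uint8_t *p, int n) {   /* big-endian integer */
    uint64_t v = 0;
    while (n--) v = (v << 8) | *p++;
    return v;
}

/* Walk top-level atoms; each declared size is checked against bytes present. */
int scan_atoms(const uint8_t *buf, size_t len) {
    size_t pos = 0;
    int idx = 0, moov = -1, mdat = -1;
    while (pos < len) {
        size_t left = len - pos, hdr = 8;
        if (left < 8) return ATOMS_BAD;              /* truncated header */
        uint64_t size = be_read(buf + pos, 4);
        if (size == 0) size = left;                  /* atom runs to end of file */
        if (size == 1) {                             /* 64-bit size follows type */
            if (left < 16) return ATOMS_BAD;
            size = be_read(buf + pos + 8, 8);
            hdr = 16;
        }
        if (size < hdr || size > left) return ATOMS_BAD;
        if (moov < 0 && !memcmp(buf + pos + 4, "moov", 4)) moov = idx;
        if (mdat < 0 && !memcmp(buf + pos + 4, "mdat", 4)) mdat = idx;
        pos += (size_t)size;
        idx++;
    }
    if (moov < 0) return ATOMS_NO_MOOV;
    return (mdat < 0 || moov < mdat) ? ATOMS_MOOV_FIRST : ATOMS_MDAT_FIRST;
}

/* Constructed sample files: atom headers plus a 4-byte mdat payload. */
static const uint8_t MDAT_FIRST[] = {
    0,0,0,12,'m','d','a','t',1,2,3,4, 0,0,0,8,'m','o','o','v' };
static const uint8_t STREAMABLE[] = {
    0,0,0,8,'m','o','o','v', 0,0,0,12,'m','d','a','t',1,2,3,4 };
static const uint8_t OVERSIZED[] = { 0,0,16,0,'m','d','a','t',1,2,3,4 }; /* claims 4096 */

int main(void) {
    printf("%d %d %d\n", scan_atoms(MDAT_FIRST, sizeof MDAT_FIRST),
           scan_atoms(STREAMABLE, sizeof STREAMABLE), scan_atoms(OVERSIZED, sizeof OVERSIZED));
    return 0;
}
```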
This has been tested for 64-bits by three testers and there do not seem to be any problems so we should give this an OK.
Whiteboard: mga5-32-ok advisory => mga5-32-ok advisory MGA5-64-OK
Validating this as well. Sysadmins please push to updates. Thanks.
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2017-0220.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED