Bug 21706 - mp3gain new security issues CVE-2017-1440[6-9] and CVE-2017-1441[0-2]
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6-32-OK MGA6-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2017-09-14 11:58 CEST by David Walser
Modified: 2020-04-20 16:51 CEST

See Also:
Source RPM: mp3gain-1.5.2-8.mga6.src.rpm
CVE:
Status comment:



David Walser 2017-09-14 11:58:45 CEST

Whiteboard: (none) => MGA6TOO, MGA5TOO

Comment 1 David Walser 2017-12-29 01:48:56 CET
No fixes, so no update for Mageia 5.

Whiteboard: MGA6TOO, MGA5TOO => MGA6TOO

Comment 2 Marc Krämer 2018-01-11 23:28:10 CET
rgain is a python package (https://pypi.python.org/pypi/rgain). 
Since mp3gain is hard to fix and we move to rgain, this should be assigned to python maintainers.

CC: (none) => mageia

David Walser 2018-02-02 18:18:04 CET

Status comment: (none) => Probably won't be fixed, package should be dropped/replaced

Comment 3 Stig-Ørjan Smelror 2018-02-23 20:49:26 CET
(In reply to Marc Krämer from comment #2)
> rgain is a python package (https://pypi.python.org/pypi/rgain). 
> Since mp3gain is hard to fix and we move to rgain, this should be assigned
> to python maintainers.

Looks like rgain isn't getting any TLC either.
https://bitbucket.org/fk/rgain/issues/26/wanted-new-maintainer

Cheers,
Stig

CC: (none) => smelror

Comment 4 Mike Rambo 2018-07-24 17:37:31 CEST
Updated packages uploaded for cauldron and Mageia 6.

Advisory:
========================

Updated mp3gain package fixes security vulnerabilities:

A NULL pointer dereference was discovered in sync_buffer in interface.c in mpglibDBL, as used in MP3Gain version 1.5.2. The vulnerability causes a segmentation fault and application crash, which leads to remote denial of service (CVE-2017-14406).

A stack-based buffer over-read was discovered in filterYule in gain_analysis.c in MP3Gain version 1.5.2. The vulnerability causes an application crash, which leads to remote denial of service (CVE-2017-14407).

A stack-based buffer over-read was discovered in dct36 in layer3.c in mpglibDBL, as used in MP3Gain version 1.5.2. The vulnerability causes an application crash, which leads to remote denial of service (CVE-2017-14408).

A buffer overflow was discovered in III_dequantize_sample in layer3.c in mpglibDBL, as used in MP3Gain version 1.5.2. The vulnerability causes an out-of-bounds write, which leads to remote denial of service or possibly code execution (CVE-2017-14409).

A buffer over-read was discovered in III_i_stereo in layer3.c in mpglibDBL, as used in MP3Gain version 1.5.2. The vulnerability causes an application crash, which leads to remote denial of service (CVE-2017-14410).

A stack-based buffer overflow was discovered in copy_mp in interface.c in mpglibDBL, as used in MP3Gain version 1.5.2. The vulnerability causes an out-of-bounds write, which leads to remote denial of service or possibly code execution (CVE-2017-14411).

An invalid memory write was discovered in copy_mp in interface.c in mpglibDBL, as used in MP3Gain version 1.5.2. The vulnerability causes a denial of service (segmentation fault and application crash) or possibly unspecified other impact (CVE-2017-14412).

Buffer overflow in the WriteMP3GainAPETag function in apetag.c in mp3gain through 1.5.2-r2 allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact (CVE-2018-10777).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14406
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14407
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14408
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14409
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14410
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14411
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14412
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10777
https://sourceforge.net/p/mp3gain/bugs/40/
https://sourceforge.net/p/mp3gain/bugs/41/
https://sourceforge.net/p/mp3gain/bugs/43/
========================

Updated packages in core/updates_testing:
========================
mp3gain-1.6.2-1.mga6

from mp3gain-1.6.2-1.mga6.src.rpm

Version: Cauldron => 6
Assignee: pkg-bugs => qa-bugs
Status comment: Probably won't be fixed, package should be dropped/replaced => (none)
CC: (none) => mrambo
Whiteboard: MGA6TOO => (none)

Comment 5 Herman Viaene 2018-07-27 12:04:21 CEST
MGA6-32 MATE on IBM Thinkpad R50e
No installation issues
Created two mp3 files from wav's using audacity. The wav's come from an old Philips audio cassette.
At CLI
$ mp3gain -x 01\ Welington\'s\ Sieg.mp3 
01 Welington's Sieg.mp3
Recommended "Track" dB change: -0.650000         
Recommended "Track" mp3 gain change: 0
WARNING: some clipping may occur with this gain change!
Max PCM sample at current gain: 32819.066763
Max mp3 global gain field: 210
Min mp3 global gain field: 144


Recommended "Album" dB change for all files: -1.430000
Recommended "Album" mp3 gain change for all files: -1
and
$ mp3gain -x 02\ Zapfenstreich.mp3 
02 Zapfenstreich.mp3
Recommended "Track" dB change: -3.970000         
Recommended "Track" mp3 gain change: -3
Max PCM sample at current gain: 32481.402828
Max mp3 global gain field: 210
Min mp3 global gain field: 147


Recommended "Album" dB change for all files: -1.430000
Recommended "Album" mp3 gain change for all files: -1
and 
$ mp3gain -r 01\ Welington\'s\ Sieg.mp3 02\ Zapfenstreich.mp3 
01 Welington's Sieg.mp3
No changes to 01 Welington's Sieg.mp3 are necessary
02 Zapfenstreich.mp3
Applying mp3 gain change of -3 to 02 Zapfenstreich.mp3...

Played mp3's again then, but could not really tell if there was a noticeable change.
At least it didn't spoil anything.

Whiteboard: (none) => MGA6-32-OK
CC: (none) => herman.viaene

Comment 6 Len Lawrence 2018-07-28 20:51:24 CEST
For what it is worth I AM following up the PoCs for 64-bits.

CC: (none) => tarazed25

Comment 7 Len Lawrence 2018-07-28 21:40:41 CEST
In the light of what has been already said, e.g. http://openwall.com/lists/oss-security/2017/09/14/9, it does not look worthwhile to follow up the PoCs.

Just repeating Herman's tests for 64-bits.

Before update:
$ mp3gain LaProcession.mp3
LaProcession.mp3
Recommended "Track" dB change: -4.060000         
Recommended "Track" mp3 gain change: -3
Max PCM sample at current gain: 28658.739531
Max mp3 global gain field: 210
Min mp3 global gain field: 84
Recommended "Album" dB change for all files: -4.060000
Recommended "Album" mp3 gain change for all files: -3

Clean update.
$ mp3gain -x LaProcession.mp3
LaProcession.mp3
Recommended "Track" dB change: -4.060000         
Recommended "Track" mp3 gain change: -3
Max PCM sample at current gain: 28657.854365
Max mp3 global gain field: 210
Min mp3 global gain field: 84
Recommended "Album" dB change for all files: -4.060000
Recommended "Album" mp3 gain change for all files: -3

which is almost the same.

$ mp3gain -r LaProcession.mp3 ElBarberilloDoLavaples.mp3
LaProcession.mp3
Applying mp3 gain change of -3 to LaProcession.mp3...
ElBarberilloDoLavaples.mp3                         
Applying mp3 gain change of -1 to ElBarberilloDoLavaples.mp3...

Played those two tracks in mplayer and they sounded fine.

OK for 64-bits.

Comment 8 Brian Rockwell 2018-07-28 21:55:27 CEST
$ uname -a
Linux localhost 4.14.56-desktop-1.mga6 #1 SMP Mon Jul 16 19:36:06 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux


The following package is going to be installed:

- mp3gain-1.6.2-1.mga6.x86_64

40KB of disk space will be freed.

51KB of packages will be retrieved.


$ mp3gain -v
mp3gain version 1.6.2


$ mp3gain begin.mp3 begin_louder.mp3
begin.mp3
Delaying a frame in decoding with old libmpg123.
Recommended "Track" dB change: -2.580000         
Recommended "Track" mp3 gain change: -2
Max PCM sample at current gain: 33657.394531
Max mp3 global gain field: 255
Min mp3 global gain field: 129

begin_louder.mp3
Can't open begin_louder.mp3 for reading

Recommended "Album" dB change for all files: -2.580000
Recommended "Album" mp3 gain change for all files: -2

seemed to work and handled the error well

Next I cranked up the mp3 a bunch

$ mp3gain -g 7 begin.mp3 begin_louder.mp3
Applying gain change of 7 to begin.mp3...
                                                   
done
Applying gain change of 7 to begin_louder.mp3...

Can't open begin_louder.mp3 for modifying



----

Oh yeah that's much louder

Working as designed.

Whiteboard: MGA6-32-OK => MGA6-32-OK MGA6-64-OK
CC: (none) => brtians1

Len Lawrence 2018-07-29 09:24:36 CEST

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Thomas Backlund 2018-08-10 15:24:29 CEST

Keywords: (none) => advisory
CC: (none) => tmb

Comment 9 Mageia Robot 2018-08-10 16:39:18 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0326.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

Comment 10 David Walser 2020-04-20 16:51:15 CEST
This update also fixed CVE-2017-12911:
https://lists.opensuse.org/opensuse-updates/2020-04/msg00085.html
