openSUSE has issued an advisory today (February 24): https://lists.opensuse.org/opensuse-updates/2018-02/msg00099.html Mageia 5 and Mageia 6 are also affected.
Whiteboard: (none) => MGA6TOO
Status comment: (none) => Patches available from openSUSE
Assigning to the registered maintainer.
Assignee: bugsquad => shlomif
CC: (none) => marja11
CC: (none) => smelror
CVE: (none) => CVE-2017-11546 CVE-2017-11547
Assignee: shlomif => smelror
Advisory
========

This update fixes 2 security issues.

CVE-2017-11546: The insert_note_steps function in readmidi.c in TiMidity++ 2.14.0 allows remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted mid file. NOTE: a crash might be relevant when using the --background option.

CVE-2017-11547: The resample_gauss function in resample.c in TiMidity++ 2.14.0 allows remote attackers to cause a denial of service (heap-based buffer over-read) via a crafted mid file. NOTE: a crash might be relevant when using the --background option. NOTE: the TiMidity++ README.alsaseq documentation suggests a setuid-root installation.

References
==========
https://lists.opensuse.org/opensuse-updates/2018-02/msg00099.html
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-11546
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-11547

Files
=====
The following has been uploaded to core/updates_testing

TiMidity++-2.14.0-9.1.mga6
TiMidity++-interfaces-extra-2.14.0-9.1.mga6

from TiMidity++-2.14.0-9.1.mga6.src.rpm
An update has also been pushed to Cauldron.

The openSUSE advisory contains a PoC.

Cheers,
Stig
Assignee: smelror => qa-bugs
Whiteboard: MGA6TOO => (none)
Version: Cauldron => 6
Thanks! I added a Mageia 5 build and tested it. Reformatting advisory.

Advisory:
========================

Updated TiMidity++ packages fix security vulnerabilities:

The insert_note_steps function in readmidi.c in TiMidity++ 2.14.0 allows remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted mid file. NOTE: a crash might be relevant when using the --background option (CVE-2017-11546).

The resample_gauss function in resample.c in TiMidity++ 2.14.0 allows remote attackers to cause a denial of service (heap-based buffer over-read) via a crafted mid file. NOTE: a crash might be relevant when using the --background option. NOTE: the TiMidity++ README.alsaseq documentation suggests a setuid-root installation (CVE-2017-11547).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11546
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11547
https://lists.opensuse.org/opensuse-updates/2018-02/msg00099.html
========================

Updated packages in core/updates_testing:
========================
TiMidity++-2.14.0-6.1.mga5
TiMidity++-interfaces-extra-2.14.0-6.1.mga5
TiMidity++-2.14.0-9.1.mga6
TiMidity++-interfaces-extra-2.14.0-9.1.mga6

from SRPMS:
TiMidity++-2.14.0-6.1.mga5.src.rpm
TiMidity++-2.14.0-9.1.mga6.src.rpm

I tested the two relevant PoCs (Mageia 5 x86_64). The second played the MIDI file and didn't appear to crash, even before the update.

Before:

$ timidity timidity++_2.14.0_divide_by_zero_error.mid
Playing timidity++_2.14.0_divide_by_zero_error.mid
MIDI file: timidity++_2.14.0_divide_by_zero_error.mid
Format: 1  Tracks: 8  Divisions: 120
Floating point exception

$ timidity timidity++_2.14.0_heap_buffer_overflow.mid
Playing timidity++_2.14.0_heap_buffer_overflow.mid
MIDI file: timidity++_2.14.0_heap_buffer_overflow.mid
Format: 1  Tracks: 8  Divisions: 120
Warning: timidity++_2.14.0_heap_buffer_overflow.mid: Too shorten midi file.
Last 31 MIDI events are ignored
Playing time: ~6 seconds
Notes cut: 0
Notes lost totally: 0

After (both MIDIs play fine):

$ timidity timidity++_2.14.0_divide_by_zero_error.mid
Playing timidity++_2.14.0_divide_by_zero_error.mid
MIDI file: timidity++_2.14.0_divide_by_zero_error.mid
Format: 1  Tracks: 8  Divisions: 120
Last 13 MIDI events are ignored
Playing time: ~8 seconds
Notes cut: 0
Notes lost totally: 0

$ timidity timidity++_2.14.0_heap_buffer_overflow.mid
Playing timidity++_2.14.0_heap_buffer_overflow.mid
MIDI file: timidity++_2.14.0_heap_buffer_overflow.mid
Format: 1  Tracks: 8  Divisions: 120
Warning: timidity++_2.14.0_heap_buffer_overflow.mid: Too shorten midi file.
Last 31 MIDI events are ignored
Playing time: ~6 seconds
Notes cut: 0
Notes lost totally: 0
Status comment: Patches available from openSUSE => (none)
Whiteboard: (none) => MGA5TOO MGA5-64-OK
Advisory from comment 4.
Keywords: (none) => advisory
Created attachment 10006 [details]
3 PoCs

(In reply to Stig-Ørjan Smelror from comment #3)
> The openSUSE advisory contains a PoC.

Leads to, eventually! Attached here. The zip file contains:

poc/
poc/timidity++_2.14.0_divide_by_zero_error.mid
poc/timidity++_2.14.0_heap_buffer_overflow.mid
poc/timidity++_2.14.0_large_loop.mid

to be run:
$ timidity <filename>
Testing M6 x64

BEFORE the update:
TiMidity++-2.14.0-9.mga6
TiMidity++-interfaces-extra-2.14.0-9.mga6

$ timidity timidity++_2.14.0_divide_by_zero_error.mid
Playing timidity++_2.14.0_divide_by_zero_error.mid
MIDI file: timidity++_2.14.0_divide_by_zero_error.mid
Format: 1  Tracks: 8  Divisions: 120
Floating point exception (core dumped)

$ timidity timidity++_2.14.0_large_loop.mid
Playing timidity++_2.14.0_large_loop.mid
MIDI file: timidity++_2.14.0_large_loop.mid
Format: 1  Tracks: 8  Divisions: 120
timidity++_2.14.0_large_loop.mid: Illigal Variable-length quantity format.
No instrument mapped to drum set 0, program 0 - this instrument will not be heard
No instrument mapped to drum set 0, program 30 - this instrument will not be heard
^C

$ timidity timidity++_2.14.0_heap_buffer_overflow.mid
Playing timidity++_2.14.0_heap_buffer_overflow.mid
MIDI file: timidity++_2.14.0_heap_buffer_overflow.mid
Format: 1  Tracks: 8  Divisions: 120
Warning: timidity++_2.14.0_heap_buffer_overflow.mid: Too shorten midi file.
No instrument mapped to drum set 0, program 35 - this instrument will not be heard
Last 31 MIDI events are ignored
Playing time: ~6 seconds
Notes cut: 0
Notes lost totally: 0
As David found, no crash.

AFTER update:
TiMidity++-2.14.0-9.1.mga6
TiMidity++-interfaces-extra-2.14.0-9.1.mga6

$ timidity timidity++_2.14.0_divide_by_zero_error.mid
Playing timidity++_2.14.0_divide_by_zero_error.mid
MIDI file: timidity++_2.14.0_divide_by_zero_error.mid
Format: 1  Tracks: 8  Divisions: 120
No instrument mapped to drum set 0, program 35 - this instrument will not be heard
Last 13 MIDI events are ignored
Playing time: ~8 seconds
Notes cut: 0
Notes lost totally: 0
NO core dump, OK.

$ timidity timidity++_2.14.0_large_loop.mid
O/P identical to before, no regression.

$ timidity timidity++_2.14.0_heap_buffer_overflow.mid
O/P identical to before, no crash, regression.

OKing this update. Validating.
Whiteboard: MGA5TOO MGA5-64-OK => MGA5TOO MGA5-64-OK MGA6-64-OK
Keywords: (none) => validated_update
CC: (none) => lewyssmith, sysadmin-bugs
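A small QA harness for the before/after PoC runs in the comments above, added here as an example (not from the bug report or from TiMidity++); it assumes the three PoC .mid files from the attachment are unpacked into ./poc and that GNU coreutils `timeout` is installed:

```shell
#!/bin/sh
# Added example (not from the bug report or TiMidity++): automates the
# "before/after" PoC runs from the QA comments. Each PoC MIDI is played under a
# time limit and the run is classified as ok, crash (with the signal, e.g. the
# SIGFPE behind the "Floating point exception" seen before the update) or hang
# (as timidity++_2.14.0_large_loop.mid needed ^C). Assumes the PoC files are
# unpacked into ./poc and that GNU coreutils `timeout` is installed.

# Map an exit status to a verdict: the shell reports a signal death as
# 128 + signal number, and `timeout` reports 124 when the limit was hit.
classify_status() {
    case "$1" in
        0)   echo "ok" ;;
        124) echo "hang:timeout" ;;
        134) echo "crash:SIGABRT" ;;   # abort(), e.g. from heap checks or ASan
        136) echo "crash:SIGFPE" ;;    # divide-by-zero (CVE-2017-11546 symptom)
        139) echo "crash:SIGSEGV" ;;   # invalid memory access
        *)   echo "error:$1" ;;
    esac
}

# run_poc LIMIT_SECONDS COMMAND [ARGS...] -> prints the verdict for one run.
run_poc() {
    limit=$1; shift
    status=0
    if command -v timeout >/dev/null 2>&1; then
        timeout "$limit" "$@" >/dev/null 2>&1 || status=$?
    else
        "$@" >/dev/null 2>&1 || status=$?   # no time limit available
    fi
    classify_status "$status"
}

# check_all DIR PLAYER [ARGS...]: one verdict line per .mid file in DIR.
# Returns non-zero if any file crashed the player; a hang is reported but not
# counted, since a long-playing file is not a crash.
check_all() {
    dir=$1; shift
    crashes=0
    for f in "$dir"/*.mid; do
        v=$(run_poc 20 "$@" "$f")
        printf '%s\t%s\n' "$v" "$f"
        case "$v" in crash:*) crashes=$((crashes + 1)) ;; esac
    done
    [ "$crashes" -eq 0 ]
}

# Run once before and once after installing the update, then diff the output:
# check_all ./poc timidity
```

On a machine with no sound device, pass the player's file-output options instead, e.g. `check_all ./poc timidity -Ow -o /dev/null` (TiMidity++'s WAV output mode; an assumption about the installed player, not something the bug report tested).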
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2018-0152.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED