Bug 22740 - libcdio new security issues CVE-2017-1819[89] and CVE-2017-18201
Summary: libcdio new security issues CVE-2017-1819[89] and CVE-2017-18201
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All
OS: Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks: 22902
Reported: 2018-03-11 14:59 CET by David Walser
Modified: 2018-04-22 21:59 CEST (History)

See Also:
Source RPM: libcdio-0.94-1.mga6.src.rpm
CVE:
Status comment:


Description David Walser 2018-03-11 14:59:07 CET
Fedora has issued an advisory on March 6:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/NHBEK7JWO4GCS73UAOQOUFGTMIIMYYTR/

The issues were fixed upstream in 1.0.0 and 2.0.0.

Mageia 5 is also affected.
David Walser 2018-03-11 14:59:24 CET

Whiteboard: (none) => MGA5TOO
Status comment: (none) => Patches available from Fedora

Comment 1 Marja Van Waes 2018-03-12 06:13:56 CET
Assigning to the registered maintainer.

QA Contact: (none) => security
Component: RPM Packages => Security
CC: (none) => marja11
Assignee: bugsquad => shlomif

Comment 2 Shlomi Fish 2018-04-13 19:53:12 CEST
2.0.0 was submitted to mga7 fixing this.
David Walser 2018-04-14 02:11:20 CEST

Blocks: (none) => 22902

Comment 3 David Walser 2018-04-14 02:15:05 CEST
Patched version also submitted by Shlomi to fix this for Mageia 6.

Advisory:
========================

Updated libcdio packages fix security vulnerabilities:

A heap corruption bug was found in the way libcdio handled processing of ISO
files. An attacker could potentially use this flaw to crash applications using
libcdio by tricking them into processing crafted ISO files, thus resulting in
local DoS (CVE-2017-18198).

A NULL pointer dereference flaw was found in the way libcdio handled processing
of ISO files. An attacker could potentially use this flaw to crash applications
using libcdio by tricking them into processing crafted ISO files
(CVE-2017-18199).

A double-free flaw was found in the way libcdio handled processing of ISO files.
An attacker could potentially use this flaw to crash applications using libcdio
by tricking them into processing crafted ISO files (CVE-2017-18201).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18198
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18199
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18201
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/NHBEK7JWO4GCS73UAOQOUFGTMIIMYYTR/
========================

Updated packages in core/updates_testing:
========================
libcdio-apps-0.94-1.1.mga6
libcdio16-0.94-1.1.mga6
libcdio-devel-0.94-1.1.mga6
libcdio-static-devel-0.94-1.1.mga6
libiso9660_10-0.94-1.1.mga6
libcdio++0-0.94-1.1.mga6
libudf0-0.94-1.1.mga6

from libcdio-0.94-1.1.mga6.src.rpm

CC: (none) => shlomif
Whiteboard: MGA5TOO => (none)
Assignee: shlomif => qa-bugs
Status comment: Patches available from Fedora => (none)

Comment 4 Len Lawrence 2018-04-15 19:18:18 CEST
Mageia 6, x86_64

Pre-updates:

CVE-2017-18198
PoC at https://savannah.gnu.org/bugs/?52265
$ iso-info -i cdio.print_iso9660_recurse.iso-info.257.crash
This output information about the file.  It was punctuated by many 'broken byte order' messages and ended with
++ WARN: Bad directory information for 0000000000000000000000000
Error getting above directory information

CVE-2017-18199
PoC at https://savannah.gnu.org/bugs/?52264
$ iso-info -i cdio.realloc_symlink.rock.69.crash
....................................
ISO 9660 image: cdio.realloc_symlink.rock.69.crash
System      : LINUX
Volume      : CDROM
Volume Set  :                                                                                                                 ����
No Joliet extensions
__________________________________
ISO-9660 Information
++ WARN: from_733: broken byte order
++ WARN: Symlink component flag not implemented
Segmentation fault (core dumped)

CVE-2017-18201
No PoC file is available, but https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=887640 talks about running cd-info with commercial music CDs and gdb.  I tried a Cyndi Lauper disk without gdb and saw only normal information - no aborts or double-free errors.
A valgrind report looked clean; tail-end:

==5875== HEAP SUMMARY:
==5875==     in use at exit: 0 bytes in 0 blocks
==5875==   total heap usage: 4,503 allocs, 4,503 frees, 511,229 bytes allocated
==5875== 
==5875== All heap blocks were freed -- no leaks are possible
==5875== 
==5875== For counts of detected and suppressed errors, rerun with: -v
==5875== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)

------------------------------------------------------------------------------

Updated the packages:

- lib64cdio++0-0.94-1.1.mga6.x86_64
- lib64cdio-devel-0.94-1.1.mga6.x86_64
- lib64cdio-static-devel-0.94-1.1.mga6.x86_64
- lib64cdio16-0.94-1.1.mga6.x86_64
- lib64iso9660_10-0.94-1.1.mga6.x86_64
- lib64udf0-0.94-1.1.mga6.x86_64
- libcdio-apps-0.94-1.1.mga6.x86_64

CVE-2017-18198
$ iso-info -i cdio.print_iso9660_recurse.iso-info.257.crash
Returned a much shorter report with a more precise error message:
ISO-9660 Information
++ WARN: from_733: broken byte order
++ WARN: Invalid directory stat at offset 212
Error getting above directory information

That looks like a good result.

CVE-2017-18199
$ iso-info -i cdio.realloc_symlink.rock.69.crash

Again, a terse report ending with this:
ISO-9660 Information
++ WARN: from_733: broken byte order
++ WARN: Invalid directory stat at offset 0
Error getting above directory information

No segfault, so this is good.

$ cd-info /dev/sr0
worked as before ending with a full track listing.

Not sure how to test functionality of the libraries other than obtaining reports.

$ iso-info -i Mageia-5.1-i586-DVD.iso
This generated a complete listing of all the files contained in the iso file, 4441 lines.

ISO 9660 image: Mageia-5.1-i586-DVD.iso
Application : Mageia 5.1
Preparer    : Mageia BCD
Publisher   : Mageia
System      : Mageia
Volume      : Mageia-5.1-i586
Volume Set  : Mageia 5.1 - i586 DVD
Joliet Level: 3
__________________________________
ISO-9660 Information
       80 /autorun.inf
     2048 /boot.catalog
     2048 /dosutils
.......................
    38360 /isolinux/welcome.jpg
    12735 /isolinux/xh.hlp
    11597 /isolinux/zh_CN.hlp
    10644 /isolinux/zh_TW.hlp
 27351224 /isolinux/i386/all.rdz
  4374752 /isolinux/i386/vmlinuz

Hoping this is enough for an OK.

CC: (none) => tarazed25
Whiteboard: (none) => MGA6-64-OK
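The pre-update runs in comment 4 show iso-info walking crafted images whose directory records and both-endian length fields are inconsistent ("from_733: broken byte order", "Bad directory information"), and the patched build refusing them with "Invalid directory stat". The walker below is an added example written for this page; it is not libcdio code, not part of the Mageia packages, and does not reproduce any of the three CVEs. It parses the ISO 9660 primary volume descriptor and directory records with explicit record-length, identifier-length, extent-range, byte-order, cycle and nesting-depth checks, and returns an error tuple instead of faulting. The 20-sector image it lists (a root directory holding AUTORUN.INF and a BOOT subdirectory) is constructed in memory, and the helper names (`list_image`, `build_image`, `_dir_record`) are the example's own, not libcdio API.

```python
"""Defensive ISO 9660 directory walker (added example, not libcdio code): both-endian
field checks, record bounds checks, and cycle/depth limits on a constructed image."""
import struct

SECTOR, PVD_SECTOR = 2048, 16


class IsoError(ValueError):
    """Malformed image structure; raised instead of reading past it."""


def from_733(b):
    """ECMA-119 'both-endian' 32-bit field: value as 4 bytes LE, then as 4 bytes BE.
    Returns (value, halves_agree); libcdio warns 'from_733: broken byte order' if not."""
    le, be = struct.unpack("<I", b[:4])[0], struct.unpack(">I", b[4:8])[0]
    return le, le == be


def parse_dir_record(data, off):
    """Record at data[off:]; None on the zero byte that pads a sector, IsoError on overrun."""
    rec_len = data[off]
    if rec_len == 0:
        return None
    if rec_len < 33 or off + rec_len > len(data):
        raise IsoError(f"record at offset {off}: bad length {rec_len}")
    extent, ok_ext = from_733(data[off + 2:off + 10])
    size, ok_size = from_733(data[off + 10:off + 18])
    len_fi = data[off + 32]
    if 33 + len_fi > rec_len:
        raise IsoError(f"record at offset {off}: identifier overruns record")
    return {"len": rec_len, "extent": extent, "size": size, "is_dir": bool(data[off + 25] & 2),
            "name": bytes(data[off + 33:off + 33 + len_fi]), "byte_order_ok": ok_ext and ok_size}


def walk(image, extent, size, path="/", ancestors=frozenset(), max_depth=16):
    """(size, path) for everything under the directory at `extent`. Extents outside the
    image, already on the current path (a cycle), or nested too deep raise IsoError."""
    if len(ancestors) >= max_depth:
        raise IsoError(f"nesting deeper than {max_depth} at {path}")
    if extent in ancestors:
        raise IsoError(f"directory cycle: extent {extent} again at {path}")
    start = extent * SECTOR
    if size == 0 or size % SECTOR or start + size > len(image):
        raise IsoError(f"{path}: extent {extent}, size {size} outside image")
    data, entries, off = image[start:start + size], [], 0
    while off < len(data):
        rec = parse_dir_record(data, off)
        if rec is None:                         # zero padding: jump to next sector
            off = (off // SECTOR + 1) * SECTOR
            continue
        off += rec["len"]
        if rec["name"] in (b"\x00", b"\x01"):   # "." and ".." entries
            continue
        name = rec["name"].decode("ascii", "replace").split(";")[0]
        full = path + name + ("/" if rec["is_dir"] else "")
        entries.append((rec["size"], full))
        if rec["is_dir"]:
            entries += walk(image, rec["extent"], rec["size"], full,
                            ancestors | {extent}, max_depth)
    return entries


def read_pvd(image):
    """Primary volume descriptor at sector 16: volume identifier and root record."""
    pvd = image[PVD_SECTOR * SECTOR:(PVD_SECTOR + 1) * SECTOR]
    if len(pvd) < SECTOR or pvd[0] != 1 or pvd[1:6] != b"CD001":
        raise IsoError("no primary volume descriptor at sector 16")
    return {"volume": pvd[40:72].decode("ascii", "replace").rstrip(),
            "root": parse_dir_record(pvd[156:190], 0)}


def list_image(image):
    """iso-info-style listing: ("ok", entries) or ("error", message), never a crash."""
    try:
        root = read_pvd(image)["root"]
        return "ok", walk(image, root["extent"], root["size"])
    except (IsoError, IndexError, struct.error) as e:
        return "error", str(e)


def _dir_record(extent, size, name, is_dir):
    """Encode one directory record (constructed test data, not from a real disc)."""
    be32 = lambda v: struct.pack("<I", v) + struct.pack(">I", v)
    rec_len = 33 + len(name) + (len(name) + 1) % 2   # records are padded to even length
    body = (bytes([rec_len, 0]) + be32(extent) + be32(size) + bytes(7)
            + bytes([0x02 if is_dir else 0, 0, 0]) + b"\x01\x00\x00\x01"
            + bytes([len(name)]) + name)
    return body.ljust(rec_len, b"\0")


def build_image(boot_points_to_root=False):
    """Constructed 20-sector image: PVD at 16, terminator at 17, root at 18, /BOOT at 19.
    With boot_points_to_root=True the /BOOT record points back at the root directory."""
    root_ext, boot_ext = 18, 19
    pvd, term = bytearray(SECTOR), bytearray(SECTOR)
    pvd[0], pvd[1:6], pvd[6] = 1, b"CD001", 1
    term[0], term[1:6], term[6] = 255, b"CD001", 1
    pvd[40:72] = b"CDROM".ljust(32)
    pvd[156:190] = _dir_record(root_ext, SECTOR, b"\x00", True)
    root = (_dir_record(root_ext, SECTOR, b"\x00", True)
            + _dir_record(root_ext, SECTOR, b"\x01", True)
            + _dir_record(0, 80, b"AUTORUN.INF;1", False)
            + _dir_record(root_ext if boot_points_to_root else boot_ext,
                          SECTOR, b"BOOT", True))
    boot = (_dir_record(boot_ext, SECTOR, b"\x00", True)
            + _dir_record(root_ext, SECTOR, b"\x01", True)
            + _dir_record(0, 2048, b"VMLINUZ;1", False))
    return bytes(bytearray(16 * SECTOR) + pvd + term
                 + root.ljust(SECTOR, b"\0") + boot.ljust(SECTOR, b"\0"))
```

`list_image(build_image())` lists the three entries; `list_image(build_image(boot_points_to_root=True))` returns an error naming the directory cycle rather than recursing until the stack is exhausted. To try it against a real image, read the file into `bytes` and pass it to `list_image`; any structurally invalid record comes back as an error string.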

Len Lawrence 2018-04-17 23:56:40 CEST

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Lewis Smith 2018-04-22 20:46:41 CEST

Keywords: (none) => advisory

Comment 5 Mageia Robot 2018-04-22 21:59:57 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0209.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED
