openSUSE has issued an advisory today (March 18): https://lists.opensuse.org/opensuse-updates/2018-03/msg00067.html Mageia 5 and Mageia 6 are also affected.
Whiteboard: (none) => MGA6TOO
Assigning to all packagers collectively, since there is no registered maintainer for this package. CC'ing two committers.
CC: (none) => balcaen.john, cjw, marja11
Assignee: bugsquad => pkg-bugs
Fedora has issued an advisory for this today (April 5): https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/ZK57C6F3KURSFSWNO7UZNEXO2BSEWJEK/
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

id3_utf16_deserialize() in utf16.c in libid3tag through 0.15.1b misparses ID3v2 tags encoded in UTF-16 with an odd number of bytes, triggering an endless loop allocating memory until an OOM condition is reached, leading to denial-of-service (DoS). (CVE-2004-2779)

field.c in the libid3tag 0.15.0b library allows context-dependent attackers to cause a denial of service (CPU consumption) via an ID3_FIELD_TYPE_STRINGLIST field that ends in '\0', which triggers an infinite loop. (CVE-2008-2109)

The id3_ucs4_length function in ucs4.c in libid3tag 0.15.1b allows remote attackers to cause a denial of service (NULL Pointer Dereference and application crash) via a crafted mp3 file. (CVE-2017-11550)

The id3_field_parse function in field.c in libid3tag 0.15.1b allows remote attackers to cause a denial of service (OOM) via a crafted MP3 file. (CVE-2017-11551)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2779
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2109
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11550
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11551
========================

Updated package in core/updates_testing:
========================
lib(64)id3tag0-0.15.1b-17.1.mga6
lib(64)id3tag-devel-0.15.1b-17.1.mga6

from SRPMS:
libid3tag-0.15.1b-17.1.mga6.src.rpm
Version: Cauldron => 6
CC: (none) => nicolas.salguero
Whiteboard: MGA6TOO => (none)
Status: NEW => ASSIGNED
Assignee: pkg-bugs => qa-bugs
Source RPM: libid3tag-0.15.1b-18.mga7.src.rpm => libid3tag-0.15.1b-17.mga6.src.rpm
Thanks Nicolas! Adding a Mageia 5 build too.

libid3tag0-0.15.1b-16.1.mga5
libid3tag-devel-0.15.1b-16.1.mga5

from libid3tag-0.15.1b-16.1.mga5.src.rpm
Whiteboard: (none) => MGA5TOO
MGA5-32 on Dell Latitude D600 Xfce

No installation issues.
what-requires shows a.o. audacity. strace on audacity shows a call to libid3tag.so.0, and audacity seems to be OK opening a .wav file.
CC: (none) => herman.viaene
Whiteboard: MGA5TOO => MGA5TOO MGA5-32-OK
Created attachment 10105
3 test files for 3/4 of the CVEs PoCs

CVE-2004-2779
no test file.

CVE-2008-2109
mp3 test file: test.mp3
https://bugs.gentoo.org/attachment.cgi?id=143861
used with madplay.
The problem occurs when parsing an ID3_FIELD_TYPE_STRINGLIST field, specifically when the data to be parsed ends with '\0'. In this case, **ptr == 0, but the condition end - *ptr is 1, so the loop continues infinitely.

CVE-2017-11550
test: http://seclists.org/fulldisclosure/2017/Jul/att-85/poc_zip.bin
I found this bug when testing mpg321 0.3.2, which uses the libid3tag library.
./mpg321 libid3tag_0.15.1b_null_pointer_dereference.mp3
Also includes the file libid3tag_0.15.1b_OOM.mp3, with no usage example.

CVE-2017-11551: same as 11550.
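The two infinite-loop CVEs above share one loop shape: an outer string-list loop that runs while `end - *ptr > 0`, and an inner deserializer that consumes only whole UTF-16 code units, so a single trailing byte is never consumed and the outer condition stays true forever. The C below is an added example written for this page, not libid3tag's code or any distribution's patch. It models only that shape, with constructed inputs, an iteration cap so the unhardened variant reports "stuck" instead of hanging, and one assumed way to guarantee progress (refusing to iterate with fewer than one code unit left, and treating a non-advancing inner call as malformed input). The names `read_utf16_string`, `count_utf16_strings`, `demo_ok` and `demo_odd` are invented here.

```c
/*
 * Added illustration for this bug report, not libid3tag code: a minimal
 * model of an ID3v2 UTF-16 string-list parser with the loop shape behind
 * CVE-2004-2779 / CVE-2008-2109. Names (read_utf16_string,
 * count_utf16_strings, demo_*) and the sample inputs are invented here.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Consume one NUL-terminated UTF-16LE string starting at *ptr, advancing
 * *ptr past the terminator. Only whole 2-byte code units are consumed,
 * so when `length` is 1 the function returns without moving *ptr at all.
 */
static void read_utf16_string(const uint8_t **ptr, size_t length)
{
    const uint8_t *end = *ptr + (length & ~(size_t)1); /* whole units only */

    while (end - *ptr > 0) {
        uint16_t cu = (uint16_t)((*ptr)[0] | ((*ptr)[1] << 8));
        *ptr += 2;
        if (cu == 0)
            break; /* terminator consumed, string complete */
    }
}

/* Cap so the unhardened loop reports "stuck" instead of spinning forever. */
#define STUCK_LIMIT 1000

/*
 * Count the strings in a string-list field of `length` bytes.
 * hardened == 0: the vulnerable shape, loop while (end - ptr > 0).
 * hardened != 0: stop when fewer than one code unit remains and treat a
 *                non-advancing inner call as malformed input.
 * Returns the count, -1 if the loop stopped making progress (unhardened),
 * or -2 for malformed input (hardened).
 */
int count_utf16_strings(const uint8_t *data, size_t length, int hardened)
{
    const uint8_t *ptr = data;
    const uint8_t *end = data + length;
    int count = 0;
    int spins = 0;

    while (end - ptr > 0) {
        const uint8_t *before = ptr;

        if (hardened && end - ptr < 2)
            break; /* a lone trailing byte cannot start a string; ignore it */

        read_utf16_string(&ptr, (size_t)(end - ptr));

        if (ptr == before) {
            /* Vulnerable shape: nothing consumed, end - ptr is still 1,
             * the condition stays true and the loop repeats forever. */
            if (hardened)
                return -2;
            if (++spins >= STUCK_LIMIT)
                return -1;
            continue;
        }
        count++;
    }
    return count;
}

/* Constructed sample inputs (not derived from the attached PoC files). */
static const uint8_t sample_ok[]  = { 'a', 0, 0, 0, 'b', 0, 0, 0 }; /* "a", "b" */
static const uint8_t sample_odd[] = { 'a', 0, 0, 0, 0 };            /* "a" + stray byte */

int demo_ok(int hardened)  { return count_utf16_strings(sample_ok,  sizeof sample_ok,  hardened); }
int demo_odd(int hardened) { return count_utf16_strings(sample_odd, sizeof sample_odd, hardened); }

int main(void)
{
    printf("well-formed list, either loop: %d strings\n", demo_ok(0));
    printf("odd-length list, vulnerable loop: %d (stuck, capped at %d iterations)\n",
           demo_odd(0), STUCK_LIMIT);
    printf("odd-length list, hardened loop: %d string(s)\n", demo_odd(1));
    return 0;
}
```

The point to take from it when reviewing a fix: the outer loop must not rely on the inner call to make progress. Either the loop condition has to exclude the leftover byte (as the hardened branch does) or the caller has to check that the pointer moved; a fix that only touches the inner deserializer is easy to get wrong for the single-byte case.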
Testing M6 x64

Other programs than Audacity to try:
- moc : Console audio player for Linux/UNIX
- mpg321 : a command-line MP3 player

BEFORE update: lib64id3tag0-0.15.1b-17.mga6
Running from the directory containing the test file.

$ mocp
Running the server...
Trying JACK...
Trying ALSA...
displayed its curses interface, and played the identical jingle of each file.

$ mpg321 libid3tag_0.15.1b_null_pointer_dereference.mp3
High Performance MPEG 1.0/2.0/2.5 Audio Player for Layer 1, 2, and 3.
Version 0.3.2-1 (2012/03/25). Written and copyrights by Joe Drew,
now maintained by Nanakos Chrysostomos and others.
Uses code from various people. See 'README' for more!
THIS SOFTWARE COMES WITH ABSOLUTELY NO WARRANTY! USE AT YOUR OWN RISK!
Segmentation fault (core dumped)

$ mpg321 libid3tag_0.15.1b_OOM.mp3
High Performance MPEG 1.0/2.0/2.5 Audio Player for Layer 1, 2, and 3.
Version 0.3.2-1 (2012/03/25). Written and copyrights by Joe Drew,
now maintained by Nanakos Chrysostomos and others.
Uses code from various people. See 'README' for more!
THIS SOFTWARE COMES WITH ABSOLUTELY NO WARRANTY! USE AT YOUR OWN RISK!
Title : ExifTool Test
Artist : Phil Harvey
Album : ����������
Year : 2005
Comment : My Comments
Genre : Testing
Playing MPEG stream from libid3tag_0.15.1b_OOM.mp3 ...
[0:00] Decoding of libid3tag_0.15.1b_OOM.mp3 finished.
but did not play anything.

$ mpg321 test.mp3
Similar to above, but played the jingle.

----------------------------------------
AFTER update to: lib64id3tag0-0.15.1b-17.1.mga6.x86_64
(note sub-version jump from comment 4).

Essentially, all results same as before - good & bad.

$ mocp
again played all 3 files OK.
$ strace mocp 2>&1 | grep libid3tag
open("/lib64/libid3tag.so.0", O_RDONLY|O_CLOEXEC) = 3

$ mpg321 libid3tag_0.15.1b_null_pointer_dereference.mp3
Same output as previously *including*:
Segmentation fault (core dumped) [Note]
$ strace mpg321 libid3tag_0.15.1b_null_pointer_dereference.mp3 2>&1 | grep libid3tag
execve("/usr/bin/mpg321", ["mpg321", "libid3tag_0.15.1b_null_pointer_d"...], 0x7ffc6685a828 /* 73 vars */) = 0
open("/lib64/libid3tag.so.0", O_RDONLY|O_CLOEXEC) = 3
open("libid3tag_0.15.1b_null_pointer_dereference.mp3", O_RDONLY) = 3

$ mpg321 libid3tag_0.15.1b_OOM.mp3
Same output as previously, again no sound.

$ mpg321 test.mp3
Same output as before, again played the jingle.
$ strace mpg321 test.mp3 2>&1 | grep libid3tag
open("/lib64/libid3tag.so.0", O_RDONLY|O_CLOEXEC) = 3

Unsure about the segfault: all one can say is 'no reversion'. Willing to OK & validate on that basis, but prefer a second opinion, hence 'feedback'.
Keywords: (none) => feedback
Sounds like CVE-2017-11550 isn't fixed from Lewis's test.
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

id3_utf16_deserialize() in utf16.c in libid3tag through 0.15.1b misparses ID3v2 tags encoded in UTF-16 with an odd number of bytes, triggering an endless loop allocating memory until an OOM condition is reached, leading to denial-of-service (DoS). (CVE-2004-2779)

field.c in the libid3tag 0.15.0b library allows context-dependent attackers to cause a denial of service (CPU consumption) via an ID3_FIELD_TYPE_STRINGLIST field that ends in '\0', which triggers an infinite loop. (CVE-2008-2109)

The id3_ucs4_length function in ucs4.c in libid3tag 0.15.1b allows remote attackers to cause a denial of service (NULL Pointer Dereference and application crash) via a crafted mp3 file. (CVE-2017-11550)

The id3_field_parse function in field.c in libid3tag 0.15.1b allows remote attackers to cause a denial of service (OOM) via a crafted MP3 file. (CVE-2017-11551)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2779
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2109
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11550
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11551
========================

Updated package in 5/core/updates_testing:
========================
lib(64)id3tag0-0.15.1b-16.2.mga5
lib(64)id3tag-devel-0.15.1b-16.2.mga5

from SRPMS:
libid3tag-0.15.1b-16.2.mga5.src.rpm

Updated package in 6/core/updates_testing:
========================
lib(64)id3tag0-0.15.1b-17.2.mga6
lib(64)id3tag-devel-0.15.1b-17.2.mga6

from SRPMS:
libid3tag-0.15.1b-17.2.mga6.src.rpm
Keywords: feedback => (none)
Whiteboard: MGA5TOO MGA5-32-OK => MGA5TOO
Thanks Nicolas! I ran Lewis's three tests with mpg321 and no segfaults or other weird behavior. Looks good on Mageia 5 x86_64.
Whiteboard: MGA5TOO => MGA5TOO MGA5-64-OK
@Nicolas
Wanting to re-do M6/64, I cannot see lib64id3tag0-0.15.1b-17.2 in updates testing, core/nonfree/tainted enabled. Tried from MCC-Update System, and:

# urpmi --search-media 'updates testing' lib64id3tag0
Pecyn lib64id3tag0-0.15.1b-17.1.mga6.x86_64 [already installed]

# urpmi --search-media 'updates testing' lib64id3tag0-0.15.1b-17.2
[No package named] lib64id3tag0-0.15.1b-17.2
CC: (none) => lewyssmith
(In reply to Lewis Smith from comment #11)
> @Nicolas
> Wanting to re-do M6/64, I cannot see lib64id3tag0-0.15.1b-17.2 in updates
> testing, core/nonfree/tainted enabled. Tried from MCC-Update System, and:
> # urpmi --search-media 'updates testing' lib64id3tag0
> Pecyn lib64id3tag0-0.15.1b-17.1.mga6.x86_64 [already installed]
>
> # urpmi --search-media 'updates testing' lib64id3tag0-0.15.1b-17.2
> [No package named] lib64id3tag0-0.15.1b-17.2

I can find those packages in some French mirrors like http://fr2.rpmfind.net
Testing M6 x64

Got the new package at last: a weekend mirror problem.
lib64id3tag0-0.15.1b-17.2.mga6

Re-running comment 7 AFTER update:

$ mocp
played all 3 files OK.

$ mpg321 libid3tag_0.15.1b_null_pointer_dereference.mp3
...
Title : ExifTool Test
Artist : Phil Harvey
Album : Phil's Greatest Hits
Year :
Comment :
Genre :
Playing MPEG stream from libid3tag_0.15.1b_null_pointer_dereference.mp3 ...
[0:00] Decoding of libid3tag_0.15.1b_null_pointer_dereference.mp3 finished.
No sound O/P, but no segfault, so *that* is cured.

$ mpg321 libid3tag_0.15.1b_OOM.mp3
...
Title : ExifTool Test
Artist : Phil Harvey
Album : ����������
Year : 2005
Comment : My Comments
Genre : Testing
Playing MPEG stream from libid3tag_0.15.1b_OOM.mp3 ...
[0:00] Decoding of libid3tag_0.15.1b_OOM.mp3 finished.
No sound, as per previous tests. But OK.

$ mpg321 test.mp3
...
Title : ��
Artist : aiko
Album : aikosingles
Year :
Comment :
Genre : JPop
Playing MPEG stream from test.mp3 ...
MPEG 1.0 layer III, 128 kbit/s, 44100 Hz joint-stereo
[0:05] Decoding of test.mp3 finished.
Played the jingle.

Update looks good. Oking, validating, advisorying.
Whiteboard: MGA5TOO MGA5-64-OK => MGA5TOO MGA5-64-OK MGA6-64-OK
Keywords: (none) => advisory, validated_update
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2018-0223.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED