Fedora has issued an advisory on March 20: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/Z65NZJOBGTBW6Y3JD3IX5GIEKCRY7DQD/ Mageia 5 and Mageia 6 are also affected.
Whiteboard: (none) => MGA6TOO
Assigning to all packagers collectively, since there is no registered maintainer for this package. CC'ing ns80
Assignee: bugsquad => pkg-bugs
CC: (none) => marja11, nicolas.salguero
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

The readString function in util/read.c and util/old/read.c in libming 0.4.8 allows remote attackers to cause a denial of service via a large file that is mishandled by listswf, listaction, etc. This occurs because of an integer overflow that leads to a memory allocation error. (CVE-2017-8782)

The readEncUInt30 function in util/read.c in libming 0.4.8 mishandles memory allocation. A crafted input will lead to a remote denial of service (NULL pointer dereference) attack against parser.c. (CVE-2017-9988)

util/outputtxt.c in libming 0.4.8 mishandles memory allocation. A crafted input will lead to a remote denial of service (NULL pointer dereference) attack. (CVE-2017-9989)

A heap-based buffer over-read was found in the function decompileIF in util/decompile.c in Ming 0.4.8, which allows attackers to cause a denial of service via a crafted file. (CVE-2017-11704)

A heap-based buffer over-read was found in the function OpCode (called from decompileSETMEMBER) in util/decompile.c in Ming 0.4.8, which allows attackers to cause a denial of service via a crafted file. (CVE-2017-11728)

A heap-based buffer over-read was found in the function OpCode (called from decompileINCR_DECR line 1440) in util/decompile.c in Ming 0.4.8, which allows attackers to cause a denial of service via a crafted file. (CVE-2017-11729)

A heap-based buffer over-read was found in the function OpCode (called from decompileINCR_DECR line 1474) in util/decompile.c in Ming 0.4.8, which allows attackers to cause a denial of service via a crafted file. (CVE-2017-11730)

An invalid memory read vulnerability was found in the function OpCode (called from isLogicalOp and decompileIF) in util/decompile.c in Ming 0.4.8, which allows attackers to cause a denial of service via a crafted file. (CVE-2017-11731)

A heap-based buffer overflow vulnerability was found in the function dcputs (called from decompileIMPLEMENTS) in util/decompile.c in Ming 0.4.8, which allows attackers to cause a denial of service via a crafted file. (CVE-2017-11732)

A null pointer dereference vulnerability was found in the function stackswap (called from decompileSTACKSWAP) in util/decompile.c in Ming 0.4.8, which allows attackers to cause a denial of service via a crafted file. (CVE-2017-11733)

A heap-based buffer over-read was found in the function decompileCALLFUNCTION in util/decompile.c in Ming 0.4.8, which allows attackers to cause a denial of service via a crafted file. (CVE-2017-11734)

The outputSWF_TEXT_RECORD function in util/outputscript.c in libming <= 0.4.8 is vulnerable to a NULL pointer dereference, which may allow attackers to cause a denial of service via a crafted swf file. (CVE-2017-16883)

The printMP3Headers function in util/listmp3.c in libming v0.4.8 or earlier is vulnerable to a global buffer overflow, which may allow attackers to cause a denial of service via a crafted file, a different vulnerability than CVE-2016-9264. (CVE-2017-16898)

In libming 0.4.8, there is an integer signedness error vulnerability (left shift of a negative value) in the readSBits function (util/read.c). Remote attackers can leverage this vulnerability to cause a denial of service via a crafted swf file. (CVE-2018-5251)

In libming 0.4.8, there is an integer overflow (caused by an out-of-range left shift) in the readUInt32 function (util/read.c). Remote attackers could leverage this vulnerability to cause a denial-of-service via a crafted swf file. (CVE-2018-5294)

The outputSWF_TEXT_RECORD function (util/outputscript.c) in libming through 0.4.8 is vulnerable to an integer overflow and resultant out-of-bounds read, which may allow attackers to cause a denial of service or unspecified other impact via a crafted SWF file. (CVE-2018-6315)

The decompileIF function (util/decompile.c) in libming through 0.4.8 is vulnerable to a use-after-free, which may allow attackers to cause a denial of service or unspecified other impact via a crafted SWF file. (CVE-2018-6359)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8782
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9988
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9989
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11704
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11728
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11729
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11730
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11731
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11732
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11733
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11734
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16883
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16898
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5251
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5294
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6315
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6359
========================

Updated package in core/updates_testing:
========================
lib(64)ming1-0.4.5-14.1.mga6
lib(64)ming-devel-0.4.5-14.1.mga6
perl-SWF-0.4.5-14.1.mga6
python-SWF-0.4.5-14.1.mga6
ming-utils-0.4.5-14.1.mga6

from SRPMS:
ming-0.4.5-14.1.mga6.src.rpm
Version: Cauldron => 6
Whiteboard: MGA6TOO => (none)
Status: NEW => ASSIGNED
Assignee: pkg-bugs => qa-bugs
Source RPM: ming-0.4.5-15.mga7.src.rpm => ming-0.4.5-14.mga6.src.rpm
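Three of the advisory's entries are plain arithmetic faults in the SWF primitive readers (an int-typed byte shifted left by 24 in readUInt32, a negative value shifted left in readSBits, and unbounded length growth with no EOF check in readString). The block below is an added example written for this report, not code from this bug, from libming's util/read.c or from the patches under test: it reads the same primitives (UI32, SB[n], STRING) from an in-memory buffer in a way that keeps all shifts unsigned, does sign extension by 64-bit subtraction, and bounds every read by the bytes actually present. The swf_reader type, the function names and the sample bytes are all made up here.

```c
/* Example reader for the SWF primitives the advisory names (UI32, SB[n],
 * STRING). Written for this report, not taken from libming's util/read.c;
 * the swf_reader type, function names and sample bytes are made up here. */
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

typedef struct {
    const uint8_t *buf;   /* whole input in memory */
    size_t len, pos;      /* bytes available, next unread byte */
    uint32_t bitbuf;      /* byte being consumed bit by bit */
    int bitpos;           /* bits still unread in bitbuf (0..8) */
} swf_reader;

/* UI8. End of input is reported, not folded into the value like fgetc()'s EOF. */
static bool read_u8(swf_reader *r, uint8_t *out) {
    if (r->pos >= r->len) return false;
    *out = r->buf[r->pos++];
    r->bitpos = 0;  /* byte-aligned reads discard pending bits */
    return true;
}

/* UI32, little-endian. Each byte is widened to uint32_t before the shift; an
 * int-typed byte shifted left by 24 is undefined once bit 7 is set (CVE-2018-5294). */
static bool read_u32(swf_reader *r, uint32_t *out) {
    uint8_t b[4];
    for (int i = 0; i < 4; i++)
        if (!read_u8(r, &b[i])) return false;
    *out = (uint32_t)b[0] | ((uint32_t)b[1] << 8) |
           ((uint32_t)b[2] << 16) | ((uint32_t)b[3] << 24);
    return true;
}

/* UB[n]: n bits, most significant first, 0 <= n <= 32, accumulated unsigned. */
static bool read_ubits(swf_reader *r, int n, uint32_t *out) {
    uint32_t v = 0;
    if (n < 0 || n > 32) return false;
    for (int i = 0; i < n; i++) {
        if (r->bitpos == 0) {
            if (r->pos >= r->len) return false;
            r->bitbuf = r->buf[r->pos++];
            r->bitpos = 8;
        }
        r->bitpos--;
        v = (v << 1) | ((r->bitbuf >> r->bitpos) & 1u);
    }
    *out = v;
    return true;
}

/* SB[n]: two's-complement field. Sign extension is a 64-bit subtraction, never
 * a left shift of a negative value (the readSBits flaw behind CVE-2018-5251). */
static bool read_sbits(swf_reader *r, int n, int32_t *out) {
    uint32_t v;
    if (!read_ubits(r, n, &v)) return false;
    int64_t wide = v;
    if (n > 0 && (v & (UINT32_C(1) << (n - 1))))
        wide -= INT64_C(1) << n;
    *out = (int32_t)wide;
    return true;
}

/* STRING: NUL-terminated. 0.4.8's readString grew its buffer with int arithmetic
 * and no EOF check, so a huge or unterminated input overflowed the length
 * (CVE-2017-8782). Here the scan is bounded by the bytes present and by max_len,
 * and an unterminated string is rejected. Caller frees the result. */
static char *read_string(swf_reader *r, size_t max_len) {
    size_t avail = r->len - r->pos;
    const uint8_t *start = r->buf + r->pos;
    const uint8_t *nul = memchr(start, '\0', avail < max_len ? avail : max_len);
    if (nul == NULL) return NULL;
    size_t n = (size_t)(nul - start);
    char *s = malloc(n + 1);
    if (s == NULL) return NULL;
    memcpy(s, start, n + 1);
    r->pos += n + 1;
    r->bitpos = 0;
    return s;
}

/* Constructed sample: UI32 with bit 31 set, SB[5] = -1 padded to the byte,
 * a well-formed STRING, then an unterminated one. */
static const uint8_t sample[] = { 0xff, 0xff, 0xff, 0xff, 0xf8,
                                  'a', 'b', 'c', 0x00, 'x', 'y' };

/* Walks the sample; returns 0 on success or the first failing step number. */
int demo_parse(void) {
    swf_reader r = { sample, sizeof sample, 0, 0, 0 };
    uint32_t u; int32_t s; char *str;
    if (!read_u32(&r, &u) || u != UINT32_C(0xffffffff)) return 1;
    if (!read_sbits(&r, 5, &s) || s != -1) return 2;
    str = read_string(&r, 64);
    if (str == NULL || strcmp(str, "abc") != 0) return 3;
    free(str);
    if (read_string(&r, 64) != NULL) return 4;  /* "xy" has no terminator */
    if (read_u32(&r, &u)) return 5;             /* only 2 bytes left: EOF */
    return 0;
}
```

The same three conditions are what a sanitizer build surfaces when the PoC files are fed to the real utilities: compiling libming with -fsanitize=address,undefined turns the signed-shift and over-read cases into explicit reports rather than the "Stack blown!!" or silent outcomes seen in a plain build.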
Trying the PoCs for this on Mageia 6, x86_64
CC: (none) => tarazed25
About halfway through the list. To be continued...
Created attachment 10101: Pre-update PoC tests
Attached the initial PoC report because it is so verbose. Ran the update and then tested the PoC files again, reporting the last few lines of the terminal output in each case. Looking at the CVEs in the same order as the pre-update tests.

CVE-2017-9988
$ listswf POC1
parseABC_NS_SET_INFO: Failed to allocate 124659734696 bytes

CVE-2017-9989
$ listswf POC2
readBytes: Failed to allocate 28407657705 bytes

CVE-2017-11704
$ swftocxx heap-buffer-overflow-in_decompileIF out
<no difference>

CVE-2017-11728
$ swftocxx heap-buffer-overflow-in_OpCode_by_decompileSETMEMBER out
Stack blown!! - pop

CVE-2017-11729
$ swftocxx heap-buffer-overflow-in_OpCode_by_decompileINCR_DECR out
Stack blown!! - pop

CVE-2017-11730
$ swftocxx heap-buffer-overflow-in_OpCode_by_decompileINCR_DECR_2 out
Stack blown!! - pop

CVE-2017-11731
$ swftocxx invalid-memory-read-in_OpCode out
<no difference>

CVE-2017-11732
$ swftocxx heap-buffer-overflow-in_dcputs
Stack blown!! - pop

CVE-2017-11733
$ swftocxx null-ptr-in_stackswap out
Stack blown!! - pop

CVE-2017-11734
$ swftocxx heap-buffer-overflow-in_decompileCALLFUNCTION out
<no difference>

CVE-2017-16883
$ swftocxx invalid-memory-read-in_outputSWF_TEXT_RECORD out
<no difference>

CVE-2017-16898
$ listmp3 global-buffer-overflow_in_printMP3Headers
invalid bitrate 15

CVE-2018-5251
$ listswf libming_0-4-8_listswf_negative-shift-exponent_readSBits.swf out
<no difference>

CVE-2018-5294
$ listswf libming_0-4-8_listswf_integer-overflow_readUInt32.swf
<no difference>

CVE-2018-6315
$ swftocxx null_outputSWF_TEXT_RECORD out
This reports "stream out of sync" and finishes without segfaulting.

CVE-2018-6359
$ swftocxx free_decompileIF /dev/null
Stack blown!! - pop

So, some of the tests were useful.
Using utility tests from an earlier bug as a basis for current testing.

libming utils: listswf, swftocxx, swftoperl, swftophp, swftopython

$ swftopython surfacefly_spirit.swf > flyover.py
$ head flyover.py
#!/usr/bin/python
from ming import *
Ming_useSWFVersion(6);
m = SWFMovie();
Ming_setScale(1.0);
m.setRate(25.000000);
m.setDimension(12800, 7200);

$ head test.php
<?php
$m = new SWFMovie(6);
ming_setscale(1.0);
$m->setRate(25.000000);
..................

$ head test.pl
#!/usr/bin/perl -w
# Generated by swftoperl converter included with ming. Have fun.
# Change this to your needs. If you installed perl-ming global you don't need this.
#use lib("/home/peter/mystuff/lib/site_perl");
# We import all because our converter is not so clever to select only needed. ;-)
use SWF qw(:ALL);
# Just copy from a sample, needed to use Constants like SWFFILL_RADIAL_GRADIENT
use SWF::Constants qw(:Text :Button :DisplayItem :Fill);

$ listswf surfacefly_spirit.swf > listing
$ head listing
File version: 6
File size: 20003889
Frame size: (0,12800)x(0,7200)
Frame rate: 25.000000 / sec.
Total frames: 65535
................

$ swftocxx surfacefly_spirit.swf > c++
$ head c++
#include <mingpp.h>
main(){
SWFMovie* m = new SWFMovie(6);
Ming_setScale(1.0);
m->setRate(25.000000);
m->setDimension(12800, 7200);
m->setFrames(65535);

These all look fine. As in the past where PoC test results were equivocal, particularly where ASAN is involved, we shall assume that the patches are all successful. Good for 64-bits.
Whiteboard: (none) => MGA6-64-OK
Fantastic work, Len.
Keywords: (none) => advisory, validated_update
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2018-0212.html
Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED