Bug 22815 - ming new security issues CVE-2017-8782, CVE-2017-998[89], CVE-2017-11704, CVE-2017-1172[89], CVE-2017-1173[0-4], CVE-2017-16883, CVE-2017-16898, CVE-2018-5251, CVE-2018-5294, CVE-2018-6315, CVE-2018-6359
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2018-03-21 19:52 CET by David Walser
Modified: 2018-04-30 21:09 CEST
CC List: 4 users

See Also:
Source RPM: ming-0.4.5-14.mga6.src.rpm
CVE:
Status comment:


Attachments
Pre-update PoC tests (5.82 KB, text/plain)
2018-04-23 12:50 CEST, Len Lawrence

Description David Walser 2018-03-21 19:52:35 CET
Fedora has issued an advisory on March 20:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/Z65NZJOBGTBW6Y3JD3IX5GIEKCRY7DQD/

Mageia 5 and Mageia 6 are also affected.
David Walser 2018-03-21 19:53:05 CET

Whiteboard: (none) => MGA6TOO

Comment 1 Marja Van Waes 2018-03-22 17:32:07 CET
Assigning to all packagers collectively, since there is no registered maintainer for this package.
CC'ing ns80

Assignee: bugsquad => pkg-bugs
CC: (none) => marja11, nicolas.salguero

Comment 2 Nicolas Salguero 2018-04-20 16:52:41 CEST
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

The readString function in util/read.c and util/old/read.c in libming 0.4.8 allows remote attackers to cause a denial of service via a large file that is mishandled by listswf, listaction, etc. This occurs because of an integer overflow that leads to a memory allocation error. (CVE-2017-8782)

The readEncUInt30 function in util/read.c in libming 0.4.8 mishandles memory allocation. A crafted input will lead to a remote denial of service (NULL pointer dereference) attack against parser.c. (CVE-2017-9988)

util/outputtxt.c in libming 0.4.8 mishandles memory allocation. A crafted input will lead to a remote denial of service (NULL pointer dereference) attack. (CVE-2017-9989)

A heap-based buffer over-read was found in the function decompileIF in util/decompile.c in Ming 0.4.8, which allows attackers to cause a denial of service via a crafted file. (CVE-2017-11704)

A heap-based buffer over-read was found in the function OpCode (called from decompileSETMEMBER) in util/decompile.c in Ming 0.4.8, which allows attackers to cause a denial of service via a crafted file. (CVE-2017-11728)

A heap-based buffer over-read was found in the function OpCode (called from decompileINCR_DECR line 1440) in util/decompile.c in Ming 0.4.8, which allows attackers to cause a denial of service via a crafted file. (CVE-2017-11729)

A heap-based buffer over-read was found in the function OpCode (called from decompileINCR_DECR line 1474) in util/decompile.c in Ming 0.4.8, which allows attackers to cause a denial of service via a crafted file. (CVE-2017-11730)

An invalid memory read vulnerability was found in the function OpCode (called from isLogicalOp and decompileIF) in util/decompile.c in Ming 0.4.8, which allows attackers to cause a denial of service via a crafted file. (CVE-2017-11731)

A heap-based buffer overflow vulnerability was found in the function dcputs (called from decompileIMPLEMENTS) in util/decompile.c in Ming 0.4.8, which allows attackers to cause a denial of service via a crafted file. (CVE-2017-11732)

A null pointer dereference vulnerability was found in the function stackswap (called from decompileSTACKSWAP) in util/decompile.c in Ming 0.4.8, which allows attackers to cause a denial of service via a crafted file. (CVE-2017-11733)

A heap-based buffer over-read was found in the function decompileCALLFUNCTION in util/decompile.c in Ming 0.4.8, which allows attackers to cause a denial of service via a crafted file. (CVE-2017-11734)

The outputSWF_TEXT_RECORD function in util/outputscript.c in libming <= 0.4.8 is vulnerable to a NULL pointer dereference, which may allow attackers to cause a denial of service via a crafted swf file. (CVE-2017-16883)

The printMP3Headers function in util/listmp3.c in libming v0.4.8 or earlier is vulnerable to a global buffer overflow, which may allow attackers to cause a denial of service via a crafted file, a different vulnerability than CVE-2016-9264. (CVE-2017-16898)

In libming 0.4.8, there is an integer signedness error vulnerability (left shift of a negative value) in the readSBits function (util/read.c). Remote attackers can leverage this vulnerability to cause a denial of service via a crafted swf file. (CVE-2018-5251)

In libming 0.4.8, there is an integer overflow (caused by an out-of-range left shift) in the readUInt32 function (util/read.c). Remote attackers could leverage this vulnerability to cause a denial-of-service via a crafted swf file. (CVE-2018-5294)

The outputSWF_TEXT_RECORD function (util/outputscript.c) in libming through 0.4.8 is vulnerable to an integer overflow and resultant out-of-bounds read, which may allow attackers to cause a denial of service or unspecified other impact via a crafted SWF file. (CVE-2018-6315)

The decompileIF function (util/decompile.c) in libming through 0.4.8 is vulnerable to a use-after-free, which may allow attackers to cause a denial of service or unspecified other impact via a crafted SWF file. (CVE-2018-6359)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8782
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9988
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9989
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11704
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11728
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11729
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11730
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11731
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11732
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11733
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11734
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16883
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16898
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5251
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5294
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6315
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6359
========================

Updated package in core/updates_testing:
========================
lib(64)ming1-0.4.5-14.1.mga6
lib(64)ming-devel-0.4.5-14.1.mga6
perl-SWF-0.4.5-14.1.mga6
python-SWF-0.4.5-14.1.mga6
ming-utils-0.4.5-14.1.mga6

from SRPMS:
ming-0.4.5-14.1.mga6.src.rpm

Version: Cauldron => 6
Whiteboard: MGA6TOO => (none)
Status: NEW => ASSIGNED
Assignee: pkg-bugs => qa-bugs
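
As an added illustration (not part of this bug report and not libming's code) of the three input-handling bug classes the advisory names in util/read.c (the readString allocation overflow, the readSBits left shift of a negative value, and the readUInt32 out-of-range left shift), here is a small C reader over an in-memory buffer written the way a hardened version needs to be. The reader struct, the function names, the length-prefixed string layout and the constructed sample bytes are assumptions made for the example; they do not reproduce libming's real routines or the PoC files tested below.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Illustrative in-memory reader, not libming's util/read.c. Invariant: pos <= len. */
typedef struct {
    const uint8_t *data;
    size_t len, pos;
    unsigned bitbuf;   /* current byte for bit-field reads */
    int bitpos;        /* bits still unread in bitbuf */
} reader_t;

/* Little-endian 32-bit read assembled in uint32_t, so no byte is shifted
 * into the sign bit of a signed int (the readUInt32 bug class). */
static int read_u32(reader_t *r, uint32_t *out) {
    uint32_t v = 0;
    if (r->len - r->pos < 4) return -1;
    for (int i = 0; i < 4; i++)
        v |= (uint32_t)r->data[r->pos + i] << (8 * i);
    r->pos += 4;
    *out = v;
    return 0;
}

/* MSB-first bit field, as in SWF RECT/MATRIX records. */
static int read_bits(reader_t *r, unsigned nbits, uint32_t *out) {
    uint32_t v = 0;
    if (nbits > 32) return -1;
    while (nbits--) {
        if (r->bitpos == 0) {
            if (r->pos >= r->len) return -1;
            r->bitbuf = r->data[r->pos++];
            r->bitpos = 8;
        }
        r->bitpos--;
        v = (v << 1) | ((r->bitbuf >> r->bitpos) & 1u);
    }
    *out = v;
    return 0;
}

/* Signed bit field. Sign extension uses unsigned masks instead of shifting
 * a negative int (the readSBits bug class); memcpy makes the final
 * unsigned->signed conversion well defined. */
static int read_sbits(reader_t *r, unsigned nbits, int32_t *out) {
    uint32_t v;
    if (nbits == 0) { *out = 0; return 0; }
    if (read_bits(r, nbits, &v) != 0) return -1;
    if (nbits < 32 && (v & (1u << (nbits - 1))))
        v |= ~((1u << nbits) - 1u);
    memcpy(out, &v, sizeof v);
    return 0;
}

/* Size the unchecked pattern malloc(n + 1) requests for a 32-bit length n:
 * for n == 0xFFFFFFFF it wraps to 0, malloc hands back a tiny block, and the
 * copy of n bytes that follows runs off its end (the readString bug class). */
static size_t unchecked_alloc_size(uint32_t n) {
    uint32_t want = n + 1;   /* uint32_t arithmetic wraps at 2^32 */
    return (size_t)want;
}

/* Hardened length-prefixed string read: the length is bounded by the bytes
 * actually present before anything is allocated, and the +1 is computed in
 * size_t on that bounded value, so it cannot wrap. */
static char *read_string(reader_t *r, uint32_t *out_len) {
    uint32_t n; char *s;
    if (read_u32(r, &n) != 0) return NULL;
    if (n > r->len - r->pos) return NULL;   /* crafted length: refuse, no malloc */
    s = malloc((size_t)n + 1);
    if (s == NULL) return NULL;
    memcpy(s, r->data + r->pos, n);
    s[n] = '\0';
    r->pos += n;
    if (out_len) *out_len = n;
    return s;
}

/* Constructed inputs for the demonstration, not real PoC files. */
static const uint8_t GOOD_STR[] = { 0x03, 0x00, 0x00, 0x00, 'a', 'b', 'c' };
static const uint8_t BAD_STR[]  = { 0xFF, 0xFF, 0xFF, 0xFF, 'a', 'b' };
static const uint8_t SBITS5[]   = { 0xB0 };   /* bits 10110 = -10 as a 5-bit field */

/* Returns 1 when every check passes. */
static int demo(void) {
    reader_t g = { GOOD_STR, sizeof GOOD_STR, 0, 0, 0 };
    reader_t b = { BAD_STR,  sizeof BAD_STR,  0, 0, 0 };
    reader_t s = { SBITS5,   sizeof SBITS5,   0, 0, 0 };
    uint32_t n; int32_t sv;
    char *str = read_string(&g, &n);
    int ok = str != NULL && n == 3 && strcmp(str, "abc") == 0;
    free(str);
    ok = ok && read_string(&b, NULL) == NULL;
    ok = ok && read_sbits(&s, 5, &sv) == 0 && sv == -10;
    ok = ok && unchecked_alloc_size(0xFFFFFFFFu) == 0;
    return ok;
}
int main(void) { return demo() ? 0 : 1; }
```

Built with -fsanitize=undefined,address, read_u32 and read_sbits stay silent on any input because no shift ever involves a signed operand or an out-of-range count, and read_string refuses a crafted length before calling malloc; that is the property a PoC run can only infer from the absence of a crash, which is why the "no difference" results in the QA comments below are weaker evidence than a clean sanitizer run on the patched code.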

Nicolas Salguero 2018-04-20 16:52:56 CEST

Source RPM: ming-0.4.5-15.mga7.src.rpm => ming-0.4.5-14.mga6.src.rpm

Comment 3 Len Lawrence 2018-04-23 00:07:34 CEST
Trying the PoCs for this on Mageia 6, x86_64

CC: (none) => tarazed25

Comment 4 Len Lawrence 2018-04-23 01:30:45 CEST
About halfway through the list.  To be continued...
Comment 5 Len Lawrence 2018-04-23 12:50:35 CEST
Created attachment 10101
Pre-update PoC tests
Comment 6 Len Lawrence 2018-04-23 13:08:36 CEST
Attached the initial PoC report because it is so verbose.

Ran the update and then tested the PoC files again, reporting the last few lines of the terminal output in each case.
Looking at the CVEs in the same order as the pre-updates tests.

CVE-2017-9988
$ listswf POC1
parseABC_NS_SET_INFO: Failed to allocate 124659734696 bytes

CVE-2017-9989
$ listswf POC2
readBytes: Failed to allocate 28407657705 bytes

CVE-2017-11704
$ swftocxx heap-buffer-overflow-in_decompileIF out
<no difference>

CVE-2017-11728
$ swftocxx heap-buffer-overflow-in_OpCode_by_decompileSETMEMBER out
Stack blown!! - pop

CVE-2017-11729
$ swftocxx heap-buffer-overflow-in_OpCode_by_decompileINCR_DECR out
Stack blown!! - pop

CVE-2017-11730
$ swftocxx heap-buffer-overflow-in_OpCode_by_decompileINCR_DECR_2 out
Stack blown!! - pop

CVE-2017-11731
$ swftocxx invalid-memory-read-in_OpCode out
<no difference>

CVE-2017-11732
$ swftocxx heap-buffer-overflow-in_dcputs
Stack blown!! - pop

CVE-2017-11733
$ swftocxx null-ptr-in_stackswap out
Stack blown!! - pop

CVE-2017-11734
$ swftocxx heap-buffer-overflow-in_decompileCALLFUNCTION out
<no difference>

CVE-2017-16883
$ swftocxx invalid-memory-read-in_outputSWF_TEXT_RECORD out
<no difference>

CVE-2017-16898
$ listmp3 global-buffer-overflow_in_printMP3Headers
invalid bitrate 15

CVE-2018-5251
$ listswf libming_0-4-8_listswf_negative-shift-exponent_readSBits.swf out
<no difference>

CVE-2018-5294
$ listswf libming_0-4-8_listswf_integer-overflow_readUInt32.swf
<no difference>

CVE-2018-6315
$ swftocxx null_outputSWF_TEXT_RECORD out
This reports "stream out of sync" and finishes without segfaulting.

CVE-2018-6359
$ swftocxx free_decompileIF /dev/null
Stack blown!! - pop

So, some of the tests were useful.
Comment 7 Len Lawrence 2018-04-23 13:28:07 CEST
Using utility tests from an earlier bug as a basis for current testing.
libming utils:
listswf, swftocxx, swftoperl, swftophp, swftopython

$ swftopython surfacefly_spirit.swf > flyover.py
$ head flyover.py
#!/usr/bin/python
from ming import *
Ming_useSWFVersion(6);
m =  SWFMovie();
Ming_setScale(1.0);
m.setRate(25.000000);
m.setDimension(12800, 7200);

$ head test.php
<?php
$m = new SWFMovie(6);
ming_setscale(1.0);
$m->setRate(25.000000);
..................
$ head test.pl
#!/usr/bin/perl -w
# Generated by swftoperl converter included with ming. Have fun. 

# Change this to your needs. If you installed perl-ming global you don't need this.
#use lib("/home/peter/mystuff/lib/site_perl");

# We import all because our converter is not so clever to select only needed. ;-)
use SWF qw(:ALL);
# Just copy from a sample, needed to use Constants like SWFFILL_RADIAL_GRADIENT
use SWF::Constants qw(:Text :Button :DisplayItem :Fill);
$ listswf surfacefly_spirit.swf > listing
$ head listing
File version: 6
File size: 20003889
Frame size: (0,12800)x(0,7200)
Frame rate: 25.000000 / sec.
Total frames: 65535
................
$ swftocxx surfacefly_spirit.swf > c++
$ head c++
#include <mingpp.h>
main(){
SWFMovie* m = new SWFMovie(6);
Ming_setScale(1.0);
m->setRate(25.000000);
m->setDimension(12800, 7200);
m->setFrames(65535);

These all look fine.

As in the past where PoC test results were equivocal, particularly where ASAN is involved, we shall assume that the patches are all successful.

Good for 64-bits.

Whiteboard: (none) => MGA6-64-OK

Comment 8 Lewis Smith 2018-04-23 20:41:43 CEST
Fantastic work, Len.

Keywords: (none) => advisory, validated_update
CC: (none) => sysadmin-bugs

Comment 9 Mageia Robot 2018-04-30 21:09:00 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0212.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED

