Bug 22902 - libcdio new security issues CVE-2017-1819[89] and CVE-2017-18201
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA5-64-OK
Keywords: advisory, has_procedure, validated_update
Depends on: 22740
Blocks:
Reported: 2018-04-14 02:11 CEST by David Walser
Modified: 2018-05-09 20:34 CEST

See Also:
Source RPM: libcdio-0.92-3.mga5.src.rpm
CVE:
Status comment:


Description David Walser 2018-04-14 02:11:20 CEST
+++ This bug was initially created as a clone of Bug #22740 +++

Fedora has issued an advisory on March 6:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/NHBEK7JWO4GCS73UAOQOUFGTMIIMYYTR/

The issues were fixed upstream in 1.0.0 and 2.0.0.

Patches don't apply cleanly to Mageia 5, so saving this for when they can be rediffed.
Comment 1 David Walser 2018-05-04 05:14:42 CEST
Testing info at:
https://bugs.mageia.org/show_bug.cgi?id=22740#c4

Advisory:
========================

Updated libcdio packages fix security vulnerabilities:

A heap corruption bug was found in the way libcdio handled processing of ISO
files. An attacker could potentially use this flaw to crash applications using
libcdio by tricking them into processing crafted ISO files, thus resulting in
local DoS (CVE-2017-18198).

A NULL pointer dereference flaw was found in the way libcdio handled processing
of ISO files. An attacker could potentially use this flaw to crash applications
using libcdio by tricking them into processing crafted ISO files
(CVE-2017-18199).

A double-free flaw was found in the way libcdio handled processing of ISO files.
An attacker could potentially use this flaw to crash applications using libcdio
by tricking them into processing crafted ISO files (CVE-2017-18201).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18198
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18199
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18201
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/NHBEK7JWO4GCS73UAOQOUFGTMIIMYYTR/
========================

Updated packages in core/updates_testing:
========================
libcdio-apps-0.92-3.1.mga5
libcdio15-0.92-3.1.mga5
libcdio-devel-0.92-3.1.mga5
libcdio-static-devel-0.92-3.1.mga5
libiso9660_9-0.92-3.1.mga5
libcdio++0-0.92-3.1.mga5
libudf0-0.92-3.1.mga5

from libcdio-0.92-3.1.mga5.src.rpm

Assignee: shlomif => qa-bugs
Keywords: (none) => has_procedure

Comment 2 Lewis Smith 2018-05-06 22:47:36 CEST
Testing M5 x64 real hardware, using Len's very helpful POCs and test commands as indicated by David:
 https://bugs.mageia.org/show_bug.cgi?id=22740#c4
This bug is essentially a re-run of the former one, that for M6, this for M5.
CVE-2017-18198 test file URL is:
 https://savannah.gnu.org/bugs/download.php?file_id=42234
CVE-2017-18199 test file URL is:
 https://savannah.gnu.org/bugs/download.php?file_id=42233

libcdio-apps has:
/usr/bin/cd-drive     show CD-ROM drive characteristics                                                         
/usr/bin/cd-info      shows Information about a CD or CD-image
/usr/bin/cd-read      reads Information from a CD or CD-image
/usr/bin/cdda-player  ???
/usr/bin/iso-info     shows Information about an ISO 9660 image
/usr/bin/iso-read     reads portions of an ISO 9660 image
/usr/bin/mmc-tool     ???

 BEFORE this update:
lib64cdio++0-0.92-3.mga5
lib64cdio15-0.92-3.mga5
lib64iso9660_9-0.92-3.mga5
lib64udf0-0.92-3.mga5
libcdio-apps-0.92-3.mga5

 $ iso-info -i cdio.print_iso9660_recurse.iso-info.257.crash
iso-info version 0.92 x86_64-mageia-linux-gnu
...
ISO 9660 image: cdio.print_iso9660_recurse.iso-info.257.crash
System      : LINQX
Volume      : CDROM
No Joliet extensions
 [NOT the same result as before, no WARN, no Error].

 $ iso-info -i cdio.realloc_symlink.rock.69.crash
iso-info version 0.92 x86_64-mageia-linux-gnu
...
__________________________________
ISO 9660 image: cdio.realloc_symlink.rock.69.crash
System      : LINUX
Volume      : CDROM
Volume Set  :                                                                                                                 ����
No Joliet extensions
 [NOT the same result as before, no WARNs, no segfault].

 $ cd-info /dev/sr0         [with a music CD]
cd-info version 0.92 x86_64-mageia-linux-gnu
...
CD location   : /dev/sr0
CD driver name: GNU/Linux
   access mode: IOCTL
...lots of info about the device
Media Catalog Number (MCN): 0000007479472
Last CD Session LSN: 0
audio status: invalid
__________________________________
CD Analysis Report
Audio CD, CDDB disc ID is fe0f4914
...lots of info about the CD
No CD-TEXT on Disc.

====================================
 AFTER the update:
- lib64cdio++0-0.92-3.1.mga5.x86_64
- lib64cdio15-0.92-3.1.mga5.x86_64
- lib64iso9660_9-0.92-3.1.mga5.x86_64
- lib64udf0-0.92-3.1.mga5.x86_64
- libcdio-apps-0.92-3.1.mga5.x86_64

 $ iso-info -i cdio.print_iso9660_recurse.iso-info.257.crash
O/P identical to before.
 $ iso-info -i cdio.realloc_symlink.rock.69.crash
O/P identical to before.
 $ cd-info /dev/sr0
O/P identical to before.
 all of which only shows no errors, no reversion.
---
 $ iso-info -l -i /mnt/common/Mageia/Mageia-6-Live-Xfce-i586.iso
...
__________________________________
ISO 9660 image: /mnt/common/Mageia/Mageia-6-Live-Xfce-i586.iso
Application : GNU xorriso 1.4.8
Preparer    : drakiso
Publisher   : Mageia
System      : Linux
Volume      : Mageia-6-Live-Xfce-i586
Joliet Level: 3
__________________________________
ISO-9660 Information
... [like ls -l listing of all the directories/files in the ISO]

 $ cd-drive
cd-drive version 0.92 x86_64-mageia-linux-gnu
...
lots of info about the device and its driver.

All this looks OK, but I am puzzled about the result differences from the earlier Mageia 6 tests. Here, all results were the same before & after the update - which seems OK.

Whiteboard: (none) => MGA5-64-OK
Keywords: (none) => advisory, validated_update
CC: (none) => sysadmin-bugs
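
The before/after comparison in Comment 2 can be scripted so that a crash is detected from the exit status rather than by reading the output. This is an added example, not part of the original bug report; the function names are hypothetical, and only the `iso-info -i <image>` invocation is taken from the page.

```shell
#!/bin/sh
# Added example (not from the bug report): crash-regression check for the
# iso-info runs shown above. Function names are hypothetical.

# classify_status STATUS: map a wait status to ok / error(N) / crash(SIGxxx).
classify_status() {
    st=$1
    if [ "$st" -eq 0 ]; then
        echo "ok"
    elif [ "$st" -gt 128 ]; then
        # Shells report death by signal as 128 + signal number.
        num=$((st - 128))
        name=$(kill -l "$num" 2>/dev/null) || name=$num
        echo "crash(SIG${name#SIG})"
    else
        echo "error($st)"
    fi
}

# run_case CMD [ARG...]: run the command quietly, print the classification.
run_case() {
    st=0
    "$@" >/dev/null 2>&1 || st=$?
    classify_status "$st"
}

# check_images TOOL IMAGE...: one "image<TAB>result" line per image;
# returns 1 if any run was killed by a signal.
check_images() {
    tool=$1; shift
    rc=0
    for img in "$@"; do
        res=$(run_case "$tool" -i "$img")
        printf '%s\t%s\n' "$img" "$res"
        case $res in crash*) rc=1 ;; esac
    done
    return "$rc"
}

# Usage: sh check.sh iso-info IMAGE... > before.txt
# Repeat after installing the update and diff the two result files.
if [ "$#" -ge 2 ]; then
    check_images "$@"
fi
```
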

Comment 3 Mageia Robot 2018-05-09 20:34:07 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0225.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED
