There is a double-free issue in libmp4v2: https://www.openwall.com/lists/oss-security/2019/01/09/2 https://www.openwall.com/lists/oss-security/2018/07/13/1 There is no fix available at this time. Mageia 6 is also affected.
Whiteboard: (none) => MGA6TOO
Assigning to all packagers collectively, since there is no registered maintainer for this package. CC'ing the only committers from the past two years.
CC: (none) => cjw, marja11, smelror
Assignee: bugsquad => pkg-bugs
I'll try to take care of this CVE. According to https://www.openwall.com/lists/oss-security/2018/07/13/1

> ========= Fix =========
>
> One way to fix the bug is to clear the dangling pointer after the first free.

So, we need to set pAtom to null before launching the exception in src/mp4atom.cpp. I will write a patch and test it before sharing.
CC: (none) => guichard.adrien
Created attachment 10669 [details] corrupted mp4 file
Created attachment 10670 [details] Sane mp4 file
Valgrind on the corrupted file, showing the double free:

$ valgrind .libs/mp4info ../../c1.mp4
==32083== Memcheck, a memory error detector
==32083== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==32083== Using Valgrind-3.14.0 and LibVEX; rerun with -h for copyright info
==32083== Command: .libs/mp4info ../../c1.mp4
==32083==
.libs/mp4info version trunk-r507
../../c1.mp4:
==32083== Invalid free() / delete / delete[] / realloc()
==32083==    at 0x4835900: free (vg_replace_malloc.c:540)
==32083==    by 0x48D72DC: mp4v2::impl::MP4StringProperty::~MP4StringProperty() (mp4property.cpp:338)
==32083==    by 0x48D7308: mp4v2::impl::MP4StringProperty::~MP4StringProperty() (mp4property.cpp:340)
==32083==    by 0x48BCDD7: mp4v2::impl::MP4Atom::~MP4Atom() (mp4atom.cpp:66)
==32083==    by 0x489A732: ~MP4Mp4vAtom (atoms.h:264)
==32083==    by 0x489A732: mp4v2::impl::MP4Mp4vAtom::~MP4Mp4vAtom() (atoms.h:264)
==32083==    by 0x4870797: mp4v2::impl::MP4Atom::ReadAtom(mp4v2::impl::MP4File&, mp4v2::impl::MP4Atom*) [clone .cold.82] (mp4atom.cpp:199)
==32083==    by 0x48BFA90: mp4v2::impl::MP4Atom::ReadChildAtoms() (mp4atom.cpp:430)
==32083==    by 0x48C1287: mp4v2::impl::MP4Atom::Read() (mp4atom.cpp:236)
==32083==    by 0x48C9D8C: mp4v2::impl::MP4File::ReadFromFile() (mp4file.cpp:430)
==32083==    by 0x48CD428: mp4v2::impl::MP4File::Read(char const*, MP4FileProvider_s const*) (mp4file.cpp:96)
==32083==    by 0x48B94A7: MP4Read (mp4.cpp:102)
==32083==    by 0x48D63CC: MP4FileInfo (mp4info.cpp:614)
==32083==  Address 0x4ee1b90 is 0 bytes inside a block of size 33 free'd
==32083==    at 0x4835900: free (vg_replace_malloc.c:540)
==32083==    by 0x48D86ED: Read (mp4property.cpp:395)
==32083==    by 0x48D86ED: mp4v2::impl::MP4StringProperty::Read(mp4v2::impl::MP4File&, unsigned int) (mp4property.cpp:377)
==32083==    by 0x48C0108: mp4v2::impl::MP4Atom::ReadProperties(unsigned int, unsigned int) (mp4atom.cpp:378)
==32083==    by 0x48C1262: mp4v2::impl::MP4Atom::Read() (mp4atom.cpp:232)
==32083==    by 0x48BF7E5: mp4v2::impl::MP4Atom::ReadAtom(mp4v2::impl::MP4File&, mp4v2::impl::MP4Atom*) (mp4atom.cpp:195)
==32083==    by 0x48BFA90: mp4v2::impl::MP4Atom::ReadChildAtoms() (mp4atom.cpp:430)
==32083==    by 0x48C1287: mp4v2::impl::MP4Atom::Read() (mp4atom.cpp:236)
==32083==    by 0x48C9D8C: mp4v2::impl::MP4File::ReadFromFile() (mp4file.cpp:430)
==32083==    by 0x48CD428: mp4v2::impl::MP4File::Read(char const*, MP4FileProvider_s const*) (mp4file.cpp:96)
==32083==    by 0x48B94A7: MP4Read (mp4.cpp:102)
==32083==    by 0x48D63CC: MP4FileInfo (mp4info.cpp:614)
==32083==    by 0x40239C: main (mp4info.cpp:77)
==32083==  Block was alloc'd at
==32083==    at 0x48369A2: calloc (vg_replace_malloc.c:762)
==32083==    by 0x48DB01F: MP4Malloc (mp4util.h:56)
==32083==    by 0x48DB01F: MP4Calloc (mp4util.h:65)
==32083==    by 0x48DB01F: mp4v2::impl::MP4StringProperty::SetValue(char const*, unsigned int) (mp4property.cpp:364)
==32083==    by 0x489A3DE: mp4v2::impl::MP4Mp4vAtom::MP4Mp4vAtom(mp4v2::impl::MP4File&) (atom_mp4v.cpp:50)
==32083==    by 0x48BE6B9: mp4v2::impl::MP4Atom::factory(mp4v2::impl::MP4File&, mp4v2::impl::MP4Atom*, char const*) (mp4atom.cpp:916)
==32083==    by 0x48BF57E: mp4v2::impl::MP4Atom::CreateAtom(mp4v2::impl::MP4File&, mp4v2::impl::MP4Atom*, char const*) (mp4atom.cpp:78)
==32083==    by 0x48BF74A: mp4v2::impl::MP4Atom::ReadAtom(mp4v2::impl::MP4File&, mp4v2::impl::MP4Atom*) (mp4atom.cpp:168)
==32083==    by 0x48BFA90: mp4v2::impl::MP4Atom::ReadChildAtoms() (mp4atom.cpp:430)
==32083==    by 0x48C1287: mp4v2::impl::MP4Atom::Read() (mp4atom.cpp:236)
==32083==    by 0x48C9D8C: mp4v2::impl::MP4File::ReadFromFile() (mp4file.cpp:430)
==32083==    by 0x48CD428: mp4v2::impl::MP4File::Read(char const*, MP4FileProvider_s const*) (mp4file.cpp:96)
==32083==    by 0x48B94A7: MP4Read (mp4.cpp:102)
==32083==    by 0x48D63CC: MP4FileInfo (mp4info.cpp:614)
==32083==
ReadBytes: read failed: errno: 0 (src/mp4file_io.cpp,94)
.libs/mp4info: can't open ../../c1.mp4
==32083==
==32083== HEAP SUMMARY:
==32083==     in use at exit: 27 bytes in 1 blocks
==32083==   total heap usage: 1,529 allocs, 1,529 frees, 175,272 bytes allocated
==32083==
==32083== LEAK SUMMARY:
==32083==    definitely lost: 27 bytes in 1 blocks
==32083==    indirectly lost: 0 bytes in 0 blocks
==32083==      possibly lost: 0 bytes in 0 blocks
==32083==    still reachable: 0 bytes in 0 blocks
==32083==         suppressed: 0 bytes in 0 blocks
==32083== Rerun with --leak-check=full to see details of leaked memory
==32083==
==32083== For counts of detected and suppressed errors, rerun with: -v
==32083== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)

If I add value = NULL at line 396 in mp4property.cpp:

$ valgrind .libs/mp4info ../../c1.mp4
==354== Memcheck, a memory error detector
==354== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==354== Using Valgrind-3.14.0 and LibVEX; rerun with -h for copyright info
==354== Command: .libs/mp4info ../../c1.mp4
==354==
.libs/mp4info version trunk-r507
../../c1.mp4:
ReadBytes: read failed: errno: 0 (src/mp4file_io.cpp,94)
.libs/mp4info: can't open ../../c1.mp4
==354==
==354== HEAP SUMMARY:
==354==     in use at exit: 27 bytes in 1 blocks
==354==   total heap usage: 1,529 allocs, 1,528 frees, 175,272 bytes allocated
==354==
==354== LEAK SUMMARY:
==354==    definitely lost: 27 bytes in 1 blocks
==354==    indirectly lost: 0 bytes in 0 blocks
==354==      possibly lost: 0 bytes in 0 blocks
==354==    still reachable: 0 bytes in 0 blocks
==354==         suppressed: 0 bytes in 0 blocks
==354== Rerun with --leak-check=full to see details of leaked memory
==354==
==354== For counts of detected and suppressed errors, rerun with: -v
==354== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)

I do not use the mp4info wrapper script, but the mp4info binary directly:

$ ldd .libs/mp4info
	linux-vdso.so.1 (0x00007ffd6c36b000)
	libmp4v2.so.2 => /home/auo/mgarepo3/libmp4v2/BUILD/mp4v2-trunk/.libs/libmp4v2.so.2 (0x00007f080e143000)
	libstdc++.so.6 => /lib64/libstdc++.so.6 (0x00007f080df75000)
	libgcc_s.so.1 => /lib64/libgcc_s.so.1 (0x00007f080df5b000)
	libc.so.6 => /lib64/libc.so.6 (0x00007f080dd92000)
	libm.so.6 => /lib64/libm.so.6 (0x00007f080dc11000)
	/lib64/ld-linux-x86-64.so.2 (0x00007f080e269000)
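The pattern behind the traces above, and the one-line fix the thread settles on (clear the pointer right after the free at mp4property.cpp:395 so the destructor's second free becomes a harmless free(NULL)), is easier to see in a reduced model. What follows is an added example, not libmp4v2's code: `StringProperty`, `ByteStream`, `AllocTracker`, `parseAtom` and the two byte arrays are stand-ins constructed to mirror the call chain in the valgrind output (the property's Read frees the old string, the read of the replacement throws on a short file, the owning atom's destructor frees the same pointer again). A tracking allocator records the second free instead of letting glibc abort, so the vulnerable and patched paths can be compared in one run.

```cpp
// Reduced model of the CVE-2018-14054 double free and its fix.
// Not libmp4v2 code: all names below are hypothetical stand-ins.
#include <cstddef>
#include <cstdint>
#include <cstdlib>
#include <cstring>
#include <set>
#include <stdexcept>
#include <string>

// Stand-in for MP4Calloc/MP4Free that tracks live blocks. A release of a
// pointer that is not live is counted instead of handed to free(), so the
// test can observe the double free without crashing the process.
struct AllocTracker {
    std::set<void*> live;
    int double_frees = 0;

    void* alloc(std::size_t n) {
        void* p = std::calloc(1, n);
        live.insert(p);
        return p;
    }
    void release(void* p) {
        if (p == nullptr) return;          // free(NULL) is a no-op, as in libc
        if (live.erase(p) == 0) {          // block already freed: the bug
            ++double_frees;
            return;
        }
        std::free(p);
    }
};

// In-memory stand-in for MP4File: a counted string is one length byte
// followed by that many bytes. A short buffer throws, like ReadBytes does.
struct ByteStream {
    const std::uint8_t* data;
    std::size_t len;
    std::size_t pos;
    ByteStream(const std::uint8_t* d, std::size_t l) : data(d), len(l), pos(0) {}

    char* readCountedString(AllocTracker& t) {
        if (pos >= len) throw std::runtime_error("ReadBytes: read failed");
        std::uint8_t n = data[pos++];
        if (pos + n > len) throw std::runtime_error("ReadBytes: read failed");
        char* s = static_cast<char*>(t.alloc(static_cast<std::size_t>(n) + 1));
        std::memcpy(s, data + pos, n);
        pos += n;
        return s;
    }
};

// Stand-in for MP4StringProperty: owns one heap string.
class StringProperty {
public:
    StringProperty(AllocTracker& t, const char* init) : m_t(t) { setValue(init); }
    ~StringProperty() { m_t.release(m_value); }      // the second free in the bug
    StringProperty(const StringProperty&) = delete;
    StringProperty& operator=(const StringProperty&) = delete;

    void setValue(const char* s) {                   // plays the role of SetValue
        std::size_t n = std::strlen(s);
        m_t.release(m_value);
        m_value = static_cast<char*>(m_t.alloc(n + 1));
        std::memcpy(m_value, s, n);
    }
    // `patched` selects the fix: null the pointer before the call that can throw.
    void read(ByteStream& f, bool patched) {
        m_t.release(m_value);                        // the first free
        if (patched) m_value = nullptr;              // the fix: no dangling pointer on throw
        m_value = f.readCountedString(m_t);          // throws on a truncated file
    }
    std::string value() const { return m_value ? std::string(m_value) : std::string(); }

private:
    AllocTracker& m_t;
    char* m_value = nullptr;
};

struct ParseResult {
    int double_frees;    // second frees observed by the tracker
    std::string value;   // property value after the read ("" if it failed)
};

// Parses one constructed atom payload the way ReadAtom would: the property is
// given a default value at construction, Read is attempted, and on failure the
// half-built atom (here, the scope) is destroyed.
ParseResult parseAtom(const std::uint8_t* data, std::size_t len, bool patched) {
    AllocTracker tracker;
    std::string value;
    {
        StringProperty compressorName(tracker, "default-compressor");
        ByteStream stream(data, len);
        try {
            compressorName.read(stream, patched);
            value = compressorName.value();
        } catch (const std::runtime_error&) {
            // ReadAtom logs and deletes the atom; the destructor runs at scope exit.
        }
    }
    return ParseResult{tracker.double_frees, value};
}

// Constructed inputs (not the attached files): a length byte of 16 with only
// two bytes behind it, and a well-formed three-byte string.
static const std::uint8_t kTruncated[] = {0x10, 'a', 'b'};
static const std::uint8_t kWellFormed[] = {0x03, 'a', 'b', 'c'};

int main() {
    bool ok = parseAtom(kTruncated, sizeof kTruncated, false).double_frees == 1
           && parseAtom(kTruncated, sizeof kTruncated, true).double_frees == 0
           && parseAtom(kWellFormed, sizeof kWellFormed, true).value == "abc";
    return ok ? 0 : 1;
}
```

The unpatched path reports exactly one double free on the truncated input and none on the well-formed one, which is the same shape as the two valgrind runs above (one "Invalid free()" before the patch, zero errors after). The fix works because the owner's destructor still runs on the exception path; making the pointer null is what turns that second release into a no-op.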
Created attachment 10671 [details] SPEC patch
Created attachment 10672 [details] source patch
(In reply to Adrien Guichard from comment #7)
> Created attachment 10672 [details]
> source patch

Applies in cauldron, so fixed in libmp4v2-2.1.0-0.2.mga7.src.rpm.
CC: (none) => lists.jjorge
Status: NEW => ASSIGNED
Assignee: pkg-bugs => guichard.adrien
Created attachment 10675 [details] spec file patch for mga6
Version: Cauldron => 6
Whiteboard: MGA6TOO => (none)
Created attachment 10676 [details] spec file patch for mga6 fixed
Attachment 10675 is obsolete: 0 => 1
libmp4v2_2-2.0.0-9.1.mga6
libmp4v2-devel-2.0.0-9.1.mga6
libmp4v2-utils-2.0.0-9.1.mga6

from libmp4v2-2.0.0-9.1.mga6.src.rpm
We applied a patch to libmp4v2 to avoid a double free when parsing a corrupted file. A sample file is attached to this BR.

Suggested advisory:
========================

This release addresses a potential security issue in libmp4v2 for Mageia 6:

CVE-2018-14054: libmp4v2: Double free in the MP4StringProperty class in mp4property.cpp

References:
https://www.openwall.com/lists/oss-security/2019/01/09/2
========================

Updated packages in {core}/updates_testing:
========================
libmp4v2_2-2.0.0-9.1.mga6
libmp4v2-devel-2.0.0-9.1.mga6
libmp4v2-utils-2.0.0-9.1.mga6

from libmp4v2-2.0.0-9.1.mga6.src.rpm
Assignee: guichard.adrien => qa-bugs
Installed and tested without issues.

Tested using the attached corrupted mp4 file. The old version makes an invalid free() call that is fixed in the new version.

System: Mageia 6, x86_64, Intel CPU.

Before the update:

$ uname -a
Linux marte 4.14.89-desktop-1.mga6 #1 SMP Mon Dec 17 13:14:48 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -qa | grep mp4v2 | sort -u
lib64mp4v2_2-2.0.0-9.mga6
libmp4v2-utils-2.0.0-9.mga6
$ valgrind mp4info c1.mp4
==13869== Memcheck, a memory error detector
==13869== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==13869== Using Valgrind-3.12.0 and LibVEX; rerun with -h for copyright info
==13869== Command: mp4info c1.mp4
==13869==
mp4info version 2.0.0
c1.mp4:
==13869== Invalid free() / delete / delete[] / realloc()
==13869==    at 0x4C29060: free (vg_replace_malloc.c:530)
==13869==    by 0x4EB3819: ??? (in /usr/lib64/libmp4v2.so.2.0.0)
==13869==    by 0x4EB3858: ??? (in /usr/lib64/libmp4v2.so.2.0.0)
==13869==    by 0x4E991F7: ??? (in /usr/lib64/libmp4v2.so.2.0.0)
==13869==    by 0x4E6D842: ??? (in /usr/lib64/libmp4v2.so.2.0.0)
==13869==    by 0x4E9CA2B: ??? (in /usr/lib64/libmp4v2.so.2.0.0)
==13869==    by 0x4E9CC77: ??? (in /usr/lib64/libmp4v2.so.2.0.0)
==13869==    by 0x4E9CF21: ??? (in /usr/lib64/libmp4v2.so.2.0.0)
==13869==    by 0x4EA0D50: ??? (in /usr/lib64/libmp4v2.so.2.0.0)
==13869==    by 0x4EA1858: ??? (in /usr/lib64/libmp4v2.so.2.0.0)
==13869==    by 0x4E90A97: MP4Read (in /usr/lib64/libmp4v2.so.2.0.0)
==13869==    by 0x4EB2D3C: MP4FileInfo (in /usr/lib64/libmp4v2.so.2.0.0)
==13869==  Address 0x5dcd730 is 0 bytes inside a block of size 33 free'd
==13869==    at 0x4C29060: free (vg_replace_malloc.c:530)
==13869==    by 0x4EB3CC9: ??? (in /usr/lib64/libmp4v2.so.2.0.0)
==13869==    by 0x4E99853: ??? (in /usr/lib64/libmp4v2.so.2.0.0)
==13869==    by 0x4E9CF12: ??? (in /usr/lib64/libmp4v2.so.2.0.0)
==13869==    by 0x4E9C882: ??? (in /usr/lib64/libmp4v2.so.2.0.0)
==13869==    by 0x4E9CC77: ??? (in /usr/lib64/libmp4v2.so.2.0.0)
==13869==    by 0x4E9CF21: ??? (in /usr/lib64/libmp4v2.so.2.0.0)
==13869==    by 0x4EA0D50: ??? (in /usr/lib64/libmp4v2.so.2.0.0)
==13869==    by 0x4EA1858: ??? (in /usr/lib64/libmp4v2.so.2.0.0)
==13869==    by 0x4E90A97: MP4Read (in /usr/lib64/libmp4v2.so.2.0.0)
==13869==    by 0x4EB2D3C: MP4FileInfo (in /usr/lib64/libmp4v2.so.2.0.0)
==13869==    by 0x401EF7: ??? (in /usr/bin/mp4info)
==13869==  Block was alloc'd at
==13869==    at 0x4C29CF8: calloc (vg_replace_malloc.c:711)
==13869==    by 0x4EB631F: ??? (in /usr/lib64/libmp4v2.so.2.0.0)
==13869==    by 0x4E6D44B: ??? (in /usr/lib64/libmp4v2.so.2.0.0)
==13869==    by 0x4E9BA99: ??? (in /usr/lib64/libmp4v2.so.2.0.0)
==13869==    by 0x4E9C5BE: ??? (in /usr/lib64/libmp4v2.so.2.0.0)
==13869==    by 0x4E9C7C7: ??? (in /usr/lib64/libmp4v2.so.2.0.0)
==13869==    by 0x4E9CC77: ??? (in /usr/lib64/libmp4v2.so.2.0.0)
==13869==    by 0x4E9CF21: ??? (in /usr/lib64/libmp4v2.so.2.0.0)
==13869==    by 0x4EA0D50: ??? (in /usr/lib64/libmp4v2.so.2.0.0)
==13869==    by 0x4EA1858: ??? (in /usr/lib64/libmp4v2.so.2.0.0)
==13869==    by 0x4E90A97: MP4Read (in /usr/lib64/libmp4v2.so.2.0.0)
==13869==    by 0x4EB2D3C: MP4FileInfo (in /usr/lib64/libmp4v2.so.2.0.0)
==13869==
ReadBytes: read failed: errno: 0 (src/mp4file_io.cpp,94)
mp4info: can't open c1.mp4
==13869==
==13869== HEAP SUMMARY:
==13869==     in use at exit: 72,731 bytes in 2 blocks
==13869==   total heap usage: 1,529 allocs, 1,528 frees, 174,273 bytes allocated
==13869==
==13869== LEAK SUMMARY:
==13869==    definitely lost: 27 bytes in 1 blocks
==13869==    indirectly lost: 0 bytes in 0 blocks
==13869==      possibly lost: 0 bytes in 0 blocks
==13869==    still reachable: 72,704 bytes in 1 blocks
==13869==         suppressed: 0 bytes in 0 blocks
==13869== Rerun with --leak-check=full to see details of leaked memory
==13869==
==13869== For counts of detected and suppressed errors, rerun with: -v
==13869== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)

-------------------------------------

After the update:

$ rpm -qa | grep mp4v2 | sort -u
lib64mp4v2_2-2.0.0-9.1.mga6
libmp4v2-utils-2.0.0-9.1.mga6
$ valgrind mp4info c1.mp4
==14482== Memcheck, a memory error detector
==14482== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==14482== Using Valgrind-3.12.0 and LibVEX; rerun with -h for copyright info
==14482== Command: mp4info c1.mp4
==14482==
mp4info version 2.0.0
c1.mp4:
ReadBytes: read failed: errno: 0 (src/mp4file_io.cpp,94)
mp4info: can't open c1.mp4
==14482==
==14482== HEAP SUMMARY:
==14482==     in use at exit: 72,731 bytes in 2 blocks
==14482==   total heap usage: 1,529 allocs, 1,527 frees, 174,273 bytes allocated
==14482==
==14482== LEAK SUMMARY:
==14482==    definitely lost: 27 bytes in 1 blocks
==14482==    indirectly lost: 0 bytes in 0 blocks
==14482==      possibly lost: 0 bytes in 0 blocks
==14482==    still reachable: 72,704 bytes in 1 blocks
==14482==         suppressed: 0 bytes in 0 blocks
==14482== Rerun with --leak-check=full to see details of leaked memory
==14482==
==14482== For counts of detected and suppressed errors, rerun with: -v
==14482== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)
CC: (none) => mageia
(In reply to PC LX from comment #13)
> Tested using the attached corrupted mp4 file.

1st attachment, "corrupted mp4 file": https://bugs.mageia.org/attachment.cgi?id=10669

> The old version makes an
> invalid free() call that is fixed in the new version.

= MGA6-64-OK + validation. Super test, thank you.

Doing advisory from comment 12.
Whiteboard: (none) => MGA6-64-OK
Keywords: (none) => advisory, validated_update
CC: (none) => lewyssmith, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2019-0048.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED