Bug 24175 - libmp4v2 new security issue CVE-2018-14054
Summary: libmp4v2 new security issue CVE-2018-14054
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 6
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2019-01-13 19:05 CET by David Walser
Modified: 2019-01-23 16:51 CET (History)
8 users (show)

See Also:
Source RPM: libmp4v2-2.1.0-0.2.mga7.src.rpm
CVE:
Status comment:


Attachments
corrupted mp4 file (98 bytes, video/mp4)
2019-01-17 04:50 CET, Adrien Guichard
Details
Sane mp4 file (374.64 KB, video/mp4)
2019-01-17 04:50 CET, Adrien Guichard
Details
SPEC patch (658 bytes, patch)
2019-01-17 05:00 CET, Adrien Guichard
Details | Diff
source patch (543 bytes, patch)
2019-01-17 05:00 CET, Adrien Guichard
Details | Diff
spec file patch for mga6 (576 bytes, patch)
2019-01-18 08:20 CET, Adrien Guichard
Details | Diff
spec file patch for mga6 fixed (679 bytes, patch)
2019-01-18 08:24 CET, Adrien Guichard
Details | Diff

Description David Walser 2019-01-13 19:05:25 CET
There is a double-free issue in libmp4v2:
https://www.openwall.com/lists/oss-security/2019/01/09/2
https://www.openwall.com/lists/oss-security/2018/07/13/1

There is no fix available at this time.

Mageia 6 is also affected.
David Walser 2019-01-13 19:05:33 CET

Whiteboard: (none) => MGA6TOO

Comment 1 Marja Van Waes 2019-01-13 19:28:04 CET
Assigning to all packagers collectively, since there is no registered maintainer for this package.

CC'ing the only committers from the past two years.

CC: (none) => cjw, marja11, smelror
Assignee: bugsquad => pkg-bugs

Comment 2 Adrien Guichard 2019-01-15 00:28:49 CET
I try to take care of this CVE. 

According to 

https://www.openwall.com/lists/oss-security/2018/07/13/1

> ========= Fix =========
> 
> One way to fix the bug is to clear the dangling pointer after the the first free.

So, we need to set to null pAtom before launching the exception in src/mp4atom.cpp.

I will write a patch and test it before sharing.

CC: (none) => guichard.adrien

Comment 3 Adrien Guichard 2019-01-17 04:50:19 CET
Created attachment 10669 [details]
corrupted mp4 file
Comment 4 Adrien Guichard 2019-01-17 04:50:43 CET
Created attachment 10670 [details]
Sane mp4 file
Comment 5 Adrien Guichard 2019-01-17 04:55:46 CET
Valgrind on corrupted file ()showing the double free :
$ valgrind .libs/mp4info ../../c1.mp4      
==32083== Memcheck, a memory error detector
==32083== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==32083== Using Valgrind-3.14.0 and LibVEX; rerun with -h for copyright info
==32083== Command: .libs/mp4info ../../c1.mp4
==32083== 
.libs/mp4info version trunk-r507
../../c1.mp4:
==32083== Invalid free() / delete / delete[] / realloc()
==32083==    at 0x4835900: free (vg_replace_malloc.c:540)
==32083==    by 0x48D72DC: mp4v2::impl::MP4StringProperty::~MP4StringProperty() (mp4property.cpp:338)
==32083==    by 0x48D7308: mp4v2::impl::MP4StringProperty::~MP4StringProperty() (mp4property.cpp:340)
==32083==    by 0x48BCDD7: mp4v2::impl::MP4Atom::~MP4Atom() (mp4atom.cpp:66)
==32083==    by 0x489A732: ~MP4Mp4vAtom (atoms.h:264)
==32083==    by 0x489A732: mp4v2::impl::MP4Mp4vAtom::~MP4Mp4vAtom() (atoms.h:264)
==32083==    by 0x4870797: mp4v2::impl::MP4Atom::ReadAtom(mp4v2::impl::MP4File&, mp4v2::impl::MP4Atom*) [clone .cold.82] (mp4atom.cpp:199)
==32083==    by 0x48BFA90: mp4v2::impl::MP4Atom::ReadChildAtoms() (mp4atom.cpp:430)
==32083==    by 0x48C1287: mp4v2::impl::MP4Atom::Read() (mp4atom.cpp:236)
==32083==    by 0x48C9D8C: mp4v2::impl::MP4File::ReadFromFile() (mp4file.cpp:430)
==32083==    by 0x48CD428: mp4v2::impl::MP4File::Read(char const*, MP4FileProvider_s const*) (mp4file.cpp:96)
==32083==    by 0x48B94A7: MP4Read (mp4.cpp:102)
==32083==    by 0x48D63CC: MP4FileInfo (mp4info.cpp:614)
==32083==  Address 0x4ee1b90 is 0 bytes inside a block of size 33 free'd
==32083==    at 0x4835900: free (vg_replace_malloc.c:540)
==32083==    by 0x48D86ED: Read (mp4property.cpp:395)
==32083==    by 0x48D86ED: mp4v2::impl::MP4StringProperty::Read(mp4v2::impl::MP4File&, unsigned int) (mp4property.cpp:377)
==32083==    by 0x48C0108: mp4v2::impl::MP4Atom::ReadProperties(unsigned int, unsigned int) (mp4atom.cpp:378)
==32083==    by 0x48C1262: mp4v2::impl::MP4Atom::Read() (mp4atom.cpp:232)
==32083==    by 0x48BF7E5: mp4v2::impl::MP4Atom::ReadAtom(mp4v2::impl::MP4File&, mp4v2::impl::MP4Atom*) (mp4atom.cpp:195)
==32083==    by 0x48BFA90: mp4v2::impl::MP4Atom::ReadChildAtoms() (mp4atom.cpp:430)
==32083==    by 0x48C1287: mp4v2::impl::MP4Atom::Read() (mp4atom.cpp:236)
==32083==    by 0x48C9D8C: mp4v2::impl::MP4File::ReadFromFile() (mp4file.cpp:430)
==32083==    by 0x48CD428: mp4v2::impl::MP4File::Read(char const*, MP4FileProvider_s const*) (mp4file.cpp:96)
==32083==    by 0x48B94A7: MP4Read (mp4.cpp:102)
==32083==    by 0x48D63CC: MP4FileInfo (mp4info.cpp:614)
==32083==    by 0x40239C: main (mp4info.cpp:77)
==32083==  Block was alloc'd at
==32083==    at 0x48369A2: calloc (vg_replace_malloc.c:762)
==32083==    by 0x48DB01F: MP4Malloc (mp4util.h:56)
==32083==    by 0x48DB01F: MP4Calloc (mp4util.h:65)
==32083==    by 0x48DB01F: mp4v2::impl::MP4StringProperty::SetValue(char const*, unsigned int) (mp4property.cpp:364)
==32083==    by 0x489A3DE: mp4v2::impl::MP4Mp4vAtom::MP4Mp4vAtom(mp4v2::impl::MP4File&) (atom_mp4v.cpp:50)
==32083==    by 0x48BE6B9: mp4v2::impl::MP4Atom::factory(mp4v2::impl::MP4File&, mp4v2::impl::MP4Atom*, char const*) (mp4atom.cpp:916)
==32083==    by 0x48BF57E: mp4v2::impl::MP4Atom::CreateAtom(mp4v2::impl::MP4File&, mp4v2::impl::MP4Atom*, char const*) (mp4atom.cpp:78)
==32083==    by 0x48BF74A: mp4v2::impl::MP4Atom::ReadAtom(mp4v2::impl::MP4File&, mp4v2::impl::MP4Atom*) (mp4atom.cpp:168)
==32083==    by 0x48BFA90: mp4v2::impl::MP4Atom::ReadChildAtoms() (mp4atom.cpp:430)
==32083==    by 0x48C1287: mp4v2::impl::MP4Atom::Read() (mp4atom.cpp:236)
==32083==    by 0x48C9D8C: mp4v2::impl::MP4File::ReadFromFile() (mp4file.cpp:430)
==32083==    by 0x48CD428: mp4v2::impl::MP4File::Read(char const*, MP4FileProvider_s const*) (mp4file.cpp:96)
==32083==    by 0x48B94A7: MP4Read (mp4.cpp:102)
==32083==    by 0x48D63CC: MP4FileInfo (mp4info.cpp:614)
==32083== 
ReadBytes: read failed: errno: 0 (src/mp4file_io.cpp,94)
.libs/mp4info: can't open ../../c1.mp4
==32083== 
==32083== HEAP SUMMARY:
==32083==     in use at exit: 27 bytes in 1 blocks
==32083==   total heap usage: 1,529 allocs, 1,529 frees, 175,272 bytes allocated
==32083== 
==32083== LEAK SUMMARY:
==32083==    definitely lost: 27 bytes in 1 blocks
==32083==    indirectly lost: 0 bytes in 0 blocks
==32083==      possibly lost: 0 bytes in 0 blocks
==32083==    still reachable: 0 bytes in 0 blocks
==32083==         suppressed: 0 bytes in 0 blocks
==32083== Rerun with --leak-check=full to see details of leaked memory
==32083== 
==32083== For counts of detected and suppressed errors, rerun with: -v
==32083== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)

If I add value = NULL line 396 in mp4property.cpp
$ valgrind .libs/mp4info ../../c1.mp4 
==354== Memcheck, a memory error detector
==354== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==354== Using Valgrind-3.14.0 and LibVEX; rerun with -h for copyright info
==354== Command: .libs/mp4info ../../c1.mp4
==354== 
.libs/mp4info version trunk-r507
../../c1.mp4:
ReadBytes: read failed: errno: 0 (src/mp4file_io.cpp,94)
.libs/mp4info: can't open ../../c1.mp4
==354== 
==354== HEAP SUMMARY:
==354==     in use at exit: 27 bytes in 1 blocks
==354==   total heap usage: 1,529 allocs, 1,528 frees, 175,272 bytes allocated
==354== 
==354== LEAK SUMMARY:
==354==    definitely lost: 27 bytes in 1 blocks
==354==    indirectly lost: 0 bytes in 0 blocks
==354==      possibly lost: 0 bytes in 0 blocks
==354==    still reachable: 0 bytes in 0 blocks
==354==         suppressed: 0 bytes in 0 blocks
==354== Rerun with --leak-check=full to see details of leaked memory
==354== 
==354== For counts of detected and suppressed errors, rerun with: -v
==354== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)


I do not use the script mp4info, but directly mp4info binary file :
$ ldd .libs/mp4info 
        linux-vdso.so.1 (0x00007ffd6c36b000)
        libmp4v2.so.2 => /home/auo/mgarepo3/libmp4v2/BUILD/mp4v2-trunk/.libs/libmp4v2.so.2 (0x00007f080e143000)
        libstdc++.so.6 => /lib64/libstdc++.so.6 (0x00007f080df75000)
        libgcc_s.so.1 => /lib64/libgcc_s.so.1 (0x00007f080df5b000)
        libc.so.6 => /lib64/libc.so.6 (0x00007f080dd92000)
        libm.so.6 => /lib64/libm.so.6 (0x00007f080dc11000)
        /lib64/ld-linux-x86-64.so.2 (0x00007f080e269000)
Comment 6 Adrien Guichard 2019-01-17 05:00:10 CET
Created attachment 10671 [details]
SPEC patch
Comment 7 Adrien Guichard 2019-01-17 05:00:31 CET
Created attachment 10672 [details]
source patch
Comment 8 José Jorge 2019-01-17 17:31:00 CET
(In reply to Adrien Guichard from comment #7)
> Created attachment 10672 [details]
> source patch

Applies in cauldron, so fixed  in libmp4v2-2.1.0-0.2.mga7.src.rpm.

CC: (none) => lists.jjorge
Status: NEW => ASSIGNED

José Jorge 2019-01-17 17:31:30 CET

Assignee: pkg-bugs => guichard.adrien

Comment 9 Adrien Guichard 2019-01-18 08:20:37 CET
Created attachment 10675 [details]
spec file patch for mga6
Adrien Guichard 2019-01-18 08:22:52 CET

Whiteboard: MGA6TOO => (none)
Version: Cauldron => 6

Comment 10 Adrien Guichard 2019-01-18 08:24:50 CET
Created attachment 10676 [details]
spec file patch for mga6 fixed

Attachment 10675 is obsolete: 0 => 1

Comment 11 David Walser 2019-01-18 21:11:23 CET
libmp4v2_2-2.0.0-9.1.mga6
libmp4v2-devel-2.0.0-9.1.mga6
libmp4v2-utils-2.0.0-9.1.mga6

from libmp4v2-2.0.0-9.1.mga6.src.rpm
Comment 12 Adrien Guichard 2019-01-19 02:45:04 CET
We applied a patch to libmp4v2 to avoid a double free when parsing a corrupted file. A sample file is attached to this BR


Suggested advisory:
========================

This release address a potential security issue in libmp4v2 for Mageia 6: CVE-2018-14054:
libmp4v2: Double free in the MP4StringProperty class in mp4property.cpp

References: https://www.openwall.com/lists/oss-security/2019/01/09/2
========================

Updated packages in {core}/updates_testing:
========================
libmp4v2_2-2.0.0-9.1.mga6
libmp4v2-devel-2.0.0-9.1.mga6
libmp4v2-utils-2.0.0-9.1.mga6

from libmp4v2-2.0.0-9.1.mga6.src.rpm

Assignee: guichard.adrien => qa-bugs

Comment 13 PC LX 2019-01-19 20:01:48 CET
Installed and tested without issues.

Tested using the attached corrupted mp4 file. The old version makes an invalid free() call that is fixed in the new version.

System: Mageia 6, x86_64, Intel CPU.

Before the update:

$ uname -a
Linux marte 4.14.89-desktop-1.mga6 #1 SMP Mon Dec 17 13:14:48 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -qa | grep mp4v2 | sort -u
lib64mp4v2_2-2.0.0-9.mga6
libmp4v2-utils-2.0.0-9.mga6
$ valgrind mp4info c1.mp4
==13869== Memcheck, a memory error detector
==13869== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==13869== Using Valgrind-3.12.0 and LibVEX; rerun with -h for copyright info
==13869== Command: mp4info c1.mp4
==13869== 
mp4info version 2.0.0
c1.mp4:
==13869== Invalid free() / delete / delete[] / realloc()
==13869==    at 0x4C29060: free (vg_replace_malloc.c:530)
==13869==    by 0x4EB3819: ??? (in /usr/lib64/libmp4v2.so.2.0.0)
==13869==    by 0x4EB3858: ??? (in /usr/lib64/libmp4v2.so.2.0.0)
==13869==    by 0x4E991F7: ??? (in /usr/lib64/libmp4v2.so.2.0.0)
==13869==    by 0x4E6D842: ??? (in /usr/lib64/libmp4v2.so.2.0.0)
==13869==    by 0x4E9CA2B: ??? (in /usr/lib64/libmp4v2.so.2.0.0)
==13869==    by 0x4E9CC77: ??? (in /usr/lib64/libmp4v2.so.2.0.0)
==13869==    by 0x4E9CF21: ??? (in /usr/lib64/libmp4v2.so.2.0.0)
==13869==    by 0x4EA0D50: ??? (in /usr/lib64/libmp4v2.so.2.0.0)
==13869==    by 0x4EA1858: ??? (in /usr/lib64/libmp4v2.so.2.0.0)
==13869==    by 0x4E90A97: MP4Read (in /usr/lib64/libmp4v2.so.2.0.0)
==13869==    by 0x4EB2D3C: MP4FileInfo (in /usr/lib64/libmp4v2.so.2.0.0)
==13869==  Address 0x5dcd730 is 0 bytes inside a block of size 33 free'd
==13869==    at 0x4C29060: free (vg_replace_malloc.c:530)
==13869==    by 0x4EB3CC9: ??? (in /usr/lib64/libmp4v2.so.2.0.0)
==13869==    by 0x4E99853: ??? (in /usr/lib64/libmp4v2.so.2.0.0)
==13869==    by 0x4E9CF12: ??? (in /usr/lib64/libmp4v2.so.2.0.0)
==13869==    by 0x4E9C882: ??? (in /usr/lib64/libmp4v2.so.2.0.0)
==13869==    by 0x4E9CC77: ??? (in /usr/lib64/libmp4v2.so.2.0.0)
==13869==    by 0x4E9CF21: ??? (in /usr/lib64/libmp4v2.so.2.0.0)
==13869==    by 0x4EA0D50: ??? (in /usr/lib64/libmp4v2.so.2.0.0)
==13869==    by 0x4EA1858: ??? (in /usr/lib64/libmp4v2.so.2.0.0)
==13869==    by 0x4E90A97: MP4Read (in /usr/lib64/libmp4v2.so.2.0.0)
==13869==    by 0x4EB2D3C: MP4FileInfo (in /usr/lib64/libmp4v2.so.2.0.0)
==13869==    by 0x401EF7: ??? (in /usr/bin/mp4info)
==13869==  Block was alloc'd at
==13869==    at 0x4C29CF8: calloc (vg_replace_malloc.c:711)
==13869==    by 0x4EB631F: ??? (in /usr/lib64/libmp4v2.so.2.0.0)
==13869==    by 0x4E6D44B: ??? (in /usr/lib64/libmp4v2.so.2.0.0)
==13869==    by 0x4E9BA99: ??? (in /usr/lib64/libmp4v2.so.2.0.0)
==13869==    by 0x4E9C5BE: ??? (in /usr/lib64/libmp4v2.so.2.0.0)
==13869==    by 0x4E9C7C7: ??? (in /usr/lib64/libmp4v2.so.2.0.0)
==13869==    by 0x4E9CC77: ??? (in /usr/lib64/libmp4v2.so.2.0.0)
==13869==    by 0x4E9CF21: ??? (in /usr/lib64/libmp4v2.so.2.0.0)
==13869==    by 0x4EA0D50: ??? (in /usr/lib64/libmp4v2.so.2.0.0)
==13869==    by 0x4EA1858: ??? (in /usr/lib64/libmp4v2.so.2.0.0)
==13869==    by 0x4E90A97: MP4Read (in /usr/lib64/libmp4v2.so.2.0.0)
==13869==    by 0x4EB2D3C: MP4FileInfo (in /usr/lib64/libmp4v2.so.2.0.0)
==13869== 
ReadBytes: read failed: errno: 0 (src/mp4file_io.cpp,94)
mp4info: can't open c1.mp4
==13869== 
==13869== HEAP SUMMARY:
==13869==     in use at exit: 72,731 bytes in 2 blocks
==13869==   total heap usage: 1,529 allocs, 1,528 frees, 174,273 bytes allocated
==13869== 
==13869== LEAK SUMMARY:
==13869==    definitely lost: 27 bytes in 1 blocks
==13869==    indirectly lost: 0 bytes in 0 blocks
==13869==      possibly lost: 0 bytes in 0 blocks
==13869==    still reachable: 72,704 bytes in 1 blocks
==13869==         suppressed: 0 bytes in 0 blocks
==13869== Rerun with --leak-check=full to see details of leaked memory
==13869== 
==13869== For counts of detected and suppressed errors, rerun with: -v
==13869== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)

-------------------------------------

After the update.

$ rpm -qa | grep mp4v2 | sort -u
lib64mp4v2_2-2.0.0-9.1.mga6
libmp4v2-utils-2.0.0-9.1.mga6
$ valgrind mp4info c1.mp4
==14482== Memcheck, a memory error detector
==14482== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==14482== Using Valgrind-3.12.0 and LibVEX; rerun with -h for copyright info
==14482== Command: mp4info c1.mp4
==14482== 
mp4info version 2.0.0
c1.mp4:
ReadBytes: read failed: errno: 0 (src/mp4file_io.cpp,94)
mp4info: can't open c1.mp4
==14482== 
==14482== HEAP SUMMARY:
==14482==     in use at exit: 72,731 bytes in 2 blocks
==14482==   total heap usage: 1,529 allocs, 1,527 frees, 174,273 bytes allocated
==14482== 
==14482== LEAK SUMMARY:
==14482==    definitely lost: 27 bytes in 1 blocks
==14482==    indirectly lost: 0 bytes in 0 blocks
==14482==      possibly lost: 0 bytes in 0 blocks
==14482==    still reachable: 72,704 bytes in 1 blocks
==14482==         suppressed: 0 bytes in 0 blocks
==14482== Rerun with --leak-check=full to see details of leaked memory
==14482== 
==14482== For counts of detected and suppressed errors, rerun with: -v
==14482== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)

CC: (none) => mageia

Comment 14 Lewis Smith 2019-01-20 15:42:39 CET
(In reply to PC LX from comment #13)
> Tested using the attached corrupted mp4 file.
1st attachment, "corrupted mp4 file":
 https://bugs.mageia.org/attachment.cgi?id=10669

> The old version makes an
> invalid free() call that is fixed in the new version.
= MGA6-64-OK + validation. Super test, thank you.
Doing advisory from comment 12.

CC: (none) => lewyssmith, sysadmin-bugs
Whiteboard: (none) => MGA6-64-OK
Keywords: (none) => advisory, validated_update

Comment 15 Mageia Robot 2019-01-23 16:51:46 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0048.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED


Note You need to log in before you can comment on or make changes to this bug.