Bug 24208 - libcaca new security issues CVE-2018-2054[4-9]
Summary: libcaca new security issues CVE-2018-2054[4-9]
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 6
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6-32-OK MGA6-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2019-01-19 17:13 CET by David Walser
Modified: 2019-01-23 16:51 CET (History)
8 users (show)

See Also:
Source RPM: libcaca-0.99-0.beta18.13.mga6.src.rpm
CVE:
Status comment:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description David Walser 2019-01-19 17:13:30 CET 
Ubuntu has issued an advisory on January 15:
https://usn.ubuntu.com/3860-1/

Mageia 6 is also affected.
David Walser 2019-01-19 17:13:48 CET

Whiteboard: (none) => MGA6TOO

Comment 1 Marja Van Waes 2019-01-19 19:25:23 CET 
Assigning to all packagers collectively, since there is no registered maintainer for this package.

Also CC'ing some committers.

CC: (none) => geiger.david68210, marja11, pterjan, smelror
Assignee: bugsquad => pkg-bugs

Comment 2 David Walser 2019-01-21 04:27:25 CET 
Advisory:
========================

Updated libcaca packages fix security vulnerabilities:

It was discovered that libcaca incorrectly handled certain images. An attacker
could possibly use this issue to cause a denial of service (CVE-2018-20544).

It was discovered that libcaca incorrectly handled certain images. An attacker
could possibly use this issue to execute arbitrary code (CVE-2018-20545,
CVE-2018-20548, CVE-2018-20459).

It was discovered that libcaca incorrectly handled certain images. An attacker
could possibly use this issue to access sensitive information (CVE-2018-20546,
CVE-2018-20547).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20544
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20545
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20546
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20547
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20548
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20549
https://usn.ubuntu.com/3860-1/
========================

Updated packages in core/updates_testing:
========================
libcaca0-0.99-0.beta18.13.1.mga6
libcaca-devel-0.99-0.beta18.13.1.mga6
caca-utils-0.99-0.beta18.13.1.mga6
ruby-caca-0.99-0.beta18.13.1.mga6
python-caca-0.99-0.beta18.13.1.mga6

from libcaca-0.99-0.beta18.13.1.mga6.src.rpm

Version: Cauldron => 6
Whiteboard: MGA6TOO => (none)
Assignee: pkg-bugs => qa-bugs

Comment 3 Pascal Terjan 2019-01-21 12:26:15 CET 
Just for the record some of those are in code not used in our package (only used when not built with imlib2 support) but this is not very important and I haven't had time to see which ones are really fixed by the update
Comment 4 Len Lawrence 2019-01-21 20:04:48 CET 
@Pascal, re comment 3
The PoC may throw some light on that so I shall check those shortly.

CC: (none) => tarazed25

Comment 5 Len Lawrence 2019-01-22 01:32:03 CET 
Mageia 6, x86_64

*Before update*

Looked for POC tests.
-------------------------------------------------------------------------
CVE-2018-20544
https://bugzilla.redhat.com/show_bug.cgi?id=1652627
$ img2txt POC6
img2txt: unable to load POC6
$ file POC6
POC6: PC bitmap, Windows 3.x format, 32 x 65503 x 1

This gives the impression of having already been fixed.
-------------------------------------------------------------------------
CVE-2018-20545
https://bugzilla.redhat.com/show_bug.cgi?id=1652621
$ img2txt POC0
img2txt: unable to load POC0

The ASAN test upstream led to an abort so this has probably already been fixed.
-------------------------------------------------------------------------
CVE-2018-20546
https://bugzilla.redhat.com/show_bug.cgi?id=1652622
$ img2txt POC1
img2txt: unable to load POC1

Upstream test generated ABORT.  Probably good already.
-------------------------------------------------------------------------
CVE-2018-20547
https://bugzilla.redhat.com/show_bug.cgi?id=1652624
$ img2txt POC3
img2txt: unable to load POC3

More of the same.
-------------------------------------------------------------------------
CVE-2018-20548
https://bugzilla.redhat.com/show_bug.cgi?id=1652625
$ img2txt POC4
img2txt: unable to load POC4

Repeat earlier two remarks.  Maybe good.
-------------------------------------------------------------------------
CVE-2018-20549
https://bugzilla.redhat.com/show_bug.cgi?id=1652628
$ img2txt POC7
img2txt: unable to load POC7

It seems likely that all the reproducers are returning good results.  As none of them abort they look good but there is some uncertainty about what we should expect to see for a successful test.
More on this later.
Comment 6 Len Lawrence 2019-01-22 01:34:04 CET 
Additional note running on from comment 5.
$ file POC*
POC0: PC bitmap, Windows 3.x format, 65536 x 65536 x 4
POC1: PC bitmap, Windows 3.x format, 132 x 4353 x 60675
POC3: PC bitmap, OS/2 1.x format, 127 x 0
POC4: PC bitmap, Windows 3.x format, 65536 x 65536 x 1
POC6: PC bitmap, Windows 3.x format, 32 x 65503 x 1
POC7: PC bitmap, Windows 3.x format, 65535 x 32 x 16388
Comment 7 Herman Viaene 2019-01-22 11:12:00 CET 
MGA6-32 MATE on IBM Thinkpad R50e
No installation issues
At CLI:
$ img2txt dsc00107.jpg
produces as  feedback rows of code which gets some colors in the MATE terminal and the whole gives a (of course) very crude impression of the original picture.
Redirecting the output to a file
$ img2txt dsc00107.jpg > cacatest.txt
gives a file which displays absolute rubbish with Pluma. That does not seem to be the end of the command.
OK for me.

Whiteboard: (none) => MGA6-32-OK
CC: (none) => herman.viaene

Comment 8 Len Lawrence 2019-01-22 18:55:39 CET 
Tried img2txt as in comment 7 and generated a very low resolution text image of an original coloured JPEG, viewed by running cat.

$ urpmq --whatrequires lib64caca0 | sort -u
caca-utils
gstreamer0.10-caca
gstreamer1.0-caca
lib64caca0
lib64caca-devel
lib64mpv1
lib64xine2
mplayer
mpv
ruby-caca
toilet
vlc-plugin-common
xine-ui-aa

So, used by various players.  Not sure we should investigate toilet.
$ urpmq -i caca-utils
This package contains utilities and demonstration programs for libcaca, the
Colour AsCii Art library.

cacaview - simple viewer in terminal
cacaball - animated ASCII metaballs
cacafire - flaming ASCII art
cacamoir - animated moiré circles
cacaplas - plasma effect
cacademo - demonstration of rendering features

Used cacaview on the original test JPEG.  That performed the img2txt operation and showed the result in a text window.  Help provided by ? - used g and G to modify gamma.  Not obvious how to save the result.
cacafire and cacademo work but the other three animations appear to be missing but looking in /usr/bin turns up cacaclock, cacaplay and cacaserver and a link to caca-config.
cacaplay plays *.caca animations.  It has a man page.
cacaclock is supposed to show the current time but requires a font argument.  Could not figure out what the specification is for a font.
$ cacaclock -d %R --font=Larabiefont
Could not open font
$ cacaclock -d %R --font=lucidasans-18
Could not open font

ruby-caca is a ruby binding for caca; python-caca is probably similar.
From the man page (3) for ruby-caca-api:
$ irb -rcaca
irb(main):001:0> Caca.constants
=> [:BLACK, :BLUE, :GREEN, :CYAN, :RED, :MAGENTA, :BROWN, :LIGHTGRAY, :DARKGRAY, :LIGHTBLUE, :LIGHTGREEN, :LIGHTCYAN, :LIGHTRED, :LIGHTMAGENTA, :YELLOW, :WHITE, :DEFAULT, :TRANSPARENT, :BOLD, :ITALICS, :UNDERLINE, :BLINK, :Canvas, :Dither, :Font, :Display, :Event]

$ ruby -rcaca -e 'p Caca::Canvas.export_list'
[["caca", "native libcaca format"], ["ansi", "ANSI"], ["utf8", "UTF-8 with ANSI escape codes"], ["utf8cr", "UTF-8 with ANSI escape codes and MS-DOS \\r"], ["html", "HTML"], ["html3", "backwards-compatible HTML"], ["bbfr", "BBCode (French)"], ["irc", "IRC with mIRC colours"], ["ps", "PostScript document"], ["svg", "SVG vector image"], ["tga", "TGA image"], ["troff", "troff source"]]

I had to massage this oneliner to get the same result as the man page.
$ ruby -rcaca -e 'c=Caca::Canvas.new(6, 3).fill_box(0,0,3,3,0x23);c2=Caca::Canvas.new(1,1).put_str(0,0,"x"); c.blit(1,1,c2); puts c.export_to_memory("irc")'
###   
#x#   
###   

$ ruby -rcaca -e 'puts Caca::Canvas.new(6,3).draw_thin_polyline([[0,0], [0,2],[5,2],[0,0]]).export_to_memory("irc")'
-.    
| `.  
----`-

$ ruby -rcaca -e 'p Caca::Font.list'
["Monospace 9", "Monospace Bold 12"]

$ cat linetest.rb
require 'caca'

c = Caca::Canvas.new( 20, 10 )
c.put_str( 2, 3, "plop!" )
c.draw_thin_polyline( [[0,0], [0,2], [5,2], [0,0]] )
d = Caca::Display.new(c)
d.title = "Test !"
d.refresh

Esc = 0x1b.chr

# Redefine Event::Key#quit? so that q, Q, and Esc become exit keys
# Note that the ^[ combination was not interpreted as Esc so Esc failed
# to do anything.
module Caca
  class Event::Key
    def quit?
      "qQ#{Esc}".split( '' ).member?( @ch.chr )
    end
  end
end

while( ( e = d.get_event( Caca::Event, -1 ) ) && !e.quit? )
  p e
  d.refresh
end

Running linetest.rb generated a text window - q, Q or Esc exited the demo.

$ ruby linetest.rb.

So it looks like the ruby binding is working fine.
Giving this a 64-bit OK.

Whiteboard: MGA6-32-OK => MGA6-32-OK MGA6-64-OK

Comment 9 Lewis Smith 2019-01-22 20:39:18 CET 
Thanks to you both. Advisory from comment 2.

Keywords: (none) => advisory, validated_update
CC: (none) => lewyssmith, sysadmin-bugs

Comment 10 Mageia Robot 2019-01-23 16:51:50 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0050.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED
Note You need to log in before you can comment on or make changes to this bug.