Bug 24535 - advancecomp new security issue CVE-2019-9210
Summary: advancecomp new security issue CVE-2019-9210
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: RPM Packages
Version: 6
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: has_procedure MGA6-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2019-03-19 22:26 CET by David Walser
Modified: 2019-04-05 20:14 CEST

See Also:
Source RPM: advancecomp-2.1-2.mga7.src.rpm
CVE:
Status comment:


Description David Walser 2019-03-19 22:26:37 CET
Fedora has issued an advisory on March 16:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/DPZCDOUS5QYMW45SCXCDPCWKC4QVMPLU/

Mageia 6 may also be affected.
Comment 1 Marja Van Waes 2019-03-22 22:47:40 CET
Assigning to our registered advancecomp maintainer.

Assignee: bugsquad => dan
CC: (none) => marja11

Comment 2 Dan Fandrich 2019-03-23 14:18:33 CET
Fixed in Cauldron in advancecomp-2.1-4

Fixed in mga6 in advancecomp-1.20-3.3.mga6

Here is a simple regression test (this doesn't check for the bug fix but just ensures the code still works with the patch):

cp /usr/lib/libDrakX/icons/tradi.png /tmp && advpng -z /tmp/tradi.png && advpng -l /tmp/tradi.png && echo Looks ok

There should be no error messages and the last displayed line should be "Looks ok".

Advisory:
========================
advancecomp has been updated to fix a security issue that could be triggered when presented with a malformed PNG file. advancecomp contained an integer overflow upon encountering an invalid PNG size, which could result in a buffer overflow (CVE-2019-9210), as well as a heap-based buffer over-read.

Updated packages:
========================
advancecomp-1.20-3.3.mga6.i586.rpm
advancecomp-1.20-3.3.mga6.x86_64.rpm

QA Contact: (none) => security
Version: Cauldron => 6
Whiteboard: (none) => has_procedure
Status: NEW => ASSIGNED
Assignee: dan => qa-bugs
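
The bug class named in the advisory above (an integer overflow on an invalid PNG size leading to an undersized buffer), shown as an added example that is not part of the original comments and is not advancecomp's code or its patch. The function names and the 1 GiB cap are assumptions made for illustration; the sample values 264x198, depth 8, color type 2 are the IHDR fields that advpng -l reports for tradi.png further down this page.

```c
/* Added illustration (not advancecomp source): sizing a buffer from IHDR. */
#include <stdint.h>
#include <stdio.h>

#define MAX_IMAGE_BYTES (UINT64_C(1) << 30) /* assumed policy cap: 1 GiB */

/* Unchecked 32-bit arithmetic: the product wraps silently for huge sizes. */
uint32_t naive_size(uint32_t width, uint32_t height, uint32_t bytes_per_pixel)
{
    return height * (width * bytes_per_pixel + 1); /* +1 filter byte per row */
}

/* Channels for a valid colour type / bit depth pair, 0 if the pair is invalid. */
static unsigned channels(unsigned color_type, unsigned depth)
{
    if (depth != 1 && depth != 2 && depth != 4 && depth != 8 && depth != 16)
        return 0;
    switch (color_type) {
    case 0: return 1;                  /* greyscale: any listed depth */
    case 3: return depth <= 8 ? 1 : 0; /* palette index: 1, 2, 4 or 8 */
    case 2: return depth >= 8 ? 3 : 0; /* RGB: 8 or 16 */
    case 4: return depth >= 8 ? 2 : 0; /* greyscale + alpha: 8 or 16 */
    case 6: return depth >= 8 ? 4 : 0; /* RGBA: 8 or 16 */
    default: return 0;
    }
}

/* Returns the decoded byte count, or 0 if the header must be rejected. */
uint64_t checked_size(uint32_t width, uint32_t height, unsigned depth,
                      unsigned color_type)
{
    unsigned ch = channels(color_type, depth);
    if (ch == 0 || width == 0 || height == 0 ||
        width > 0x7fffffffu || height > 0x7fffffffu)
        return 0;
    /* At most 2^31 * 4 * 16 = 2^37 bits per row, so 64-bit math cannot wrap. */
    uint64_t row = ((uint64_t)width * ch * depth + 7) / 8 + 1;
    if (row > MAX_IMAGE_BYTES / height) /* divide instead of multiplying */
        return 0;
    return row * height;
}

int main(void)
{
    printf("tradi.png IHDR: %llu bytes\n", (unsigned long long)checked_size(264, 198, 8, 2));
    printf("naive, 0x40000000 x 2 RGBA: %u bytes\n", (unsigned)naive_size(0x40000000u, 2, 4));
    return 0;
}
```

The naive computation reports 2 bytes for a header whose rows alone exceed 4 GiB, which is how an allocation ends up smaller than the data later written into it; the checked version rejects the same header.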

Dan Fandrich 2019-03-23 14:19:05 CET

CC: (none) => dan

Comment 3 Len Lawrence 2019-03-28 10:46:52 CET
mga6, x86_64

$ cp /usr/lib/libDrakX/icons/tradi.png /tmp && advpng -z /tmp/tradi.png && advpng -l /tmp/tradi.png && echo
       33212       21115  63% /tmp/tradi.png
       33212       21115  63%
IHDR      13 width:264 height:198 depth:8 color_type:2 compression:0 filter:0 interlace:0
IDAT   21058
IEND       0


After update:

$ cp /usr/lib/libDrakX/icons/tradi.png /tmp && advpng -z /tmp/tradi.png && advpng -l /tmp/tradi.png && echo Looks ok
cp: overwrite '/tmp/tradi.png'? y
       33212       21115  63% /tmp/tradi.png
       33212       21115  63%
IHDR      13 width:264 height:198 depth:8 color_type:2 compression:0 filter:0 interlace:0
IDAT   21058
IEND       0
Looks ok

It still looks like a screendump - "Mandrake", lots of green OKs.
Thanks Dan for providing that neat test.

Official site: http://www.advancemame.it/

Utilities are advzip, advpng, advmng, advdef.
Use -h for options.

Tried this from /tmp:
$ advzip -x tradi.png
Failed read end of central directory

Probably some misunderstanding on my part.

No regression according to your test so this gets a 64-bit OK.

Whiteboard: has_procedure => has_procedure
CC: (none) => tarazed25

Len Lawrence 2019-03-28 10:47:36 CET

Whiteboard: has_procedure => has_procedure MGA6-64-OK

Len Lawrence 2019-04-01 00:47:12 CEST

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Dave Hodgins 2019-04-04 15:45:05 CEST

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 4 Mageia Robot 2019-04-05 20:14:19 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0128.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED

