Bug 24601 - gpac new security issues CVE-2018-7752, CVE-2018-1300[56], CVE-2018-2076[0-3], CVE-2018-1000100
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2019-03-30 20:19 CET by David Walser
Modified: 2019-04-11 00:08 CEST

See Also:
Source RPM: gpac-0.7.1-5.mga7.src.rpm
CVE:
Status comment:



Description David Walser 2019-03-30 20:19:22 CET
Ubuntu has issued an advisory on March 29:
https://usn.ubuntu.com/3926-1/

Mageia 6 is also affected.
David Walser 2019-03-30 20:19:30 CET

Whiteboard: (none) => MGA6TOO

Comment 1 Marja Van Waes 2019-03-31 10:12:36 CEST
Assigning to our registered gpac maintainer

CC: (none) => marja11
Assignee: bugsquad => geiger.david68210

Comment 2 David GEIGER 2019-04-01 07:18:20 CEST
Fixed both mga6 and Cauldron!
Comment 3 David Walser 2019-04-01 12:53:33 CEST
Thanks David!  Note to QA: this package is in Tainted.

Advisory:
========================

Updated gpac packages fix security vulnerabilities:

It was discovered that the GPAC MP4Box utility incorrectly handled certain
memory operations. If a user or automated system were tricked into opening a
specially crafted MP4 file, a remote attacker could use this issue to cause
MP4Box to crash, resulting in a denial of service, or possibly execute
arbitrary code (CVE-2018-7752, CVE-2018-13005, CVE-2018-13006, CVE-2018-20760,
CVE-2018-20761, CVE-2018-20762, CVE-2018-20763, CVE-2018-1000100).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7752
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13005
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13006
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20760
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20761
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20762
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20763
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000100
https://usn.ubuntu.com/3926-1/
========================

Updated packages in core/updates_testing:
========================
gpac-0.6.1-4.1.mga6
libgpac6-0.6.1-4.1.mga6
libgpac-devel-0.6.1-4.1.mga6

from gpac-0.6.1-4.1.mga6.src.rpm

Assignee: geiger.david68210 => qa-bugs
Version: Cauldron => 6
Whiteboard: MGA6TOO => (none)
CC: (none) => geiger.david68210

Comment 4 Len Lawrence 2019-04-05 21:45:45 CEST
mga6, x86_64

Not many explicit reproducers and not clear how to run them.  Not all the quoted files
are available publicly.

CVE-2018-20760
https://github.com/gpac/gpac/issues/1177
$ unzip crafted.zip
$ MP4Box -add crafted.srt TouringVestasCraters.mov
[iso file] Apple 'alis' box found, not supported - converting to self-pointing 'url ' 
[iso file] Apple 'alis' box found, not supported - converting to self-pointing 'url ' 
ICC colour profile not supported 
[iso file] Box "..Z." is larger than container box
[iso file] Box "avc1" size 151 invalid (read 155)
Timed Text (SRT) import - text track 640 x 480, font Serif (size 18)
Segmentation fault (core dumped)

The mismatched input files invalidate this test.

Updated the packages.
After the update this test behaved better but is probably still not valid.  No segfault
though.

$ MP4Box -add crafted.srt TouringVestasCraters.mov 
[iso file] Apple 'alis' box found, not supported - converting to self-pointing 'url ' 
[iso file] Apple 'alis' box found, not supported - converting to self-pointing 'url ' 
ICC colour profile not supported 
[iso file] Box "..Z." is larger than container box
[iso file] Box "avc1" size 151 invalid (read 155)
Timed Text (SRT) import - text track 640 x 480, font Serif (size 18)
Saving TouringVestasCraters.mov: 0.500 secs Interleaving

There is a media player:
$ which MP4Client
/bin/MP4Client
<with a gui>
$ which Osmo4
no Osmo4 in (/bin:/usr/bin......  <???>

$ MP4Client
Using config file in /home/lcl/.gpac directory
System info: 32120 MB RAM - 8 cores
Modules Found : 34 
Loading GPAC Terminal
Terminal Loaded in 245 ms
Hit 'h' for help

Deleting terminal... done (in 117 ms) - ran for 47617 ms
GPAC cleanup ...

$ MP4Client -h
Usage MP4Client [options] [filename]
	-c fileName:    user-defined configuration file. Also works with -cfg
	-rti fileName:  logs run-time info (FPS, CPU, Mem usage) to file
	-rtix fileName: same as -rti but driven by GPAC logs
	-quiet:         removes script message, buffering and downloading status
	-strict-error:  exit when the player reports its first error
[...]
$ MP4Client TitanOrbitsAnnotated.m4v
Using config file in /home/lcl/.gpac directory
System info: 32120 MB RAM - 8 cores
Modules Found : 34 
Loading GPAC Terminal
Terminal Loaded in 237 ms
Opening URL TitanOrbitsAnnotated.m4v
Service Connected
Service Disconnected
Deleting terminal... done (in 93 ms) - ran for 12984 ms
GPAC cleanup ...

The movie clip played fine.

It did not work for a container, an MKV file.
So it works well for MP4.  

MP4Box works fine also, with matched files.
$ MP4Box -add MrsBrownsBoys.srt MrsBrownsBoys.mp4
Timed Text (SRT) import - text track 896 x 504, font Serif (size 18)
Saving MrsBrownsBoys.mp4: 0.500 secs Interleaving    

The resulting file plays in MP4Client but without the subtitles.  vlc does show the
subtitles as does mplayer.

In user's home directory:
$ cd .gpac
$ cat GPAC.cfg | grep subtitle
x-subtitle/srt="srt" "SRT SubTitles" GPAC TimedText Reader
x-subtitle/sub="sub" "SUB SubTitles" GPAC TimedText Reader
x-subtitle/ttxt="ttxt" "3GPP TimedText" GPAC TimedText Reader

Under [PluginsCache] there is no sign of "GPAC TimedText Reader" so I guess the plugin
is missing.  There is no information on how to enable subtitle rendering.

Apart from that quibble the applications do work.

Whiteboard: (none) => MGA6-64-OK
CC: (none) => tarazed25
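
The before/after check in comment 4 can be made repeatable with a small wrapper. This is an added example, not part of the original bug report or of GPAC; the function names, log paths and the 60-second limit are assumptions, and the two runs at the end are constructed stand-ins for the MP4Box command.

```shell
#!/bin/sh
# Added example (not from the bug report): record how a reproducer ended,
# so the same command can be compared before and after a package update.

# Turn an exit status into a verdict. A shell reports a child killed by
# signal N as status 128+N, so SIGSEGV (11) shows up as 139.
classify_status() {
    rc=$1
    if [ "$rc" -eq 0 ]; then
        echo "ok"
    elif [ "$rc" -eq 124 ]; then
        echo "timeout"            # exit status used by coreutils timeout(1)
    elif [ "$rc" -gt 128 ]; then
        echo "crash:SIG$(kill -l $((rc - 128)) 2>/dev/null)"
    else
        echo "error:$rc"
    fi
}

# Run a command, keep its output in LOG, print the verdict.
# Crafted input can hang a parser, so cap the run when timeout(1) exists.
run_reproducer() {
    log=$1; shift
    if command -v timeout >/dev/null 2>&1; then
        set -- timeout 60 "$@"
    fi
    rc=0
    "$@" >"$log" 2>&1 || rc=$?
    classify_status "$rc"
}

# Compare the verdict from the old package with the one from the update.
# A run that never crashed before the update proves nothing either way.
compare_runs() {
    case "$1,$2" in
        crash:*,crash:*) echo "still-crashing" ;;
        crash:*,ok)      echo "fixed" ;;
        *,crash:*)       echo "regressed" ;;
        *)               echo "inconclusive" ;;
    esac
}

# Constructed stand-ins for the two runs; in a real check both would be
#   run_reproducer before.log MP4Box -add crafted.srt TouringVestasCraters.mov
log=$(mktemp)
before=$(run_reproducer "$log" sh -c 'kill -SEGV $$')   # simulated crash
after=$(run_reproducer "$log" true)                     # simulated clean run
rm -f "$log"
echo "before=$before after=$after verdict=$(compare_runs "$before" "$after")"
```
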

Comment 5 Dave Hodgins 2019-04-10 23:15:28 CEST
Advisory committed to svn. Validating based on comment 4.

Keywords: (none) => advisory, validated_update
CC: (none) => davidwhodgins, sysadmin-bugs

Comment 6 Mageia Robot 2019-04-11 00:08:28 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0146.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

