Fedora has issued an advisory on June 19:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/J23C6QSTJMQ467KAI6QG54AE4MZRLPQV/

The Red Hat bugs have links to the upstream commits that fix the issues:
https://bugzilla.redhat.com/show_bug.cgi?id=1708561
https://bugzilla.redhat.com/show_bug.cgi?id=1708563

Mageia 7 is also affected.
Whiteboard: (none) => MGA7TOO
Assigning to Dan as maintainer both official and actual.
Assignee: bugsquad => dan
There's a bit of confusion about which patch fixes which vulnerability (our patch from the March 2019 security release is labelled as being for CVE-2019-9210 but is listed at https://bugzilla.redhat.com/show_bug.cgi?id=1708561 as being for CVE-2019-8379), but I've added the new patch for CVE-2019-8383. All the patches mentioned in those Red Hat bugs are now applied in the Cauldron and mga7. advancecomp-2.1-4.1.mga7.src.rpm is now available in Core/updates_testing. The regression test in bug #24535 is applicable to this change as well.
Thanks Dan. I think they linked the wrong commit, but maybe the two CVEs are related. Fedora added more to the original CVE-2019-9210 patch here, which we're missing: https://src.fedoraproject.org/rpms/advancecomp/c/712227b41fe8bbd8bc8675627c0e0ad0ea5d1ace?branch=master
And that extra bit they added corresponds to the last commit upstream: https://github.com/amadvance/advancecomp/commit/fcf71a89265c78fc26243574dda3a872574a5c02
That patch corresponds to our advancecomp-2.1-git-png-overread.patch which was applied last March. So, if that is all of them, it looks like we're done.
Ahh, I see that was also added in Bug 24535. Very good then. Thanks!
Advisory:
========================

Updated advancecomp package fixes security vulnerability:

An issue was discovered in AdvanceCOMP through 2.1. An invalid memory address occurs in the function adv_png_unfilter_8 in lib/png.c. It can be triggered by sending a crafted file to a binary. It allows an attacker to cause a Denial of Service (Segmentation fault) or possibly have unspecified other impact when a victim opens a specially crafted file (CVE-2019-8383).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8383
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/J23C6QSTJMQ467KAI6QG54AE4MZRLPQV/
========================

Updated packages in core/updates_testing:
========================
advancecomp-2.1-4.1.mga7

from advancecomp-2.1-4.1.mga7.src.rpm

Version: Cauldron => 7
Whiteboard: MGA7TOO => (none)
CC: (none) => dan
Assignee: dan => qa-bugs
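The advisory above says only that a crafted file reaches an invalid memory address in adv_png_unfilter_8; the thread does not say which header field is mistrusted, so the following added example (written for this page, not advancecomp's code and not the upstream fix) shows a PNG row unfilter that validates every input it indexes by: the filter byte of each row, the scanline count and row length implied by IHDR against what IDAT actually inflates to, and chunk lengths and CRCs. It then builds two constructed PNGs, one whose IHDR lies about the width and one with an out-of-range filter byte, and shows them rejected instead of read out of bounds. The helper names (build_png, decode_png, unfilter, BadPng) are this example's own.

```python
"""PNG 8-bit row unfilter with explicit bounds validation (added example)."""
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
F_NONE, F_SUB, F_UP, F_AVG, F_PAETH = range(5)   # filter types, PNG spec section 9
BPP_BY_COLOR_TYPE = {0: 1, 2: 3, 4: 2, 6: 4}      # bytes per pixel at 8-bit depth


class BadPng(ValueError):
    """Raised instead of indexing memory the header did not account for."""


def paeth(a, b, c):
    p = a + b - c
    pa, pb, pc = abs(p - a), abs(p - b), abs(p - c)
    if pa <= pb and pa <= pc:
        return a
    return b if pb <= pc else c


def predictor(ftype, line, prev, i, bpp):
    """Prediction for byte i from the left (a), above (b) and upper-left (c)."""
    a = line[i - bpp] if i >= bpp else 0
    b = prev[i]
    c = prev[i - bpp] if i >= bpp else 0
    if ftype == F_SUB:
        return a
    if ftype == F_UP:
        return b
    if ftype == F_AVG:
        return (a + b) >> 1
    if ftype == F_PAETH:
        return paeth(a, b, c)
    return 0


def unfilter(raw, width, height, bpp):
    """Undo scanline filtering; every slice below is covered by the length check."""
    if width <= 0 or height <= 0:
        raise BadPng("non-positive image dimensions")
    stride = width * bpp
    expected = height * (1 + stride)
    if len(raw) != expected:
        raise BadPng(f"IDAT inflates to {len(raw)} bytes, IHDR implies {expected}")
    out, prev = bytearray(), bytes(stride)
    for y in range(height):
        off = y * (1 + stride)
        ftype = raw[off]
        if ftype > F_PAETH:            # unknown filter byte: reject, never dispatch on it
            raise BadPng(f"row {y}: unknown filter type {ftype}")
        line = bytearray(raw[off + 1:off + 1 + stride])
        for i in range(stride):        # in-place, so line[i-bpp] is already reconstructed
            line[i] = (line[i] + predictor(ftype, line, prev, i, bpp)) & 0xFF
        out += line
        prev = bytes(line)
    return bytes(out)


def decode_png(data):
    """Walk the chunks, check lengths and CRCs, then validate IHDR against IDAT."""
    if not data.startswith(PNG_SIG):
        raise BadPng("bad signature")
    pos, ihdr, idat = len(PNG_SIG), None, bytearray()
    while pos + 8 <= len(data):
        length, tag = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        crc = data[pos + 8 + length:pos + 12 + length]
        if len(body) != length or len(crc) != 4:
            raise BadPng(f"{tag!r}: truncated chunk")
        if zlib.crc32(tag + body) != struct.unpack(">I", crc)[0]:
            raise BadPng(f"{tag!r}: CRC mismatch")
        if tag == b"IHDR":
            ihdr = struct.unpack(">IIBBBBB", body)
        elif tag == b"IDAT":
            idat += body
        elif tag == b"IEND":
            break
        pos += 12 + length
    if ihdr is None:
        raise BadPng("no IHDR")
    width, height, depth, ctype, _, _, interlace = ihdr
    if depth != 8 or ctype not in BPP_BY_COLOR_TYPE or interlace != 0:
        raise BadPng("only non-interlaced 8-bit images are handled here")
    bpp = BPP_BY_COLOR_TYPE[ctype]
    expected = height * (1 + width * bpp)
    # Cap inflation at what the header justifies; one extra byte exposes an oversized payload.
    raw = zlib.decompressobj().decompress(bytes(idat), expected + 1)
    return unfilter(raw, width, height, bpp)


def chunk(tag, body):
    return struct.pack(">I", len(body)) + tag + body + struct.pack(">I", zlib.crc32(tag + body))


def build_png(rows, filters, ihdr_width=None):
    """Constructed RGB8 PNG from equal-length pixel rows; filters[y] is the filter
    byte written before row y. ihdr_width lets a test lie in IHDR about the width."""
    bpp, height, width = 3, len(rows), len(rows[0]) // 3
    raw, prev = bytearray(), bytes(len(rows[0]))
    for line, ftype in zip(rows, filters):
        raw.append(ftype)
        raw += bytes((line[i] - predictor(ftype, line, prev, i, bpp)) & 0xFF for i in range(len(line)))
        prev = line
    ihdr = struct.pack(">IIBBBBB", ihdr_width or width, height, 8, 2, 0, 0, 0)
    return PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", zlib.compress(bytes(raw))) + chunk(b"IEND", b"")


def demo():
    rows = [bytes(range(12)), bytes(range(12, 24))]   # constructed 4x2 RGB pixel data
    results = {"roundtrip": decode_png(build_png(rows, [F_SUB, F_PAETH])) == b"".join(rows)}
    crafted = {"lying_width": build_png(rows, [F_NONE, F_NONE], ihdr_width=4096),
               "bad_filter_byte": build_png(rows, [F_NONE, 9])}
    for name, blob in crafted.items():
        try:
            decode_png(blob)
            results[name] = "decoded (unexpected)"
        except BadPng as exc:
            results[name] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The two crafted inputs stand in for the classes of malformed file the CVE text describes: the one with the inflated IHDR width would, in an unchecked unfilter, walk rows far past the end of the inflated buffer; the one with filter byte 9 would, in code that indexes a per-filter table or jumps on the byte, use a value the format never defines. Neither reproduces the actual advancecomp proof of concept from the thread.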
Working on this one, having met it twice before. Dan's regression test from bug 24535 still works before updating but that is probably irrelevant on this bug.
CC: (none) => tarazed25
Sorry. I just saw the note about the regression test - shall run it after the update.
The test for CVE-2019-8383 at loginsoft.com does not come with the specially crafted file required, but it can be downloaded from https://sourceforge.net/p/advancemame/bugs/272/.

$ advpng -z -1 –f C__Users_pthella_Desktop_advmg_POC
Segmentation fault (core dumped)

Updated the package from the testing repository.

CVE-2019-8383
$ advpng -z -1 –f C__Users_pthella_Desktop_advmg_POC
File –f doesn't exist [at void rezip_single(const string&, long long unsigned int&, long long unsigned int&):repng.cc:276]

Better.

Dan's regression test:
$ cp /usr/lib/libDrakX/icons/tradi.png /tmp && advpng -z /tmp/tradi.png && advpng -l /tmp/tradi.png && echo Looks OK
cp: overwrite '/tmp/tradi.png'? y
       33212       20915  62% /tmp/tradi.png
       33212       20915  62%
IHDR 13 width:264 height:198 depth:8 color_type:2 compression:0 filter:0 interlace:0
IDAT 20858
IEND 0
Looks OK

Create a zip archive:
$ advzip --shrink-normal --add alaina.2 alaina/*.png
$ file alaina.2
alaina.2: Zip archive data, at least v2.0 to extract
$ advzip -l alaina.2
Archive: alaina.2
  Length   Method    Size  Ratio   Date    Time   CRC-32    Name
 --------  ------  ------- -----   ----    ----   ------    ----
      705  Defl:X     124   82%  02-21-18 10:11  a64ba65d  Alaina001.png
[...]
 10699028         10634397    0%                           69 files

Recompress the archive:
$ advzip -z -3 alaina.2
    10641457    10641457 100% alaina.2
    10641457    10641457 100%
A slight compression by the looks of it.

$ cp alaina.2 /tmp
$ cd /tmp
$ advzip -x alaina.2
Alaina001.png
[...]
Alaina068.png
All the original images were recovered with no obvious sign of degradation.

Back to the original directory. Create a video file from a selection of still images.
$ advmng --add 8 Huffman.mng Johansen*.png
$ file Huffman.mng
Huffman.mng: MNG video data, 608 x 354
Neither mplayer nor vlc can play the resulting file. vlc says:
libpng error: Not a PNG file.
The probability is that the PNG files are not in the correct format (the PNG standard allows for different levels of compression IIRC). advmng caters for lower levels of complexity - worth a try.

$ advmng --lc --add 8 Huffman.mng Johansen*.png
That did not work either.
$ advmng --vlc --add 8 Huffman.mng Johansen*.png
Nor did that. Out of ideas.

$ advmng -l Huffman.mng > framelist
$ less framelist
MHDR 28 width:608 height:354 frequency:8 simplicity:65(bit,0,6)
IHDR 13 width:608 height:354 depth:8 color_type:2 compression:0 filter:0 interlace:0
IDAT 673
IEND 0
[...]
IHDR 13 width:608 height:354 depth:8 color_type:3 compression:0 filter:0 interlace:0
IDAT 31565
IEND 0
MEND 0

The utilities themselves all work, so this is OK for 64-bit.
Whiteboard: (none) => MGA7-64-OK
Thank you, Len. Always helps to have a tester with some experience with the package. Validating. Advisory in Comment 7.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
I've never used MNG so I can't offer any suggestions, but I also wasn't able to create an .mng file that was viewable in any of the players I tried after a few minutes of trying. It's a very seldom used format in my experience so it wouldn't surprise me if there were latent bugs in advmng or the players. In any case, this patch shouldn't (theoretically) affect .mng files any worse than .png files. The patch also affects only the advpng, advdef and advmng programs; the others should be binary identical to the previous version.
Keywords: (none) => advisory
CC: (none) => tmb
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2020-0008.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED