Bug 25908 - advancecomp new security issues CVE-2019-8379 and CVE-2019-8383
Summary: advancecomp new security issues CVE-2019-8379 and CVE-2019-8383
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2019-12-19 23:33 CET by David Walser
Modified: 2020-01-05 16:39 CET

See Also:
Source RPM: advancecomp-2.1-4.mga7.src.rpm
CVE:
Status comment:


Description David Walser 2019-12-19 23:33:02 CET
Fedora has issued an advisory on June 19:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/J23C6QSTJMQ467KAI6QG54AE4MZRLPQV/

The Red Hat bugs have links to the upstream commits that fix the issues:
https://bugzilla.redhat.com/show_bug.cgi?id=1708561
https://bugzilla.redhat.com/show_bug.cgi?id=1708563

Mageia 7 is also affected.
David Walser 2019-12-19 23:33:17 CET

Whiteboard: (none) => MGA7TOO

Comment 1 Lewis Smith 2019-12-20 20:39:51 CET
Assigning to Dan as maintainer both official and actual.

Assignee: bugsquad => dan

Comment 2 Dan Fandrich 2019-12-24 17:07:13 CET
There's a bit of confusion about which patch fixes which vulnerability (our patch from the March 2019 security release is labelled as being for CVE-2019-9210 but is listed at https://bugzilla.redhat.com/show_bug.cgi?id=1708561 as being for CVE-2019-8379), but I've added the new patch for CVE-2019-8383. All the patches mentioned in those Red Hat bugs are now applied in the Cauldron and mga7.

advancecomp-2.1-4.1.mga7.src.rpm is now available in Core/updates_testing.

The regression test in bug #24535 is applicable to this change as well.
Comment 3 David Walser 2019-12-24 17:14:14 CET
Thanks Dan.  I think they linked the wrong commit, but maybe the two CVEs are related.  Fedora added more to the original CVE-2019-9210 patch here, which we're missing:
https://src.fedoraproject.org/rpms/advancecomp/c/712227b41fe8bbd8bc8675627c0e0ad0ea5d1ace?branch=master
Comment 4 David Walser 2019-12-24 17:37:50 CET
And that extra bit they added corresponds to the last commit upstream:
https://github.com/amadvance/advancecomp/commit/fcf71a89265c78fc26243574dda3a872574a5c02
Comment 5 Dan Fandrich 2019-12-27 19:22:50 CET
That patch corresponds to our advancecomp-2.1-git-png-overread.patch which was applied last March. So, if that is all of them, it looks like we're done.
Comment 6 David Walser 2019-12-27 19:44:23 CET
Ahh, I see that was also added in Bug 24535.  Very good then.  Thanks!
Comment 7 David Walser 2019-12-27 19:46:59 CET
Advisory:
========================

Updated advancecomp package fixes security vulnerability:

An issue was discovered in AdvanceCOMP through 2.1. An invalid memory address
occurs in the function adv_png_unfilter_8 in lib/png.c. It can be triggered by
sending a crafted file to a binary. It allows an attacker to cause a Denial of
Service (Segmentation fault) or possibly have unspecified other impact when a
victim opens a specially crafted file (CVE-2019-8383).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8383
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/J23C6QSTJMQ467KAI6QG54AE4MZRLPQV/
========================

Updated packages in core/updates_testing:
========================
advancecomp-2.1-4.1.mga7

from advancecomp-2.1-4.1.mga7.src.rpm

Version: Cauldron => 7
Whiteboard: MGA7TOO => (none)
CC: (none) => dan
Assignee: dan => qa-bugs
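
The advisory above names adv_png_unfilter_8 in lib/png.c and a crafted input file as the trigger. As an added illustration (not advancecomp's code and not the upstream fix), the C routine below unfilters 8-bit PNG scanlines and, on the assumption that the fault class is reading rows past the end of the decompressed IDAT buffer, checks the declared geometry against the data length before touching any byte; the function names and the sample rows in the test helper are constructed.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Illustrative 8-bit PNG scanline unfilter (added example, not advancecomp's
 * adv_png_unfilter_8). Decompressed IDAT data is one filter-type byte followed by
 * `rowbytes` bytes per row; a crafted IHDR/IDAT pair can declare more rows than
 * the data holds, so the geometry is checked against `len` before any access. */
static uint8_t paeth(uint8_t a, uint8_t b, uint8_t c) {
    int p = (int)a + b - c, pa = abs(p - a), pb = abs(p - b), pc = abs(p - c);
    return (pa <= pb && pa <= pc) ? a : (pb <= pc) ? b : c;
}
/* Unfilter `height` rows in place; `bpp` is bytes per complete pixel.
 * Returns 0 on success, -1 if the buffer is too short for the declared geometry
 * or a filter-type byte is out of range; in both cases nothing is modified. */
int png_unfilter_8(uint8_t *data, size_t len, size_t height, size_t rowbytes, size_t bpp) {
    if (bpp == 0 || rowbytes < bpp || rowbytes == SIZE_MAX) return -1;
    if (height > len / (rowbytes + 1)) return -1;      /* height*(rowbytes+1) <= len */
    for (size_t y = 0; y < height; y++)                /* reject bad filter bytes first */
        if (data[y * (rowbytes + 1)] > 4) return -1;
    const uint8_t *prev = NULL;
    for (size_t y = 0; y < height; y++) {
        uint8_t ft = data[y * (rowbytes + 1)];
        uint8_t *p = data + y * (rowbytes + 1) + 1;
        for (size_t i = 0; i < rowbytes; i++) {
            uint8_t a = i >= bpp ? p[i - bpp] : 0;             /* left */
            uint8_t b = prev ? prev[i] : 0;                     /* up */
            uint8_t c = (prev && i >= bpp) ? prev[i - bpp] : 0; /* up-left */
            switch (ft) {
            case 1: p[i] += a; break;                           /* Sub */
            case 2: p[i] += b; break;                           /* Up */
            case 3: p[i] += (uint8_t)(((unsigned)a + b) / 2); break; /* Average */
            case 4: p[i] += paeth(a, b, c); break;              /* Paeth */
            default: break;                                     /* None */
            }
        }
        prev = p;
    }
    return 0;
}

/* Test helper: unfilter a copy of `in` and compare with `expect`; 1 on match. */
int unfilter_matches(const uint8_t *in, size_t len, size_t height, size_t rowbytes, size_t bpp, const uint8_t *expect) {
    uint8_t buf[64];
    if (len > sizeof buf) return 0;
    memcpy(buf, in, len);
    if (png_unfilter_8(buf, len, height, rowbytes, bpp) != 0) return 0;
    return memcmp(buf, expect, len) == 0;
}
```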

Comment 8 Len Lawrence 2020-01-01 20:42:29 CET
Working on this one, having met it twice before.
Dan's regression test from bug 24535 still works before updating but that is probably irrelevant on this bug.

CC: (none) => tarazed25

Comment 9 Len Lawrence 2020-01-01 20:43:30 CET
Sorry.  I just saw the note about the regression test - shall run it after the update.
Comment 10 Len Lawrence 2020-01-01 23:10:30 CET
The test for CVE-2019-8383 at loginsoft.com does not come with the specially crafted file required but can be downloaded from https://sourceforge.net/p/advancemame/bugs/272/.
$ advpng -z -1 –f C__Users_pthella_Desktop_advmg_POC
Segmentation fault (core dumped)

Updated the package from testing repository.

CVE-2019-8383
$ advpng -z -1 –f C__Users_pthella_Desktop_advmg_POC
File –f doesn't exist [at void rezip_single(const string&, long long unsigned int&, long long unsigned int&):repng.cc:276]

Better.

Dan's regression test:
$ cp /usr/lib/libDrakX/icons/tradi.png /tmp && advpng -z /tmp/tradi.png && advpng -l /tmp/tradi.png && echo Looks OK 
cp: overwrite '/tmp/tradi.png'? y
       33212       20915  62% /tmp/tradi.png
       33212       20915  62%
IHDR      13 width:264 height:198 depth:8 color_type:2 compression:0 filter:0 interlace:0
IDAT   20858
IEND       0
Looks OK

Create a zip archive:
$ advzip --shrink-normal --add alaina.2 alaina/*.png
$ file alaina.2
alaina.2: Zip archive data, at least v2.0 to extract
$ advzip -l alaina.2
Archive:  alaina.2
  Length   Method    Size  Ratio   Date   Time   CRC-32    Name
 --------  ------  ------- -----   ----   ----   ------    ----
      705  Defl:X      124  82%  02-21-18 10:11  a64ba65d  Alaina001.png
[...]
 10699028         10634397   0%                            69 files

Recompress the archive:
$ advzip -z -3 alaina.2 
    10641457    10641457 100% alaina.2
    10641457    10641457 100%

A slight compression by the looks of it.

$ cp alaina.2 /tmp
$ cd /tmp
$ advzip -x alaina.2
Alaina001.png
[...]
Alaina068.png

All the original images were recovered with no obvious sign of degradation.

Back to original directory.  Create a video file from a selection of still images.
$ advmng --add 8 Huffman.mng Johansen*.png
$ file Huffman.mng 
Huffman.mng: MNG video data, 608 x 354

Neither mplayer nor vlc can play the resulting file.  vlc says:
libpng error: Not a PNG file.
The probability is that the PNG files are not in the correct format (the PNG standard allows for different levels of compression IIRC).
advmng caters for lower levels of complexity - worth a try.
$ advmng --lc --add 8 Huffman.mng Johansen*.png
That did not work either.
$ advmng --vlc --add 8 Huffman.mng Johansen*.png
Nor did that.  Out of ideas.
$ advmng -l Huffman.mng > framelist
$ less framelist
MHDR      28 width:608 height:354 frequency:8 simplicity:65(bit,0,6)
IHDR      13 width:608 height:354 depth:8 color_type:2 compression:0 filter:0 interlace:0
IDAT     673
IEND       0
[...]
IHDR      13 width:608 height:354 depth:8 color_type:3 compression:0 filter:0 interlace:0
IDAT   31565
IEND       0
MEND       0

The utilities themselves all work so this is OK for 64-bit.

Whiteboard: (none) => MGA7-64-OK

Comment 11 Thomas Andrews 2020-01-03 19:38:57 CET
Thank you, Len. Always helps to have a tester with some experience with the package.

Validating. Advisory in Comment 7.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Comment 12 Dan Fandrich 2020-01-04 12:06:00 CET
I've never used MNG so I can't offer any suggestions, but I also wasn't able to create an .mng file that was viewable in any of the players I tried after a few minutes of trying. It's a very seldom used format in my experience so it wouldn't surprise me if there were latent bugs in advmng or the players. In any case, this patch shouldn't (theoretically) affect .mng files any worse than .png files. The patch also affects only the advpng, advdef and advmng programs; the others should be binary identical to the previous version.
Thomas Backlund 2020-01-05 14:18:55 CET

Keywords: (none) => advisory
CC: (none) => tmb

Comment 13 Mageia Robot 2020-01-05 16:39:50 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0008.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED
