A security issue in libass has been announced on September 29:
https://www.openwall.com/lists/oss-security/2020/09/29/2

The issue has been fixed in upstream git on October 8:
https://github.com/libass/libass/pull/432/commits/676f9dc5b52ef406c5527bdadbcb947f11392929

A CVE is not yet assigned.

Mageia 7 is also affected.
Whiteboard: (none) => MGA7TOO
Hi, thanks for reporting this. No registered maintainer. Assigning globally. CC'd recent committer. (Please set the status to 'assigned' if you are working on it)
CC: (none) => geiger.david68210
Keywords: (none) => Triaged
Assignee: bugsquad => pkg-bugs
CVE: (none) => CVE-2020-26682
Summary: libass new integer overflow security issue => libass new integer overflow security issue (CVE-2020-26682)
CC: (none) => nicolas.salguero
Reference for the CVE assignment: https://www.openwall.com/lists/oss-security/2020/11/19/7
Fixed upstream in 0.15.0, updated in Cauldron by me on November 17.
https://github.com/libass/libass/releases/tag/0.15.0

Upstream patch for the CVE does not apply cleanly to 0.14.0. Perhaps best to update it for Mageia 7.
Whiteboard: MGA7TOO => (none)
Version: Cauldron => 7
Source RPM: libass-0.14.0-3.mga8.src.rpm => libass-0.14.0-2.mga7.src.rpm
Status comment: (none) => Fixed upstream in 0.15.0
Suggested advisory:
========================

The updated packages fix a security vulnerability:

In libass 0.14.0, the `ass_outline_construct`'s call to `outline_stroke` causes a signed integer overflow. (CVE-2020-26682)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26682
https://www.openwall.com/lists/oss-security/2020/09/29/2
https://www.openwall.com/lists/oss-security/2020/11/19/7
========================

Updated packages in core/updates_testing:
========================

lib(64)ass9-0.15.0-1.mga7
lib(64)ass-devel-0.15.0-1.mga7

from SRPM:
libass-0.15.0-1.mga7.src.rpm
Keywords: Triaged => (none)
Assignee: pkg-bugs => qa-bugs
Status comment: Fixed upstream in 0.15.0 => (none)
Status: NEW => ASSIGNED
mga7, x86_64

CVE-2020-26682
https://github.com/libass/libass/issues/431

$ chmod +x libass_fuzzer
$ gdb libass_fuzzer
....
(gdb) r poc
...
Fontconfig error: Cannot load default config file
libass_fuzzer: ass_outline.c:1354: _Bool outline_stroke(ASS_Outline *, ASS_Outline *, const ASS_Outline *, int, int, int): Assertion `rad >= eps' failed.

Program received signal SIGABRT, Aborted.
0x00007ffff7c7ba7a in raise () from /lib64/libc.so.6
Missing separate debuginfos, use: debuginfo-install libgcc1-8.4.0-1.mga7.x86_64
(gdb) quit

The analysis which follows in the upstream test cannot be performed here because debug info is unavailable.

Updated the packages and looked at the PoC again.

$ gdb libass_fuzzer
....
Reading symbols from libass_fuzzer...done.
(gdb) r poc
......
Reading 11249 bytes from poc
Fontconfig warning: line 5: unknown element "its:rules"
.....
Fontconfig error: Cannot load default config file
libass_fuzzer: ass_outline.c:1354: _Bool outline_stroke(ASS_Outline *, ASS_Outline *, const ASS_Outline *, int, int, int): Assertion `rad >= eps' failed.

Program received signal SIGABRT, Aborted.
0x00007ffff7c7ba7a in raise () from /lib64/libc.so.6
Missing separate debuginfos, use: debuginfo-install libgcc1-8.4.0-1.mga7.x86_64
(gdb) quit

No SIGABRT this time, which is encouraging.

Ran a trace on vlc while playing a film with subtitles. Everything working properly.

$ grep ass vlc.trace
stat("/usr/lib64/vlc/plugins/codec/liblibass_plugin.so", {st_mode=S_IFREG|0755, st_size=19664, ...}) = 0

Giving this an OK.
CC: (none) => tarazed25
Whiteboard: (none) => MGA7-64-OK
Validating Advisory pushed to SVN.
Keywords: (none) => advisory, validated_update
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0017.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED