Bug 28278 - libebml new use-after-free security issue
Status: NEW
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard:
Keywords: feedback
Depends on:
Blocks:
 
Reported: 2021-02-02 19:22 CET by David Walser
Modified: 2021-03-29 02:16 CEST

See Also:
Source RPM: libebml-1.3.7-1.mga7.src.rpm
CVE:
Status comment:



Description David Walser 2021-02-02 19:22:36 CET
Fedora has issued an advisory on January 31:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/7COLX6WFFOI3RIOY2IOXWASU3QKAOWKO/

The issue is fixed upstream in 1.4.1.

Freeze push requested for Cauldron.

Mageia 7 is also affected.
David Walser 2021-02-02 19:22:48 CET

Status comment: (none) => Fixed upstream in 1.4.1
Whiteboard: (none) => MGA7TOO

Comment 1 David Walser 2021-02-02 21:01:45 CET
libebml-1.4.1-1.mga8 uploaded for Cauldron.

Version: Cauldron => 7
Whiteboard: MGA7TOO => (none)

Comment 2 Lewis Smith 2021-02-03 13:52:58 CET
Thanks for doing that already.
For M7, different committers make for global bug assignment.

Assignee: bugsquad => pkg-bugs

Comment 3 Nicolas Lécureuil 2021-03-11 23:13:27 CET
new version pushed in mga7

src:
    - libebml-1.4.2-1.mga7
    - mkvtoolnix-32.0.0-2.1.mga7
    - libmatroska-1.5.0-2.1.mga7
    - vlc-3.0.12.1-1.1.mga7

Status comment: Fixed upstream in 1.4.1 => (none)
Assignee: pkg-bugs => qa-bugs
CC: (none) => mageia

Comment 4 David Walser 2021-03-12 20:39:56 CET
libmatroska rebuild failed.

Built so far:
libebml5-1.4.2-1.mga7
libebml-devel-1.4.2-1.mga7
mkvtoolnix-32.0.0-2.1.mga7
mkvtoolnix-gui-32.0.0-2.1.mga7
vlc-3.0.12.1-1.1.mga7
libvlc5-3.0.12.1-1.1.mga7
libvlccore9-3.0.12.1-1.1.mga7
libvlc-devel-3.0.12.1-1.1.mga7
vlc-plugin-common-3.0.12.1-1.1.mga7
vlc-plugin-zvbi-3.0.12.1-1.1.mga7
vlc-plugin-kate-3.0.12.1-1.1.mga7
vlc-plugin-libass-3.0.12.1-1.1.mga7
vlc-plugin-lua-3.0.12.1-1.1.mga7
vlc-plugin-ncurses-3.0.12.1-1.1.mga7
vlc-plugin-lirc-3.0.12.1-1.1.mga7
svlc-3.0.12.1-1.1.mga7
vlc-plugin-aa-3.0.12.1-1.1.mga7
vlc-plugin-sdl-3.0.12.1-1.1.mga7
vlc-plugin-shout-3.0.12.1-1.1.mga7
vlc-plugin-opengl-3.0.12.1-1.1.mga7
vlc-plugin-vdpau-3.0.12.1-1.1.mga7
vlc-plugin-projectm-3.0.12.1-1.1.mga7
vlc-plugin-theora-3.0.12.1-1.1.mga7
vlc-plugin-twolame-3.0.12.1-1.1.mga7
vlc-plugin-fluidsynth-3.0.12.1-1.1.mga7
vlc-plugin-gme-3.0.12.1-1.1.mga7
vlc-plugin-schroedinger-3.0.12.1-1.1.mga7
vlc-plugin-speex-3.0.12.1-1.1.mga7
vlc-plugin-flac-3.0.12.1-1.1.mga7
vlc-plugin-dv-3.0.12.1-1.1.mga7
vlc-plugin-mod-3.0.12.1-1.1.mga7
vlc-plugin-mpc-3.0.12.1-1.1.mga7
vlc-plugin-sid-3.0.12.1-1.1.mga7
vlc-plugin-sndio-3.0.12.1-1.1.mga7
vlc-plugin-pulse-3.0.12.1-1.1.mga7
vlc-plugin-jack-3.0.12.1-1.1.mga7
vlc-plugin-rist-3.0.12.1-1.1.mga7
vlc-plugin-upnp-3.0.12.1-1.1.mga7
vlc-plugin-gnutls-3.0.12.1-1.1.mga7
vlc-plugin-libnotify-3.0.12.1-1.1.mga7
vlc-plugin-chromaprint-3.0.12.1-1.1.mga7
vlc-plugin-samba-3.0.12.1-1.1.mga7

Assignee: qa-bugs => mageia
Status comment: (none) => libmatroska needs rebuilt against updated libebml

Comment 5 Nicolas Lécureuil 2021-03-12 20:46:53 CET
build fixed

Assignee: mageia => qa-bugs

Comment 6 David Walser 2021-03-12 20:48:13 CET
(In reply to David Walser from comment #4)
> libmatroska rebuild failed.

which now produces:
libmatroska6-1.5.0-2.1.mga7
libmatroska-devel-1.5.0-2.1.mga7
David Walser 2021-03-12 20:48:20 CET

Status comment: libmatroska needs rebuilt against updated libebml => (none)

Comment 7 David Walser 2021-03-14 15:53:33 CET
Advisory:
========================

Updated libebml packages fix security vulnerability:

Heap use-after-free when parsing malformed file.

The mkvtoolnix, libmatroska, and vlc packages have been rebuilt for the
updated libebml.

References:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/7COLX6WFFOI3RIOY2IOXWASU3QKAOWKO/
Comment 8 Morgan Leijström 2021-03-14 23:46:07 CET
mga7-64 Plasma Nvidia
Sloppy test: I updated all from the list in comments 4 & 6 that were installed.
Clean update, and I can still play videos, and found a couple of dated bugs from mga6 have been fixed and marked them so...

CC: (none) => fri

Comment 9 Thomas Andrews 2021-03-28 23:01:32 CEST
These install and work OK, but shouldn't there also be tainted versions?

Keywords: (none) => feedback
CC: (none) => andrewsfarm

Comment 10 David Walser 2021-03-29 02:16:58 CEST
At least of vlc, yes.
