Bug 28278 - libebml new use-after-free security issue and CVE-2021-3405
Summary: libebml new use-after-free security issue and CVE-2021-3405
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All
OS: Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks: 28930
Reported: 2021-02-02 19:22 CET by David Walser
Modified: 2021-06-08 16:34 CEST (History)

See Also:
Source RPM: libebml-1.3.7-1.mga7.src.rpm
CVE: CVE-2021-3405
Status comment:


Description David Walser 2021-02-02 19:22:36 CET
Fedora has issued an advisory on January 31:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/7COLX6WFFOI3RIOY2IOXWASU3QKAOWKO/

The issue is fixed upstream in 1.4.1.

Freeze push requested for Cauldron.

Mageia 7 is also affected.
David Walser 2021-02-02 19:22:48 CET

Status comment: (none) => Fixed upstream in 1.4.1
Whiteboard: (none) => MGA7TOO

Comment 1 David Walser 2021-02-02 21:01:45 CET
libebml-1.4.1-1.mga8 uploaded for Cauldron.

Version: Cauldron => 7
Whiteboard: MGA7TOO => (none)

Comment 2 Lewis Smith 2021-02-03 13:52:58 CET
Thanks for doing that already.
For M7, different committers make for global bug assignment.

Assignee: bugsquad => pkg-bugs

Comment 3 Nicolas Lécureuil 2021-03-11 23:13:27 CET
new version pushed in mga7

src:
    - libebml-1.4.2-1.mga7
    - mkvtoolnix-32.0.0-2.1.mga7
    - libmatroska-1.5.0-2.1.mga7
    - vlc-3.0.12.1-1.1.mga7

CC: (none) => mageia
Assignee: pkg-bugs => qa-bugs
Status comment: Fixed upstream in 1.4.1 => (none)

Comment 4 David Walser 2021-03-12 20:39:56 CET
libmatroska rebuild failed.

Built so far:
libebml5-1.4.2-1.mga7
libebml-devel-1.4.2-1.mga7
mkvtoolnix-32.0.0-2.1.mga7
mkvtoolnix-gui-32.0.0-2.1.mga7
vlc-3.0.12.1-1.1.mga7
libvlc5-3.0.12.1-1.1.mga7
libvlccore9-3.0.12.1-1.1.mga7
libvlc-devel-3.0.12.1-1.1.mga7
vlc-plugin-common-3.0.12.1-1.1.mga7
vlc-plugin-zvbi-3.0.12.1-1.1.mga7
vlc-plugin-kate-3.0.12.1-1.1.mga7
vlc-plugin-libass-3.0.12.1-1.1.mga7
vlc-plugin-lua-3.0.12.1-1.1.mga7
vlc-plugin-ncurses-3.0.12.1-1.1.mga7
vlc-plugin-lirc-3.0.12.1-1.1.mga7
svlc-3.0.12.1-1.1.mga7
vlc-plugin-aa-3.0.12.1-1.1.mga7
vlc-plugin-sdl-3.0.12.1-1.1.mga7
vlc-plugin-shout-3.0.12.1-1.1.mga7
vlc-plugin-opengl-3.0.12.1-1.1.mga7
vlc-plugin-vdpau-3.0.12.1-1.1.mga7
vlc-plugin-projectm-3.0.12.1-1.1.mga7
vlc-plugin-theora-3.0.12.1-1.1.mga7
vlc-plugin-twolame-3.0.12.1-1.1.mga7
vlc-plugin-fluidsynth-3.0.12.1-1.1.mga7
vlc-plugin-gme-3.0.12.1-1.1.mga7
vlc-plugin-schroedinger-3.0.12.1-1.1.mga7
vlc-plugin-speex-3.0.12.1-1.1.mga7
vlc-plugin-flac-3.0.12.1-1.1.mga7
vlc-plugin-dv-3.0.12.1-1.1.mga7
vlc-plugin-mod-3.0.12.1-1.1.mga7
vlc-plugin-mpc-3.0.12.1-1.1.mga7
vlc-plugin-sid-3.0.12.1-1.1.mga7
vlc-plugin-sndio-3.0.12.1-1.1.mga7
vlc-plugin-pulse-3.0.12.1-1.1.mga7
vlc-plugin-jack-3.0.12.1-1.1.mga7
vlc-plugin-rist-3.0.12.1-1.1.mga7
vlc-plugin-upnp-3.0.12.1-1.1.mga7
vlc-plugin-gnutls-3.0.12.1-1.1.mga7
vlc-plugin-libnotify-3.0.12.1-1.1.mga7
vlc-plugin-chromaprint-3.0.12.1-1.1.mga7
vlc-plugin-samba-3.0.12.1-1.1.mga7

Status comment: (none) => libmatroska needs rebuilt against updated libebml
Assignee: qa-bugs => mageia

Comment 5 Nicolas Lécureuil 2021-03-12 20:46:53 CET
build fixed

Assignee: mageia => qa-bugs

Comment 6 David Walser 2021-03-12 20:48:13 CET
(In reply to David Walser from comment #4)
> libmatroska rebuild failed.

which now produces:
libmatroska6-1.5.0-2.1.mga7
libmatroska-devel-1.5.0-2.1.mga7
David Walser 2021-03-12 20:48:20 CET

Status comment: libmatroska needs rebuilt against updated libebml => (none)

Comment 7 David Walser 2021-03-14 15:53:33 CET
Advisory:
========================

Updated libebml packages fix security vulnerability:

Heap use-after-free when parsing malformed file.

The mkvtoolnix, libmatroska, and vlc packages have been rebuilt for the
updated libebml.

References:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/7COLX6WFFOI3RIOY2IOXWASU3QKAOWKO/
Comment 8 Morgan Leijström 2021-03-14 23:46:07 CET
mga7-64 Plasma Nvidia
Sloppy test: I updated everything from the lists in comments 4 & 6 that was installed.
Clean update, and I can still play videos, and found a couple of dated bugs from mga6 that have been fixed and marked them so...

CC: (none) => fri

Comment 9 Thomas Andrews 2021-03-28 23:01:32 CEST
These install and work OK, but shouldn't there also be tainted versions?

Keywords: (none) => feedback
CC: (none) => andrewsfarm

Comment 10 David Walser 2021-03-29 02:16:58 CEST
At least of vlc, yes.
Comment 11 David Walser 2021-05-28 00:42:28 CEST
1.4.2, which we're updating to here, also fixes a heap overflow (CVE-2021-3405):
https://www.debian.org/lts/security/2021/dla-2629

Summary: libebml new use-after-free security issue => libebml new use-after-free security issue and CVE-2021-3405

Comment 12 David Walser 2021-05-29 01:58:39 CEST
(In reply to David Walser from comment #11)
> 1.4.2, which we're updating to here, also fixes a heap overflow
> (CVE-2021-3405):
> https://www.debian.org/lts/security/2021/dla-2629

Fedora has issued an advisory for this on March 8:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/JNHQI6MDOECJ2HT5GCLEX2DMJFEOWPW7/
David Walser 2021-05-31 01:37:54 CEST

Blocks: (none) => 28930

Comment 13 David Walser 2021-05-31 01:38:40 CEST
VLC update to 3.0.14 pending in Bug 28930, so it needs to be rebuilt anyway.  The rest of this bug can be validated (sans the vlc package).

Keywords: feedback => (none)

Comment 14 Len Lawrence 2021-05-31 12:26:51 CEST
mga7, x86_64

$ rpm -qa | grep ebml
lib64ebml4-1.3.7-1.mga7

Had a look at https://github.com/Matroska-Org/libebml/issues/74 to see if the PoC could be run without debuginfo sources.  gdb complains immediately but launches vlc.  
The upstream test appears to be on a 32-bit system.

Updated libebml.
$ rpm -qa | grep ebml
lib64ebml4-1.3.7-1.mga7
lib64ebml5-1.4.2-1.mga7

Noting comment 13, we can short circuit this bug.

CC: (none) => tarazed25
Whiteboard: (none) => MGA7-64-OK

Len Lawrence 2021-05-31 12:28:29 CEST

CC: (none) => sysadmin-bugs
Keywords: (none) => validated_update

Comment 15 Aurelien Oudelet 2021-06-07 09:46:18 CEST
Advisory:
========================

Updated libebml packages fix security vulnerabilities:

Heap use-after-free when parsing malformed file.

A flaw was found in libebml before 1.4.2. A heap overflow bug exists in the implementation of EbmlString::ReadData and EbmlUnicodeString::ReadData in libebml (CVE-2021-3405).

The mkvtoolnix and libmatroska packages have been rebuilt for the
updated libebml.

(Note in adv: VLC update to 3.0.14 pending in Bug 28930, so it needs to be rebuilt anyway.  The rest of this bug can be validated (sans the vlc package)).

References:
 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3405
 - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/7COLX6WFFOI3RIOY2IOXWASU3QKAOWKO/
 - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/JNHQI6MDOECJ2HT5GCLEX2DMJFEOWPW7/
 - https://www.debian.org/lts/security/2021/dla-2629
========================

Updated packages in 7/core/updates_testing:
========================
lib(64)ebml5-1.4.2-1.mga7
lib(64)ebml-devel-1.4.2-1.mga7
mkvtoolnix-32.0.0-2.1.mga7
mkvtoolnix-gui-32.0.0-2.1.mga7
lib(64)matroska6-1.5.0-2.1.mga7
lib(64)matroska-devel-1.5.0-2.1.mga7

from SRPM:
libebml-1.4.2-1.mga7
mkvtoolnix-32.0.0-2.1.mga7
libmatroska-1.5.0-2.1.mga7

CVE: (none) => CVE-2021-3405
Keywords: (none) => advisory
CC: (none) => ouaurelien
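
The advisory above names the defect class (a heap use-after-free on a malformed file, and a heap overflow in EbmlString::ReadData and EbmlUnicodeString::ReadData) but not the code. The generic hardening for a heap overflow in a string-element reader is to check every length taken from the file against the bytes actually present before anything is allocated or copied. The C reader below is an added example written for this page; it is neither libebml's code nor the upstream fix. It decodes an EBML element header (ID and size vints) and reads one string element, rejecting the malformed inputs such a parser has to survive: a declared size past the end of the data, the "unknown size" marker on a non-master element, an oversized declaration, and the zero-length edge case. The 64 KiB cap, the helper names and the sample byte strings (DocType element, ID 0x4282) are constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Allocation cap for one string element; picked for this example, not a
 * limit taken from libebml. */
#define EBML_MAX_STRING_LEN (64u * 1024u)

typedef enum {
    EBML_OK = 0,
    EBML_ERR_TRUNCATED,    /* header or payload runs past the buffer */
    EBML_ERR_UNKNOWN_SIZE, /* "unknown size" is only legal for master elements */
    EBML_ERR_TOO_LARGE,    /* declared size exceeds the allocation cap */
    EBML_ERR_NOMEM
} ebml_status;

/* Decode an EBML variable-length integer: the leading zero bits of the first
 * byte select the width (1..8). IDs keep the length-marker bit, sizes drop it.
 * *all_ones flags EBML's "size unknown" encoding. Returns bytes consumed, or
 * 0 if the vint is malformed or does not fit in avail. */
static size_t read_vint(const uint8_t *p, size_t avail, int keep_marker,
                        uint64_t *out, int *all_ones)
{
    if (avail == 0 || p[0] == 0) return 0;   /* 0x00 cannot start a vint */
    size_t width = 1;
    uint8_t mask = 0x80;
    while (!(p[0] & mask)) { mask >>= 1; width++; }
    if (width > avail) return 0;             /* length field itself truncated */
    uint8_t data_mask = (uint8_t)(mask - 1);
    uint64_t v = keep_marker ? p[0] : (uint8_t)(p[0] & data_mask);
    int ones = ((p[0] & data_mask) == data_mask);
    for (size_t i = 1; i < width; i++) {
        v = (v << 8) | p[i];
        if (p[i] != 0xFF) ones = 0;
    }
    *out = v;
    if (all_ones) *all_ones = ones;
    return width;
}

/* Read one "ID, size, payload" string element from buf into a NUL-terminated
 * heap copy (*str, caller frees). Every length taken from the file is checked
 * against the bytes that exist before anything is allocated or copied. */
static ebml_status ebml_read_string(const uint8_t *buf, size_t len,
                                    uint64_t *id, char **str, size_t *consumed)
{
    uint64_t size; int unknown;
    size_t n = read_vint(buf, len, 1, id, NULL);
    if (n == 0) return EBML_ERR_TRUNCATED;
    size_t m = read_vint(buf + n, len - n, 0, &size, &unknown);
    if (m == 0) return EBML_ERR_TRUNCATED;
    if (unknown) return EBML_ERR_UNKNOWN_SIZE;
    if (size > EBML_MAX_STRING_LEN) return EBML_ERR_TOO_LARGE;
    if (size > len - n - m) return EBML_ERR_TRUNCATED;  /* the bound that matters */
    char *out = malloc((size_t)size + 1);   /* +1 even for size 0: terminator */
    if (!out) return EBML_ERR_NOMEM;
    memcpy(out, buf + n + m, (size_t)size);
    out[size] = '\0';
    *str = out;
    if (consumed) *consumed = n + m + (size_t)size;
    return EBML_OK;
}

/* Constructed inputs for this example, not taken from any real file.
 * 0x4282 is the EBML DocType element ID. */
static const uint8_t SAMPLE_OK[]        = {0x42,0x82,0x88,'m','a','t','r','o','s','k','a'};
static const uint8_t SAMPLE_TRUNCATED[] = {0x42,0x82,0x90,'m','a'};   /* claims 16 bytes, has 2 */
static const uint8_t SAMPLE_UNKNOWN[]   = {0x42,0x82,0xFF};           /* size = unknown */
static const uint8_t SAMPLE_TOO_LARGE[] = {0x42,0x82,0x21,0x00,0x01}; /* size = 65537 */
static const uint8_t SAMPLE_EMPTY[]     = {0x42,0x82,0x80};           /* size = 0 */

/* Parse buf; on success copy the payload into text (if non-NULL) and free it. */
static ebml_status parse_sample(const uint8_t *buf, size_t len, char *text, size_t textlen)
{
    uint64_t id;
    char *s = NULL;
    ebml_status st = ebml_read_string(buf, len, &id, &s, NULL);
    if (st == EBML_OK) {
        if (text) snprintf(text, textlen, "%s", s);
        free(s);
    }
    return st;
}

/* 1 if buf parses cleanly and its payload equals expected, else 0. */
static int decodes_to(const uint8_t *buf, size_t len, const char *expected)
{
    static char tmp[EBML_MAX_STRING_LEN + 1];
    if (parse_sample(buf, len, tmp, sizeof tmp) != EBML_OK) return 0;
    return strcmp(tmp, expected) == 0;
}

int main(void)
{
    char text[32];
    ebml_status st = parse_sample(SAMPLE_OK, sizeof SAMPLE_OK, text, sizeof text);
    printf("well-formed: status %d, payload \"%s\"\n", st, text);
    printf("truncated: %d  unknown: %d  too large: %d  empty: %d\n",
           parse_sample(SAMPLE_TRUNCATED, sizeof SAMPLE_TRUNCATED, NULL, 0),
           parse_sample(SAMPLE_UNKNOWN, sizeof SAMPLE_UNKNOWN, NULL, 0),
           parse_sample(SAMPLE_TOO_LARGE, sizeof SAMPLE_TOO_LARGE, NULL, 0),
           parse_sample(SAMPLE_EMPTY, sizeof SAMPLE_EMPTY, NULL, 0));
    return 0;
}
```

Build with `cc -std=c11 -fsanitize=address` and run: the well-formed sample decodes to "matroska", and every malformed sample comes back with an error code before memcpy is reached. The `size > len - n - m` test is the one that matters for this bug class: the allocation is sized from the same field the copy trusts, so the only defence is to refuse the element when the field and the actual data disagree. Comment 14 illustrates the packaging side of the same problem: after the update both lib64ebml4 and lib64ebml5 are installed, so a consumer that was not rebuilt (comment 4's libmatroska failure) would still be using the old, unfixed reader.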

Comment 16 Mageia Robot 2021-06-08 16:34:27 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0226.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

