Bug 29164 - matio incomplete fix for CVE-2019-20052
Summary: matio incomplete fix for CVE-2019-20052
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All
OS: Linux
Priority: Normal
Severity: major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: https://nvd.nist.gov/vuln/detail/CVE-...
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2021-06-21 22:11 CEST by David Walser
Modified: 2021-12-19 13:27 CET
CC List: 5 users

See Also:
Source RPM: matio-1.5.17-4.mga8.src.rpm
CVE: CVE-2019-20052
Status comment:

Description David Walser 2021-06-21 22:11:01 CEST
+++ This bug was initially created as a clone of Bug #27969 +++

A memory leak was discovered in Mat_VarCalloc in mat.c in matio 1.5.17 because SafeMulDims does not consider the rank==0 case.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20052

Fix is here:
https://github.com/tbeu/matio/commit/a47b7cd3aca70e9a0bddf8146eb4ab0cbd19c2c3

Upstream reference:
https://github.com/tbeu/matio/issues/131

According to our testing the issue is not actually fixed:
https://bugs.mageia.org/show_bug.cgi?id=27969#c4

This needs to be reported upstream.
David Walser 2021-06-21 22:11:19 CEST

Whiteboard: (none) => MGA8TOO, MGA7TOO
Status comment: (none) => Incomplete fix needs to be reported upstream
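
Added illustration (not matio's code and not the upstream commit) of the edge case the report names: a hypothetical dimension-product helper and allocation wrapper that treat rank == 0 explicitly, since a naive product over zero dimensions evaluates to 1 rather than 0, and that refuse a product that would overflow size_t. Function names are assumptions for this example.

```c
#include <stdint.h>
#include <stdlib.h>
/* Hypothetical helper, not matio's SafeMulDims: multiply `rank` dimensions into an
 * element count. Returns 1 on success, 0 on bad arguments or size_t overflow. */
static int dims_element_count(int rank, const size_t *dims, size_t *nelems)
{
    size_t n = 1;
    if (rank < 0 || (rank > 0 && dims == NULL))
        return 0;
    if (rank == 0) {          /* no dimensions: define the count as 0, not 1 */
        *nelems = 0;
        return 1;
    }
    for (int i = 0; i < rank; i++) {
        if (dims[i] != 0 && n > SIZE_MAX / dims[i])
            return 0;         /* overflow: refuse rather than under-allocate */
        n *= dims[i];
    }
    *nelems = n;
    return 1;
}

/* Zeroed allocation for a variable's data: NULL with *bytes == 0 when there is
 * nothing to allocate (rank 0 or a zero-length dimension) or the byte size would
 * overflow, so a caller that frees only non-NULL buffers cannot leak on rank 0. */
static void *calloc_var_data(int rank, const size_t *dims, size_t elem_size, size_t *bytes)
{
    size_t nelems;
    *bytes = 0;
    if (elem_size == 0 || !dims_element_count(rank, dims, &nelems) || nelems == 0)
        return NULL;
    if (nelems > SIZE_MAX / elem_size)
        return NULL;
    *bytes = nelems * elem_size;
    return calloc(nelems, elem_size);
}

/* 1 if the rank-0, rank-3 (constructed 2x4x5) and overflow cases behave as above. */
static int self_check(void)
{
    const size_t dims[3] = { 2, 4, 5 }, huge[2] = { SIZE_MAX, 2 };
    size_t n = 99, bytes = 99;
    void *p = calloc_var_data(3, dims, sizeof(int), &bytes);
    int ok = p != NULL && bytes == 40 * sizeof(int);
    free(p);
    ok = ok && calloc_var_data(0, NULL, sizeof(int), &bytes) == NULL && bytes == 0;
    ok = ok && dims_element_count(0, NULL, &n) && n == 0;
    ok = ok && dims_element_count(3, dims, &n) && n == 40;
    return ok && !dims_element_count(2, huge, &n);
}
```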

Comment 1 Lewis Smith 2021-06-22 09:39:51 CEST
That earlier bug's update is ready to push, blocked by this new one - which reiterates the need to report the fault (ineffective fix) upstream. Who does this?
I just have - by appending to their bug (131), which is currently closed.
I do not know whether to leave this with Bugsquad, or assign to packagers; with its UPSTREAM status.

Status: NEW => UPSTREAM

Thomas Backlund 2021-06-23 20:15:06 CEST

Blocks: 27969 => (none)

Comment 2 Aurelien Oudelet 2021-06-28 05:54:59 CEST
Assigning globally.

Assignee: bugsquad => pkg-bugs
CC: (none) => ouaurelien

Comment 3 Nicolas Lécureuil 2021-12-18 00:25:43 CET
Fixed in mga9

Status: UPSTREAM => NEW
CC: (none) => mageia
Version: Cauldron => 8
Whiteboard: MGA8TOO, MGA7TOO => (none)

Comment 4 Nicolas Lécureuil 2021-12-18 00:31:24 CET
New version pushed in mga8

src:
    - matio-1.5.21-1.mga8

Status comment: Incomplete fix needs to be reported upstream => (none)
Assignee: pkg-bugs => qa-bugs

Comment 5 David Walser 2021-12-18 00:48:58 CET
We'll have to see if it's actually fixed.

matio-1.5.21-1.mga8
libmatio-devel-1.5.21-1.mga8
libmatio11-1.5.21-1.mga8

from matio-1.5.21-1.mga8.src.rpm
Comment 6 Len Lawrence 2021-12-18 17:40:34 CET
mga8, x64

Installed the latest core packages and checked the PoC again:
$ matdump 006-memleak
InflateRankDims: inflate returned data error
InflateVarTag: inflate returned data error
Empty
InflateRankDims: Reading dimensions expected type MAT_T_INT32
      Name: 
      Rank: 0
InflateRankDims: inflate returned data error
Segmentation fault (core dumped)

Tried updating with qarepo. Not on my chosen mirror yet. Trying later.
Assuming that rpms are for instance:
matio-1.5.21-1.mga8.x86_64.rpm
.....

CC: (none) => tarazed25

Comment 7 Len Lawrence 2021-12-18 21:46:03 CET
Updated the three packages.

$ matdump 006-memleak
Inflate: inflate returned data error

That is a clean result, so it looks like it is fixed.

$ urpmq --whatrequires-recursive lib64matio11
lib64matio-devel
lib64matio11
matio

No more scilab.  Cannot find it either.
Back to this later.
Comment 8 Len Lawrence 2021-12-18 21:54:05 CET
We had scilab in Mageia 7 so maybe it is in Cauldron?
Comment 9 David Walser 2021-12-18 21:57:24 CET
Scilab was dropped.
Comment 10 Len Lawrence 2021-12-18 22:36:10 CET
ACK
Comment 11 Len Lawrence 2021-12-18 22:38:09 CET
Modified the 3d.c file used in bug 26883, which does not do very much but exercises matio.

#include <stdio.h>
#include <matio.h>
#include <matio_pubconf.h>

int main(void)
{
    const int first = 2, second = 4, third = 5;
    int array3d[2][4][5] = { 0 };

    /* fill 3d array */
    for (int i = 0; i < first; i++)
        for (int j = 0; j < second; j++)
            for (int k = 0; k < third; k++)
                array3d[i][j][k] = (i + 1) * (j + 1) * (k + 1);

    /* write */
    const char *fieldname3d = "array3d";
    const char *filename = "myfile.mat";
    /* matfp holds the MAT file handle, or NULL on failure */
    mat_t *matfp = Mat_CreateVer(filename, NULL, MAT_FT_MAT5); /* or MAT_FT_MAT4 / MAT_FT_MAT73 */
    if (matfp == NULL) {
        fprintf(stderr, "Mat_CreateVer failed for %s\n", filename);
        return 1;
    }
    size_t dim3d[3] = { first, second, third };
    /* rank 3 variable; the array decays to the data pointer matio copies from */
    matvar_t *variable3d = Mat_VarCreate(fieldname3d, MAT_C_INT32, MAT_T_INT32, 3, dim3d, array3d, 0);
    if (variable3d == NULL) {
        fprintf(stderr, "Mat_VarCreate failed\n");
        Mat_Close(matfp);
        return 1;
    }
    if (Mat_VarWrite(matfp, variable3d, MAT_COMPRESSION_NONE) != 0)
        fprintf(stderr, "Mat_VarWrite failed\n");
    /* don't forget to free the variable and close the file with Mat_Close(matfp) */
    Mat_VarFree(variable3d);
    Mat_Close(matfp);
    return 0;
}

$ gcc -o 3d 3d.c $(pkg-config --libs --cflags matio)
$ ./3d
$ file myfile.mat
myfile.mat: Matlab v5 mat-file (little endian) version 0x0100
$ ll myfile.mat
-rw-r--r-- 1 lcl lcl 360 Dec 18 21:15 myfile.mat
$ rm -f myfile.mat
$ strace -o 3d.trace ./3d
$ grep matio 3d.trace
openat(AT_FDCWD, "/lib64/libmatio.so.11", O_RDONLY|O_CLOEXEC) = 3
$ 

OK on the basis of this primitive test.

Whiteboard: (none) => MGA8-64-OK

Comment 12 Thomas Andrews 2021-12-19 00:59:00 CET
Validating.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Thomas Backlund 2021-12-19 11:58:51 CET

Keywords: (none) => advisory

Comment 13 Mageia Robot 2021-12-19 13:27:22 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0558.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

