Bug 29392 - libass new security issue CVE-2020-36430
Summary: libass new security issue CVE-2020-36430
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2021-08-20 17:52 CEST by David Walser
Modified: 2021-08-27 17:31 CEST (History)

See Also:
Source RPM: libass-0.15.0-1.mga7.src.rpm
CVE:
Status comment:



Description David Walser 2021-08-20 17:52:17 CEST
SUSE has issued an advisory today (August 20):
https://lists.suse.com/pipermail/sle-security-updates/2021-August/009325.html

The issue is fixed upstream in 0.15.1.

Advisory:
========================

Updated libass packages fix security vulnerability:

libass 0.15.x before 0.15.1 has a heap-based buffer overflow in decode_chars
(called from decode_font and process_text) because the wrong integer data type
is used for subtraction (CVE-2020-36430).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36430
https://lists.suse.com/pipermail/sle-security-updates/2021-August/009325.html
========================

Updated packages in core/updates_testing:
========================
libass9-0.15.1-1.mga8
libass-devel-0.15.1-1.mga8

from libass-0.15.1-1.mga8.src.rpm
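As an added illustration of the bug class the advisory names (an unsigned subtraction that wraps and under-sizes a heap buffer), here is constructed C that is not libass's decode_chars/decode_font code: a uuencode-style decoder's output-size computation in its buggy and fixed forms, plus a decoder that uses the fixed one. All function names and the encoding details are assumptions made for this illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed example, NOT libass's own code. Encoding assumed here: each
 * char carries 6 bits (char - 33); four chars form 3 output bytes; a trailing
 * group of 2 or 3 chars yields 1 or 2 bytes. */

/* Buggy: n % 4 is size_t, so when n % 4 == 0 the subtraction wraps to
 * SIZE_MAX instead of yielding -1; added to n / 4 * 3 it wraps again, and the
 * total is one byte short of what the decoder will write. */
size_t out_size_buggy(size_t n)
{
    return n / 4 * 3 + (n % 4 - 1);   /* wraps: returns n / 4 * 3 - 1 */
}

/* Fixed: handle the no-tail case explicitly and reject an impossible tail of
 * one char. Returns the needed size, or -1 for invalid input length. */
long out_size_fixed(size_t n)
{
    size_t tail = n % 4;
    if (tail == 1)
        return -1;                    /* one leftover char cannot form a byte */
    return (long)(n / 4 * 3 + (tail ? tail - 1 : 0));
}

/* Decode one group of cnt (2..4) chars into cnt - 1 bytes. */
static size_t decode_group(const unsigned char *src, unsigned char *dst, size_t cnt)
{
    uint32_t value = 0;
    for (size_t i = 0; i < cnt; i++)
        value |= (uint32_t)((src[i] - 33u) & 63) << (6 * (3 - i));
    dst[0] = value >> 16;
    if (cnt > 2) dst[1] = (value >> 8) & 0xFF;
    if (cnt == 4) dst[2] = value & 0xFF;
    return cnt - 1;
}

/* Decode with the fixed size computation. On success *out is malloc'd (caller
 * frees) and the decoded length is returned; -1 on invalid input or OOM. */
long decode_fixed(const char *src, unsigned char **out)
{
    size_t n = strlen(src), pos = 0;
    long need = out_size_fixed(n);
    if (need < 0) return -1;
    unsigned char *buf = malloc(need > 0 ? (size_t)need : 1);
    if (!buf) return -1;
    for (size_t i = 0; i < n; i += 4)
        pos += decode_group((const unsigned char *)src + i, buf + pos,
                            n - i < 4 ? n - i : 4);
    *out = buf;
    return (long)pos;
}
```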
Comment 1 David Walser 2021-08-20 18:00:05 CEST
openSUSE has issued an advisory for this today (August 20):
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/TQ4DQBQAAUJIVKVW7IIROTEKRYDSFT2S/

We can use that reference in the advisory instead.
Comment 2 Len Lawrence 2021-08-26 14:07:43 CEST
mga8, x64

Poked around to see if there was any way to test the overflow issue but as is fairly usual these days the PoCs are part of a cluster-fuzz framework. Not only do we not want to get into a rebuilding situation but the final product differs from the release candidate.

Installed the vlc-plugin-libass and ran a trace on vlc while playing a film with subtitles enabled.
That showed that liblibass_plugin.so was being opened.  The plugin requires lib64ass9.

Updated the two packages.
Ran the vlc test to confirm that the libass plugin was opened.
The requires list indicates that mplayer uses the library directly.
Verified that by running mplayer under strace.
$ grep libass mplayer.trace
openat(AT_FDCWD, "/lib64/libass.so.9", O_RDONLY|O_CLOEXEC) = 3

This looks OK for 64-bits.

Whiteboard: (none) => MGA8-64-OK
CC: (none) => tarazed25

Comment 3 Thomas Andrews 2021-08-26 20:59:06 CEST
Validating. Advisory in Comment 0.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Thomas Backlund 2021-08-27 17:01:42 CEST

Keywords: (none) => advisory

Comment 4 Mageia Robot 2021-08-27 17:31:21 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0413.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

