Bug 5208 - plib new security issue CVE-2011-4620
Summary: plib new security issue CVE-2011-4620
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 1
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact:
URL:
Whiteboard:
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2012-04-03 01:29 CEST by David Walser
Modified: 2012-04-25 21:45 CEST

See Also:
Source RPM: plib-1.8.5-3.mga1.src.rpm
CVE:
Status comment:


Attachments
plib-1.8.5-CVE-2011-4620.diff (369 bytes, patch)
2012-04-03 01:31 CEST, David Walser
patch for similar code in irrlicht (383 bytes, patch)
2012-04-03 01:39 CEST, David Walser

Description David Walser 2012-04-03 01:29:26 CEST
Debian has issued an update for this, and describes it as a remotely exploitable buffer overflow vulnerability.

Mageia 1 and Cauldron are affected.  Fixing this is currently blocked by a build error on Cauldron.

In Mageia, plib is compiled into the packages that use it, so for this to be fixed, they will need to be rebuilt.  Those packages are:
- torcs
- flightgear
- speed-dreams
- tuxkart
- tux_aqfh

Additionally, supertuxkart was forked from tuxkart and switched its build dependency from plib to irrlicht, which contains code that looks just like the affected code in plib, just with changed variable names.  This should probably be patched as well.  In this case, supertuxkart is dynamically linked to irrlicht, so rebuilding supertuxkart would not be required.

Finally, it looks like in Debian that plib is built as a library and that the software using plib in Debian is dynamically linked to that library, rather than having it compiled in.  It would be nice if we could do the same in Cauldron at some point.

References:
http://www.debian.org/security/2012/dsa-2425.en.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4620
Comment 1 David Walser 2012-04-03 01:31:58 CEST
Created attachment 1910 [details]
plib-1.8.5-CVE-2011-4620.diff
Comment 2 David Walser 2012-04-03 01:39:22 CEST
Created attachment 1911 [details]
patch for similar code in irrlicht
David Walser 2012-04-03 01:40:26 CEST

Blocks: (none) => 5046

Remco Rijnders 2012-04-03 06:48:53 CEST

CC: (none) => stormi

Comment 3 David Walser 2012-04-03 19:58:05 CEST
OK it builds in Cauldron now.  On Mageia 1 it builds with mesaglut which pulls in libxmu-devel as a dependency, but on Cauldron it builds with freeglut which does not.

I have submitted updated plib and irrlicht packages for Cauldron.  All that needs to be done there is rebuilding the 5 packages that use plib.

Mageia 1 hasn't been addressed yet.
Comment 4 David Walser 2012-04-04 18:28:19 CEST
The 5 packages in Cauldron have been rebuilt.
David Walser 2012-04-04 18:29:16 CEST

Blocks: 5046 => (none)

Comment 5 David Walser 2012-04-07 04:42:39 CEST
For Mageia 1, there is only torcs, flightgear, supertuxkart, and tuxkart.

In Mageia 1, supertuxkart was built with plib (hadn't switched to irrlicht yet).
Comment 6 David Walser 2012-04-07 06:34:19 CEST
Patched (plib) and rebuilt (games) package uploaded.

Note to QA, the affected code is used for printing error messages.

Advisory:
========================

Updated plib and other packages fix security vulnerability:

Buffer overflow in the ulSetError function in util/ulError.cxx
in PLIB 1.8.5, as used in TORCS 1.3.1 and other products, allows
user-assisted remote attackers to execute arbitrary code via vectors
involving a long error message, as demonstrated by a crafted acc
file for TORCS (CVE-2011-4620).

The torcs, flightgear, supertuxkart, and tuxkart packages have been
rebuilt with the fixed plib library.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4620
http://www.debian.org/security/2012/dsa-2425.en.html
========================

Updated packages in core/updates_testing:
========================
plib-devel-1.8.5-3.1.mga1
torcs-1.3.1-7.1.mga1
torcs-robots-base-1.3.1-7.1.mga1
torcs-robots-berniw-1.3.1-7.1.mga1
torcs-robots-bt-1.3.1-7.1.mga1
torcs-robots-olethros-1.3.1-7.1.mga1
flightgear-2.0.0-4.1.mga1
supertuxkart-0.7-1.1.mga1
tuxkart-0.4.0-10.1.mga1

from SRPMS:
plib-1.8.5-3.1.mga1.src.rpm
torcs-1.3.1-7.1.mga1.src.rpm
flightgear-2.0.0-4.1.mga1.src.rpm
supertuxkart-0.7-1.1.mga1.src.rpm
tuxkart-0.4.0-10.1.mga1.src.rpm

Assignee: bugsquad => qa-bugs
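The overflow pattern named in the advisory, as an added C illustration (not PLIB's own code and not the attached patch): error text is formatted into a fixed-size buffer with a length-bounded vsnprintf, so an over-long message built from a crafted file name is truncated rather than written past the buffer. The buffer length, function names and the sample message are assumptions.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical buffer length; PLIB's real constant is not reproduced here. */
#define ERR_BUF_LEN 1024

/* Bounded replacement for an unbounded vsprintf-style error formatter.
 * Always leaves buf NUL-terminated (when cap > 0).
 * Returns 1 if the message did not fit and was truncated, 0 otherwise. */
int safe_set_error(char *buf, size_t cap, const char *fmt, ...)
{
    va_list ap;
    int needed;
    va_start(ap, fmt);
    needed = vsnprintf(buf, cap, fmt, ap);  /* never writes more than cap bytes */
    va_end(ap);
    if (needed < 0) {                       /* encoding error: report as truncated */
        if (cap) buf[0] = '\0';
        return 1;
    }
    return (size_t)needed >= cap;
}

/* Constructed case: a 3999-byte file name stands in for the crafted .acc
 * path that makes the unpatched code overrun its error buffer. */
int demo_long_message(void)
{
    char name[4000];
    char buf[ERR_BUF_LEN];
    memset(name, 'A', sizeof name - 1);
    name[sizeof name - 1] = '\0';
    int truncated = safe_set_error(buf, sizeof buf,
        "ssgLoadAC: '%s' is not in AC3D format.", name);
    /* buffer stays within bounds and terminated regardless of input length */
    return truncated && strlen(buf) == ERR_BUF_LEN - 1;
}

/* Constructed case: an ordinary short message is formatted unchanged. */
int demo_short_message(void)
{
    char buf[64];
    int truncated = safe_set_error(buf, sizeof buf,
        "ssgLoadAC: '%s' is not in AC3D format.", "x.acc");
    return !truncated &&
        strcmp(buf, "ssgLoadAC: 'x.acc' is not in AC3D format.") == 0;
}
```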

Comment 7 David Walser 2012-04-07 07:11:35 CEST
Hmm, supertuxkart in Mageia 1 is using irrlicht after all.  The rebuild for plib wasn't necessary (although I did fix an error in the .desktop file).

I'll upload a patched irrlicht and update the advisory.
Comment 8 David Walser 2012-04-07 07:20:37 CEST
The affected code isn't in the version of irrlicht used in Mageia 1.  This should be good to go.
Comment 9 Dave Hodgins 2012-04-07 21:48:15 CEST
Just fyi, I can't test these on my ancient hardware.  Lockups with the
ati driver, and do not work under vesa.  Someone else will have to
do the i586 testing for these.

CC: (none) => davidwhodgins

Comment 10 Manuel Hiebel 2012-04-11 22:12:34 CEST
flightgear & torcs work fine on x86_64. Don't know how to see some errors.
Comment 11 claire robinson 2012-04-20 15:11:50 CEST
torcs PoC here http://www.securityfocus.com/bid/51152/exploit

Confirmed the list of packages using plib-devel as buildrequire.
Comment 12 claire robinson 2012-04-20 16:27:26 CEST
i586

Torcs
-----
There is a segfault with torcs when choosing quick race > configure race > accept but it isn't a regression.

/usr/games/torcs: line 53: 24727 Segmentation fault      $LIBDIR/torcs-bin -l $LOCAL_CONF -L $LIBDIR -D $DATADIR $*

I'll create a bug for that.

With the compiled PoC in place of car4-trb1.acc in /usr/share/games/torcs/cars/car4-trb1/

When starting a race..

WARNING: ssgLoadAC: 'cars/car4-trb1/car4-trb1.acc' is not in AC3D format.
/usr/games/torcs: line 53: 24372 Segmentation fault      $LIBDIR/torcs-bin -l $LOCAL_CONF -L $LIBDIR -D $DATADIR $*

That is the same segfault as the one above so I'm not sure it is related to the PoC.
Comment 13 claire robinson 2012-04-20 16:56:03 CEST
Flightgear
----------

My old laptop can't really run this but with the Release version at startup it gives an error..

$ fgfs
Mesa 7.10.2 implementation error: Bad renderbuffer format: 21

Please report at bugs.freedesktop.org

It later gives several pages of these before reaching the cockpit..

i915_program_error: Bad source->Index: 12
i915_program_error: Bad source->Index: 12

No regressions sat on the runway with the update. I'll create another bug for this.
Comment 14 claire robinson 2012-04-20 17:21:23 CEST
Tuxkart Ok.
Supertuxkart Ok.

Testing complete i586
Comment 15 claire robinson 2012-04-20 17:27:39 CEST
Bug 5513 created for flightgear.
Bug 5514 created for torcs
Comment 16 David Walser 2012-04-23 04:00:39 CEST
José Jorge has fixed Bug 5514, so its SRPM is now torcs-1.3.1-7.2.mga1.
Comment 17 claire robinson 2012-04-24 18:08:20 CEST
Still to test - tuxkart & supertuxkart x86_64
Comment 18 claire robinson 2012-04-25 15:31:00 CEST
All tested OK

Validating

Please see comment 6 for Advisory and SRPM

Could sysadmin please push from core/updates_testing to core/updates

Thanks!

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Hardware: i586 => All

Comment 19 claire robinson 2012-04-25 15:32:15 CEST
I think torcs has already been pushed after bug 5514 was closed.
Comment 20 Thomas Backlund 2012-04-25 21:45:00 CEST
Update pushed.

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED
