Bug 8066 - plib new security issue CVE-2012-4552
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
Version: 2
Hardware: i586 Linux
Priority: Normal Severity: major
Target Milestone: ---
Assigned To: QA Team
URL: http://lwn.net/Vulnerabilities/524575/
Whiteboard: MGA1TOO has_procedure, MGA2-64-OK mga...
Keywords: validated_update

Reported: 2012-11-13 13:51 CET by David Walser
Modified: 2012-11-21 20:54 CET
Source RPM: plib

Description David Walser 2012-11-13 13:51:08 CET
Fedora has issued an advisory on November 2:
http://lists.fedoraproject.org/pipermail/package-announce/2012-November/091937.html

All of our packages built against plib compile it in statically, so they will need to be rebuilt.
Comment 1 David Walser 2012-11-13 14:10:41 CET
The last plib update was Bug 5208.  These packages were rebuilt:
torcs
flightgear
supertuxkart
tuxkart
Comment 2 David Walser 2012-11-13 14:12:23 CET
According to a comment on the old bug, supertuxkart is actually using irrlicht instead of plib.  Either irrlicht contains the same code and needs to be fixed as well, or supertuxkart doesn't need to be rebuilt.
Comment 4 David Walser 2012-11-14 19:10:45 CET
irrlicht is not affected by this (therefore, neither is supertuxkart).
Comment 5 David Walser 2012-11-15 23:37:13 CET
In Mageia 2 and Cauldron, these also use plib:
speed-dreams
tux_aqfh
Comment 6 David Walser 2012-11-16 02:33:35 CET
Patched plib and rebuilt game packages uploaded for Mageia 1, Mageia 2, and Cauldron.

Advisory:
========================

Updated plib package fixes security vulnerability:

Plib is prone to a stack-based buffer overflow in the error function in
ssg/ssgParser.cxx when it loads 3D model files as X (DirectX), ASC, ASE,
ATG, and OFF, if a very long error message is passed to the function
(CVE-2012-4552).

Additionally, the torcs, flightgear, tuxkart, speed-dreams, and tux_aqfh
packages have been rebuilt to include the updated library.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4552
http://lists.fedoraproject.org/pipermail/package-announce/2012-November/091937.html
========================

Updated packages in core/updates_testing:
========================
plib-devel-1.8.5-3.2.mga1
torcs-1.3.1-7.3.mga1
torcs-robots-base-1.3.1-7.3.mga1
torcs-robots-berniw-1.3.1-7.3.mga1
torcs-robots-bt-1.3.1-7.3.mga1
torcs-robots-olethros-1.3.1-7.3.mga1
flightgear-2.0.0-4.3.mga1
tuxkart-0.4.0-10.2.mga1
plib-devel-1.8.5-4.1.mga2
torcs-1.3.3-2.1.mga2
torcs-robots-base-1.3.3-2.1.mga2
torcs-robots-berniw-1.3.3-2.1.mga2
torcs-robots-bt-1.3.3-2.1.mga2
torcs-robots-olethros-1.3.3-2.1.mga2
flightgear-2.6.0-2.1.mga2
tuxkart-0.4.0-11.1.mga2
speed-dreams-2.0.0-1.1.mga2
speed-dreams-robots-hq-2.0.0-1.1.mga2
speed-dreams-robots-more-hq-2.0.0-1.1.mga2
speed-dreams-robots-wip-2.0.0-1.1.mga2
speed-dreams-devel-2.0.0-1.1.mga2
tux_aqfh-1.0.14-13.1.mga2

from SRPMS:
plib-1.8.5-3.2.mga1.src.rpm
torcs-1.3.1-7.3.mga1.src.rpm
flightgear-2.0.0-4.3.mga1.src.rpm
tuxkart-0.4.0-10.2.mga1.src.rpm
plib-1.8.5-4.1.mga2.src.rpm
torcs-1.3.3-2.1.mga2.src.rpm
flightgear-2.6.0-2.1.mga2.src.rpm
tuxkart-0.4.0-11.1.mga2.src.rpm
speed-dreams-2.0.0-1.1.mga2.src.rpm
tux_aqfh-1.0.14-13.1.mga2.src.rpm
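
Added example, not part of the bug report and not plib's code or the actual patch: the advisory in comment 6 describes an error function that overflows a stack buffer when the message is very long, and this sketch shows the bounded-formatting pattern that closes that class of bug. The names format_error_bounded and report_token_error, the ERR_BUF_SIZE value, and the assumption that the message is built with a printf-style call are all hypothetical.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Assumed size: the page does not give the real buffer size. */
#define ERR_BUF_SIZE 64

/* Unsafe pattern, shown as a comment only:
 *     char msg[ERR_BUF_SIZE]; vsprintf(msg, fmt, ap);
 * vsprintf() cannot know the size of msg, so a long message overruns it. */

/* Bounded form. Returns 0 if the message fit, 1 if it was truncated
 * (the tail is replaced by "..."), -1 on bad arguments or a format error. */
int format_error_bounded(char *out, size_t out_size, const char *fmt, ...)
{
    va_list ap;
    int n;
    if (out == NULL || out_size < 4)
        return -1;
    va_start(ap, fmt);
    n = vsnprintf(out, out_size, fmt, ap);  /* never writes past out_size */
    va_end(ap);
    if (n < 0) {
        out[0] = '\0';
        return -1;
    }
    if ((size_t)n >= out_size) {
        memcpy(out + out_size - 4, "...", 4);  /* three dots plus NUL */
        return 1;
    }
    return 0;
}

/* Hypothetical parser helper: `token` comes straight from the model file,
 * so its length is controlled by whoever wrote the file. */
int report_token_error(const char *token, char *out, size_t out_size)
{
    return format_error_bounded(out, out_size, "unexpected token '%s'", token);
}

int main(void)
{
    char buf[ERR_BUF_SIZE], tok[300];
    memset(tok, 'A', sizeof tok - 1);   /* constructed oversized token */
    tok[sizeof tok - 1] = '\0';
    printf("%d %s\n", report_token_error(tok, buf, sizeof buf), buf);
    return 0;
}
```

Because the library is linked statically, a fix of this kind only reaches users once every dependent package is rebuilt, which is why the game packages are listed alongside plib.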
Comment 7 claire robinson 2012-11-16 16:28:53 CET
To test this you just need to play the games with the updates applied :)
(Don't forget plib-devel itself)

For mga1..

torcs
flightgear
tuxkart

For mga2..

torcs
flightgear
tuxkart
speed-dreams
tux_aqfh
Comment 8 David Walser 2012-11-16 17:06:19 CET
Really just the games themselves need to be tested.  plib-devel just contains the static library that is included by the games when they build, but we already know that package "works" just by the fact that the game packages built.
Comment 9 Marc Lattemann 2012-11-17 14:03:30 CET
subrel for flightgear for mga2 needs a bump? 
2.6.0-2.1.mga2 is available in both: Core-Update and Core-Update_testing.
Comment 10 David Walser 2012-11-17 16:47:06 CET
Thanks, fixed.  Reposting advisory.

Advisory:
========================

Updated plib package fixes security vulnerability:

Plib is prone to a stack-based buffer overflow in the error function in
ssg/ssgParser.cxx when it loads 3D model files as X (DirectX), ASC, ASE,
ATG, and OFF, if a very long error message is passed to the function
(CVE-2012-4552).

Additionally, the torcs, flightgear, tuxkart, speed-dreams, and tux_aqfh
packages have been rebuilt to include the updated library.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4552
http://lists.fedoraproject.org/pipermail/package-announce/2012-November/091937.html
========================

Updated packages in core/updates_testing:
========================
plib-devel-1.8.5-3.2.mga1
torcs-1.3.1-7.3.mga1
torcs-robots-base-1.3.1-7.3.mga1
torcs-robots-berniw-1.3.1-7.3.mga1
torcs-robots-bt-1.3.1-7.3.mga1
torcs-robots-olethros-1.3.1-7.3.mga1
flightgear-2.0.0-4.3.mga1
tuxkart-0.4.0-10.2.mga1
plib-devel-1.8.5-4.1.mga2
torcs-1.3.3-2.1.mga2
torcs-robots-base-1.3.3-2.1.mga2
torcs-robots-berniw-1.3.3-2.1.mga2
torcs-robots-bt-1.3.3-2.1.mga2
torcs-robots-olethros-1.3.3-2.1.mga2
flightgear-2.6.0-2.2.mga2
tuxkart-0.4.0-11.1.mga2
speed-dreams-2.0.0-1.1.mga2
speed-dreams-robots-hq-2.0.0-1.1.mga2
speed-dreams-robots-more-hq-2.0.0-1.1.mga2
speed-dreams-robots-wip-2.0.0-1.1.mga2
speed-dreams-devel-2.0.0-1.1.mga2
tux_aqfh-1.0.14-13.1.mga2

from SRPMS:
plib-1.8.5-3.2.mga1.src.rpm
torcs-1.3.1-7.3.mga1.src.rpm
flightgear-2.0.0-4.3.mga1.src.rpm
tuxkart-0.4.0-10.2.mga1.src.rpm
plib-1.8.5-4.1.mga2.src.rpm
torcs-1.3.3-2.1.mga2.src.rpm
flightgear-2.6.0-2.2.mga2.src.rpm
tuxkart-0.4.0-11.1.mga2.src.rpm
speed-dreams-2.0.0-1.1.mga2.src.rpm
tux_aqfh-1.0.14-13.1.mga2.src.rpm
Comment 11 Marc Lattemann 2012-11-19 20:03:50 CET
tested for mga2 64bit.
torcs, tuxkart and flightgear are working fine. Only for speed-dreams and tux_aqfh I have no sound. 

error message:
slDSP: open: Device or resource busy
WARNING: slScheduler: soundcard init failed.

However tested previous version and sound was absent as well. So no regression. So if not plib related then OK can be added to whiteboard.
Comment 12 David Walser 2012-11-19 20:22:05 CET
For the ones that have no sound, try running them through soundwrapper (i.e.):
soundwrapper tux_aqfh
Comment 13 Marc Lattemann 2012-11-19 21:18:45 CET
no change using soundwrapper.
Maybe someone else can check if this is just a problem with my local installation...
Comment 14 Dave Hodgins 2012-11-20 01:46:44 CET
On Mageia 1 i586, I'm getting
$ torcs 
Visual Properties Report
------------------------
Compatibility mode, properties unknown.
OpenGL Warning: XGetVisualInfo returned 0 visuals for 0x9070870
OpenGL Warning: Retry with 0x8002 returned 0 visuals
/usr/games/torcs: line 53:  3284 Segmentation fault      $LIBDIR/torcs-bin -l $LOCAL_CONF -L $LIBDIR -D $DATADIR $*

I'll have to install the older version to see if this is a regression or not.
Comment 15 Dave Hodgins 2012-11-20 02:25:35 CET
Testing complete on Mageia 1 x86-64.

torcs, fgfs, and tuxkart are all working, including sound.
Comment 16 Dave Hodgins 2012-11-20 02:43:41 CET
On Mageia 1 i586, with the core updates version of torcs, I'm getting
Program received signal SIGSEGV, Segmentation fault.
0xb7bacf29 in fgOpenWindow () from /usr/lib/libglut.so.3
(gdb) #0  0xb7bacf29 in fgOpenWindow () from /usr/lib/libglut.so.3
#1  0xb7baba24 in fgCreateWindow () from /usr/lib/libglut.so.3
#2  0xb7bad493 in glutCreateWindow () from /usr/lib/libglut.so.3
#3  0xb7c156f3 in GfScrInit (argc=7, argv=0xbfffef34) at screen.cpp:396
#4  0x08048c22 in ?? ()
#5  0xb7571ca6 in __libc_start_main () from /lib/i686/libc.so.6
#6  0x08048b11 in ?? ()

So this is not a regression.

I'll test flightgear and tuxkart on Mageia 1 i586 shortly.
Comment 17 Dave Hodgins 2012-11-20 03:13:34 CET
fgfs and tuxkart are both ok on Mageia 1 i586.
Comment 18 claire robinson 2012-11-21 11:53:43 CET
Testing complete mga2 32

Validating

Advisory & srpms in comment 10

Could sysadmin please push to updates

Thanks!
Comment 19 Thomas Backlund 2012-11-21 20:54:42 CET
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0334
