Bug 600142 (CVE-2016-9445, CVE-2016-9446, CVE-2016-9447) - <media-libs/gst-plugins-bad-0.10.23-r4: multiple vulnerabilities (CVE-2016-{9445,9446,9447})
Status: RESOLVED FIXED
Alias: CVE-2016-9445, CVE-2016-9446, CVE-2016-9447
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL:
Whiteboard: B2 [glsa cve]
Keywords:
Depends on: gnome-3.20-stable
Blocks:
Reported: 2016-11-18 01:35 UTC by pachnekrobert
Modified: 2017-06-01 05:54 UTC

See Also:
Package list:
=media-libs/gst-plugins-bad-0.10.23-r4 ppc ppc64 sparc
Runtime testing required: ---
stable-bot: sanity-check+


Description pachnekrobert 2016-11-18 01:35:05 UTC
Chris Evans published this vulnerability on a private blog, as far as I'm concerned there was no CVE assigned yet but it should be considered to be public. I'm unaware if upstream was directly informed.
( https://scarybeastsecurity.blogspot.com/2016/11/0day-poc-risky-design-decisions-in.html )

Affects all versions of media-libs/gst-plugins-bad in the portage tree from what I can tell. Could probably lead to code execution.

The overflow occurs in media-libs/gst-plugins-bad-*/gst/vmnc/vmncdec.c

static int
vmnc_handle_wmvi_rectangle (GstVMncDec * dec, struct RfbRectangle *rect,
    const guint8 * data, int len, gboolean decode)
{
  ...
  bpp = data[0];                        /* pixel depth byte read straight from the file */
  ...
  dec->format.bytes_per_pixel = bpp / 8;
  dec->format.width = rect->width;      /* guint16 from the file, not validated */
  dec->format.height = rect->height;    /* guint16 from the file, not validated */
  ...
  /* int * int * int: the product can wrap before it reaches g_malloc */
  dec->imagedata = g_malloc (dec->format.width * dec->format.height *
      dec->format.bytes_per_pixel);
  ...
}

bpp is of type gint and attacker controlled, valid if it is 8, 16 or 32 (depth).
rect->width and rect->height are of type guint16 and can be controlled by the attacker by manipulating input files handled by applications relying on gst-plugins-bad; there is no input validation. Exploitation is described on the linked website.
Comment 1 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2016-11-18 06:25:23 UTC
There's gstreamer-1.10.1 available. Anybody knows if that version still has this vulnerability?
Comment 2 Aaron Bauman (RETIRED) gentoo-dev 2016-11-18 09:21:43 UTC
(In reply to Lars Wendler (Polynomial-C) from comment #1)
> There's gstreamer-1.10.1 available. Anybody knows if that version still has
> this vulnerability?

Upstream patch:

https://cgit.freedesktop.org/gstreamer/gst-plugins-bad/commit/gst/vmnc/vmncdec.c?id=4cb1bcf1422bbcd79c0f683edb7ee85e3f7a31fe

Courtesy of Hanno's comment on the blog post.

and the patch is included in the 1.10.1 release:

https://cgit.freedesktop.org/gstreamer/gst-plugins-bad/commit/?h=1.10
Comment 3 pachnekrobert 2016-11-18 23:20:37 UTC
CVE-2016-9445 was assigned

http://seclists.org/oss-sec/2016/q4/462
Comment 4 Mart Raudsepp gentoo-dev 2016-11-19 17:06:04 UTC
We would need to patch gst-plugins-bad-1.8.3 with a revbump here. Can't rush 1.10.1 into stable as a completely new stable cycle, which isn't even in ~arch yet.
I think just applying the patch as-is should work for 1.8.3, but I have no means to test vulnerability described here (can't read that loooong post right now, in case anything is in there).

The other relevant changes to that plugin include
https://cgit.freedesktop.org/gstreamer/gst-plugins-bad/commit/gst/vmnc/vmncdec.c?id=8cdfb13658a069
and
https://cgit.freedesktop.org/gstreamer/gst-plugins-bad/commit/gst/vmnc/vmncdec.c?id=50537e2c08cec

The security patch should be fine without including these.

I don't have the tree and upgrades up to date on my GPG machine right now, so someone can feel free to do that revbump instead of me, if just including upstream commit 93f9faad75 works and is sufficient.
Comment 5 Mart Raudsepp gentoo-dev 2016-11-19 18:31:15 UTC
(In reply to Mart Raudsepp from comment #4)
> if just including upstream commit 93f9faad75 works and is sufficient.

that commit id is the one cherry-picked to 1.10 branch, hence the difference from the link in comment #2.

Note that 0.10 seems vulnerable as well. Personally I don't care in the slightest about that, and we are trying to get those SLOTs treecleaned. I would just pass --disable-vmnc to its configure in a revbump as the security fix there, even if the patch happens to apply as-is to there. I would also pass --disable-nsf for "fixing" CVE-2016-9447.

Also note that the g_malloc change to g_malloc0 in the same commit seems to be assigned CVE-2016-9446 separately.


So if someone could commit a revbump to 1.8.3 that adds the vmnc patch, and a 0.10 revbump that disables vmnc and nsf via configure flags (and confirms it works and these plugins aren't installed anymore), then that'd be splendid and we could move on to stabilization.
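Added example (editor's illustration, not part of this bug thread and not code from gst-plugins-bad): the description shows width, height and bpp being multiplied as plain ints before g_malloc, and comment 5 notes that the same upstream commit also switched g_malloc to g_malloc0. The program below models both points side by side: a stand-in for the unchecked 32-bit product that wraps to a small buffer size for a huge frame, and a hardened sizing routine that validates bpp, detects multiplication overflow and applies an upper bound before doing a zeroed allocation. The rectangle header layout, the `struct rect_hdr` type, the function names and the `MAX_IMAGE_BYTES` limit are all assumptions chosen for the demonstration; the sample headers are constructed, not taken from any real file.

```c
#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Upper bound on one decoded frame. Assumed policy value for this example,
 * not a limit taken from gst-plugins-bad. */
#define MAX_IMAGE_BYTES ((size_t) 256 * 1024 * 1024)

/* Simplified, constructed rectangle header: big-endian 16-bit width and
 * height (standing in for the guint16 rect->width / rect->height of the
 * report), followed by the bpp byte the WMVi handler reads as data[0]. */
struct rect_hdr { uint16_t width; uint16_t height; uint8_t bpp; };

static int parse_rect_hdr(const uint8_t *buf, size_t len, struct rect_hdr *out)
{
    if (len < 5) return 0;
    out->width  = (uint16_t) ((buf[0] << 8) | buf[1]);
    out->height = (uint16_t) ((buf[2] << 8) | buf[3]);
    out->bpp    = buf[4];
    return 1;
}

/* Model of the pre-fix computation. In the reported code every factor is an
 * int, so width * height * bytes_per_pixel is a 32-bit multiply that can wrap
 * to a small value before being handed to g_malloc. Computed in uint32_t so
 * the model itself is well defined while reproducing the wrap. */
static uint32_t vmnc_size_unchecked(const struct rect_hdr *r)
{
    uint32_t bytes_per_pixel = r->bpp / 8;
    return (uint32_t) r->width * (uint32_t) r->height * bytes_per_pixel;
}

/* Hardened sizing: only the three valid depths, no empty dimensions,
 * overflow-checked multiplication, and a sanity cap. Returns 1 on success. */
static int vmnc_size_checked(const struct rect_hdr *r, size_t *out)
{
    size_t pixels, bytes;
    if (r->bpp != 8 && r->bpp != 16 && r->bpp != 32) return 0;
    if (r->width == 0 || r->height == 0) return 0;
    if (__builtin_mul_overflow((size_t) r->width, (size_t) r->height, &pixels)) return 0;
    if (__builtin_mul_overflow(pixels, (size_t) (r->bpp / 8), &bytes)) return 0;
    if (bytes > MAX_IMAGE_BYTES) return 0;
    *out = bytes;
    return 1;
}

/* Allocates the frame only after the size validated, and zero-fills it
 * (the calloc analogue of the g_malloc -> g_malloc0 change mentioned in
 * comment 5) so pixels a malformed stream never writes cannot expose stale
 * heap contents. Returns NULL on rejection or allocation failure. */
static uint8_t *vmnc_alloc_image(const struct rect_hdr *r, size_t *len)
{
    size_t bytes;
    uint8_t *buf;
    if (!vmnc_size_checked(r, &bytes)) return NULL;
    buf = calloc(bytes, 1);
    if (buf) *len = bytes;
    return buf;
}

/* Constructed sample headers (not from any real capture). */
static const uint8_t hdr_benign[5]   = { 0x02, 0x80, 0x01, 0xE0, 32 }; /* 640x480, 32 bpp */
static const uint8_t hdr_overflow[5] = { 0x80, 0x01, 0x80, 0x00, 32 }; /* 32769x32768, 32 bpp */

/* Size the unchecked model would pass to g_malloc for a raw header, or
 * UINT32_MAX if the header does not parse. */
static uint32_t unchecked_size_for(const uint8_t *buf, size_t len)
{
    struct rect_hdr r;
    if (!parse_rect_hdr(buf, len, &r)) return UINT32_MAX;
    return vmnc_size_unchecked(&r);
}

/* Hardened sizing for a raw header; 1 and *out set on success, else 0. */
static int checked_size_for(const uint8_t *buf, size_t len, size_t *out)
{
    struct rect_hdr r;
    if (!parse_rect_hdr(buf, len, &r)) return 0;
    return vmnc_size_checked(&r, out);
}

int main(void)
{
    struct rect_hdr r;
    size_t n = 0;
    uint8_t *img;

    printf("benign:   unchecked=%" PRIu32 " checked_ok=%d bytes=%zu\n",
           unchecked_size_for(hdr_benign, 5), checked_size_for(hdr_benign, 5, &n), n);
    printf("overflow: unchecked=%" PRIu32 " checked_ok=%d\n",
           unchecked_size_for(hdr_overflow, 5), checked_size_for(hdr_overflow, 5, &n));

    /* Zeroed allocation for the benign frame. */
    parse_rect_hdr(hdr_benign, 5, &r);
    img = vmnc_alloc_image(&r, &n);
    printf("alloc: %s, %zu bytes, first byte %u\n", img ? "ok" : "rejected", n, img ? img[0] : 0);
    free(img);
    return 0;
}
```

The 32769x32768 header is the instructive case: 32769 * 32768 * 4 is just over 2^32, so the wrapped product is 131072 bytes for a frame that actually needs over 4 GiB, which is exactly the undersized buffer a later pixel write would overrun. The checked path rejects it on 64-bit hosts through the cap and on 32-bit hosts through the overflow test, so the outcome does not depend on the width of size_t.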
Comment 6 Mart Raudsepp gentoo-dev 2016-11-20 16:57:07 UTC
kensington made, committed, tested and pushed the ebuilds for me.

Target keywords:

gst-plugins-bad-0.10.23-r4 alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
gst-plugins-bad-1.8.3-r1   alpha amd64 arm hppa ia64 ppc ppc64 sparc x86

For 1.8.3-r1  arm, ia64, ppc, ppc64 and sparc need to do other stabilization first, to get the gstreamer 1.8 cycle stable at all.
This is handled in bug 587010, which in turn might depend partially on bug 584468 or make that partially obsolete (don't need to go for gst 1.6 versions there, but straight to 1.8.* from the direct dependent bug) in addition to the bugs marked as dependencies on 587010. Can change the -bad-1.8.3-r0 with -r1 during stabilization of course; the vulnerability segfault should happen with 1.4 and 1.6 versions as well.


* How to test gst-plugins-bad-1.8.3-r1 security fix:
wget https://security.appspot.com/security/vmnc/vmnc_width_height_int_oflow.avi
gst-play-1.0 vmnc_width_height_int_oflow.avi
- Before upgrade this should segfault, afterwards play fine (note that with old version some other process on the system might get killed too, and whatever else that sample AVI happens to try to do)

* How to test gst-plugins-bad-0.10.23-r4 removal of vulnerable code:
gst-inspect-0.10 vmncdec
gst-inspect-0.10 nsfdec

Before upgrade these should list a whole lot of information for each; after upgrade it should simply say:
No such element or plugin 'vmncdec'
No such element or plugin 'nsfdec'


Both of these have been tested to work like this on amd64 by kensington and I don't expect any difference to that on other architectures (besides maybe how the segfault potentially affects the rest of the system with the vulnerable version).
Comment 7 Agostino Sarubbo gentoo-dev 2016-11-21 12:42:56 UTC
amd64 stable
Comment 8 Agostino Sarubbo gentoo-dev 2016-11-21 12:43:45 UTC
x86 stable
Comment 9 Tobias Klausmann (RETIRED) gentoo-dev 2016-11-23 18:01:44 UTC
Stable on alpha.
Comment 10 Markus Meier gentoo-dev 2016-12-17 15:28:30 UTC
arm stable
Comment 11 Michael Palimaka (kensington) gentoo-dev 2016-12-18 17:04:31 UTC
An automated check of this bug failed - repoman reported dependency errors (134 lines truncated): 

> dependency.bad media-libs/gst-plugins-bad/gst-plugins-bad-1.8.3-r1.ebuild: DEPEND: ia64(default/linux/ia64/13.0) ['>=media-libs/gstreamer-1.8.3:1.0[abi_x86_32(-)?,abi_x86_64(-)?,abi_x86_x32(-)?,abi_mips_n32(-)?,abi_mips_n64(-)?,abi_mips_o32(-)?,abi_ppc_32(-)?,abi_ppc_64(-)?,abi_s390_32(-)?,abi_s390_64(-)?,introspection?]', '>=media-libs/gst-plugins-base-1.8.3:1.0[abi_x86_32(-)?,abi_x86_64(-)?,abi_x86_x32(-)?,abi_mips_n32(-)?,abi_mips_n64(-)?,abi_mips_o32(-)?,abi_ppc_32(-)?,abi_ppc_64(-)?,abi_s390_32(-)?,abi_s390_64(-)?,introspection?]']
> dependency.bad media-libs/gst-plugins-bad/gst-plugins-bad-1.8.3-r1.ebuild: RDEPEND: ia64(default/linux/ia64/13.0) ['>=media-libs/gstreamer-1.8.3:1.0[abi_x86_32(-)?,abi_x86_64(-)?,abi_x86_x32(-)?,abi_mips_n32(-)?,abi_mips_n64(-)?,abi_mips_o32(-)?,abi_ppc_32(-)?,abi_ppc_64(-)?,abi_s390_32(-)?,abi_s390_64(-)?,introspection?]', '>=media-libs/gst-plugins-base-1.8.3:1.0[abi_x86_32(-)?,abi_x86_64(-)?,abi_x86_x32(-)?,abi_mips_n32(-)?,abi_mips_n64(-)?,abi_mips_o32(-)?,abi_ppc_32(-)?,abi_ppc_64(-)?,abi_s390_32(-)?,abi_s390_64(-)?,introspection?]']
> dependency.bad media-libs/gst-plugins-bad/gst-plugins-bad-1.8.3-r1.ebuild: DEPEND: ia64(default/linux/ia64/13.0/desktop) ['>=media-libs/gstreamer-1.8.3:1.0[abi_x86_32(-)?,abi_x86_64(-)?,abi_x86_x32(-)?,abi_mips_n32(-)?,abi_mips_n64(-)?,abi_mips_o32(-)?,abi_ppc_32(-)?,abi_ppc_64(-)?,abi_s390_32(-)?,abi_s390_64(-)?,introspection?]', '>=media-libs/gst-plugins-base-1.8.3:1.0[abi_x86_32(-)?,abi_x86_64(-)?,abi_x86_x32(-)?,abi_mips_n32(-)?,abi_mips_n64(-)?,abi_mips_o32(-)?,abi_ppc_32(-)?,abi_ppc_64(-)?,abi_s390_32(-)?,abi_s390_64(-)?,introspection?]']
> dependency.bad media-libs/gst-plugins-bad/gst-plugins-bad-1.8.3-r1.ebuild: DEPEND: ia64(default/linux/ia64/13.0) ['>=media-libs/gstreamer-1.8.3:1.0[abi_x86_32(-)?,abi_x86_64(-)?,abi_x86_x32(-)?,abi_mips_n32(-)?,abi_mips_n64(-)?,abi_mips_o32(-)?,abi_ppc_32(-)?,abi_ppc_64(-)?,abi_s390_32(-)?,abi_s390_64(-)?,introspection?]', '>=media-libs/gst-plugins-base-1.8.3:1.0[abi_x86_32(-)?,abi_x86_64(-)?,abi_x86_x32(-)?,abi_mips_n32(-)?,abi_mips_n64(-)?,abi_mips_o32(-)?,abi_ppc_32(-)?,abi_ppc_64(-)?,abi_s390_32(-)?,abi_s390_64(-)?,introspection?]']
> dependency.bad media-libs/gst-plugins-bad/gst-plugins-bad-1.8.3-r1.ebuild: RDEPEND: ia64(default/linux/ia64/13.0) ['>=media-libs/gstreamer-1.8.3:1.0[abi_x86_32(-)?,abi_x86_64(-)?,abi_x86_x32(-)?,abi_mips_n32(-)?,abi_mips_n64(-)?,abi_mips_o32(-)?,abi_ppc_32(-)?,abi_ppc_64(-)?,abi_s390_32(-)?,abi_s390_64(-)?,introspection?]', '>=media-libs/gst-plugins-base-1.8.3:1.0[abi_x86_32(-)?,abi_x86_64(-)?,abi_x86_x32(-)?,abi_mips_n32(-)?,abi_mips_n64(-)?,abi_mips_o32(-)?,abi_ppc_32(-)?,abi_ppc_64(-)?,abi_s390_32(-)?,abi_s390_64(-)?,introspection?]']
> dependency.bad media-libs/gst-plugins-bad/gst-plugins-bad-1.8.3-r1.ebuild: DEPEND: ia64(default/linux/ia64/13.0/desktop) ['>=media-libs/gstreamer-1.8.3:1.0[abi_x86_32(-)?,abi_x86_64(-)?,abi_x86_x32(-)?,abi_mips_n32(-)?,abi_mips_n64(-)?,abi_mips_o32(-)?,abi_ppc_32(-)?,abi_ppc_64(-)?,abi_s390_32(-)?,abi_s390_64(-)?,introspection?]', '>=media-libs/gst-plugins-base-1.8.3:1.0[abi_x86_32(-)?,abi_x86_64(-)?,abi_x86_x32(-)?,abi_mips_n32(-)?,abi_mips_n64(-)?,abi_mips_o32(-)?,abi_ppc_32(-)?,abi_ppc_64(-)?,abi_s390_32(-)?,abi_s390_64(-)?,introspection?]']
Comment 12 Michael Palimaka (kensington) gentoo-dev 2016-12-18 17:09:30 UTC
Please disregard the previous warning, I mistakenly converted this bug to the new format without also converting the bugs it depends on.
Comment 13 Jeroen Roovers (RETIRED) gentoo-dev 2017-01-20 08:07:08 UTC
Stable for HPPA.
Comment 14 Agostino Sarubbo gentoo-dev 2017-01-23 16:28:19 UTC
ia64 stable
Comment 15 Mart Raudsepp gentoo-dev 2017-01-26 04:51:21 UTC
gst-plugins-bad:1.0 cleaned up, but SLOT=0.10 cleanup remains due to waiting on media-libs/gst-plugins-bad-0.10.23-r4 for ppc/ppc64/sparc
Comment 16 Agostino Sarubbo gentoo-dev 2017-01-26 10:23:36 UTC
sparc stable
Comment 17 Agostino Sarubbo gentoo-dev 2017-01-26 11:01:46 UTC
ppc stable
Comment 18 Michael Weber (RETIRED) gentoo-dev 2017-02-22 21:33:10 UTC
ppc64 stable, last arch.
Comment 19 Mart Raudsepp gentoo-dev 2017-02-22 21:50:33 UTC
cleanup done
Comment 20 Aaron Bauman (RETIRED) gentoo-dev 2017-02-23 09:39:42 UTC
GLSA request filed.
Comment 21 GLSAMaker/CVETool Bot gentoo-dev 2017-05-18 02:14:36 UTC
This issue was resolved and addressed in
 GLSA 201705-10 at https://security.gentoo.org/glsa/201705-10
by GLSA coordinator Yury German (BlueKnight).
Comment 22 Sergey 'L29Ah' Alirzaev 2017-06-01 01:00:16 UTC
glsa-check matches media-libs/gst-plugins-base-0.10.36-r2 as affected. Is it really affected?
Comment 23 Mart Raudsepp gentoo-dev 2017-06-01 05:54:53 UTC
Yes, it is vulnerable to other things, not vmnc (that plugin is selectively disabled in gst-plugins-bad:0.10). Probably at least CVE-2017-5837, CVE-2017-5839, CVE-2017-5842, CVE-2017-5844, and that's just what's in gst-plugins-base, not gstreamer or gst-plugins-good (isomp4 vulns), without which the SLOT is not really useful at all. The whole 0.10 stack is EOL since long ago and no-one cares to check its security.