Bug 634806 - <media-libs/libquicktime-1.2.4-r3: Multiple vulnerabilities (CVE-2017-{9122,9123,9124,9125,9126,9127,9128})
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL:
Whiteboard: B3 [noglsa cve]
Keywords:
Depends on:
Blocks: CVE-2017-12143, CVE-2017-12145
Reported: 2017-10-19 17:45 UTC by GLSAMaker/CVETool Bot
Modified: 2018-11-25 00:11 UTC

See Also:
Package list:
media-libs/libquicktime-1.2.4-r3
Runtime testing required: ---
stable-bot: sanity-check+


Description GLSAMaker/CVETool Bot gentoo-dev 2017-10-19 17:45:19 UTC
CVE-2017-9128 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-9128):
  The quicktime_video_width function in lqt_quicktime.c in libquicktime 1.2.4
  allows remote attackers to cause a denial of service (heap-based buffer
  over-read and application crash) via a crafted mp4 file.

CVE-2017-9127 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-9127):
  The quicktime_user_atoms_read_atom function in useratoms.c in libquicktime
  1.2.4 allows remote attackers to cause a denial of service (heap-based
  buffer overflow and application crash) via a crafted mp4 file.

CVE-2017-9126 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-9126):
  The quicktime_read_dref_table function in dref.c in libquicktime 1.2.4
  allows remote attackers to cause a denial of service (heap-based buffer
  overflow and application crash) via a crafted mp4 file.

CVE-2017-9125 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-9125):
  The lqt_frame_duration function in lqt_quicktime.c in libquicktime 1.2.4
  allows remote attackers to cause a denial of service (heap-based buffer
  over-read) via a crafted mp4 file.

CVE-2017-9124 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-9124):
  The quicktime_match_32 function in util.c in libquicktime 1.2.4 allows
  remote attackers to cause a denial of service (NULL pointer dereference and
  application crash) via a crafted mp4 file.

CVE-2017-9123 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-9123):
  The lqt_frame_duration function in lqt_quicktime.c in libquicktime 1.2.4
  allows remote attackers to cause a denial of service (invalid memory read
  and application crash) via a crafted mp4 file.

CVE-2017-9122 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-9122):
  The quicktime_read_moov function in moov.c in libquicktime 1.2.4 allows
  remote attackers to cause a denial of service (infinite loop and CPU
  consumption) via a crafted mp4 file.


@Maintainers could you please confirm if we are affected by any of these vulnerabilities?

Thank you
Comment 1 Larry the Git Cow gentoo-dev 2018-09-18 15:11:02 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c8d9d005d305c0d4a8232649e3ec93535c1bacca

commit c8d9d005d305c0d4a8232649e3ec93535c1bacca
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2018-09-18 14:54:25 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2018-09-18 15:07:45 +0000

    media-libs/libquicktime: Fix CVE-2017-9122..9128
    
    Bug: https://bugs.gentoo.org/634806
    Package-Manager: Portage-2.3.49, Repoman-2.3.10

 .../libquicktime-1.2.4-CVE-2017-9122_et_al.patch   | 151 +++++++++++++++++++++
 .../libquicktime/libquicktime-1.2.4-r3.ebuild      |   1 +
 2 files changed, 152 insertions(+)
Comment 2 Andreas Sturmlechner gentoo-dev 2018-09-18 15:16:30 UTC
This patch supposedly also fixes bug 626862, according to SUSE who took no further action:

https://bugzilla.suse.com/show_bug.cgi?id=1051855
Comment 3 Stabilization helper bot gentoo-dev 2018-09-18 16:01:02 UTC
An automated check of this bug failed - repoman reported dependency errors (71 lines truncated): 

> dependency.bad media-libs/libquicktime/libquicktime-1.2.4-r3.ebuild: DEPEND: ia64(default/linux/ia64/17.0) ['>=media-video/libav-12:0=[abi_x86_32(-)?,abi_x86_64(-)?,abi_x86_x32(-)?,abi_mips_n32(-)?,abi_mips_n64(-)?,abi_mips_o32(-)?,abi_ppc_32(-)?,abi_ppc_64(-)?,abi_s390_32(-)?,abi_s390_64(-)?]']
> dependency.bad media-libs/libquicktime/libquicktime-1.2.4-r3.ebuild: RDEPEND: ia64(default/linux/ia64/17.0) ['>=media-video/libav-12:0=[abi_x86_32(-)?,abi_x86_64(-)?,abi_x86_x32(-)?,abi_mips_n32(-)?,abi_mips_n64(-)?,abi_mips_o32(-)?,abi_ppc_32(-)?,abi_ppc_64(-)?,abi_s390_32(-)?,abi_s390_64(-)?]']
> dependency.bad media-libs/libquicktime/libquicktime-1.2.4-r3.ebuild: DEPEND: ia64(default/linux/ia64/17.0/desktop) ['>=media-video/libav-12:0=[abi_x86_32(-)?,abi_x86_64(-)?,abi_x86_x32(-)?,abi_mips_n32(-)?,abi_mips_n64(-)?,abi_mips_o32(-)?,abi_ppc_32(-)?,abi_ppc_64(-)?,abi_s390_32(-)?,abi_s390_64(-)?]']
Comment 4 Andreas Sturmlechner gentoo-dev 2018-09-18 16:08:08 UTC
sigh... why is that libav bug broken...
Comment 5 Thomas Deutschmann (RETIRED) gentoo-dev 2018-09-24 01:52:03 UTC
x86 stable
Comment 6 Agostino Sarubbo gentoo-dev 2018-09-24 07:24:05 UTC
amd64 stable
Comment 7 Tobias Klausmann (RETIRED) gentoo-dev 2018-10-02 10:59:40 UTC
Stable on alpha.
Comment 8 Sergei Trofimovich (RETIRED) gentoo-dev 2018-10-14 10:01:57 UTC
ppc64 stable
Comment 9 Andreas Sturmlechner gentoo-dev 2018-10-20 12:30:26 UTC
Adding remaining arches.
Comment 10 Sergei Trofimovich (RETIRED) gentoo-dev 2018-10-26 23:00:06 UTC
ia64 stable
Comment 11 Sergei Trofimovich (RETIRED) gentoo-dev 2018-10-28 22:31:42 UTC
ppc stable
Comment 12 Rolf Eike Beer archtester 2018-11-08 23:03:59 UTC
sparc stable
Comment 13 Larry the Git Cow gentoo-dev 2018-11-08 23:04:57 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0b9e63a9d14b162ee15c36f94a88453dd73ac2ba

commit 0b9e63a9d14b162ee15c36f94a88453dd73ac2ba
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2018-11-08 23:03:54 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2018-11-08 23:03:54 +0000

    media-libs/libquicktime: Security cleanup
    
    Bug: https://bugs.gentoo.org/634806
    Package-Manager: Portage-2.3.51, Repoman-2.3.12
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 .../libquicktime/libquicktime-1.2.4-r2.ebuild      | 132 ---------------------
 1 file changed, 132 deletions(-)