Chris Evans published this vulnerability on a private blog; as far as I'm concerned there was no CVE assigned yet, but it should be considered to be public. I'm unaware if upstream was directly informed.

https://scarybeastsecurity.blogspot.com/2016/11/0day-poc-risky-design-decisions-in.html

Affects all versions of media-libs/gst-plugins-bad in the portage tree from what I can tell. Could probably lead to code execution.

The overflow occurs in media-libs/gst-plugins-bad-*/gst/vmnc/vmncdec.c:

    static int
    vmnc_handle_wmvi_rectangle (GstVMncDec * dec, struct RfbRectangle *rect,
        const guint8 * data, int len, gboolean decode)
    {
      ...
      bpp = data[0];
      ...
      dec->format.bytes_per_pixel = bpp / 8;
      dec->format.width = rect->width;
      dec->format.height = rect->height;
      ...
      dec->imagedata = g_malloc (dec->format.width * dec->format.height *
          dec->format.bytes_per_pixel);
      ...
    }

bpp is of type gint and attacker controlled; it is valid if it is 8, 16 or 32 (depth). rect->width and rect->height are of type guint16 and can be controlled by the attacker by manipulating input files handled by applications relying on gst-plugins-bad; there is no input validation. Exploitation is described on the linked website.
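To make the arithmetic in the report concrete, here is an added example (not code from gst-plugins-bad, from the upstream patch, or from the bug report) that models the size computation in vmnc_handle_wmvi_rectangle() and puts a range-checked variant next to it. The function names, the VMNC_MAX_FRAMEBUF cap and the sample header values are assumptions for this illustration; the check shown is our own and does not reproduce the logic of the upstream commit.

```c
/*
 * Added example: why width/height/bpp from a VMNC rectangle header must be
 * range-checked before the product is handed to g_malloc(). Not gst code.
 */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Mirrors the unchecked arithmetic in the report: rect->width and
 * rect->height are guint16 and bytes_per_pixel is gint, so the product is
 * evaluated in 32-bit int and wraps. Signed overflow is undefined in C, so
 * this model uses uint32_t to reproduce the wrap deterministically.
 * Returns the size g_malloc() would receive. */
uint32_t vmnc_framebuf_size_unchecked(uint16_t width, uint16_t height, int bpp)
{
    uint32_t bytes_per_pixel = (uint32_t)bpp / 8;
    return (uint32_t)width * (uint32_t)height * bytes_per_pixel;
}

/* Assumed policy limit for this example, not a gst-plugins-bad constant. */
#define VMNC_MAX_FRAMEBUF ((uint64_t)256 * 1024 * 1024)   /* 256 MiB */

/* Hardened variant (our own check): accept only the depths the decoder
 * supports, reject zero dimensions, multiply in 64 bits where guint16
 * inputs cannot overflow, and cap the result. Returns 0 and stores the
 * byte count on success, -1 if the header is rejected. */
int vmnc_framebuf_size_checked(uint16_t width, uint16_t height, int bpp,
                               size_t *out)
{
    if (bpp != 8 && bpp != 16 && bpp != 32)
        return -1;                      /* unsupported depth */
    if (width == 0 || height == 0)
        return -1;                      /* g_malloc(0) yields NULL; nothing to decode into */

    uint64_t need = (uint64_t)width * (uint64_t)height * (uint64_t)(bpp / 8);
    if (need > VMNC_MAX_FRAMEBUF || need > (uint64_t)SIZE_MAX)
        return -1;                      /* exceeds policy or cannot be represented */

    *out = (size_t)need;
    return 0;
}

int main(void)
{
    /* Constructed header values: 32768 x 32768 at 32 bpp is exactly 2^32 bytes,
     * so the 32-bit product wraps to 0. */
    uint16_t w = 32768, h = 32768;
    int bpp = 32;
    size_t n = 0;

    printf("unchecked: g_malloc(%u) for %ux%u@%d\n",
           vmnc_framebuf_size_unchecked(w, h, bpp), w, h, bpp);
    printf("checked:   %s\n",
           vmnc_framebuf_size_checked(w, h, bpp, &n) == 0 ? "accepted" : "rejected");
    return 0;
}
```

With the sample header the unchecked path asks g_malloc() for 0 bytes while the decoder goes on to write a 32768x32768x4 frame into it; the checked path rejects the same header before any allocation happens.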
There's gstreamer-1.10.1 available. Anybody knows if that version still has this vulnerability?
(In reply to Lars Wendler (Polynomial-C) from comment #1)
> There's gstreamer-1.10.1 available. Anybody knows if that version still has
> this vulnerability?

Upstream patch: https://cgit.freedesktop.org/gstreamer/gst-plugins-bad/commit/gst/vmnc/vmncdec.c?id=4cb1bcf1422bbcd79c0f683edb7ee85e3f7a31fe

Courtesy of Hanno's comment on the blog post. The patch is included in the 1.10.1 release: https://cgit.freedesktop.org/gstreamer/gst-plugins-bad/commit/?h=1.10
CVE-2016-9445 was assigned http://seclists.org/oss-sec/2016/q4/462
We would need to patch gst-plugins-bad-1.8.3 with a revbump here. Can't rush 1.10.1 into stable as a completely new stable cycle, which isn't even in ~arch yet.

I think just applying the patch as-is should work for 1.8.3, but I have no means to test the vulnerability described here (can't read that loooong post right now, in case anything is in there).

The other relevant changes to that plugin include https://cgit.freedesktop.org/gstreamer/gst-plugins-bad/commit/gst/vmnc/vmncdec.c?id=8cdfb13658a069 and https://cgit.freedesktop.org/gstreamer/gst-plugins-bad/commit/gst/vmnc/vmncdec.c?id=50537e2c08cec. The security patch should be fine without including these.

I don't have the tree and upgrades up to date on my GPG machine right now, so someone can feel free to do that revbump instead of me, if just including upstream commit 93f9faad75 works and is sufficient.
(In reply to Mart Raudsepp from comment #4)
> if just including upstream commit 93f9faad75 works and is sufficient.

That commit id is the one cherry-picked to the 1.10 branch, hence the difference from the link in comment #2.

Note that 0.10 seems vulnerable as well. Personally I don't care in the slightest about that, and we are trying to get those SLOTs treecleaned. I would just pass --disable-vmnc to its configure in a revbump as the security fix there, even if the patch happens to apply as-is to there. I would also pass --disable-nsf for "fixing" CVE-2016-9447.

Also note that the g_malloc change to g_malloc0 in the same commit seems to be assigned CVE-2016-9446 separately.

So if someone could commit a revbump to 1.8.3 that adds the vmnc patch, and a 0.10 revbump that disables vmnc and nsf via configure flags (and confirms it works and these plugins aren't installed anymore), then that'd be splendid and we could move on to stabilization.
kensington made, committed, tested and pushed the ebuilds for me.

Target keywords:

gst-plugins-bad-0.10.23-r4 alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
gst-plugins-bad-1.8.3-r1 alpha amd64 arm hppa ia64 ppc ppc64 sparc x86

For 1.8.3-r1, arm, ia64, ppc, ppc64 and sparc need to do other stabilization first, to get the gstreamer 1.8 cycle stable at all. This is handled in bug 587010, which in turn might depend partially on bug 584468 or make that partially obsolete (don't need to go for gst 1.6 versions there, but straight to 1.8.* from the direct dependent bug) in addition to the bugs marked as dependencies on 587010. Can change the -bad-1.8.3-r0 to -r1 during stabilization of course; the vulnerability segfault should happen with 1.4 and 1.6 versions as well.

* How to test the gst-plugins-bad-1.8.3-r1 security fix:

    wget https://security.appspot.com/security/vmnc/vmnc_width_height_int_oflow.avi
    gst-play-1.0 vmnc_width_height_int_oflow.avi

  Before the upgrade this should segfault, afterwards play fine (note that with the old version some other process on the system might get killed too, and whatever else that sample AVI happens to try to do).

* How to test the gst-plugins-bad-0.10.23-r4 removal of vulnerable code:

    gst-inspect-0.10 vmncdec
    gst-inspect-0.10 nsfdec

  Before the upgrade these should list a whole lot of information for each; after the upgrade it should simply say:

    No such element or plugin 'vmncdec'
    No such element or plugin 'nsfdec'

Both of these have been tested to work like this on amd64 by kensington and me, and I don't expect any difference on other architectures (besides maybe how the segfault potentially affects the rest of the system with the vulnerable version).
amd64 stable
x86 stable
Stable on alpha.
arm stable
An automated check of this bug failed - repoman reported dependency errors (134 lines truncated):

> dependency.bad media-libs/gst-plugins-bad/gst-plugins-bad-1.8.3-r1.ebuild: DEPEND: ia64(default/linux/ia64/13.0) ['>=media-libs/gstreamer-1.8.3:1.0[abi_x86_32(-)?,abi_x86_64(-)?,abi_x86_x32(-)?,abi_mips_n32(-)?,abi_mips_n64(-)?,abi_mips_o32(-)?,abi_ppc_32(-)?,abi_ppc_64(-)?,abi_s390_32(-)?,abi_s390_64(-)?,introspection?]', '>=media-libs/gst-plugins-base-1.8.3:1.0[abi_x86_32(-)?,abi_x86_64(-)?,abi_x86_x32(-)?,abi_mips_n32(-)?,abi_mips_n64(-)?,abi_mips_o32(-)?,abi_ppc_32(-)?,abi_ppc_64(-)?,abi_s390_32(-)?,abi_s390_64(-)?,introspection?]']
> dependency.bad media-libs/gst-plugins-bad/gst-plugins-bad-1.8.3-r1.ebuild: RDEPEND: ia64(default/linux/ia64/13.0) ['>=media-libs/gstreamer-1.8.3:1.0[abi_x86_32(-)?,abi_x86_64(-)?,abi_x86_x32(-)?,abi_mips_n32(-)?,abi_mips_n64(-)?,abi_mips_o32(-)?,abi_ppc_32(-)?,abi_ppc_64(-)?,abi_s390_32(-)?,abi_s390_64(-)?,introspection?]', '>=media-libs/gst-plugins-base-1.8.3:1.0[abi_x86_32(-)?,abi_x86_64(-)?,abi_x86_x32(-)?,abi_mips_n32(-)?,abi_mips_n64(-)?,abi_mips_o32(-)?,abi_ppc_32(-)?,abi_ppc_64(-)?,abi_s390_32(-)?,abi_s390_64(-)?,introspection?]']
> dependency.bad media-libs/gst-plugins-bad/gst-plugins-bad-1.8.3-r1.ebuild: DEPEND: ia64(default/linux/ia64/13.0/desktop) ['>=media-libs/gstreamer-1.8.3:1.0[abi_x86_32(-)?,abi_x86_64(-)?,abi_x86_x32(-)?,abi_mips_n32(-)?,abi_mips_n64(-)?,abi_mips_o32(-)?,abi_ppc_32(-)?,abi_ppc_64(-)?,abi_s390_32(-)?,abi_s390_64(-)?,introspection?]', '>=media-libs/gst-plugins-base-1.8.3:1.0[abi_x86_32(-)?,abi_x86_64(-)?,abi_x86_x32(-)?,abi_mips_n32(-)?,abi_mips_n64(-)?,abi_mips_o32(-)?,abi_ppc_32(-)?,abi_ppc_64(-)?,abi_s390_32(-)?,abi_s390_64(-)?,introspection?]']
Please disregard the previous warning, I mistakenly converted this bug to the new format without also converting the bugs it depends on.
Stable for HPPA.
ia64 stable
gst-plugins-bad:1.0 cleaned up, but SLOT=0.10 cleanup remains due to waiting on media-libs/gst-plugins-bad-0.10.23-r4 for ppc/ppc64/sparc
sparc stable
ppc stable
ppc64 stable, last arch.
cleanup done
GLSA request filed.
This issue was resolved and addressed in GLSA 201705-10 at https://security.gentoo.org/glsa/201705-10 by GLSA coordinator Yury German (BlueKnight).
glsa-check matches media-libs/gst-plugins-base-0.10.36-r2 as affected. Is it really affected?
Yes, it is vulnerable to other things, not vmnc (that plugin is selectively disabled in gst-plugins-bad:0.10). Probably at least CVE-2017-5837, CVE-2017-5839, CVE-2017-5842, CVE-2017-5844, and that's just what's in gst-plugins-base, not gstreamer or gst-plugins-good (isomp4 vulns), without which the SLOT is not really useful at all. The whole 0.10 stack has been EOL for a long time, and no one cares to check its security.