Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 626706 (CVE-2017-11546, CVE-2017-11547, CVE-2017-11549) - <media-sound/timidity++-2.14.0-r3: multiple vulnerabilities
Summary: <media-sound/timidity++-2.14.0-r3: multiple vulnerabilities
Status: RESOLVED FIXED
Alias: CVE-2017-11546, CVE-2017-11547, CVE-2017-11549
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: http://seclists.org/fulldisclosure/20...
Whiteboard: B3 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2017-07-31 13:22 UTC by Christopher Díaz Riveros (RETIRED)
Modified: 2018-11-08 02:43 UTC (History)
1 user (show)

See Also:
Package list:
media-sound/timidity++-2.14.0-r3
Runtime testing required: ---
stable-bot: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-07-31 13:22:24 UTC
From URL:

TiMidity++ multiple vulnerabilities
================
Author : qflb.wu
===============


Introduction:
=============
TiMidity++ is an open source MIDI to WAVE converter and player.


Affected version:
=====
2.14.0


Vulnerability Description:
==========================
1.
the insert_note_steps function in readmidi.c in TiMidity++ 2.14.0 can cause a denial of service(divide-by-zero error 
and application crash) via a crafted mid file.


./timidity timidity++_2.14.0_divide_by_zero_error.mid


----debug info:----
Program received signal SIGFPE, Arithmetic exception.
0x000000000071e9a9 in insert_note_steps () at readmidi.c:4594
4594at += current_file_info->divisions * 4 / denom;
(gdb) bt
#0  0x000000000071e9a9 in insert_note_steps () at readmidi.c:4594
#1  read_midi_file (tf=<optimized out>, fn=<optimized out>, 
    count=<optimized out>, sp=<optimized out>) at readmidi.c:4755
#2  0x0000000000650d6c in play_midi_load_file (event=<optimized out>, 
    fn=<optimized out>, nsamples=<optimized out>) at playmidi.c:8453
#3  play_midi_file (
    fn=0x60400000df90 "/home/a/Documents/test/file")
    at playmidi.c:8563
#4  0x0000000000659562 in dumb_pass_playing_list (
    number_of_files=<optimized out>, list_of_files=<optimized out>)
    at playmidi.c:8624
#5  0x0000000000846119 in timidity_play_main (nfiles=1, files=<optimized out>)
    at timidity.c:5655
#6  main (argc=<optimized out>, argv=<optimized out>) at timidity.c:5935
(gdb) disassemble 0x000000000071e9a9,0x000000000071e9ff
Dump of assembler code from 0x71e9a9 to 0x71e9ff:
=> 0x000000000071e9a9 <read_midi_file+13305>:idiv   %ecx
   0x000000000071e9ab <read_midi_file+13307>:add    %eax,%r15d
   0x000000000071e9ae <read_midi_file+13310>:mov    -0x38(%rbp),%eax
   0x000000000071e9b1 <read_midi_file+13313>:cmp    %eax,%r15d
   0x000000000071e9b4 <read_midi_file+13316>:mov    -0x48(%rbp),%rdi
   0x000000000071e9b8 <read_midi_file+13320>:mov    -0x30(%rbp),%ebx
   0x000000000071e9bb <read_midi_file+13323>:jge    0x71e9cb <read_midi_file+13339>
   0x000000000071e9bd <read_midi_file+13325>:mov    0x1bd403d(%rip),%eax        # 0x22f2a00 <readmidi_error_flag>
   0x000000000071e9c3 <read_midi_file+13331>:test   %eax,%eax
   0x000000000071e9c5 <read_midi_file+13333>:je     0x71e635 <read_midi_file+12421>
   0x000000000071e9cb <read_midi_file+13339>:mov    %fs:0x0,%rax
   0x000000000071e9d4 <read_midi_file+13348>:add    0x6cf5fd(%rip),%rax        # 0xdedfd8
   0x000000000071e9db <read_midi_file+13355>:shr    $0x3,%rax
   0x000000000071e9df <read_midi_file+13359>:mov    0x7fff8000(%rax),%al
   0x000000000071e9e5 <read_midi_file+13365>:test   %al,%al
   0x000000000071e9e7 <read_midi_file+13367>:je     0x71ea09 <read_midi_file+13401>
   0x000000000071e9e9 <read_midi_file+13369>:mov    0x6cf5e8(%rip),%rcx      ---Type <return> to continue, or q 
<return> to quit---q
Quit
(gdb) i r
rax            0x1e0480
rbx            0x11
rcx            0x00
rdx            0x00
rsi            0x78120
rdi            0xc4a00106edc13511968190172
rbp            0x7fffffffb7b00x7fffffffb7b0
rsp            0x7fffffffad200x7fffffffad20
r8             0x00
r9             0x11
r10            0x1c37d81849304
r11            0x91145
r12            0x11
r13            0xfffffffffffffffc-4
r14            0x00
r15            0x00
rip            0x71e9a90x71e9a9 <read_midi_file+13305>
eflags         0x10246[ PF ZF IF RF ]
cs             0x3351
ss             0x2b43
ds             0x00
es             0x00
fs             0x00
---Type <return> to continue, or q <return> to quit---q
Quit
(gdb) 


POC:
timidity++_2.14.0_divide_by_zero_error.mid
CVE:
CVE-2017-11546


2.
the resample_gauss function in resample.c in TiMidity++ 2.14.0 can cause a denial of service(heap-buffer-overflow) via 
a crafted mid file.


./timidity timidity++_2.14.0_heap_buffer_overflow.mid


=================================================================
==4658==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62b00004c93a at pc 0x76f1db bp 0x7fff1cc7ad30 sp 
0x7fff1cc7ad28
READ of size 2 at 0x62b00004c93a thread T0
    #0 0x76f1da in resample_gauss /home/a/Downloads/TiMidity++-2.14.0/timidity/resample.c:174
    #1 0x777f2d in rs_plain /home/a/Downloads/TiMidity++-2.14.0/timidity/resample.c:620
    #2 0x777f2d in normal_resample_voice /home/a/Downloads/TiMidity++-2.14.0/timidity/resample.c:1303
    #3 0x772e07 in resample_voice /home/a/Downloads/TiMidity++-2.14.0/timidity/resample.c:1369
    #4 0x53d527 in mix_voice /home/a/Downloads/TiMidity++-2.14.0/timidity/mix.c:134
    #5 0x689989 in do_compute_data_midi /home/a/Downloads/TiMidity++-2.14.0/timidity/playmidi.c:6751
    #6 0x689989 in do_compute_data /home/a/Downloads/TiMidity++-2.14.0/timidity/playmidi.c:7044
    #7 0x61e337 in compute_data /home/a/Downloads/TiMidity++-2.14.0/timidity/playmidi.c:7433
    #8 0x5e95da in play_event /home/a/Downloads/TiMidity++-2.14.0/timidity/playmidi.c:7563
    #9 0x656379 in play_midi /home/a/Downloads/TiMidity++-2.14.0/timidity/playmidi.c:8297
    #10 0x656379 in play_midi_file /home/a/Downloads/TiMidity++-2.14.0/timidity/playmidi.c:8570
    #11 0x659581 in dumb_pass_playing_list /home/a/Downloads/TiMidity++-2.14.0/timidity/playmidi.c:8624
    #12 0x846158 in timidity_play_main /home/a/Downloads/TiMidity++-2.14.0/timidity/timidity.c:5655
    #13 0x846158 in main /home/a/Downloads/TiMidity++-2.14.0/timidity/timidity.c:5935
    #14 0x7f9bc0dcdec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
    #15 0x486fac in _start (/home/a/Downloads/TiMidity++-2.14.0/timidity/timidity+0x486fac)


0x62b00004c93b is located 0 bytes to the right of 26427-byte region [0x62b000046200,0x62b00004c93b)
allocated by thread T0 here:
    #0 0x470ec9 in __interceptor_malloc (/home/a/Downloads/TiMidity++-2.14.0/timidity/timidity+0x470ec9)
    #1 0x4acc7b in safe_malloc /home/a/Downloads/TiMidity++-2.14.0/timidity/common.c:655
    #2 0x81a948 in load_from_file /home/a/Downloads/TiMidity++-2.14.0/timidity/sndfont.c:697
    #3 0x81a948 in try_load_soundfont /home/a/Downloads/TiMidity++-2.14.0/timidity/sndfont.c:469


SUMMARY: AddressSanitizer: heap-buffer-overflow /home/a/Downloads/TiMidity++-2.14.0/timidity/resample.c:174 
resample_gauss
Shadow bytes around the buggy address:
  0x0c56800018d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c56800018e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c56800018f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c5680001900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c5680001910: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c5680001920: 00 00 00 00 00 00 00[03]fa fa fa fa fa fa fa fa
  0x0c5680001930: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c5680001940: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c5680001950: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c5680001960: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c5680001970: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:     fa
  Heap right redzone:    fb
  Freed heap region:     fd
  Stack left redzone:    f1
  Stack mid redzone:     f2
  Stack right redzone:   f3
  Stack partial redzone: f4
  Stack after return:    f5
  Stack use after scope: f8
  Global redzone:        f9
  Global init order:     f6
  Poisoned by user:      f7
  ASan internal:         fe
==4658==ABORTING


POC:
timidity++_2.14.0_heap_buffer_overflow.mid
CVE:
CVE-2017-11547


3.
the play_midi function in playmidi.c in TiMidity++ 2.14.0 can cause a denial of service(large loop and CPU consumption) 
via a crafted mid file.


./timidity timidity++_2.14.0_large_loop.mid


-----debug info:----
(gdb) bt
#0  do_ch_freeverb (buf=<optimized out>, count=<optimized out>, 
    rev=<optimized out>) at reverb.c:1570
#1  0x000000000079cdb6 in do_ch_reverb (buf=<optimized out>, 
    count=<optimized out>) at reverb.c:1921
#2  0x0000000000690b54 in do_compute_data_midi (count=2048) at playmidi.c:6895
#3  do_compute_data (count=<optimized out>) at playmidi.c:7044
#4  0x0000000000619eaa in compute_data (count=<optimized out>)
    at playmidi.c:7197
#5  0x00000000005e95bb in play_event (ev=<optimized out>) at playmidi.c:7563
#6  0x000000000065635a in play_midi (samples=<optimized out>, 
    eventlist=<optimized out>) at playmidi.c:8297
#7  play_midi_file (fn=<optimized out>) at playmidi.c:8570
#8  0x0000000000659562 in dumb_pass_playing_list (
    number_of_files=<optimized out>, list_of_files=<optimized out>)
    at playmidi.c:8624
#9  0x0000000000846159 in timidity_play_main (nfiles=1, files=<optimized out>)
    at timidity.c:5655
#10 main (argc=<optimized out>, argv=<optimized out>) at timidity.c:5935


##playmidi.c line:8294 ==> line:8302
for(;;)
{
midi_restart_time = 1;
rc = play_event(current_event);
if(rc != RC_NONE)
    break;
if (midi_restart_time)    /* don't skip the first event if == 0 */
    current_event++;
}


POC:
timidity++_2.14.0_large_loop.mid
CVE:
CVE-2017-11549
Comment 1 Andreas Sturmlechner gentoo-dev 2018-08-22 21:31:56 UTC
It seems that other distros regard CVE-2017-11549 as notabug:

https://www.mail-archive.com/debian-qa-packages@lists.debian.org/msg56304.html
https://bugzilla.suse.com/show_bug.cgi?id=1081694
Comment 2 Larry the Git Cow gentoo-dev 2018-08-22 22:23:50 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6a87c686d9ac9de5e0e455d15773d11307a73c66

commit 6a87c686d9ac9de5e0e455d15773d11307a73c66
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2018-08-22 21:56:46 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2018-08-22 22:23:22 +0000

    media-sound/timidity++: EAPI-6, CVE-2017-11546, CVE-2017-11547
    
    Bug: https://bugs.gentoo.org/626706
    Package-Manager: Portage-2.3.48, Repoman-2.3.10

 .../files/timidity++-2.14.0-CVE-2017-11546.patch   |  31 ++++
 .../files/timidity++-2.14.0-CVE-2017-11547.patch   |  67 +++++++
 .../files/timidity++-2.14.0-params.patch           |   4 +-
 ...ert-for-required-ctl_speana_data-function.patch |   4 +-
 .../files/timidity++-2.14.0-tcltk86.patch          |   4 +-
 media-sound/timidity++/timidity++-2.14.0-r3.ebuild | 199 +++++++++++++++++++++
 6 files changed, 303 insertions(+), 6 deletions(-)
Comment 3 Andreas Sturmlechner gentoo-dev 2018-08-25 21:56:52 UTC
Adding arches for 2.14.0-r3 on the basis that other distributions do not regard CVE-2017-11549 as vulnerability either, and consequently I could not find any patch for that.

Security, please decide there.
Comment 4 Agostino Sarubbo gentoo-dev 2018-08-28 12:52:54 UTC
amd64 stable
Comment 5 Rolf Eike Beer archtester 2018-08-30 05:38:08 UTC
Ignoring bug 557072 as it is no regression. sparc done.
Comment 6 Sergei Trofimovich (RETIRED) gentoo-dev 2018-09-01 23:45:44 UTC
ppc stable
Comment 7 Sergei Trofimovich (RETIRED) gentoo-dev 2018-09-01 23:47:23 UTC
ppc64 stable
Comment 8 Thomas Deutschmann gentoo-dev Security 2018-09-02 23:48:46 UTC
x86 stable
Comment 9 Larry the Git Cow gentoo-dev 2018-09-15 20:05:46 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=99790c0b7392f6240be9b93d6210bc9265c8ec13

commit 99790c0b7392f6240be9b93d6210bc9265c8ec13
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2018-09-15 19:12:56 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2018-09-15 20:04:44 +0000

    media-sound/timidity++: Drop vulnerable 2.14.0-r2
    
    Bug: https://bugs.gentoo.org/626706
    Package-Manager: Portage-2.3.48, Repoman-2.3.10

 media-sound/timidity++/timidity++-2.14.0-r2.ebuild | 185 ---------------------
 1 file changed, 185 deletions(-)
Comment 10 Andreas Sturmlechner gentoo-dev 2018-09-15 20:06:47 UTC
arm dropped, sound done.
Comment 11 Yury German Gentoo Infrastructure gentoo-dev 2018-11-08 02:43:00 UTC
GLSA Vote: No

Arches and Maintainer(s), Thank you for your work.
Closing noglsa.