Bug 626706 (CVE-2017-11546, CVE-2017-11547, CVE-2017-11549) - <media-sound/timidity++-2.14.0-r3: multiple vulnerabilities
Summary: <media-sound/timidity++-2.14.0-r3: multiple vulnerabilities
Status: RESOLVED FIXED
Alias: CVE-2017-11546, CVE-2017-11547, CVE-2017-11549
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: http://seclists.org/fulldisclosure/20...
Whiteboard: B3 [noglsa cve]
Reported: 2017-07-31 13:22 UTC by Christopher Díaz Riveros (RETIRED)
Modified: 2018-11-08 02:43 UTC

Package list:
media-sound/timidity++-2.14.0-r3
Runtime testing required: ---
stable-bot: sanity-check+

Description Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-07-31 13:22:24 UTC
From URL:

TiMidity++ multiple vulnerabilities
===================================
Author : qflb.wu
================


Introduction:
=============
TiMidity++ is an open source MIDI to WAVE converter and player.


Affected version:
=================
2.14.0


Vulnerability Description:
==========================
1.
The insert_note_steps function in readmidi.c in TiMidity++ 2.14.0 can cause a denial of service (divide-by-zero error and application crash) via a crafted mid file.


./timidity timidity++_2.14.0_divide_by_zero_error.mid


----debug info:----
Program received signal SIGFPE, Arithmetic exception.
0x000000000071e9a9 in insert_note_steps () at readmidi.c:4594
4594            at += current_file_info->divisions * 4 / denom;
(gdb) bt
#0  0x000000000071e9a9 in insert_note_steps () at readmidi.c:4594
#1  read_midi_file (tf=<optimized out>, fn=<optimized out>, 
    count=<optimized out>, sp=<optimized out>) at readmidi.c:4755
#2  0x0000000000650d6c in play_midi_load_file (event=<optimized out>, 
    fn=<optimized out>, nsamples=<optimized out>) at playmidi.c:8453
#3  play_midi_file (
    fn=0x60400000df90 "/home/a/Documents/test/file")
    at playmidi.c:8563
#4  0x0000000000659562 in dumb_pass_playing_list (
    number_of_files=<optimized out>, list_of_files=<optimized out>)
    at playmidi.c:8624
#5  0x0000000000846119 in timidity_play_main (nfiles=1, files=<optimized out>)
    at timidity.c:5655
#6  main (argc=<optimized out>, argv=<optimized out>) at timidity.c:5935
(gdb) disassemble 0x000000000071e9a9,0x000000000071e9ff
Dump of assembler code from 0x71e9a9 to 0x71e9ff:
=> 0x000000000071e9a9 <read_midi_file+13305>:idiv   %ecx
   0x000000000071e9ab <read_midi_file+13307>:add    %eax,%r15d
   0x000000000071e9ae <read_midi_file+13310>:mov    -0x38(%rbp),%eax
   0x000000000071e9b1 <read_midi_file+13313>:cmp    %eax,%r15d
   0x000000000071e9b4 <read_midi_file+13316>:mov    -0x48(%rbp),%rdi
   0x000000000071e9b8 <read_midi_file+13320>:mov    -0x30(%rbp),%ebx
   0x000000000071e9bb <read_midi_file+13323>:jge    0x71e9cb <read_midi_file+13339>
   0x000000000071e9bd <read_midi_file+13325>:mov    0x1bd403d(%rip),%eax        # 0x22f2a00 <readmidi_error_flag>
   0x000000000071e9c3 <read_midi_file+13331>:test   %eax,%eax
   0x000000000071e9c5 <read_midi_file+13333>:je     0x71e635 <read_midi_file+12421>
   0x000000000071e9cb <read_midi_file+13339>:mov    %fs:0x0,%rax
   0x000000000071e9d4 <read_midi_file+13348>:add    0x6cf5fd(%rip),%rax        # 0xdedfd8
   0x000000000071e9db <read_midi_file+13355>:shr    $0x3,%rax
   0x000000000071e9df <read_midi_file+13359>:mov    0x7fff8000(%rax),%al
   0x000000000071e9e5 <read_midi_file+13365>:test   %al,%al
   0x000000000071e9e7 <read_midi_file+13367>:je     0x71ea09 <read_midi_file+13401>
   0x000000000071e9e9 <read_midi_file+13369>:mov    0x6cf5e8(%rip),%rcx
---Type <return> to continue, or q <return> to quit---q
Quit
(gdb) i r
rax            0x1e0                480
rbx            0x1                  1
rcx            0x0                  0
rdx            0x0                  0
rsi            0x78                 120
rdi            0xc4a00106edc        13511968190172
rbp            0x7fffffffb7b0       0x7fffffffb7b0
rsp            0x7fffffffad20       0x7fffffffad20
r8             0x0                  0
r9             0x1                  1
r10            0x1c37d8             1849304
r11            0x91                 145
r12            0x1                  1
r13            0xfffffffffffffffc   -4
r14            0x0                  0
r15            0x0                  0
rip            0x71e9a9             0x71e9a9 <read_midi_file+13305>
eflags         0x10246              [ PF ZF IF RF ]
cs             0x33                 51
ss             0x2b                 43
ds             0x0                  0
es             0x0                  0
fs             0x0                  0
---Type <return> to continue, or q <return> to quit---q
Quit
(gdb) 


POC:
timidity++_2.14.0_divide_by_zero_error.mid
CVE:
CVE-2017-11546


2.
The resample_gauss function in resample.c in TiMidity++ 2.14.0 can cause a denial of service (heap-buffer-overflow) via a crafted mid file.


./timidity timidity++_2.14.0_heap_buffer_overflow.mid


=================================================================
==4658==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62b00004c93a at pc 0x76f1db bp 0x7fff1cc7ad30 sp 0x7fff1cc7ad28
READ of size 2 at 0x62b00004c93a thread T0
    #0 0x76f1da in resample_gauss /home/a/Downloads/TiMidity++-2.14.0/timidity/resample.c:174
    #1 0x777f2d in rs_plain /home/a/Downloads/TiMidity++-2.14.0/timidity/resample.c:620
    #2 0x777f2d in normal_resample_voice /home/a/Downloads/TiMidity++-2.14.0/timidity/resample.c:1303
    #3 0x772e07 in resample_voice /home/a/Downloads/TiMidity++-2.14.0/timidity/resample.c:1369
    #4 0x53d527 in mix_voice /home/a/Downloads/TiMidity++-2.14.0/timidity/mix.c:134
    #5 0x689989 in do_compute_data_midi /home/a/Downloads/TiMidity++-2.14.0/timidity/playmidi.c:6751
    #6 0x689989 in do_compute_data /home/a/Downloads/TiMidity++-2.14.0/timidity/playmidi.c:7044
    #7 0x61e337 in compute_data /home/a/Downloads/TiMidity++-2.14.0/timidity/playmidi.c:7433
    #8 0x5e95da in play_event /home/a/Downloads/TiMidity++-2.14.0/timidity/playmidi.c:7563
    #9 0x656379 in play_midi /home/a/Downloads/TiMidity++-2.14.0/timidity/playmidi.c:8297
    #10 0x656379 in play_midi_file /home/a/Downloads/TiMidity++-2.14.0/timidity/playmidi.c:8570
    #11 0x659581 in dumb_pass_playing_list /home/a/Downloads/TiMidity++-2.14.0/timidity/playmidi.c:8624
    #12 0x846158 in timidity_play_main /home/a/Downloads/TiMidity++-2.14.0/timidity/timidity.c:5655
    #13 0x846158 in main /home/a/Downloads/TiMidity++-2.14.0/timidity/timidity.c:5935
    #14 0x7f9bc0dcdec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
    #15 0x486fac in _start (/home/a/Downloads/TiMidity++-2.14.0/timidity/timidity+0x486fac)


0x62b00004c93b is located 0 bytes to the right of 26427-byte region [0x62b000046200,0x62b00004c93b)
allocated by thread T0 here:
    #0 0x470ec9 in __interceptor_malloc (/home/a/Downloads/TiMidity++-2.14.0/timidity/timidity+0x470ec9)
    #1 0x4acc7b in safe_malloc /home/a/Downloads/TiMidity++-2.14.0/timidity/common.c:655
    #2 0x81a948 in load_from_file /home/a/Downloads/TiMidity++-2.14.0/timidity/sndfont.c:697
    #3 0x81a948 in try_load_soundfont /home/a/Downloads/TiMidity++-2.14.0/timidity/sndfont.c:469


SUMMARY: AddressSanitizer: heap-buffer-overflow /home/a/Downloads/TiMidity++-2.14.0/timidity/resample.c:174 resample_gauss
Shadow bytes around the buggy address:
  0x0c56800018d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c56800018e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c56800018f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c5680001900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c5680001910: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c5680001920: 00 00 00 00 00 00 00[03]fa fa fa fa fa fa fa fa
  0x0c5680001930: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c5680001940: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c5680001950: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c5680001960: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c5680001970: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:     fa
  Heap right redzone:    fb
  Freed heap region:     fd
  Stack left redzone:    f1
  Stack mid redzone:     f2
  Stack right redzone:   f3
  Stack partial redzone: f4
  Stack after return:    f5
  Stack use after scope: f8
  Global redzone:        f9
  Global init order:     f6
  Poisoned by user:      f7
  ASan internal:         fe
==4658==ABORTING


POC:
timidity++_2.14.0_heap_buffer_overflow.mid
CVE:
CVE-2017-11547


3.
The play_midi function in playmidi.c in TiMidity++ 2.14.0 can cause a denial of service (large loop and CPU consumption) via a crafted mid file.


./timidity timidity++_2.14.0_large_loop.mid


----debug info:----
(gdb) bt
#0  do_ch_freeverb (buf=<optimized out>, count=<optimized out>, 
    rev=<optimized out>) at reverb.c:1570
#1  0x000000000079cdb6 in do_ch_reverb (buf=<optimized out>, 
    count=<optimized out>) at reverb.c:1921
#2  0x0000000000690b54 in do_compute_data_midi (count=2048) at playmidi.c:6895
#3  do_compute_data (count=<optimized out>) at playmidi.c:7044
#4  0x0000000000619eaa in compute_data (count=<optimized out>)
    at playmidi.c:7197
#5  0x00000000005e95bb in play_event (ev=<optimized out>) at playmidi.c:7563
#6  0x000000000065635a in play_midi (samples=<optimized out>, 
    eventlist=<optimized out>) at playmidi.c:8297
#7  play_midi_file (fn=<optimized out>) at playmidi.c:8570
#8  0x0000000000659562 in dumb_pass_playing_list (
    number_of_files=<optimized out>, list_of_files=<optimized out>)
    at playmidi.c:8624
#9  0x0000000000846159 in timidity_play_main (nfiles=1, files=<optimized out>)
    at timidity.c:5655
#10 main (argc=<optimized out>, argv=<optimized out>) at timidity.c:5935


##playmidi.c line:8294 ==> line:8302
    for(;;)
    {
        midi_restart_time = 1;
        rc = play_event(current_event);
        if(rc != RC_NONE)
            break;
        if (midi_restart_time)    /* don't skip the first event if == 0 */
            current_event++;
    }


POC:
timidity++_2.14.0_large_loop.mid
CVE:
CVE-2017-11549
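The SIGFPE in item 1 is an idiv whose divisor register (%ecx) holds 0 at the faulting instruction. The following is an added example, not TiMidity's code or its fix: a defensive decode of the Standard MIDI time-signature denominator and a guarded form of the step computation. The names timesig_denom and next_step, the event bytes, and the assumption that the denominator is kept as an 8-bit value are mine.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed SMF time-signature meta events: FF 58 04 nn dd cc bb, where the
 * beat denominator is 2^dd. Byte values are made up for this example. */
static const uint8_t timesig_44[]    = {0xFF, 0x58, 0x04, 0x04, 0x02, 0x18, 0x08};
static const uint8_t timesig_huge[]  = {0xFF, 0x58, 0x04, 0x04, 0x08, 0x18, 0x08};
static const uint8_t timesig_short[] = {0xFF, 0x58, 0x04, 0x04};

/* Decode the denominator into the 8-bit value a step loop would keep
 * (assumption). Returns 0 for a malformed event or for an exponent whose
 * 2^dd does not fit in a uint8 (dd >= 8 would wrap 256 to 0); the caller
 * must treat 0 as invalid rather than divide by it. */
unsigned timesig_denom(const uint8_t *ev, size_t len)
{
    if (len < 7 || ev[0] != 0xFF || ev[1] != 0x58 || ev[2] != 0x04)
        return 0;
    if (ev[4] > 7)
        return 0;
    return 1u << ev[4];
}

/* Hypothetical guarded form of the faulting statement
 *   at += current_file_info->divisions * 4 / denom;
 * Returns -1 instead of dividing when denom is 0, so a crafted time
 * signature cannot raise SIGFPE; the caller aborts the parse on -1. */
int32_t next_step(int32_t at, int32_t divisions, unsigned denom)
{
    if (denom == 0)
        return -1;
    return at + divisions * 4 / (int32_t)denom;
}

int main(void)
{
    unsigned d = timesig_denom(timesig_44, sizeof timesig_44);     /* 4 */
    int32_t at = next_step(0, 480, d);                              /* 480 */
    printf("4/4 step: %d\n", at);
    d = timesig_denom(timesig_huge, sizeof timesig_huge);           /* 0 */
    printf("dd=8 step: %d (rejected)\n", next_step(at, 480, d));    /* -1 */
    return 0;
}
```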
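For item 2, the ASan report shows a 2-byte read exactly at the end of the sample region, the signature of an interpolation window whose right edge runs one element past the last sample. Added example, not TiMidity's code or fix: a bounds check for a symmetric N-tap window and a clamped variant that never indexes past the buffer. HALF, window_in_bounds, window_sum_clamped, the equal tap weights, and the PCM values are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed int16 PCM buffer standing in for the soundfont sample region
 * in the report; values are made up for this example. */
static const int16_t pcm[] = {0, 800, 1600, 2400, 3200, 4000, 4800, 5600};
#define PCM_LEN (sizeof pcm / sizeof pcm[0])

/* Taps on each side of the current position: the window is
 * [pos - HALF, pos + HALF]. With pos == len - 1 the right edge is
 * s[len], the "0 bytes to the right of the region" read in the report. */
#define HALF 2

/* Return 0 if every tap of the window lies inside [0, len), else -1. */
int window_in_bounds(size_t len, size_t pos)
{
    if (len == 0 || pos >= len)
        return -1;
    if (pos < HALF || pos + HALF >= len)
        return -1;
    return 0;
}

/* Sum the window with per-tap clamping so an edge position repeats the
 * first/last sample instead of reading outside the buffer. Equal weights
 * stand in for the real interpolation kernel (assumption). */
int32_t window_sum_clamped(const int16_t *s, size_t len, size_t pos)
{
    int32_t acc = 0;
    if (len == 0)
        return 0;
    for (int k = -HALF; k <= HALF; k++) {
        ptrdiff_t i = (ptrdiff_t)pos + k;
        if (i < 0)
            i = 0;                              /* clamp left edge */
        if ((size_t)i >= len)
            i = (ptrdiff_t)len - 1;             /* clamp right edge */
        acc += s[i];
    }
    return acc;
}

int main(void)
{
    printf("pos 3 in bounds: %d\n", window_in_bounds(PCM_LEN, 3));   /* 0 */
    printf("pos 7 in bounds: %d\n", window_in_bounds(PCM_LEN, 7));   /* -1 */
    printf("clamped sum at 7: %d\n", (int)window_sum_clamped(pcm, PCM_LEN, 7));
    return 0;
}
```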
Comment 1 Andreas Sturmlechner gentoo-dev 2018-08-22 21:31:56 UTC
It seems that other distros regard CVE-2017-11549 as notabug:

https://www.mail-archive.com/debian-qa-packages@lists.debian.org/msg56304.html
https://bugzilla.suse.com/show_bug.cgi?id=1081694
Comment 2 Larry the Git Cow gentoo-dev 2018-08-22 22:23:50 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6a87c686d9ac9de5e0e455d15773d11307a73c66

commit 6a87c686d9ac9de5e0e455d15773d11307a73c66
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2018-08-22 21:56:46 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2018-08-22 22:23:22 +0000

    media-sound/timidity++: EAPI-6, CVE-2017-11546, CVE-2017-11547
    
    Bug: https://bugs.gentoo.org/626706
    Package-Manager: Portage-2.3.48, Repoman-2.3.10

 .../files/timidity++-2.14.0-CVE-2017-11546.patch   |  31 ++++
 .../files/timidity++-2.14.0-CVE-2017-11547.patch   |  67 +++++++
 .../files/timidity++-2.14.0-params.patch           |   4 +-
 ...ert-for-required-ctl_speana_data-function.patch |   4 +-
 .../files/timidity++-2.14.0-tcltk86.patch          |   4 +-
 media-sound/timidity++/timidity++-2.14.0-r3.ebuild | 199 +++++++++++++++++++++
 6 files changed, 303 insertions(+), 6 deletions(-)
Comment 3 Andreas Sturmlechner gentoo-dev 2018-08-25 21:56:52 UTC
Adding arches for 2.14.0-r3 on the basis that other distributions do not regard CVE-2017-11549 as a vulnerability either, and consequently I could not find any patch for that.

Security, please decide there.
Comment 4 Agostino Sarubbo gentoo-dev 2018-08-28 12:52:54 UTC
amd64 stable
Comment 5 Rolf Eike Beer archtester 2018-08-30 05:38:08 UTC
Ignoring bug 557072 as it is no regression. sparc done.
Comment 6 Sergei Trofimovich (RETIRED) gentoo-dev 2018-09-01 23:45:44 UTC
ppc stable
Comment 7 Sergei Trofimovich (RETIRED) gentoo-dev 2018-09-01 23:47:23 UTC
ppc64 stable
Comment 8 Thomas Deutschmann (RETIRED) gentoo-dev 2018-09-02 23:48:46 UTC
x86 stable
Comment 9 Larry the Git Cow gentoo-dev 2018-09-15 20:05:46 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=99790c0b7392f6240be9b93d6210bc9265c8ec13

commit 99790c0b7392f6240be9b93d6210bc9265c8ec13
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2018-09-15 19:12:56 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2018-09-15 20:04:44 +0000

    media-sound/timidity++: Drop vulnerable 2.14.0-r2
    
    Bug: https://bugs.gentoo.org/626706
    Package-Manager: Portage-2.3.48, Repoman-2.3.10

 media-sound/timidity++/timidity++-2.14.0-r2.ebuild | 185 ---------------------
 1 file changed, 185 deletions(-)
Comment 10 Andreas Sturmlechner gentoo-dev 2018-09-15 20:06:47 UTC
arm dropped, sound done.
Comment 11 Yury German Gentoo Infrastructure gentoo-dev 2018-11-08 02:43:00 UTC
GLSA Vote: No

Arches and Maintainer(s), Thank you for your work.
Closing noglsa.