Bug 1397441 (CVE-2016-9634, CVE-2016-9635, CVE-2016-9636, CVE-2016-9808)

Summary: CVE-2016-9634 CVE-2016-9635 CVE-2016-9636 CVE-2016-9808 gstreamer-plugins-good: Heap buffer overflow in FLIC decoder
Product: [Other] Security Response
Reporter: Adam Mariš <amaris>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: bdpepple, bmcclain, bnocera, cfergeau, dblechte, fidencio, jgrulich, lsurette, marcandre.lureau, mgoldboi, michal.skrivanek, mike, negativo17, otte, rh-spice-bugs, slawomir, srevivo, uraeus, victortoso, wtaymans, ykaul, yozone
Keywords: Reopened, Security
Hardware: All
OS: Linux
Doc Text:
Multiple flaws were discovered in GStreamer's FLC/FLI/FLX media file format decoding plug-in. A remote attacker could use these flaws to cause an application using GStreamer to crash or, potentially, execute arbitrary code with the privileges of the user running the application.
Last Closed: 2019-06-08 03:02:28 UTC
Bug Depends On: 1401876, 1397442, 1397443, 1400835, 1400836, 1400842, 1400843, 1400892, 1400893, 1401875    
Bug Blocks: 1397444    

Description Adam Mariš 2016-11-22 14:26:15 UTC
A heap-based buffer overflow vulnerability was found in the FLIC decoder in the flx_decode_delta_fli() function.

Vulnerable code:

 flx_decode_delta_fli (GstFlxDec * flxdec, guchar * data, guchar * dest)
{
...
  /* use last frame for delta */
  memcpy (dest, flxdec->delta_data, flxdec->size);

  start_line = (data[0] + (data[1] << 8));
  lines = (data[2] + (data[3] << 8));
  data += 4;

  /* start position of delta */
  dest += (flxdec->hdr.width * start_line);
  start_p = dest;

  while (lines--) {
    /* packet count */
    packets = *data++;

    while (packets--) {
      /* skip count */
      dest += *data++;

      /* RLE count */
      count = *data++;

      if (count > 0x7f) {
...
      } else {
        /* replicate run */
        while (count--)
          *dest++ = *data++;

The above function is called via a FLX_LC command in the input file. At the time of the call, dest points to the start of the output canvas buffer, e.g. 8 x 8 pixels and always 1 byte per pixel. data points to attacker-controlled data from the raw input file. Due to the lack of bounds checking against the canvas width and height, an attacker can achieve an out-of-bounds write via multiple paths.

External References:

https://scarybeastsecurity.blogspot.com/2016/11/0day-exploit-advancing-exploitation.html
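
The bounds checks whose absence is described above, as an added example; this is not the upstream GStreamer patch and not part of the original report. The function name, its parameters and the handling of the `count > 0x7f` branch (elided in the excerpt) are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Added example: bounds-checked FLI delta decode. Caller has already copied
 * the previous frame into dest (width x height, 1 byte per pixel).
 * Returns 0 on success, -1 if the chunk would read or write out of bounds. */
int decode_delta_fli_checked(const uint8_t *data, size_t len,
                             uint8_t *dest, size_t width, size_t height)
{
    size_t pos = 4;                       /* read cursor into data */
    if (len < 4) return -1;
    size_t start_line = data[0] | (data[1] << 8);
    size_t lines = data[2] | (data[3] << 8);
    /* The delta region must lie inside the canvas. */
    if (start_line > height || lines > height - start_line) return -1;

    for (size_t y = start_line; y < start_line + lines; y++) {
        uint8_t *row = dest + y * width;
        size_t x = 0;                     /* write cursor within this row */
        if (pos >= len) return -1;
        unsigned packets = data[pos++];
        while (packets--) {
            if (len - pos < 2) return -1;
            size_t skip = data[pos++];
            size_t count = data[pos++];
            if (skip > width - x) return -1;
            x += skip;
            if (count > 0x7f) {
                /* Assumed FLI semantics (elided in the report's excerpt):
                 * repeat the next byte 0x100 - count times. */
                count = 0x100 - count;
                if (pos >= len || count > width - x) return -1;
                memset(row + x, data[pos++], count);
            } else {
                /* Literal run: copy count bytes from the input. */
                if (count > len - pos || count > width - x) return -1;
                memcpy(row + x, data + pos, count);
                pos += count;
            }
            x += count;
        }
    }
    return 0;
}
```

Every advance of the write cursor is checked against the remaining row width, and every read against the remaining input length, so a malformed chunk is rejected before any byte lands outside the canvas.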

Comment 1 Adam Mariš 2016-11-22 14:27:11 UTC
Created gstreamer-plugins-good tracking bugs for this issue:

Affects: fedora-all [bug 1397443]

Comment 2 Adam Mariš 2016-11-22 14:27:27 UTC
Created gstreamer1-plugins-good tracking bugs for this issue:

Affects: fedora-all [bug 1397442]

Comment 3 Dhiru Kholia 2016-11-23 08:08:57 UTC
Mitigation:

This mitigation is only required if vulnerable gstreamer-plugins-good and/or gstreamer1-plugins-good packages are installed.

For RHEL 7,

sudo rm /usr/lib*/gstreamer-1.0/libgstflxdec.so
sudo rm /usr/lib*/gstreamer-0.10/libgstflxdec.so

For RHEL 5 and RHEL 6,

sudo rm /usr/lib*/gstreamer-0.10/libgstflxdec.so

Please note that this mitigation deletes the vulnerable FLI/FLC/FLX animation demuxer file(s), which removes the functionality to play FLI/FLC/FLX animation files.

Comment 6 Dhiru Kholia 2016-11-23 13:25:07 UTC
Upstream Bug:

https://bugzilla.gnome.org/show_bug.cgi?id=774834

Comment 9 Adam Mariš 2016-11-24 13:23:19 UTC
CVE assignment:

http://seclists.org/oss-sec/2016/q4/517

Comment 16 Adam Mariš 2016-12-06 10:29:26 UTC
Created mingw-gstreamer1-plugins-good tracking bugs for this issue:

Affects: fedora-all [bug 1401875]

Comment 17 Adam Mariš 2016-12-06 10:29:45 UTC
Created mingw-gstreamer-plugins-good tracking bugs for this issue:

Affects: fedora-all [bug 1401876]

Comment 20 Dhiru Kholia 2016-12-21 06:27:48 UTC
CVE assignment (CVE-2016-9808):

http://seclists.org/oss-sec/2016/q4/589

CVE-2016-9808 was issued because of an incomplete fix for CVE-2016-9635.

Comment 22 errata-xmlrpc 2016-12-21 12:33:35 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2016:2975 https://rhn.redhat.com/errata/RHSA-2016-2975.html

Comment 23 errata-xmlrpc 2017-01-05 09:35:37 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2017:0019 https://rhn.redhat.com/errata/RHSA-2017-0019.html

Comment 24 errata-xmlrpc 2017-01-05 10:07:56 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2017:0020 https://rhn.redhat.com/errata/RHSA-2017-0020.html