Bug 1397441 (CVE-2016-9634, CVE-2016-9635, CVE-2016-9636, CVE-2016-9808)
| Summary: | CVE-2016-9634 CVE-2016-9635 CVE-2016-9636 CVE-2016-9808 gstreamer-plugins-good: Heap buffer overflow in FLIC decoder | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Adam Mariš <amaris> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | bdpepple, bmcclain, bnocera, cfergeau, dblechte, fidencio, jgrulich, lsurette, marcandre.lureau, mgoldboi, michal.skrivanek, mike, negativo17, otte, rh-spice-bugs, slawomir, srevivo, uraeus, victortoso, wtaymans, ykaul, yozone |
| Target Milestone: | --- | Keywords: | Reopened, Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: |
Multiple flaws were discovered in GStreamer's FLC/FLI/FLX media file format decoding plug-in. A remote attacker could use these flaws to cause an application using GStreamer to crash or, potentially, execute arbitrary code with the privileges of the user running the application.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2019-06-08 03:02:28 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1397442, 1397443, 1400835, 1400836, 1400842, 1400843, 1400892, 1400893, 1401875, 1401876 | ||
| Bug Blocks: | 1397444 | ||
Created gstreamer-plugins-good tracking bugs for this issue: Affects: fedora-all [bug 1397443] Created gstreamer1-plugins-good tracking bugs for this issue: Affects: fedora-all [bug 1397442] Mitigation: This mitigation is only required if vulnerable gstreamer-plugins-good and/or gstreamer1-plugins-good packages are installed. For RHEL 7, sudo rm /usr/lib*/gstreamer-1.0/libgstflxdec.so sudo rm /usr/lib*/gstreamer-0.10/libgstflxdec.so For RHEL 5 and RHEL 6, sudo rm /usr/lib*/gstreamer-0.10/libgstflxdec.so Please note that this mitigation deletes the vulnerable FLI/FLC/FLX animation demuxer file(s), which removes the functionality to play FLI/FLC/FLX animation files. Upstream Bug: https://bugzilla.gnome.org/show_bug.cgi?id=774834 Upstream Fix: https://cgit.freedesktop.org/gstreamer/gst-plugins-good/commit/?id=bf43f44fcfada5ec4a3ce60cb374340486fe9fac https://cgit.freedesktop.org/gstreamer/gst-plugins-good/commit/?id=fec77de8cbb0c8192b77aff2e563705ba421f2f2 CVE assignment: http://seclists.org/oss-sec/2016/q4/517 Updates to gstreamer1-plugins-good: f24: https://bodhi.fedoraproject.org/updates/FEDORA-2016-3a45d79132 f25: https://bodhi.fedoraproject.org/updates/FEDORA-2016-c883d07fba Created mingw-gstreamer1-plugins-good tracking bugs for this issue: Affects: fedora-all [bug 1401875] Created mingw-gstreamer-plugins-good tracking bugs for this issue: Affects: fedora-all [bug 1401876] Upstream fix for CVE-2016-9808: https://cgit.freedesktop.org/gstreamer/gst-plugins-good/commit/?id=153a8ae752c90d07190ef45803422a4f71ea8bff CVE assignment (CVE-2016-9808): http://seclists.org/oss-sec/2016/q4/589 CVE-2016-9808 was issued because of an incomplete fix for CVE-2016-9635. This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Via RHSA-2016:2975 https://rhn.redhat.com/errata/RHSA-2016-2975.html This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2017:0019 https://rhn.redhat.com/errata/RHSA-2017-0019.html This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2017:0020 https://rhn.redhat.com/errata/RHSA-2017-0020.html |
A heap-based buffer overflow vulnerability was found in FLIC decoder in flx_decode_delta_fli() function. Vulnerable code: flx_decode_delta_fli (GstFlxDec * flxdec, guchar * data, guchar * dest) { ... /* use last frame for delta */ memcpy (dest, flxdec->delta_data, flxdec->size); start_line = (data[0] + (data[1] << 8)); lines = (data[2] + (data[3] << 8)); data += 4; /* start position of delta */ dest += (flxdec->hdr.width * start_line); start_p = dest; while (lines--) { /* packet count */ packets = *data++; while (packets--) { /* skip count */ dest += *data++; /* RLE count */ count = *data++; if (count > 0x7f) { ... } else { /* replicate run */ while (count--) *dest++ = *data++; The above function is called via a FLX_LC command in the input file. At the time of the call, dest points to the start of the output canvas buffer, e.g. 8 x 8 pixels and always 1 byte per pixel. data points to attacker controlled data from the raw input file. Due to lack of bounds checking against the canvas width and height, attacker can achieve out-of-bounds write via multiple paths. External References: https://scarybeastsecurity.blogspot.com/2016/11/0day-exploit-advancing-exploitation.html