Bug 1739373 (CVE-2019-1010189)

Summary: CVE-2019-1010189 mgetty: opening a specially crafted file leads to an infinite loop and DoS
Product: [Other] Security Response Reporter: Marian Rehak <mrehak>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: fkrska, mbenatto, msekleta, zdohnal
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-10-25 09:52:34 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1739376, 1791975    
Bug Blocks: 1739378    
Attachments:
Description Flags
Upstream patch none

Description Marian Rehak 2019-08-09 07:54:38 UTC 
mgetty prior to version 1.2.1 is affected by: Infinite Loop. The impact is: DoS, the program does never terminates. The component is: g3/g32pbm.c. The attack vector is: Local, the user should open a specially crafted file.

External References:

https://www.x41-dsec.de/lab/advisories/x41-2018-007-mgetty/
Comment 1 Marian Rehak 2019-08-09 07:59:26 UTC 
Created mgetty tracking bugs for this issue:

Affects: fedora-29 [bug 1739376]
Comment 3 Marco Benatto 2020-01-16 19:26:15 UTC 
Created attachment 1652882 [details]
Upstream patch
Comment 4 Marco Benatto 2020-01-16 19:27:43 UTC 
Upstream patch for this issue (attached):

commit 0162663ed5f45209792995b54e36424334ee46da
Author: Gert Doering <gert.de>
Date:   Thu Sep 6 23:14:49 2018 +0200

    Fix invalid lseek() leading to infinite loop in g32pbm
    
    Commit 3ab78bddf4 "cleaned up code", supposedly replacing the magic
    constant "1" with "SEEK_CUR" in the lseek() call used for file pointer
    reporting on code violations.  Unfortunately this was mistyped in the
    actual code change as "SEEK_SET", thus rewinding the file to start on
    each G3 decoding error -> endless loop.
    
    Issue found and reported by Eric Sesterhenn <eric.sesterhenn>
    
    Signed-off-by: Gert Doering <gert.de>