Bug 1397441 (CVE-2016-9634, CVE-2016-9635, CVE-2016-9636, CVE-2016-9808) - CVE-2016-9634 CVE-2016-9635 CVE-2016-9636 CVE-2016-9808 gstreamer-plugins-good: Heap buffer overflow in FLIC decoder
Summary: CVE-2016-9634 CVE-2016-9635 CVE-2016-9636 CVE-2016-9808 gstreamer-plugins-goo...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2016-9634, CVE-2016-9635, CVE-2016-9636, CVE-2016-9808
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1401876 1397442 1397443 1400835 1400836 1400842 1400843 1400892 1400893 1401875
Blocks: 1397444
TreeView+ depends on / blocked
 
Reported: 2016-11-22 14:26 UTC by Adam Mariš
Modified: 2019-09-29 14:00 UTC (History)
22 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Multiple flaws were discovered in GStreamer's FLC/FLI/FLX media file format decoding plug-in. A remote attacker could use these flaws to cause an application using GStreamer to crash or, potentially, execute arbitrary code with the privileges of the user running the application.
Clone Of:
Environment:
Last Closed: 2019-06-08 03:02:28 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2016:2975 normal SHIPPED_LIVE Important: gstreamer-plugins-good security update 2016-12-21 17:33:20 UTC
Red Hat Product Errata RHSA-2017:0019 normal SHIPPED_LIVE Moderate: gstreamer-plugins-good security update 2017-01-05 14:35:19 UTC
Red Hat Product Errata RHSA-2017:0020 normal SHIPPED_LIVE Moderate: gstreamer1-plugins-good security update 2017-01-05 15:05:36 UTC

Description Adam Mariš 2016-11-22 14:26:15 UTC
A heap-based buffer overflow vulnerability was found in FLIC decoder in flx_decode_delta_fli() function.

Vulnerable code:

 flx_decode_delta_fli (GstFlxDec * flxdec, guchar * data, guchar * dest)
{
...
  /* use last frame for delta */
  memcpy (dest, flxdec->delta_data, flxdec->size);

  start_line = (data[0] + (data[1] << 8));
  lines = (data[2] + (data[3] << 8));
  data += 4;

  /* start position of delta */
  dest += (flxdec->hdr.width * start_line);
  start_p = dest;

  while (lines--) {
    /* packet count */
    packets = *data++;

    while (packets--) {
      /* skip count */
      dest += *data++;

      /* RLE count */
      count = *data++;

      if (count > 0x7f) {
...
      } else {
        /* replicate run */
        while (count--)
          *dest++ = *data++;

The above function is called via a FLX_LC command in the input file. At the time of the call, dest points to the start of the output canvas buffer, e.g. 8 x 8 pixels and always 1 byte per pixel. data points to attacker controlled data from the raw input file. Due to lack of bounds checking against the canvas width and height, attacker can achieve out-of-bounds write via multiple paths.

External References:

https://scarybeastsecurity.blogspot.com/2016/11/0day-exploit-advancing-exploitation.html

Comment 1 Adam Mariš 2016-11-22 14:27:11 UTC
Created gstreamer-plugins-good tracking bugs for this issue:

Affects: fedora-all [bug 1397443]

Comment 2 Adam Mariš 2016-11-22 14:27:27 UTC
Created gstreamer1-plugins-good tracking bugs for this issue:

Affects: fedora-all [bug 1397442]

Comment 3 Dhiru Kholia 2016-11-23 08:08:57 UTC
Mitigation:

This mitigation is only required if vulnerable gstreamer-plugins-good and/or gstreamer1-plugins-good packages are installed.

For RHEL 7,

sudo rm /usr/lib*/gstreamer-1.0/libgstflxdec.so
sudo rm /usr/lib*/gstreamer-0.10/libgstflxdec.so

For RHEL 5 and RHEL 6,

sudo rm /usr/lib*/gstreamer-0.10/libgstflxdec.so

Please note that this mitigation deletes the vulnerable FLI/FLC/FLX animation demuxer file(s), which removes the functionality to play FLI/FLC/FLX animation files.

Comment 6 Dhiru Kholia 2016-11-23 13:25:07 UTC
Upstream Bug:

https://bugzilla.gnome.org/show_bug.cgi?id=774834

Comment 9 Adam Mariš 2016-11-24 13:23:19 UTC
CVE assignment:

http://seclists.org/oss-sec/2016/q4/517

Comment 16 Adam Mariš 2016-12-06 10:29:26 UTC
Created mingw-gstreamer1-plugins-good tracking bugs for this issue:

Affects: fedora-all [bug 1401875]

Comment 17 Adam Mariš 2016-12-06 10:29:45 UTC
Created mingw-gstreamer-plugins-good tracking bugs for this issue:

Affects: fedora-all [bug 1401876]

Comment 20 Dhiru Kholia 2016-12-21 06:27:48 UTC
CVE assignment (CVE-2016-9808):

http://seclists.org/oss-sec/2016/q4/589

CVE-2016-9808 was issued because of an incomplete fix for CVE-2016-9635.

Comment 22 errata-xmlrpc 2016-12-21 12:33:35 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2016:2975 https://rhn.redhat.com/errata/RHSA-2016-2975.html

Comment 23 errata-xmlrpc 2017-01-05 09:35:37 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2017:0019 https://rhn.redhat.com/errata/RHSA-2017-0019.html

Comment 24 errata-xmlrpc 2017-01-05 10:07:56 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2017:0020 https://rhn.redhat.com/errata/RHSA-2017-0020.html


Note You need to log in before you can comment on or make changes to this bug.