A heap-based buffer overflow vulnerability was found in FLIC decoder in flx_decode_delta_fli() function. Vulnerable code: flx_decode_delta_fli (GstFlxDec * flxdec, guchar * data, guchar * dest) { ... /* use last frame for delta */ memcpy (dest, flxdec->delta_data, flxdec->size); start_line = (data[0] + (data[1] << 8)); lines = (data[2] + (data[3] << 8)); data += 4; /* start position of delta */ dest += (flxdec->hdr.width * start_line); start_p = dest; while (lines--) { /* packet count */ packets = *data++; while (packets--) { /* skip count */ dest += *data++; /* RLE count */ count = *data++; if (count > 0x7f) { ... } else { /* replicate run */ while (count--) *dest++ = *data++; The above function is called via a FLX_LC command in the input file. At the time of the call, dest points to the start of the output canvas buffer, e.g. 8 x 8 pixels and always 1 byte per pixel. data points to attacker controlled data from the raw input file. Due to lack of bounds checking against the canvas width and height, attacker can achieve out-of-bounds write via multiple paths. External References: https://scarybeastsecurity.blogspot.com/2016/11/0day-exploit-advancing-exploitation.html
Created gstreamer-plugins-good tracking bugs for this issue: Affects: fedora-all [bug 1397443]
Created gstreamer1-plugins-good tracking bugs for this issue: Affects: fedora-all [bug 1397442]
Mitigation: This mitigation is only required if vulnerable gstreamer-plugins-good and/or gstreamer1-plugins-good packages are installed. For RHEL 7, sudo rm /usr/lib*/gstreamer-1.0/libgstflxdec.so sudo rm /usr/lib*/gstreamer-0.10/libgstflxdec.so For RHEL 5 and RHEL 6, sudo rm /usr/lib*/gstreamer-0.10/libgstflxdec.so Please note that this mitigation deletes the vulnerable FLI/FLC/FLX animation demuxer file(s), which removes the functionality to play FLI/FLC/FLX animation files.
Upstream Bug: https://bugzilla.gnome.org/show_bug.cgi?id=774834
Upstream Fix: https://cgit.freedesktop.org/gstreamer/gst-plugins-good/commit/?id=bf43f44fcfada5ec4a3ce60cb374340486fe9fac https://cgit.freedesktop.org/gstreamer/gst-plugins-good/commit/?id=fec77de8cbb0c8192b77aff2e563705ba421f2f2
CVE assignment: http://seclists.org/oss-sec/2016/q4/517
Updates to gstreamer1-plugins-good: f24: https://bodhi.fedoraproject.org/updates/FEDORA-2016-3a45d79132 f25: https://bodhi.fedoraproject.org/updates/FEDORA-2016-c883d07fba
Created mingw-gstreamer1-plugins-good tracking bugs for this issue: Affects: fedora-all [bug 1401875]
Created mingw-gstreamer-plugins-good tracking bugs for this issue: Affects: fedora-all [bug 1401876]
Upstream fix for CVE-2016-9808: https://cgit.freedesktop.org/gstreamer/gst-plugins-good/commit/?id=153a8ae752c90d07190ef45803422a4f71ea8bff
CVE assignment (CVE-2016-9808): http://seclists.org/oss-sec/2016/q4/589 CVE-2016-9808 was issued because of an incomplete fix for CVE-2016-9635.
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Via RHSA-2016:2975 https://rhn.redhat.com/errata/RHSA-2016-2975.html
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2017:0019 https://rhn.redhat.com/errata/RHSA-2017-0019.html
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2017:0020 https://rhn.redhat.com/errata/RHSA-2017-0020.html