Bug#867579: libopenmpt: Security updates libopenmpt-0.2.7386-beta20.3-p10 available

2017-07-07 Thread Jörn Heusipp
Source: libopenmpt
Version: 0.2.7386~beta20.3-3
Severity: important
Tags: upstream

Dear Maintainer,


A couple of security-related fixes have been released upstream as
version 0.2.7386-beta20.3-p10. See
https://lib.openmpt.org/libopenmpt/md_announce-2017-07-07.html .

p10 fixes a heap buffer overflow which allows an attacker to write
arbitrary data to an arbitrarily choosen offset. It can be triggered
with a maliciously modified PSM file. This needs to be fixed ASAP via
a security update in Stretch. The bug happens due to 2 samples in a
PSM file using the same sample slot in libopenmpt, whereby the second
sample uses an invalid offset inside the file. That way, the second
sample did not re-allocate (via
sampleHeader.GetSampleFormat().ReadSample(Samples[smp], file); deeper
down the call chain in SampleIO.cpp:73) the sample buffer itself but
only set the sample size metadata
(sampleHeader.ConvertToMPT(Samples[smp]);, ultimately at
Load_psm.cpp:1054). Later, as a loading post-processing step,
Sndfile.cpp:411 calls PrecomputeLoops() which writes a couple of
samples before and after the actual sample data (the amount is
statically known (InterpolationMaxLookahead) and accounted for when
allocating the sample buffer). However, due to the sample buffer and
sample length mismatch caused by the bug, this can write extrapolated
sample data to an arbitary location offset from the first sample's
buffer (PrecomputeLoopsImpl() in modsmp_ctrl.cpp:263).

p8 is an out-of-bounds read directly after a heap-allocated allocated
buffer. It is difficult to trigger in practice because std::vector
does grow its buffer exponentially.

p9 fixes another potential race condition due to the use of non
thread-safe  functions. As discussed previously in
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=864195#67 , this
again can at worst cause wrong data to be returned for date metadata
in libopenmpt. However, please note that the same, now rewritten code
path, could also trigger an assertion failure in glibc under memory
pressure (which probably is a glibc bug, see
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=867283 ), thereby
causing the application to crash.


-- System Information:
Debian Release: 9.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-3-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

___
pkg-multimedia-maintainers mailing list
pkg-multimedia-maintainers@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-multimedia-maintainers


Bug#867579: libopenmpt: Security updates libopenmpt-0.2.7386-beta20.3-p10 available

2017-07-14 Thread James Cowgill
Control: severity -1 grave
Control: tags -1 fixed-upstream

Hi,

On 07/07/17 15:41, Jörn Heusipp wrote:
> Source: libopenmpt
> Version: 0.2.7386~beta20.3-3
> Severity: important
> Tags: upstream
> 
> Dear Maintainer,
> 
> A couple of security-related fixes have been released upstream as
> version 0.2.7386-beta20.3-p10. See
> https://lib.openmpt.org/libopenmpt/md_announce-2017-07-07.html .
> 
> p10 fixes a heap buffer overflow which allows an attacker to write
> arbitrary data to an arbitrarily choosen offset. It can be triggered
> with a maliciously modified PSM file. This needs to be fixed ASAP via
> a security update in Stretch. The bug happens due to 2 samples in a
> PSM file using the same sample slot in libopenmpt, whereby the second
> sample uses an invalid offset inside the file. That way, the second
> sample did not re-allocate (via
> sampleHeader.GetSampleFormat().ReadSample(Samples[smp], file); deeper
> down the call chain in SampleIO.cpp:73) the sample buffer itself but
> only set the sample size metadata
> (sampleHeader.ConvertToMPT(Samples[smp]);, ultimately at
> Load_psm.cpp:1054). Later, as a loading post-processing step,
> Sndfile.cpp:411 calls PrecomputeLoops() which writes a couple of
> samples before and after the actual sample data (the amount is
> statically known (InterpolationMaxLookahead) and accounted for when
> allocating the sample buffer). However, due to the sample buffer and
> sample length mismatch caused by the bug, this can write extrapolated
> sample data to an arbitary location offset from the first sample's
> buffer (PrecomputeLoopsImpl() in modsmp_ctrl.cpp:263).

Firstly, sorry it's taken some time for me to get around to this. Since
this bug had the potential for remote code execution and looked pretty
serious, I requested a CVE number for it and it has been assigned
CVE-2017-11311.

> p8 is an out-of-bounds read directly after a heap-allocated allocated
> buffer. It is difficult to trigger in practice because std::vector
> does grow its buffer exponentially.

OK this should be fixed as well.

> p9 fixes another potential race condition due to the use of non
> thread-safe  functions. As discussed previously in
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=864195#67 , this
> again can at worst cause wrong data to be returned for date metadata
> in libopenmpt. However, please note that the same, now rewritten code
> path, could also trigger an assertion failure in glibc under memory
> pressure (which probably is a glibc bug, see
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=867283 ), thereby
> causing the application to crash.

Again, I'm not sure if it is worth fixing this in stretch - it modifies
quite a bit of code. The glibc bug is important, but I'm not sure it
should be worked around in libopenmpt. It's also mitigated by the fact
that on Linux, if you're suffering from memory pressure, something is
probably about to be killed by the OOM killer anyway.

Thanks,
James



signature.asc
Description: OpenPGP digital signature
___
pkg-multimedia-maintainers mailing list
pkg-multimedia-maintainers@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-multimedia-maintainers

Processed: Re: Bug#867579: libopenmpt: Security updates libopenmpt-0.2.7386-beta20.3-p10 available

2017-07-14 Thread Debian Bug Tracking System
Processing control commands:

> severity -1 grave
Bug #867579 [src:libopenmpt] libopenmpt: CVE-2017-11311
Severity set to 'grave' from 'important'
> tags -1 fixed-upstream
Bug #867579 [src:libopenmpt] libopenmpt: CVE-2017-11311
Added tag(s) fixed-upstream.

-- 
867579: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=867579
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

___
pkg-multimedia-maintainers mailing list
pkg-multimedia-maintainers@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-multimedia-maintainers