On Mon, Jun 12, 2017 at 12:06 PM Moritz Muehlenhoff <j...@debian.org> wrote:
> Source: libquicktime
> Severity: grave
> Tags: security
>
> Please see:
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9122
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9123
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9124
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9125
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9126
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9127
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9128
>

I've just uploaded a patch that should fix this. See
https://anonscm.debian.org/cgit/pkg-multimedia/libquicktime.git/commit/?id=4728e38f2045d3d33be3d442a0ab9801990b4339

This is how I tested it: reproducible with qtinfo:

vagrant@stretch:/tmp/42148$ ls -al
total 48
drwxr-xr-x  2 vagrant vagrant 4096 Jun  9 16:41 .
drwxrwxrwt 11 root    root    4096 Jun 30 20:27 ..
-rw-r--r--  1 vagrant vagrant 6148 Jun  7 09:00 .DS_Store
-rw-------  1 vagrant vagrant 1967 May 17 03:52 libquicktime_1.2.4_lqt_frame_duration_heap-buffer-overflow.mp4
-rw-------  1 vagrant vagrant 1987 May 17 03:11 libquicktime_1.2.4_lqt_frame_duration_invalid_memory_read.mp4
-rw-------  1 vagrant vagrant 6841 May 17 03:11 libquicktime_1.2.4_quicktime_match_32_NULL_pointer_dereference.mp4
-rw-------  1 vagrant vagrant 1338 May 17 07:13 libquicktime_1.2.4_quicktime_read_dref_table_heap-buffer-overflow.mp4
-rw-r--r--  1 vagrant vagrant 1259 Dec 16  2014 libquicktime_1.2.4_quicktime_read_moov_infinite_loop.mp4
-rw-------  1 vagrant vagrant 1294 May 17 02:42 libquicktime_1.2.4_quicktime_user_atoms_read_atom_heap-buffer-overflow.mp4
-rw-------  1 vagrant vagrant 1192 May 18 04:53 libquicktime_1.2.4_quicktime_video_width_heap-buffer-overflow.mp4

vagrant@stretch:/tmp/42148$ qtinfo *.mp4
Type: MP4
0 audio tracks.
1 video tracks.
48x144, depth 24
rate 0.000369 [12:32541]
not constant length 0 frames
compressor avc1.
Native colormodel: Undefined
Interlace mode: None (Progressive)
No timecodes available
supported.
0 text tracks.
Type: MP4
0 audio tracks.
1 video tracks.
Segmentation fault

vagrant@stretch:/tmp/42148$ qtinfo libquicktime_1.2.4_lqt_frame_duration_heap-buffer-overflow.mp4
Type: MP4
0 audio tracks.
1 video tracks.
48x144, depth 24
rate 0.000367 [12:32660]
not constant length 0 frames
compressor avc1.
Native colormodel: Undefined
Interlace mode: None (Progressive)
No timecodes available
supported.
0 text tracks.

vagrant@stretch:/tmp/42148$ qtinfo libquicktime_1.2.4_lqt_frame_duration_invalid_memory_read.mp4
Type: MP4
0 audio tracks.
1 video tracks.
Segmentation fault

vagrant@stretch:/tmp/42148$ qtinfo libquicktime_1.2.4_quicktime_match_32_NULL_pointer_dereference.mp4
Segmentation fault

vagrant@stretch:/tmp/42148$ qtinfo libquicktime_1.2.4_quicktime_read_dref_table_heap-buffer-overflow.mp4
Segmentation fault

vagrant@stretch:/tmp/42148$ qtinfo libquicktime_1.2.4_quicktime_read_moov_infinite_loop.mp4
^C
<just hangs, I had to abort it>

vagrant@stretch:/tmp/42148$ qtinfo libquicktime_1.2.4_quicktime_user_atoms_read_atom_heap-buffer-overflow.mp4
[ffmpeg_video] Error: No avcC atom present, decoding is likely to fail
Type: MP4
0 audio tracks.
1 video tracks.
Segmentation fault

vagrant@stretch:/tmp/42148$ qtinfo libquicktime_1.2.4_quicktime_video_width_heap-buffer-overflow.mp4
[codecs] Warning: Could not find video Decoder for fourcc
[codecs] Warning: quicktime_decode_video_stub called
Type: MP4
0 audio tracks.
1 video tracks.
Segmentation fault

With the patch applied:

vagrant@stretch:/tmp/42148$ for i in *.mp4; do echo $i; qtinfo $i; echo ----; done
libquicktime_1.2.4_lqt_frame_duration_heap-buffer-overflow.mp4
[core] Error: Opening failed (unsupported filetype)
Couldn't open libquicktime_1.2.4_lqt_frame_duration_heap-buffer-overflow.mp4
----
libquicktime_1.2.4_lqt_frame_duration_invalid_memory_read.mp4
[core] Error: Opening failed (unsupported filetype)
Couldn't open libquicktime_1.2.4_lqt_frame_duration_invalid_memory_read.mp4
----
libquicktime_1.2.4_quicktime_match_32_NULL_pointer_dereference.mp4
[core] Error: Opening failed (unsupported filetype)
Couldn't open libquicktime_1.2.4_quicktime_match_32_NULL_pointer_dereference.mp4
----
libquicktime_1.2.4_quicktime_read_dref_table_heap-buffer-overflow.mp4
[core] Error: Opening failed (unsupported filetype)
Couldn't open libquicktime_1.2.4_quicktime_read_dref_table_heap-buffer-overflow.mp4
----
libquicktime_1.2.4_quicktime_read_moov_infinite_loop.mp4
[core] Error: Opening failed (unsupported filetype)
Couldn't open libquicktime_1.2.4_quicktime_read_moov_infinite_loop.mp4
----
libquicktime_1.2.4_quicktime_user_atoms_read_atom_heap-buffer-overflow.mp4
[core] Error: Opening failed (unsupported filetype)
Couldn't open libquicktime_1.2.4_quicktime_user_atoms_read_atom_heap-buffer-overflow.mp4
----
libquicktime_1.2.4_quicktime_video_width_heap-buffer-overflow.mp4
[core] Error: Opening failed (unsupported filetype)
Couldn't open libquicktime_1.2.4_quicktime_video_width_heap-buffer-overflow.mp4
----

vagrant@stretch:/tmp/42148$ qtinfo libquicktime_1.2.4_lqt_frame_duration_heap-buffer-overflow.mp4
[core] Error: Opening failed (unsupported filetype)
Couldn't open libquicktime_1.2.4_lqt_frame_duration_heap-buffer-overflow.mp4

Moritz, I guess this patch should also go into stable-security and possibly oldstable security. Can you take it from here or how do we want to proceed?

Best,
Reinhard
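A small harness for the before/after check Reinhard runs by hand above, as an added example that is not part of the bug report or the Debian libquicktime package: it runs qtinfo over each PoC file under a time limit, so the infinite-loop file no longer needs a manual ^C, and classifies every run as a crash (killed by a signal), a hang, a clean rejection, or an accepted parse, exiting non-zero if any file still crashes or hangs. It assumes qtinfo is on PATH (override with QTINFO) and coreutils timeout is installed; LIMIT and the verdict names are constructed for this script, not qtinfo options.

```shell
#!/bin/sh
# Added example, not from the bug report or the Debian libquicktime package.
# Runs qtinfo over PoC files under a time limit and reports, per file,
# whether the run crashed, hung, was cleanly rejected, or parsed.
# Assumptions: qtinfo on PATH (override with QTINFO=/path/to/qtinfo) and
# coreutils `timeout` available; LIMIT is a constructed knob, not a qtinfo option.

QTINFO=${QTINFO:-qtinfo}
LIMIT=${LIMIT:-10}   # seconds before a run is counted as a hang

# Map an exit status to a verdict.
#   124      -> hang     (timeout fired; the read_moov infinite-loop case)
#   127      -> notfound (qtinfo itself missing; would otherwise look like a pass)
#   >= 128   -> crash    (killed by a signal; 139 is SIGSEGV)
#   0        -> parsed   (file accepted; worth a second look for a PoC)
#   other    -> rejected (clean error such as "unsupported filetype")
classify_status() {
    case "$1" in
        124) echo hang ;;
        127) echo notfound ;;
        0)   echo parsed ;;
        *)   if [ "$1" -ge 128 ]; then echo crash; else echo rejected; fi ;;
    esac
}

# Run a command under the time limit and print its verdict.
# Falls back to an unbounded run if `timeout` is not installed.
probe() {
    rc=0
    if command -v timeout >/dev/null 2>&1; then
        timeout "$LIMIT" "$@" >/dev/null 2>&1 || rc=$?
    else
        "$@" >/dev/null 2>&1 || rc=$?
    fi
    classify_status "$rc"
}

# Check every file given; return non-zero if any still crashes or hangs.
check_poc_files() {
    bad=0
    for f in "$@"; do
        verdict=$(probe "$QTINFO" "$f")
        printf '%-8s %s\n' "$verdict" "$f"
        case "$verdict" in crash|hang|notfound) bad=1 ;; esac
    done
    return "$bad"
}

if [ $# -gt 0 ]; then
    check_poc_files "$@"
fi
```

Run it as `sh check_poc.sh *.mp4` in the directory with the PoC files; on the unpatched build the "crash"/"hang" lines correspond to the segfaults and the aborted run above, on the patched build every file should come back "rejected".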