Discussion:
Bug#864664: CVE-2017-9122 CVE-2017-9123 CVE-2017-9124 CVE-2017-9125 CVE-2017-9126 CVE-2017-9127 CVE-2017-9128
Moritz Muehlenhoff
2017-06-12 16:02:55 UTC
Source: libquicktime
Severity: grave
Tags: security

Please see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9122
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9123
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9124
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9125
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9126
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9127
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9128

Cheers,
Moritz
Reinhard Tartler
2017-06-30 21:02:09 UTC
Post by Moritz Muehlenhoff
Source: libquicktime
Severity: grave
Tags: security
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9122
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9123
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9124
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9125
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9126
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9127
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9128
I've just uploaded a patch that should fix this. See
https://anonscm.debian.org/cgit/pkg-multimedia/libquicktime.git/commit/?id=4728e38f2045d3d33be3d442a0ab9801990b4339

This is how I tested it:
reproducible with qtinfo:

***@stretch:/tmp/42148$ ls -al
total 48
drwxr-xr-x 2 vagrant vagrant 4096 Jun 9 16:41 .
drwxrwxrwt 11 root root 4096 Jun 30 20:27 ..
-rw-r--r-- 1 vagrant vagrant 6148 Jun 7 09:00 .DS_Store
-rw------- 1 vagrant vagrant 1967 May 17 03:52 libquicktime_1.2.4_lqt_frame_duration_heap-buffer-overflow.mp4
-rw------- 1 vagrant vagrant 1987 May 17 03:11 libquicktime_1.2.4_lqt_frame_duration_invalid_memory_read.mp4
-rw------- 1 vagrant vagrant 6841 May 17 03:11 libquicktime_1.2.4_quicktime_match_32_NULL_pointer_dereference.mp4
-rw------- 1 vagrant vagrant 1338 May 17 07:13 libquicktime_1.2.4_quicktime_read_dref_table_heap-buffer-overflow.mp4
-rw-r--r-- 1 vagrant vagrant 1259 Dec 16 2014 libquicktime_1.2.4_quicktime_read_moov_infinite_loop.mp4
-rw------- 1 vagrant vagrant 1294 May 17 02:42 libquicktime_1.2.4_quicktime_user_atoms_read_atom_heap-buffer-overflow.mp4
-rw------- 1 vagrant vagrant 1192 May 18 04:53 libquicktime_1.2.4_quicktime_video_width_heap-buffer-overflow.mp4
***@stretch:/tmp/42148$ qtinfo *.mp4
Type: MP4
0 audio tracks.
1 video tracks.
48x144, depth 24
rate 0.000369 [12:32541] not constant
length 0 frames
compressor avc1.
Native colormodel: Undefined
Interlace mode: None (Progressive)
No timecodes available
supported.
0 text tracks.
Type: MP4
0 audio tracks.
1 video tracks.
Segmentation fault
***@stretch:/tmp/42148$ qtinfo libquicktime_1.2.4_lqt_frame_duration_heap-buffer-overflow.mp4
Type: MP4
0 audio tracks.
1 video tracks.
48x144, depth 24
rate 0.000367 [12:32660] not constant
length 0 frames
compressor avc1.
Native colormodel: Undefined
Interlace mode: None (Progressive)
No timecodes available
supported.
0 text tracks.
***@stretch:/tmp/42148$ qtinfo libquicktime_1.2.4_lqt_frame_duration_invalid_memory_read.mp4
Type: MP4
0 audio tracks.
1 video tracks.
Segmentation fault
***@stretch:/tmp/42148$ qtinfo libquicktime_1.2.4_quicktime_match_32_NULL_pointer_dereference.mp4
Segmentation fault
***@stretch:/tmp/42148$ qtinfo libquicktime_1.2.4_quicktime_read_dref_table_heap-buffer-overflow.mp4
Segmentation fault
***@stretch:/tmp/42148$ qtinfo libquicktime_1.2.4_quicktime_read_moov_infinite_loop.mp4
^C
<just hangs, I had to abort it>
***@stretch:/tmp/42148$ qtinfo libquicktime_1.2.4_quicktime_user_atoms_read_atom_heap-buffer-overflow.mp4
[ffmpeg_video] Error: No avcC atom present, decoding is likely to fail
Type: MP4
0 audio tracks.
1 video tracks.
Segmentation fault
***@stretch:/tmp/42148$ qtinfo libquicktime_1.2.4_quicktime_video_width_heap-buffer-overflow.mp4
[codecs] Warning: Could not find video Decoder for fourcc
[codecs] Warning: quicktime_decode_video_stub called
Type: MP4
0 audio tracks.
1 video tracks.
Segmentation fault


With the patch applied:

***@stretch:/tmp/42148$ for i in *.mp4; do echo $i; qtinfo $i; echo ----; done
libquicktime_1.2.4_lqt_frame_duration_heap-buffer-overflow.mp4
[core] Error: Opening failed (unsupported filetype)
Couldn't open libquicktime_1.2.4_lqt_frame_duration_heap-buffer-overflow.mp4
----
libquicktime_1.2.4_lqt_frame_duration_invalid_memory_read.mp4
[core] Error: Opening failed (unsupported filetype)
Couldn't open libquicktime_1.2.4_lqt_frame_duration_invalid_memory_read.mp4
----
libquicktime_1.2.4_quicktime_match_32_NULL_pointer_dereference.mp4
[core] Error: Opening failed (unsupported filetype)
Couldn't open libquicktime_1.2.4_quicktime_match_32_NULL_pointer_dereference.mp4
----
libquicktime_1.2.4_quicktime_read_dref_table_heap-buffer-overflow.mp4
[core] Error: Opening failed (unsupported filetype)
Couldn't open libquicktime_1.2.4_quicktime_read_dref_table_heap-buffer-overflow.mp4
----
libquicktime_1.2.4_quicktime_read_moov_infinite_loop.mp4
[core] Error: Opening failed (unsupported filetype)
Couldn't open libquicktime_1.2.4_quicktime_read_moov_infinite_loop.mp4
----
libquicktime_1.2.4_quicktime_user_atoms_read_atom_heap-buffer-overflow.mp4
[core] Error: Opening failed (unsupported filetype)
Couldn't open libquicktime_1.2.4_quicktime_user_atoms_read_atom_heap-buffer-overflow.mp4
----
libquicktime_1.2.4_quicktime_video_width_heap-buffer-overflow.mp4
[core] Error: Opening failed (unsupported filetype)
Couldn't open libquicktime_1.2.4_quicktime_video_width_heap-buffer-overflow.mp4
----
***@stretch:/tmp/42148$ qtinfo libquicktime_1.2.4_lqt_frame_duration_heap-buffer-overflow.mp4
[core] Error: Opening failed (unsupported filetype)
Couldn't open libquicktime_1.2.4_lqt_frame_duration_heap-buffer-overflow.mp4


Moritz, I guess this patch should also go into stable-security and possibly
oldstable security. Can you take it from here or how do we want to proceed?

Best,
Reinhard
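
The before/after check in the message above can be scripted so that crashes and hangs are separated from ordinary exits without reading the output by eye. This is an added example, not part of the original thread or of the libquicktime patch; it assumes GNU coreutils `timeout`, and the function names `classify` and `triage` are hypothetical.

```bash
# Added example: classify how a tool handles each sample file.
# Assumption: GNU coreutils `timeout` is installed (exit status 124 on expiry).

# classify TOOL LIMIT_SECONDS FILE -> prints hang | signal-N | exit-N
classify() {
    local tool="$1" limit="$2" file="$3" rc=0
    # Quote the file name so samples with spaces or globs are passed intact.
    timeout "$limit" "$tool" "$file" >/dev/null 2>&1 || rc=$?
    if [ "$rc" -eq 124 ]; then
        echo "hang"                    # time limit hit (the ^C case in the log)
    elif [ "$rc" -gt 128 ]; then
        echo "signal-$((rc - 128))"    # e.g. 139 = 128 + SIGSEGV (11)
    else
        echo "exit-$rc"                # the tool returned on its own
    fi
}

# triage TOOL LIMIT_SECONDS FILE... -> one "result<TAB>file" line per sample.
# Returns non-zero if any sample ended in a signal or a hang.
triage() {
    local tool="$1" limit="$2" bad=0 f result
    shift 2
    for f in "$@"; do
        result=$(classify "$tool" "$limit" "$f")
        printf '%s\t%s\n' "$result" "$f"
        case $result in
            hang|signal-*) bad=1 ;;
        esac
    done
    return "$bad"
}

# Direct use, for example: sh triage.sh qtinfo 10 *.mp4
if [ "$#" -ge 3 ]; then
    triage "$@"
fi
```

Run once against the unpatched package and once against the patched one; a clean run is one where no line starts with `signal-` or `hang`.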
Debian Bug Tracking System
2017-06-30 21:24:03 UTC
Your message dated Fri, 30 Jun 2017 21:21:07 +0000
with message-id <E1dR3Lf-0000y4-***@fasolo.debian.org>
and subject line Bug#864664: fixed in libquicktime 2:1.2.4-11
has caused the Debian Bug report #864664,
regarding CVE-2017-9122 CVE-2017-9123 CVE-2017-9124 CVE-2017-9125 CVE-2017-9126 CVE-2017-9127 CVE-2017-9128
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ***@bugs.debian.org
immediately.)
--
864664: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=864664
Debian Bug Tracking System
Contact ***@bugs.debian.org with problems
Debian Bug Tracking System
2017-07-16 21:21:06 UTC
Your message dated Sun, 16 Jul 2017 21:17:08 +0000
with message-id <E1dWqua-0003SI-***@fasolo.debian.org>
and subject line Bug#864664: fixed in libquicktime 2:1.2.4-10+deb9u1
has caused the Debian Bug report #864664,
regarding CVE-2017-9122 CVE-2017-9123 CVE-2017-9124 CVE-2017-9125 CVE-2017-9126 CVE-2017-9127 CVE-2017-9128
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ***@bugs.debian.org
immediately.)
--
864664: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=864664
Debian Bug Tracking System
Contact ***@bugs.debian.org with problems