Bug 1397441 (CVE-2016-9634, CVE-2016-9635, CVE-2016-9636, CVE-2016-9808) - CVE-2016-9634 CVE-2016-9635 CVE-2016-9636 CVE-2016-9808 gstreamer-plugins-good: Heap buffer overflow in FLIC decoder
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2016-9634, CVE-2016-9635, CVE-2016-9636, CVE-2016-9808
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1397442 1397443 1400835 1400836 1400842 1400843 1400892 1400893 1401875 1401876
Blocks:
Reported: 2016-11-22 14:26 UTC by Adam Mariš
Modified: 2021-02-17 03:00 UTC
CC List: 22 users

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2019-06-08 03:02:28 UTC
Embargoed:
Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2016:2975 0 normal SHIPPED_LIVE Important: gstreamer-plugins-good security update 2016-12-21 17:33:20 UTC
Red Hat Product Errata RHSA-2017:0019 0 normal SHIPPED_LIVE Moderate: gstreamer-plugins-good security update 2017-01-05 14:35:19 UTC
Red Hat Product Errata RHSA-2017:0020 0 normal SHIPPED_LIVE Moderate: gstreamer1-plugins-good security update 2017-01-05 15:05:36 UTC

Description Adam Mariš 2016-11-22 14:26:15 UTC
A heap-based buffer overflow vulnerability was found in the FLIC decoder, in the flx_decode_delta_fli() function.

Vulnerable code:

flx_decode_delta_fli (GstFlxDec * flxdec, guchar * data, guchar * dest)
{
...
  /* use last frame for delta */
  memcpy (dest, flxdec->delta_data, flxdec->size);

  start_line = (data[0] + (data[1] << 8));
  lines = (data[2] + (data[3] << 8));
  data += 4;

  /* start position of delta */
  dest += (flxdec->hdr.width * start_line);
  start_p = dest;

  while (lines--) {
    /* packet count */
    packets = *data++;

    while (packets--) {
      /* skip count */
      dest += *data++;

      /* RLE count */
      count = *data++;

      if (count > 0x7f) {
...
      } else {
        /* replicate run */
        while (count--)
          *dest++ = *data++;

The above function is called via a FLX_LC command in the input file. At the time of the call, dest points to the start of the output canvas buffer, e.g. 8 x 8 pixels and always 1 byte per pixel. data points to attacker-controlled data from the raw input file. Due to the lack of bounds checking against the canvas width and height, an attacker can achieve an out-of-bounds write via multiple paths.

External References:

https://scarybeastsecurity.blogspot.com/2016/11/0day-exploit-advancing-exploitation.html
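
The following is a bounds-checked rewrite of the delta loop quoted above, added here as an illustration; it is neither gstreamer's code nor the reporter's, and it is not the upstream fix. It assumes the chunk layout the excerpt implies (a 16-bit start line and line count, then per line a packet count, and per packet a skip byte and a count byte where values above 0x7f mean "replicate the next byte 0x100 - count times" and smaller values mean "copy count literal bytes"), a canvas of width * height one-byte pixels, and that a run never crosses a row. The function and constant names are invented, and the sample chunks are constructed for a 4x4 canvas. The decoder validates the line range before touching memory, keeps every skip and run inside its row, and checks that the chunk really contains the bytes it claims, returning an error code where the original would have written out of bounds or read past the input.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Result codes (names invented for this example). */
enum { FLX_OK = 0, FLX_ERR_TRUNCATED = -1, FLX_ERR_OOB = -2 };

/* Fetch one byte from the chunk, refusing to read past its end. */
static int read_u8(const uint8_t **p, const uint8_t *end, uint8_t *out)
{
    if (*p >= end)
        return FLX_ERR_TRUNCATED;
    *out = *(*p)++;
    return FLX_OK;
}

/* Bounds-checked FLI delta decoder for the assumed chunk layout.
 * dest is a width*height canvas of 1-byte pixels; data/data_len is the chunk
 * body. Every skip or run is checked against the current row and every read
 * against data_len before memory is touched. */
int flx_decode_delta_fli_checked(uint8_t *dest, size_t width, size_t height,
                                 const uint8_t *data, size_t data_len)
{
    const uint8_t *end = data + data_len;
    uint8_t packets, skip, count, x;
    size_t start_line, lines, line, col, n;
    int rc;

    if (dest == NULL || data == NULL || width == 0 || height == 0)
        return FLX_ERR_OOB;
    if (data_len < 4)
        return FLX_ERR_TRUNCATED;

    start_line = data[0] | ((size_t)data[1] << 8);
    lines      = data[2] | ((size_t)data[3] << 8);
    data += 4;

    /* The whole line range must fit the canvas; the original never checks this. */
    if (start_line >= height || lines > height - start_line)
        return FLX_ERR_OOB;

    for (line = start_line; line < start_line + lines; line++) {
        uint8_t *row = dest + width * line;
        col = 0;
        if ((rc = read_u8(&data, end, &packets)) != FLX_OK)
            return rc;
        while (packets--) {
            if ((rc = read_u8(&data, end, &skip)) != FLX_OK)
                return rc;
            if ((rc = read_u8(&data, end, &count)) != FLX_OK)
                return rc;
            if ((size_t)skip > width - col)        /* skip would leave the row */
                return FLX_ERR_OOB;
            col += skip;
            if (count > 0x7f) {
                /* Negative count: replicate the next byte (0x100 - count) times. */
                n = 0x100 - count;
                if ((rc = read_u8(&data, end, &x)) != FLX_OK)
                    return rc;
                if (n > width - col)
                    return FLX_ERR_OOB;
                memset(row + col, x, n);
            } else {
                /* Positive count: copy count literal pixels from the chunk. */
                n = count;
                if (n > width - col)
                    return FLX_ERR_OOB;
                if ((size_t)(end - data) < n)      /* chunk shorter than it claims */
                    return FLX_ERR_TRUNCATED;
                memcpy(row + col, data, n);
                data += n;
            }
            col += n;
        }
    }
    return FLX_OK;
}

/* Constructed 4x4 sample chunks; none of these come from a real file. */
#define DEMO_W 4
#define DEMO_H 4
static const uint8_t demo_literal[]   = {1,0, 1,0, 1, 1, 2, 0xAA,0xBB};      /* row 1: skip 1, copy 2 */
static const uint8_t demo_replicate[] = {0,0, 1,0, 1, 0, 0xFD, 0x5A};        /* row 0: 0x5A x3 */
static const uint8_t demo_oob[]       = {3,0, 1,0, 1, 3, 3, 0x11,0x22,0x33}; /* row 3: 3 bytes past col 3 */
static const uint8_t demo_truncated[] = {0,0, 1,0, 1, 0, 3, 0x01};           /* claims 3 bytes, has 1 */
static const uint8_t demo_bad_line[]  = {4,0, 1,0, 1, 0, 0};                 /* start_line beyond canvas */
static uint8_t demo_canvas[DEMO_W * DEMO_H];

/* Decode one sample chunk into a zeroed canvas and report the result code. */
int demo_decode(const uint8_t *chunk, size_t len)
{
    memset(demo_canvas, 0, sizeof demo_canvas);
    return flx_decode_delta_fli_checked(demo_canvas, DEMO_W, DEMO_H, chunk, len);
}

/* Pixel i (row-major) of the most recently decoded demo canvas. */
uint8_t demo_pixel(size_t i) { return i < sizeof demo_canvas ? demo_canvas[i] : 0; }

int main(void)
{
    printf("literal:   %d\n", demo_decode(demo_literal, sizeof demo_literal));
    printf("replicate: %d\n", demo_decode(demo_replicate, sizeof demo_replicate));
    printf("oob:       %d\n", demo_decode(demo_oob, sizeof demo_oob));
    printf("truncated: %d\n", demo_decode(demo_truncated, sizeof demo_truncated));
    printf("bad line:  %d\n", demo_decode(demo_bad_line, sizeof demo_bad_line));
    return 0;
}
```

The two checks that matter most against the paths described in the report are the line-range test before the loop and the per-run `n > width - col` test: the first stops a start_line or line count that points past the canvas, the second stops a skip plus count that would run off the end of a row, and the read helper closes the separate problem of a chunk that advertises more packet data than the file actually carries.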

Comment 1 Adam Mariš 2016-11-22 14:27:11 UTC
Created gstreamer-plugins-good tracking bugs for this issue:

Affects: fedora-all [bug 1397443]

Comment 2 Adam Mariš 2016-11-22 14:27:27 UTC
Created gstreamer1-plugins-good tracking bugs for this issue:

Affects: fedora-all [bug 1397442]

Comment 3 Dhiru Kholia 2016-11-23 08:08:57 UTC
Mitigation:

This mitigation is only required if vulnerable gstreamer-plugins-good and/or gstreamer1-plugins-good packages are installed.

For RHEL 7,

sudo rm /usr/lib*/gstreamer-1.0/libgstflxdec.so
sudo rm /usr/lib*/gstreamer-0.10/libgstflxdec.so

For RHEL 5 and RHEL 6,

sudo rm /usr/lib*/gstreamer-0.10/libgstflxdec.so

Please note that this mitigation deletes the vulnerable FLI/FLC/FLX animation demuxer file(s), which removes the functionality to play FLI/FLC/FLX animation files.

Comment 6 Dhiru Kholia 2016-11-23 13:25:07 UTC
Upstream Bug:

https://bugzilla.gnome.org/show_bug.cgi?id=774834

Comment 9 Adam Mariš 2016-11-24 13:23:19 UTC
CVE assignment:

http://seclists.org/oss-sec/2016/q4/517

Comment 16 Adam Mariš 2016-12-06 10:29:26 UTC
Created mingw-gstreamer1-plugins-good tracking bugs for this issue:

Affects: fedora-all [bug 1401875]

Comment 17 Adam Mariš 2016-12-06 10:29:45 UTC
Created mingw-gstreamer-plugins-good tracking bugs for this issue:

Affects: fedora-all [bug 1401876]

Comment 20 Dhiru Kholia 2016-12-21 06:27:48 UTC
CVE assignment (CVE-2016-9808):

http://seclists.org/oss-sec/2016/q4/589

CVE-2016-9808 was issued because of an incomplete fix for CVE-2016-9635.

Comment 22 errata-xmlrpc 2016-12-21 12:33:35 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2016:2975 https://rhn.redhat.com/errata/RHSA-2016-2975.html

Comment 23 errata-xmlrpc 2017-01-05 09:35:37 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2017:0019 https://rhn.redhat.com/errata/RHSA-2017-0019.html

Comment 24 errata-xmlrpc 2017-01-05 10:07:56 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2017:0020 https://rhn.redhat.com/errata/RHSA-2017-0020.html
