Bug#864664: CVE-2017-9122 CVE-2017-9123 CVE-2017-9124 CVE-2017-9125 CVE-2017-9126 CVE-2017-9127 CVE-2017-9128

Reinhard Tartler siretart at gmail.com
Fri Jun 30 21:02:09 UTC 2017


On Mon, Jun 12, 2017 at 12:06 PM Moritz Muehlenhoff <jmm at debian.org> wrote:

> Source: libquicktime
> Severity: grave
> Tags: security
>
> Please see:
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9122
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9123
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9124
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9125
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9126
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9127
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9128
>
>
I've just uploaded a patch that should fix this. See
https://anonscm.debian.org/cgit/pkg-multimedia/libquicktime.git/commit/?id=4728e38f2045d3d33be3d442a0ab9801990b4339

This is how I tested it:
reproducible with qtinfo:

vagrant@stretch:/tmp/42148$ ls -al
total 48
drwxr-xr-x  2 vagrant vagrant 4096 Jun  9 16:41 .
drwxrwxrwt 11 root    root    4096 Jun 30 20:27 ..
-rw-r--r--  1 vagrant vagrant 6148 Jun  7 09:00 .DS_Store
-rw-------  1 vagrant vagrant 1967 May 17 03:52 libquicktime_1.2.4_lqt_frame_duration_heap-buffer-overflow.mp4
-rw-------  1 vagrant vagrant 1987 May 17 03:11 libquicktime_1.2.4_lqt_frame_duration_invalid_memory_read.mp4
-rw-------  1 vagrant vagrant 6841 May 17 03:11 libquicktime_1.2.4_quicktime_match_32_NULL_pointer_dereference.mp4
-rw-------  1 vagrant vagrant 1338 May 17 07:13 libquicktime_1.2.4_quicktime_read_dref_table_heap-buffer-overflow.mp4
-rw-r--r--  1 vagrant vagrant 1259 Dec 16  2014 libquicktime_1.2.4_quicktime_read_moov_infinite_loop.mp4
-rw-------  1 vagrant vagrant 1294 May 17 02:42 libquicktime_1.2.4_quicktime_user_atoms_read_atom_heap-buffer-overflow.mp4
-rw-------  1 vagrant vagrant 1192 May 18 04:53 libquicktime_1.2.4_quicktime_video_width_heap-buffer-overflow.mp4
vagrant@stretch:/tmp/42148$ qtinfo  *.mp4
Type: MP4
  0 audio tracks.
  1 video tracks.
    48x144, depth 24
    rate 0.000369 [12:32541] not constant
    length 0 frames
    compressor avc1.
    Native colormodel:  Undefined
    Interlace mode:     None (Progressive)
    No timecodes available
    supported.
  0 text tracks.
Type: MP4
  0 audio tracks.
  1 video tracks.
Segmentation fault
vagrant@stretch:/tmp/42148$ qtinfo libquicktime_1.2.4_lqt_frame_duration_heap-buffer-overflow.mp4
Type: MP4
  0 audio tracks.
  1 video tracks.
    48x144, depth 24
    rate 0.000367 [12:32660] not constant
    length 0 frames
    compressor avc1.
    Native colormodel:  Undefined
    Interlace mode:     None (Progressive)
    No timecodes available
    supported.
  0 text tracks.
vagrant@stretch:/tmp/42148$ qtinfo libquicktime_1.2.4_lqt_frame_duration_invalid_memory_read.mp4
Type: MP4
  0 audio tracks.
  1 video tracks.
Segmentation fault
vagrant@stretch:/tmp/42148$ qtinfo libquicktime_1.2.4_quicktime_match_32_NULL_pointer_dereference.mp4
Segmentation fault
vagrant@stretch:/tmp/42148$ qtinfo libquicktime_1.2.4_quicktime_read_dref_table_heap-buffer-overflow.mp4
Segmentation fault
vagrant@stretch:/tmp/42148$ qtinfo libquicktime_1.2.4_quicktime_read_moov_infinite_loop.mp4
^C
<just hangs, I had to abort it>
vagrant@stretch:/tmp/42148$ qtinfo libquicktime_1.2.4_quicktime_user_atoms_read_atom_heap-buffer-overflow.mp4
[ffmpeg_video] Error: No avcC atom present, decoding is likely to fail
Type: MP4
  0 audio tracks.
  1 video tracks.
Segmentation fault
vagrant@stretch:/tmp/42148$ qtinfo libquicktime_1.2.4_quicktime_video_width_heap-buffer-overflow.mp4
[codecs] Warning: Could not find video Decoder for fourcc
[codecs] Warning: quicktime_decode_video_stub called
Type: MP4
  0 audio tracks.
  1 video tracks.
Segmentation fault


With the patch applied:

vagrant@stretch:/tmp/42148$ for i in *.mp4; do echo $i; qtinfo $i; echo ----; done
libquicktime_1.2.4_lqt_frame_duration_heap-buffer-overflow.mp4
[core] Error: Opening failed (unsupported filetype)
Couldn't open libquicktime_1.2.4_lqt_frame_duration_heap-buffer-overflow.mp4
----
libquicktime_1.2.4_lqt_frame_duration_invalid_memory_read.mp4
[core] Error: Opening failed (unsupported filetype)
Couldn't open libquicktime_1.2.4_lqt_frame_duration_invalid_memory_read.mp4
----
libquicktime_1.2.4_quicktime_match_32_NULL_pointer_dereference.mp4
[core] Error: Opening failed (unsupported filetype)
Couldn't open libquicktime_1.2.4_quicktime_match_32_NULL_pointer_dereference.mp4
----
libquicktime_1.2.4_quicktime_read_dref_table_heap-buffer-overflow.mp4
[core] Error: Opening failed (unsupported filetype)
Couldn't open libquicktime_1.2.4_quicktime_read_dref_table_heap-buffer-overflow.mp4
----
libquicktime_1.2.4_quicktime_read_moov_infinite_loop.mp4
[core] Error: Opening failed (unsupported filetype)
Couldn't open libquicktime_1.2.4_quicktime_read_moov_infinite_loop.mp4
----
libquicktime_1.2.4_quicktime_user_atoms_read_atom_heap-buffer-overflow.mp4
[core] Error: Opening failed (unsupported filetype)
Couldn't open libquicktime_1.2.4_quicktime_user_atoms_read_atom_heap-buffer-overflow.mp4
----
libquicktime_1.2.4_quicktime_video_width_heap-buffer-overflow.mp4
[core] Error: Opening failed (unsupported filetype)
Couldn't open libquicktime_1.2.4_quicktime_video_width_heap-buffer-overflow.mp4
----
vagrant@stretch:/tmp/42148$ qtinfo libquicktime_1.2.4_lqt_frame_duration_heap-buffer-overflow.mp4
[core] Error: Opening failed (unsupported filetype)
Couldn't open libquicktime_1.2.4_lqt_frame_duration_heap-buffer-overflow.mp4


Moritz, I guess this patch should also go into stable-security and possibly
oldstable security. Can you take it from here or how do we want to proceed?

Best,
Reinhard
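
Added example, not part of the original message or of the libquicktime packaging: a small regression harness for the manual test above that runs the tool on each reproducer under a time limit and records how it exited, so the segfaults and the hang are caught without watching the terminal. The names QTINFO, LIMIT and the three functions are assumptions of this sketch; it relies on timeout(1) from GNU coreutils.

```shell
#!/bin/sh
# Added example: classify how a parser exits on each reproducer file.
# QTINFO and LIMIT are assumed names; override them for your environment.
QTINFO="${QTINFO:-qtinfo}"   # tool under test (left unquoted below so it may carry arguments)
LIMIT="${LIMIT:-10}"         # seconds before a run counts as a hang

# classify_status STATUS: map a shell exit status to a verdict.
classify_status() {
    case "$1" in
        0)       echo "ok" ;;
        124)     echo "hang" ;;       # timeout(1) had to kill the run
        126|127) echo "not-run" ;;    # tool missing or not executable
        134)     echo "abort" ;;      # 128 + SIGABRT (6)
        139)     echo "segfault" ;;   # 128 + SIGSEGV (11)
        *)  if [ "$1" -gt 128 ]; then
                echo "signal-$(( $1 - 128 ))"
            else
                echo "rejected"       # clean non-zero exit, e.g. file refused
            fi ;;
    esac
}

# check_file FILE: run the tool on one file and print the verdict.
check_file() {
    status=0
    timeout "$LIMIT" $QTINFO "$1" >/dev/null 2>&1 || status=$?
    classify_status "$status"
}

# check_all FILE...: print "verdict file" per input; return 1 if any
# run crashed, hung or could not be started.
check_all() {
    bad=0
    for f in "$@"; do
        v=$(check_file "$f")
        printf '%-10s %s\n' "$v" "$f"
        case "$v" in ok|rejected) ;; *) bad=1 ;; esac
    done
    return "$bad"
}

if [ "$#" -gt 0 ]; then check_all "$@"; fi
```

Run as `sh triage.sh *.mp4` in the reproducer directory; a fixed build should report only `ok` or `rejected` and exit 0.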