libopenmpt: CVE-2017-11311

Debian Bug report logs - #867579
libopenmpt: CVE-2017-11311

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Jörn Heusipp <osmanx@problemloesungsmaschine.de>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: libopenmpt: Security updates libopenmpt-0.2.7386-beta20.3-p10 available

Date: Fri, 07 Jul 2017 16:41:52 +0200

Source: libopenmpt
Version: 0.2.7386~beta20.3-3
Severity: important
Tags: upstream

Dear Maintainer,


A couple of security-related fixes have been released upstream as
version 0.2.7386-beta20.3-p10. See
https://lib.openmpt.org/libopenmpt/md_announce-2017-07-07.html .

p10 fixes a heap buffer overflow which allows an attacker to write
arbitrary data to an arbitrarily choosen offset. It can be triggered
with a maliciously modified PSM file. This needs to be fixed ASAP via
a security update in Stretch. The bug happens due to 2 samples in a
PSM file using the same sample slot in libopenmpt, whereby the second
sample uses an invalid offset inside the file. That way, the second
sample did not re-allocate (via
sampleHeader.GetSampleFormat().ReadSample(Samples[smp], file); deeper
down the call chain in SampleIO.cpp:73) the sample buffer itself but
only set the sample size metadata
(sampleHeader.ConvertToMPT(Samples[smp]);, ultimately at
Load_psm.cpp:1054). Later, as a loading post-processing step,
Sndfile.cpp:411 calls PrecomputeLoops() which writes a couple of
samples before and after the actual sample data (the amount is
statically known (InterpolationMaxLookahead) and accounted for when
allocating the sample buffer). However, due to the sample buffer and
sample length mismatch caused by the bug, this can write extrapolated
sample data to an arbitary location offset from the first sample's
buffer (PrecomputeLoopsImpl<T>() in modsmp_ctrl.cpp:263).

p8 is an out-of-bounds read directly after a heap-allocated allocated
buffer. It is difficult to trigger in practice because std::vector
does grow its buffer exponentially.

p9 fixes another potential race condition due to the use of non
thread-safe <time.h> functions. As discussed previously in
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=864195#67 , this
again can at worst cause wrong data to be returned for date metadata
in libopenmpt. However, please note that the same, now rewritten code
path, could also trigger an assertion failure in glibc under memory
pressure (which probably is a glibc bug, see
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=867283 ), thereby
causing the application to crash.


-- System Information:
Debian Release: 9.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-3-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Message #10 received at 867579@bugs.debian.org (full text, mbox, reply):

From: Jörn Heusipp <osmanx@problemloesungsmaschine.de>

To: 867579@bugs.debian.org

Subject: Re: Bug#867579: Acknowledgement (libopenmpt: Security updates libopenmpt-0.2.7386-beta20.3-p10 available)

Date: Fri, 7 Jul 2017 16:51:35 +0200

tags -1 + security

Message #19 received at 867579@bugs.debian.org (full text, mbox, reply):

From: James Cowgill <jcowgill@debian.org>

To: Jörn Heusipp <osmanx@problemloesungsmaschine.de>

Cc: 867579@bugs.debian.org

Subject: Re: Bug#867579: libopenmpt: Security updates libopenmpt-0.2.7386-beta20.3-p10 available

Date: Fri, 14 Jul 2017 17:16:52 +0100

[Message part 1 (text/plain, inline)]

Control: severity -1 grave
Control: tags -1 fixed-upstream

Hi,

On 07/07/17 15:41, Jörn Heusipp wrote:
> Source: libopenmpt
> Version: 0.2.7386~beta20.3-3
> Severity: important
> Tags: upstream
> 
> Dear Maintainer,
> 
> A couple of security-related fixes have been released upstream as
> version 0.2.7386-beta20.3-p10. See
> https://lib.openmpt.org/libopenmpt/md_announce-2017-07-07.html .
> 
> p10 fixes a heap buffer overflow which allows an attacker to write
> arbitrary data to an arbitrarily choosen offset. It can be triggered
> with a maliciously modified PSM file. This needs to be fixed ASAP via
> a security update in Stretch. The bug happens due to 2 samples in a
> PSM file using the same sample slot in libopenmpt, whereby the second
> sample uses an invalid offset inside the file. That way, the second
> sample did not re-allocate (via
> sampleHeader.GetSampleFormat().ReadSample(Samples[smp], file); deeper
> down the call chain in SampleIO.cpp:73) the sample buffer itself but
> only set the sample size metadata
> (sampleHeader.ConvertToMPT(Samples[smp]);, ultimately at
> Load_psm.cpp:1054). Later, as a loading post-processing step,
> Sndfile.cpp:411 calls PrecomputeLoops() which writes a couple of
> samples before and after the actual sample data (the amount is
> statically known (InterpolationMaxLookahead) and accounted for when
> allocating the sample buffer). However, due to the sample buffer and
> sample length mismatch caused by the bug, this can write extrapolated
> sample data to an arbitary location offset from the first sample's
> buffer (PrecomputeLoopsImpl<T>() in modsmp_ctrl.cpp:263).

Firstly, sorry it's taken some time for me to get around to this. Since
this bug had the potential for remote code execution and looked pretty
serious, I requested a CVE number for it and it has been assigned
CVE-2017-11311.

> p8 is an out-of-bounds read directly after a heap-allocated allocated
> buffer. It is difficult to trigger in practice because std::vector
> does grow its buffer exponentially.

OK this should be fixed as well.

> p9 fixes another potential race condition due to the use of non
> thread-safe <time.h> functions. As discussed previously in
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=864195#67 , this
> again can at worst cause wrong data to be returned for date metadata
> in libopenmpt. However, please note that the same, now rewritten code
> path, could also trigger an assertion failure in glibc under memory
> pressure (which probably is a glibc bug, see
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=867283 ), thereby
> causing the application to crash.

Again, I'm not sure if it is worth fixing this in stretch - it modifies
quite a bit of code. The glibc bug is important, but I'm not sure it
should be worked around in libopenmpt. It's also mitigated by the fact
that on Linux, if you're suffering from memory pressure, something is
probably about to be killed by the OOM killer anyway.

Thanks,
James

[signature.asc (application/pgp-signature, attachment)]

Message #28 received at 867579-submitter@bugs.debian.org (full text, mbox, reply):

From: James Cowgill <jcowgill@debian.org>

To: 867579-submitter@bugs.debian.org

Subject: Bug#867579 marked as pending

Date: Fri, 14 Jul 2017 16:27:54 +0000

tag 867579 pending
thanks

Hello,

Bug #867579 reported by you has been fixed in the Git repository. You can
see the changelog below, and you can check the diff of the fix at:

    http://anonscm.debian.org/git/pkg-multimedia/libopenmpt.git/commit/?id=a364450

---
commit a3644504edd7d171b199abbd3c43925e88eeacdb
Author: James Cowgill <jcowgill@debian.org>
Date:   Fri Jul 14 17:23:26 2017 +0100

    Upload to unstable

diff --git a/debian/changelog b/debian/changelog
index cd6ba10..ff04a99 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+libopenmpt (0.2.8461~beta26-1) unstable; urgency=medium
+
+  * New upstream release.
+    - Fixes CVE-2017-11311: arbitrary code execution via a crafted PSM File.
+      (Closes: #867579)
+
+ -- James Cowgill <jcowgill@debian.org>  Fri, 14 Jul 2017 17:21:59 +0100
+
 libopenmpt (0.2.8414~beta25-1) unstable; urgency=medium
 
   * New upstream release.

Message #33 received at 867579-close@bugs.debian.org (full text, mbox, reply):

From: James Cowgill <jcowgill@debian.org>

To: 867579-close@bugs.debian.org

Subject: Bug#867579: fixed in libopenmpt 0.2.8461~beta26-1

Date: Fri, 14 Jul 2017 16:52:14 +0000

Source: libopenmpt
Source-Version: 0.2.8461~beta26-1

We believe that the bug you reported is fixed in the latest version of
libopenmpt, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 867579@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
James Cowgill <jcowgill@debian.org> (supplier of updated libopenmpt package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 14 Jul 2017 17:21:59 +0100
Source: libopenmpt
Binary: openmpt123 libopenmpt0 libopenmpt-dev libopenmpt-doc libopenmpt-modplug1 libopenmpt-modplug-dev
Architecture: source
Version: 0.2.8461~beta26-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>
Changed-By: James Cowgill <jcowgill@debian.org>
Description:
 libopenmpt-dev - module music library based on OpenMPT -- development files
 libopenmpt-doc - module music library based on OpenMPT -- documentation
 libopenmpt-modplug-dev - module music library based on OpenMPT -- modplug compat developme
 libopenmpt-modplug1 - module music library based on OpenMPT -- modplug compat library
 libopenmpt0 - module music library based on OpenMPT -- shared library
 openmpt123 - module music library based on OpenMPT -- music player
Closes: 867579
Changes:
 libopenmpt (0.2.8461~beta26-1) unstable; urgency=medium
 .
   * New upstream release.
     - Fixes CVE-2017-11311: arbitrary code execution via a crafted PSM File.
       (Closes: #867579)
Checksums-Sha1:
 5cba3761e2bf11186b6dc2088a03868fc787e3ee 2688 libopenmpt_0.2.8461~beta26-1.dsc
 89563cd0f6f75ce8c2907d3c7c2ce571c3926b67 1283401 libopenmpt_0.2.8461~beta26.orig.tar.gz
 d79abaf29d57d7fd3be21a48c15d41b7fceca197 11688 libopenmpt_0.2.8461~beta26-1.debian.tar.xz
 672e396f08b6fed437377cab419f2ae9b47e81b9 5533 libopenmpt_0.2.8461~beta26-1_source.buildinfo
Checksums-Sha256:
 ad9506ae8c79b8e70436adf47a046faf9e99318fddefd89f7495a7964056b51c 2688 libopenmpt_0.2.8461~beta26-1.dsc
 82aef84808472de88f372c4453733f37fa49b76098167f65c1d1091f03a078e6 1283401 libopenmpt_0.2.8461~beta26.orig.tar.gz
 968b98feddb19cbec20ff5e4891bfc1104b9a8eaaad29b300a745ef4883b426d 11688 libopenmpt_0.2.8461~beta26-1.debian.tar.xz
 b98ea54f3fcd425734680b30cccd6789196cd43992978334ee99036fb660459a 5533 libopenmpt_0.2.8461~beta26-1_source.buildinfo
Files:
 42e63f6199742647cb9a853af3190b84 2688 libs optional libopenmpt_0.2.8461~beta26-1.dsc
 29ac490b6444be3f123d95650811b17d 1283401 libs optional libopenmpt_0.2.8461~beta26.orig.tar.gz
 b2acf2558caa8fb448c4056303826acc 11688 libs optional libopenmpt_0.2.8461~beta26-1.debian.tar.xz
 5bb7358e89df8a0eef0b76229256ff00 5533 libs optional libopenmpt_0.2.8461~beta26-1_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQJIBAEBCgAyFiEE+Ixt5DaZ6POztUwQx/FnbeotAe8FAllo8CQUHGpjb3dnaWxs
QGRlYmlhbi5vcmcACgkQx/FnbeotAe/BGBAAs60VWqCn9+qkjGG+1Wc92RKqAJSM
ZPMAX7yv53B1UMabW1AP71paDEFJFhYMQSlnr9VJlh4+WQhaSJZpolcoRb5wabW2
kxeH4RK2apgyTLk3X2K8MEuubRmK/mCFvE9+n8YVtYgysntpXN5tCVpgAhdbVdw6
znPwIzxvSmlyRlr9Xng+OrDL1mlM96o9G4xxK6fiSA+XHBKE2jEJ8ap4XLdzHns5
0/63vynRDkLHOA82yDZPEQAhfVy9/HNUASSKisZCpptrNrwWbsYPiULdIbWyoZAH
yq82V17LqPaxiYf7PVkER2McUL8OpBYs8Vz840oNTUEEEVhzBI6zG5G+iR53pIrm
gBC8QV5PQ0Rg4gR1eVY489nUtvwte8NvnJfTJu1ckgxwDg/W1lLdXOwHjBRO1+JU
QnY/3tLasHreJTdF1jei5mHyI5tnqa+pD6ThQTdeNnngKJ6v8uahXP1kaniavDYw
o/y4Lo9DAI7h4/22IHpPYB0OpSNquODWY2lYY0oMQa3ro5bQpR709bWRWC6ZD4s0
GbPhd6pt+3i1Mvw5V5jMMARdqOS3gO3+dtM/boTDNnFtXR3ZZSYgbV4MaUDMhhsB
yfVMNs9xBMjISaCopnJE2mlgSDYetuF2/hs+8Yqm62KU8EZ51sGVT9XYdAMfpuqu
k/OWdxutSA+PyDc=
=z0VP
-----END PGP SIGNATURE-----

Message #38 received at 867579-submitter@bugs.debian.org (full text, mbox, reply):

From: James Cowgill <jcowgill@debian.org>

To: 867579-submitter@bugs.debian.org

Subject: Bug#867579 marked as pending

Date: Sat, 15 Jul 2017 21:55:30 +0000

tag 867579 pending
thanks

Hello,

Bug #867579 reported by you has been fixed in the Git repository. You can
see the changelog below, and you can check the diff of the fix at:

    http://anonscm.debian.org/git/pkg-multimedia/libopenmpt.git/commit/?id=d9d6089

---
commit d9d608980127f867775ed50c5ef774440a9b2f7a
Author: James Cowgill <jcowgill@debian.org>
Date:   Sat Jul 15 18:35:26 2017 +0100

    Upload to stretch

diff --git a/debian/changelog b/debian/changelog
index 6893f55..3e99a76 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,8 +1,10 @@
-libopenmpt (0.2.7386~beta20.3-3+deb9u2) UNRELEASED; urgency=medium
+libopenmpt (0.2.7386~beta20.3-3+deb9u2) stretch; urgency=medium
 
-  *
+  * Add security patches (Closes: #867579).
+    - up8: Out-of-bounds read while loading a malfomed PLM file.
+    - up10: CVE-2017-11311: Arbitrary code execution by a crafted PSM file.
 
- -- James Cowgill <jcowgill@debian.org>  Sat, 15 Jul 2017 16:13:13 +0100
+ -- James Cowgill <jcowgill@debian.org>  Sat, 15 Jul 2017 18:33:57 +0100
 
 libopenmpt (0.2.7386~beta20.3-3+deb9u1) stretch; urgency=medium
 

Message #43 received at 867579-close@bugs.debian.org (full text, mbox, reply):

From: James Cowgill <jcowgill@debian.org>

To: 867579-close@bugs.debian.org

Subject: Bug#867579: fixed in libopenmpt 0.2.7386~beta20.3-3+deb9u2

Date: Sun, 16 Jul 2017 12:17:08 +0000

Source: libopenmpt
Source-Version: 0.2.7386~beta20.3-3+deb9u2

We believe that the bug you reported is fixed in the latest version of
libopenmpt, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 867579@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
James Cowgill <jcowgill@debian.org> (supplier of updated libopenmpt package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 15 Jul 2017 18:33:57 +0100
Source: libopenmpt
Binary: openmpt123 libopenmpt0 libopenmpt-dev libopenmpt-doc libopenmpt-modplug1 libopenmpt-modplug-dev
Architecture: source
Version: 0.2.7386~beta20.3-3+deb9u2
Distribution: stretch
Urgency: medium
Maintainer: Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>
Changed-By: James Cowgill <jcowgill@debian.org>
Description:
 libopenmpt-dev - module music library based on OpenMPT -- development files
 libopenmpt-doc - module music library based on OpenMPT -- documentation
 libopenmpt-modplug-dev - module music library based on OpenMPT -- modplug compat developme
 libopenmpt-modplug1 - module music library based on OpenMPT -- modplug compat library
 libopenmpt0 - module music library based on OpenMPT -- shared library
 openmpt123 - module music library based on OpenMPT -- music player
Closes: 867579
Changes:
 libopenmpt (0.2.7386~beta20.3-3+deb9u2) stretch; urgency=medium
 .
   * Add security patches (Closes: #867579).
     - up8: Out-of-bounds read while loading a malfomed PLM file.
     - up10: CVE-2017-11311: Arbitrary code execution by a crafted PSM file.
Checksums-Sha1:
 1ae2a6b831007c4ad1b3797766ebf491c66e5497 2721 libopenmpt_0.2.7386~beta20.3-3+deb9u2.dsc
 702ac4b948eac1893ee42bdea4adf846ce759581 15224 libopenmpt_0.2.7386~beta20.3-3+deb9u2.debian.tar.xz
 b72d2c7f60ab2006aeb2caf27ed8b3bbc3d8eae2 7824 libopenmpt_0.2.7386~beta20.3-3+deb9u2_source.buildinfo
Checksums-Sha256:
 093256d212de75fc608b1ab83d83b3a2cf2e5fb169a4f2318db4cf69176c09c3 2721 libopenmpt_0.2.7386~beta20.3-3+deb9u2.dsc
 34baba5847acaef01b3c25143e3bf3a4f4e83aa6a2ad4cd4f34faadef94af58c 15224 libopenmpt_0.2.7386~beta20.3-3+deb9u2.debian.tar.xz
 a8843454132e3781a2b55d1a8c1770d3ad06095c5e4087f49de5893c911a1f6b 7824 libopenmpt_0.2.7386~beta20.3-3+deb9u2_source.buildinfo
Files:
 9580b25a4c0657809baabe826aa9bab5 2721 libs optional libopenmpt_0.2.7386~beta20.3-3+deb9u2.dsc
 b0d3445c04833100e9f706e434d467eb 15224 libs optional libopenmpt_0.2.7386~beta20.3-3+deb9u2.debian.tar.xz
 a79b0a456f73330b58e773716bcf3e3d 7824 libs optional libopenmpt_0.2.7386~beta20.3-3+deb9u2_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQJIBAEBCgAyFiEE+Ixt5DaZ6POztUwQx/FnbeotAe8FAllqjxsUHGpjb3dnaWxs
QGRlYmlhbi5vcmcACgkQx/FnbeotAe/K4Q/+MVg4kbtTfst5F2esc1gtGbGr0iGW
VwpYhXK1y4IoWHtDZFStT3nMyH+8v7YeD2yg4B16ShhHnuyZtLzR7qORvMvM1Rxd
pFlEMpo6/t4zDEewbmjuaNUjfF7pxeU0+33H8apPO1GJeT1o16P8qFBI54Wj0T5i
Zp0541uP4ZczxdDEyBpUsAgAw9Sth6rSYDDC0qAu8mdYvmbQ8CxJ4Mz4PqqUt4Eg
QqxVST8P73Zqbo1XzHR/pIZ38K7tdHY29WDbxUXg/LsPcIgUbRYvZOCTjry3JSta
dM+NFvNIMHejTokFnGD7hii/tpDy9iZt5LAFBj/wN19WeIpRIvfZ2hSvAGts74aD
R+JM4Z2MTaHYvpXzh96Y0UpxAfW7QbHrBVi5xI9ebl+Q6r2ZzNJK0zzFtbIQgy+s
0jdc/knAr//I1UKRzdUiqGJ46tptCKFTTM91yzD6V2MyP+b8f8I1uBksIoNbUums
5vezAbIxFi7gwm3h4Fv1X/GVsUHyxCr6SJEBlBdr5g2etaahGrt42aDqi/crYCed
NSBqYyfaMRgBpuUu5JmiF4fnSDqt1f7/Zlm/eCa4tt/Urqx85+BLUqB+rHmZtuGj
7a3t7BGViF108xLmY2KaTDewqcLgoFdIXbnbkxN0ntqXBBeeK5U6zYgMtm2QRr07
KzHTyRv3Q1N5OcA=
=TZXL
-----END PGP SIGNATURE-----

Send a report that this bug log contains spam.