Debian Bug report logs -
#864664
CVE-2017-9122 CVE-2017-9123 CVE-2017-9124 CVE-2017-9125 CVE-2017-9126 CVE-2017-9127 CVE-2017-9128
Reported by: Moritz Muehlenhoff <jmm@debian.org>
Date: Mon, 12 Jun 2017 16:06:01 UTC
Severity: grave
Tags: security, upstream
Found in version libquicktime/2:1.2.4-7
Fixed in versions libquicktime/2:1.2.4-11, libquicktime/2:1.2.4-10+deb9u1
Done: Moritz Mühlenhoff <jmm@debian.org>
Bug is archived. No further changes may be made.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>:
Bug#864664; Package src:libquicktime.
(Mon, 12 Jun 2017 16:06:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Moritz Muehlenhoff <jmm@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>.
(Mon, 12 Jun 2017 16:06:04 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Source: libquicktime
Severity: grave
Tags: security
Please see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9122
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9123
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9124
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9125
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9126
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9127
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9128
Cheers,
Moritz
Marked as found in versions libquicktime/2:1.2.4-7.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Mon, 12 Jun 2017 16:15:10 GMT) (full text, mbox, link).
Added tag(s) upstream.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Mon, 12 Jun 2017 16:15:12 GMT) (full text, mbox, link).
Added tag(s) pending.
Request was from Reinhard Tartler <siretart@tauware.de>
to control@bugs.debian.org.
(Fri, 30 Jun 2017 21:00:03 GMT) (full text, mbox, link).
Message sent on
to Moritz Muehlenhoff <jmm@debian.org>:
Bug#864664.
(Fri, 30 Jun 2017 21:00:05 GMT) (full text, mbox, link).
Message #14 received at 864664-submitter@bugs.debian.org (full text, mbox, reply):
tag 864664 pending
thanks
Hello,
Bug #864664 reported by you has been fixed in the Git repository. You can
see the changelog below, and you can check the diff of the fix at:
http://anonscm.debian.org/git/pkg-multimedia/libquicktime.git/commit/?id=4728e38
---
commit 4728e38f2045d3d33be3d442a0ab9801990b4339
Author: Reinhard Tartler <siretart@tauware.de>
Date: Fri Jun 30 16:18:03 2017 -0400
add security patches
diff --git a/debian/changelog b/debian/changelog
index 9a25361..4472aab 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,16 @@
+libquicktime (2:1.2.4-11) unstable; urgency=medium
+
+ * Cherry pick security patches from upstream (Closes: #864664)
+ - CVE-2017-9122
+ - CVE-2017-9123
+ - CVE-2017-9124
+ - CVE-2017-9125
+ - CVE-2017-9126
+ - CVE-2017-9127
+ - CVE-2017-9128
+
+ -- Reinhard Tartler <siretart@tauware.de> Fri, 30 Jun 2017 16:16:24 -0400
+
libquicktime (2:1.2.4-10) unstable; urgency=medium
* Fix integer overflow in the quicktime_read_pascal function (CVE-2016-2399)
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>:
Bug#864664; Package src:libquicktime.
(Fri, 30 Jun 2017 21:06:02 GMT) (full text, mbox, link).
Acknowledgement sent
to Reinhard Tartler <siretart@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>.
(Fri, 30 Jun 2017 21:06:02 GMT) (full text, mbox, link).
Message #19 received at 864664@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
On Mon, Jun 12, 2017 at 12:06 PM Moritz Muehlenhoff <jmm@debian.org> wrote:
> Source: libquicktime
> Severity: grave
> Tags: security
>
> Please see:
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9122
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9123
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9124
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9125
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9126
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9127
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9128
>
>
I've just uploaded a patch that should fix this. See
https://anonscm.debian.org/cgit/pkg-multimedia/libquicktime.git/commit/?id=4728e38f2045d3d33be3d442a0ab9801990b4339
This is how I tested it:
reproducible with qtinfo:
vagrant@stretch:/tmp/42148$ ls -al
total 48
drwxr-xr-x 2 vagrant vagrant 4096 Jun 9 16:41 .
drwxrwxrwt 11 root root 4096 Jun 30 20:27 ..
-rw-r--r-- 1 vagrant vagrant 6148 Jun 7 09:00 .DS_Store
-rw------- 1 vagrant vagrant 1967 May 17 03:52
libquicktime_1.2.4_lqt_frame_duration_heap-buffer-overflow.mp4
-rw------- 1 vagrant vagrant 1987 May 17 03:11
libquicktime_1.2.4_lqt_frame_duration_invalid_memory_read.mp4
-rw------- 1 vagrant vagrant 6841 May 17 03:11
libquicktime_1.2.4_quicktime_match_32_NULL_pointer_dereference.mp4
-rw------- 1 vagrant vagrant 1338 May 17 07:13
libquicktime_1.2.4_quicktime_read_dref_table_heap-buffer-overflow.mp4
-rw-r--r-- 1 vagrant vagrant 1259 Dec 16 2014
libquicktime_1.2.4_quicktime_read_moov_infinite_loop.mp4
-rw------- 1 vagrant vagrant 1294 May 17 02:42
libquicktime_1.2.4_quicktime_user_atoms_read_atom_heap-buffer-overflow.mp4
-rw------- 1 vagrant vagrant 1192 May 18 04:53
libquicktime_1.2.4_quicktime_video_width_heap-buffer-overflow.mp4
vagrant@stretch:/tmp/42148$ qtinfo *.mp4
Type: MP4
0 audio tracks.
1 video tracks.
48x144, depth 24
rate 0.000369 [12:32541] not constant
length 0 frames
compressor avc1.
Native colormodel: Undefined
Interlace mode: None (Progressive)
No timecodes available
supported.
0 text tracks.
Type: MP4
0 audio tracks.
1 video tracks.
Segmentation fault
vagrant@stretch:/tmp/42148$ qtinfo
libquicktime_1.2.4_lqt_frame_duration_heap-buffer-overflow.mp4
Type: MP4
0 audio tracks.
1 video tracks.
48x144, depth 24
rate 0.000367 [12:32660] not constant
length 0 frames
compressor avc1.
Native colormodel: Undefined
Interlace mode: None (Progressive)
No timecodes available
supported.
0 text tracks.
vagrant@stretch:/tmp/42148$ qtinfo
libquicktime_1.2.4_lqt_frame_duration_invalid_memory_read.mp4
Type: MP4
0 audio tracks.
1 video tracks.
Segmentation fault
vagrant@stretch:/tmp/42148$ qtinfo
libquicktime_1.2.4_quicktime_match_32_NULL_pointer_dereference.mp4
Segmentation fault
vagrant@stretch:/tmp/42148$ qtinfo
libquicktime_1.2.4_quicktime_read_dref_table_heap-buffer-overflow.mp4
Segmentation fault
vagrant@stretch:/tmp/42148$ qtinfo
libquicktime_1.2.4_quicktime_read_moov_infinite_loop.mp4
^C
<just hangs, I had to abort it>
vagrant@stretch:/tmp/42148$ qtinfo
libquicktime_1.2.4_quicktime_user_atoms_read_atom_heap-buffer-overflow.mp4
[ffmpeg_video] Error: No avcC atom present, decoding is likely to fail
Type: MP4
0 audio tracks.
1 video tracks.
Segmentation fault
vagrant@stretch:/tmp/42148$ qtinfo
libquicktime_1.2.4_quicktime_video_width_heap-buffer-overflow.mp4
[codecs] Warning: Could not find video Decoder for fourcc
[codecs] Warning: quicktime_decode_video_stub called
Type: MP4
0 audio tracks.
1 video tracks.
Segmentation fault
With the patch applied:
vagrant@stretch:/tmp/42148$ for i in *.mp4; do echo $i; qtinfo $i; echo
----; done
libquicktime_1.2.4_lqt_frame_duration_heap-buffer-overflow.mp4
[core] Error: Opening failed (unsupported filetype)
Couldn't open libquicktime_1.2.4_lqt_frame_duration_heap-buffer-overflow.mp4
----
libquicktime_1.2.4_lqt_frame_duration_invalid_memory_read.mp4
[core] Error: Opening failed (unsupported filetype)
Couldn't open libquicktime_1.2.4_lqt_frame_duration_invalid_memory_read.mp4
----
libquicktime_1.2.4_quicktime_match_32_NULL_pointer_dereference.mp4
[core] Error: Opening failed (unsupported filetype)
Couldn't open
libquicktime_1.2.4_quicktime_match_32_NULL_pointer_dereference.mp4
----
libquicktime_1.2.4_quicktime_read_dref_table_heap-buffer-overflow.mp4
[core] Error: Opening failed (unsupported filetype)
Couldn't open
libquicktime_1.2.4_quicktime_read_dref_table_heap-buffer-overflow.mp4
----
libquicktime_1.2.4_quicktime_read_moov_infinite_loop.mp4
[core] Error: Opening failed (unsupported filetype)
Couldn't open libquicktime_1.2.4_quicktime_read_moov_infinite_loop.mp4
----
libquicktime_1.2.4_quicktime_user_atoms_read_atom_heap-buffer-overflow.mp4
[core] Error: Opening failed (unsupported filetype)
Couldn't open
libquicktime_1.2.4_quicktime_user_atoms_read_atom_heap-buffer-overflow.mp4
----
libquicktime_1.2.4_quicktime_video_width_heap-buffer-overflow.mp4
[core] Error: Opening failed (unsupported filetype)
Couldn't open
libquicktime_1.2.4_quicktime_video_width_heap-buffer-overflow.mp4
----
vagrant@stretch:/tmp/42148$ qtinfo
libquicktime_1.2.4_lqt_frame_duration_heap-buffer-overflow.mp4
[core] Error: Opening failed (unsupported filetype)
Couldn't open libquicktime_1.2.4_lqt_frame_duration_heap-buffer-overflow.mp4
Moritz, I guess this patch should also go into stable-security and possibly
oldstable security. Can you take it from here or how do we want to proceed?
Best,
Reinhard
[Message part 2 (text/html, inline)]
Reply sent
to Reinhard Tartler <siretart@tauware.de>:
You have taken responsibility.
(Fri, 30 Jun 2017 21:24:03 GMT) (full text, mbox, link).
Notification sent
to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer.
(Fri, 30 Jun 2017 21:24:03 GMT) (full text, mbox, link).
Message #24 received at 864664-close@bugs.debian.org (full text, mbox, reply):
Source: libquicktime
Source-Version: 2:1.2.4-11
We believe that the bug you reported is fixed in the latest version of
libquicktime, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 864664@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Reinhard Tartler <siretart@tauware.de> (supplier of updated libquicktime package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Fri, 30 Jun 2017 16:16:24 -0400
Source: libquicktime
Binary: libquicktime2 libquicktime-dev libquicktime-doc quicktime-utils quicktime-x11utils
Architecture: source
Version: 2:1.2.4-11
Distribution: unstable
Urgency: medium
Maintainer: Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>
Changed-By: Reinhard Tartler <siretart@tauware.de>
Description:
libquicktime-dev - library for reading and writing Quicktime files (development)
libquicktime-doc - library for reading and writing Quicktime files (documentation)
libquicktime2 - library for reading and writing Quicktime files
quicktime-utils - library for reading and writing Quicktime files (utilities)
quicktime-x11utils - library for reading and writing Quicktime files (x11 utilities)
Closes: 864664
Changes:
libquicktime (2:1.2.4-11) unstable; urgency=medium
.
* Cherry pick security patches from upstream (Closes: #864664)
- CVE-2017-9122
- CVE-2017-9123
- CVE-2017-9124
- CVE-2017-9125
- CVE-2017-9126
- CVE-2017-9127
- CVE-2017-9128
Checksums-Sha1:
1e595a94c749f00b82fa6fe9d7638f5a83432012 2700 libquicktime_1.2.4-11.dsc
34e65a46e47c5e55be8cc776f36c6e7b8c226844 22644 libquicktime_1.2.4-11.debian.tar.xz
Checksums-Sha256:
c62105c754253b0eb232f7e8a726a44ed3b9b0b401987d2a7c1f178e76eb1cde 2700 libquicktime_1.2.4-11.dsc
3f655fdab37fcad2d2e7d20672ff8bad6eec64a9d5a7dc702c79082346ba878b 22644 libquicktime_1.2.4-11.debian.tar.xz
Files:
f3f8179f9d66914f243e49a02b84b326 2700 devel optional libquicktime_1.2.4-11.dsc
f202c9df441e3305ecbc4d07efcd67ac 22644 devel optional libquicktime_1.2.4-11.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCAAdFiEE6n5rckvJ+/LRcetya3IL6cXPbZ4FAllWuzAACgkQa3IL6cXP
bZ7KlQ/9EdBa/wdBIRFlysafv6CoFyl5MTSS0e6VVyHqUcgyClbkSUs6BIenAuav
WblABB8x6FrdfvfD9oXMEON9zfNYiM27a9izmEbLmNDCZ/K7nx6kqi7v9qc3x3gr
IVIOWGqg/GZ1hiurbtAEfA0n1XV1o868i7FQ3hNYbAVxR1AGXfqYiqQ6xvTkzcd5
s6KVqlGAGtzZO7dbDXa2k6N2p+oNRG6A+3HT2BbkgvKJjG2U6xWi/Z3GJ+TVP5GF
AmyWNAJu/adBu0hRzVy7lQmVEX7TENJVA6ZOVcdZISfv6W//o4L9XiCSzcoIwAYl
YXi3EbdpUoZnVw7HukiO2Za+GvyMrWgYBoVFrXEuEAwi75BVsgY+lN/i+OS3VH5B
P7QAkJo9qdhE4HuRc7oPa2hZuKDhooLGuEvZCFLzExt9slhDpOG8PU5hvpm50Ie7
uofyaBwrFVoDSEOCKAHnBhrQs3xJGpuH7ZKuGLbddkR2NSE7HbSwssCNXHQGoDNE
CN0pT3Iz1aIhjRUspADkpfeBSmlhwWahXuCD0fdZPzeh4KGkOj7Q+Xvt+U5RlkRQ
dlpl0XXeASW3C+mmwEcq0PxSKer6Ue6UNHFzatvGdKwOnqjwlM+4LUDNP38oA0AW
mDi7YsW3d7vD2uTilVSD0ToON7W5jdlk8C14WKWRcn5HW1cfgzc=
=nwnw
-----END PGP SIGNATURE-----
Reply sent
to Moritz Mühlenhoff <jmm@debian.org>:
You have taken responsibility.
(Sun, 16 Jul 2017 21:21:06 GMT) (full text, mbox, link).
Notification sent
to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer.
(Sun, 16 Jul 2017 21:21:07 GMT) (full text, mbox, link).
Message #29 received at 864664-close@bugs.debian.org (full text, mbox, reply):
Source: libquicktime
Source-Version: 2:1.2.4-10+deb9u1
We believe that the bug you reported is fixed in the latest version of
libquicktime, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 864664@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Moritz Mühlenhoff <jmm@debian.org> (supplier of updated libquicktime package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Thu, 13 Jul 2017 20:29:10 +0200
Source: libquicktime
Binary: libquicktime2 libquicktime-dev libquicktime-doc quicktime-utils quicktime-x11utils
Architecture: source
Version: 2:1.2.4-10+deb9u1
Distribution: stretch
Urgency: medium
Maintainer: Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>
Changed-By: Moritz Mühlenhoff <jmm@debian.org>
Closes: 864664
Description:
libquicktime-dev - library for reading and writing Quicktime files (development)
libquicktime-doc - library for reading and writing Quicktime files (documentation)
libquicktime2 - library for reading and writing Quicktime files
quicktime-utils - library for reading and writing Quicktime files (utilities)
quicktime-x11utils - library for reading and writing Quicktime files (x11 utilities)
Changes:
libquicktime (2:1.2.4-10+deb9u1) stretch; urgency=medium
.
* Fix CVE-2017-9122 to CVE-2017-9128, patch from 1.2.4-11 in unstable
(Closes: #864664)
Checksums-Sha1:
bb517402940d37b91e6e102e3a5a928524d38a32 2883 libquicktime_1.2.4-10+deb9u1.dsc
ceae5ac2b461037679f5cd389a09a557b1da9db7 22456 libquicktime_1.2.4-10+deb9u1.debian.tar.xz
Checksums-Sha256:
42646521721a56906f8360a4f9ade4de647049069e641be8ca31b33d665e0fe8 2883 libquicktime_1.2.4-10+deb9u1.dsc
f2508b02ae26aaf6f147374c31b3f23e3557c0e94fbd17553af393e634c3ef71 22456 libquicktime_1.2.4-10+deb9u1.debian.tar.xz
Files:
bba6a44311d4a7bfde18c25720812614 2883 devel optional libquicktime_1.2.4-10+deb9u1.dsc
817e72bd9ba5e42068d20993d2232aff 22456 devel optional libquicktime_1.2.4-10+deb9u1.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
iQKmBAEBCgCQFiEERkRAmAjBceBVMd3uBUy48xNDz0QFAllrur1fFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQSHGNhcm5pbEBk
ZWJpYW4ub3JnAAoJEAVMuPMTQ89E8n0P/R7WAzV6BNkHmT4yI41vrMhZz/T1jdzn
RE+FTWpWnUtf2ZPtm8R2S5lDbOltfM4QLXB/IrVrbx2r1Sn4Iz0tII/jGpGQqYUt
LGigDUEDJ9SbhbZO6/vw/aBPHrI/bQrCifKZESGLJ71jJipH6XT09HXdyy10N/NQ
k2X9xzh49lrsStIXOGIBI0q+ntlk4U7IaDuHFYcJ7WqqHIbZT6vaB/2kTeguSBXv
0/+4SVCvJKMoF8pK2dNgwZPR3dGpwsraLdsuD9ooMekbYukrn1NghDpA7FDLPm+t
36pWEB2oJbaIyy3XEoFVRvoEul2G2O+L5fRqZSmd8JcTJGV3eJ5CAu7xdk/uoQyO
gxMctE0Qp88hY/8etaqtGVDOnaJZM4H8OMKCs1nafXiD30pu0uw0E6n7qJyuoKXU
atiur4ZN6hNa5YAUbT+vloFNaYd1GmSTSbyPV80zoB3sYe+426fiuEyOcER4eFhh
JIaA4XiFu9S5VUjVRVRA52Be+7eXxPCzWuAJc3UbnBrj5K/zTVWu6hnTDpeI9Uz+
VLw1F4ZWSf+ghCzvHghVp2P40kbIp5yK10Dg5JGjfzww7Li0l2WEQ1lLpvvMI5Z0
Y1CmUqa7ggf6ogPdJ7fbzSf7yqLm7B8DfeCVtz0nijh4311CElAgL0IUCLJ9+AJx
3FrBG2qmvvMb
=etDp
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Mon, 14 Aug 2017 07:26:53 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 13:24:37 2019;
Machine Name:
beach
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon