Bug 1044002 - (CVE-2017-9127) VUL-1: CVE-2017-9127: libquicktime: heap-based buffer overflow in quicktime_user_atoms_read_atom via a crafted mp4 file
(CVE-2017-9127)
VUL-1: CVE-2017-9127: libquicktime: heap-based buffer overflow in quicktime_u...
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P4 - Low : Minor
: ---
Assigned To: Security Team bot
Security Team bot
https://smash.suse.de/issue/186618/
CVSSv2:SUSE:CVE-2017-9127:2.6:(AV:N/A...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2017-06-13 06:55 UTC by Johannes Segitz
Modified: 2017-10-26 07:33 UTC (History)
3 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
reproducer (1.26 KB, video/mp4)
2017-06-13 06:55 UTC, Johannes Segitz
Details

Note You need to log in before you can comment on or make changes to this bug.
Description Johannes Segitz 2017-06-13 06:55:49 UTC
Created attachment 728732 [details]
reproducer

CVE-2017-9127

The quicktime_user_atoms_read_atom function in useratoms.c in libquicktime 1.2.4
allows remote attackers to cause a denial of service (heap-based buffer overflow
and application crash) via a crafted mp4 file.

lqtplay libquicktime_1.2.4_quicktime_user_atoms_read_atom_heap-buffer-overflow.mp4
(lqtplay from leap 42.2, libraries von SLE 12 SP2)

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-9127
http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-9127.html
http://www.cvedetails.com/cve/CVE-2017-9127/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9127
Comment 1 Alexander Bergmann 2017-06-13 15:31:34 UTC
Reproducer:
1. Xvfb &
2. DISPLAY=:0 lqtplay \
   libquicktime_1.2.4_quicktime_user_atoms_read_atom_heap-buffer-overflow.mp4 
[codecs] Warning: Could not find video Decoder for fourcc avc1
[codecs] Warning: quicktime_decode_video_stub called
INFO: playing libquicktime_1.2.4_quicktime_user_atoms_read_atom_heap-buffer-overflow.mp4
Type: MP4
  0 audio tracks.
  1 video tracks.
Segmentation fault (core dumped)
Comment 2 Kristyna Streitova 2017-06-27 20:42:18 UTC
It seems that upstream won't release the fixed version of libquicktime officially [1] but they kindly provided patches when I asked them:

Patches:
http://libquicktime.cvs.sourceforge.net/viewvc/libquicktime/libquicktime/src/atom.c?r1=1.24&r2=1.25
http://libquicktime.cvs.sourceforge.net/viewvc/libquicktime/libquicktime/src/lqt_quicktime.c?r1=1.167&r2=1.168
http://libquicktime.cvs.sourceforge.net/viewvc/libquicktime/libquicktime/src/moov.c?r1=1.30&r2=1.31
http://libquicktime.cvs.sourceforge.net/viewvc/libquicktime/libquicktime/src/trak.c?r1=1.59&r2=1.60

The patches above were merged to the libquicktime-<version>-multiple_vulnerabilities.patch that fixes all issues from CVE-2017-9122 to CVE-2017-9128.


|     Codestream     |     Version      | Request  |
|--------------------|------------------|----------|
| SLE-11:Update      | 1.0.3            |  #134996 |
| SLE-12:Update      | 1.2.4            |  #134995 |
| openSUSE:Leap:42.2 | 1.2.4cvs20150223 |  #506565 |
| multimedia:libs    | 1.2.4cvs20150223 |  #506564 |



Everything is done here. I'm reassigning it back to the security-team.

[1] https://sourceforge.net/p/libquicktime/mailman/message/35909032/
Comment 3 Bernhard Wiedemann 2017-06-27 22:00:47 UTC
This is an autogenerated message for OBS integration:
This bug (1044002) was mentioned in
https://build.opensuse.org/request/show/506565 42.2 / libquicktime
Comment 5 Swamp Workflow Management 2017-07-04 19:10:26 UTC
SUSE-SU-2017:1769-1: An update that fixes 7 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1044000,1044002,1044006,1044008,1044009,1044077,1044122
CVE References: CVE-2017-9122,CVE-2017-9123,CVE-2017-9124,CVE-2017-9125,CVE-2017-9126,CVE-2017-9127,CVE-2017-9128
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    libquicktime-1.2.4-13.1
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src):    libquicktime-1.2.4-13.1
SUSE Linux Enterprise Server 12-SP2 (src):    libquicktime-1.2.4-13.1
SUSE Linux Enterprise Desktop 12-SP2 (src):    libquicktime-1.2.4-13.1
Comment 6 Swamp Workflow Management 2017-07-06 22:12:52 UTC
openSUSE-SU-2017:1806-1: An update that fixes 7 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1044000,1044002,1044006,1044008,1044009,1044077,1044122
CVE References: CVE-2017-9122,CVE-2017-9123,CVE-2017-9124,CVE-2017-9125,CVE-2017-9126,CVE-2017-9127,CVE-2017-9128
Sources used:
openSUSE Leap 42.2 (src):    libquicktime-1.2.4cvs20150223-8.3.1
Comment 7 Swamp Workflow Management 2017-07-28 13:08:25 UTC
SUSE-SU-2017:1988-1: An update that fixes 8 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1022805,1044000,1044002,1044006,1044008,1044009,1044077,1044122
CVE References: CVE-2016-2399,CVE-2017-9122,CVE-2017-9123,CVE-2017-9124,CVE-2017-9125,CVE-2017-9126,CVE-2017-9127,CVE-2017-9128
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    libquicktime-1.0.3-6.5.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    libquicktime-1.0.3-6.5.1
Comment 8 Marcus Meissner 2017-10-26 07:33:56 UTC
released