Bugzilla – Bug 1044006
VUL-1: CVE-2017-9126: libquicktime: heap-based buffer overflow in quicktime_read_dref_table via a crafted mp4 file
Last modified: 2017-10-26 07:34:06 UTC
Created attachment 728736
reproducer

CVE-2017-9126

The quicktime_read_dref_table function in dref.c in libquicktime 1.2.4 allows remote attackers to cause a denial of service (heap-based buffer overflow and application crash) via a crafted mp4 file.

Reproducer:
lqtplay libquicktime_1.2.4_quicktime_read_dref_table_heap-buffer-overflow.mp4
(lqtplay from Leap 42.2, libraries from SLE 12 SP2)

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-9126
http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-9126.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9126
Reproducer:
1. Xvfb &
2. DISPLAY=:0 lqtplay \
   libquicktime_1.2.4_quicktime_read_dref_table_heap-buffer-overflow.mp4
Segmentation fault (core dumped)
It seems that upstream won't release the fixed version of libquicktime officially [1] but they kindly provided patches when I asked them:

Patches:
http://libquicktime.cvs.sourceforge.net/viewvc/libquicktime/libquicktime/src/atom.c?r1=1.24&r2=1.25
http://libquicktime.cvs.sourceforge.net/viewvc/libquicktime/libquicktime/src/lqt_quicktime.c?r1=1.167&r2=1.168
http://libquicktime.cvs.sourceforge.net/viewvc/libquicktime/libquicktime/src/moov.c?r1=1.30&r2=1.31
http://libquicktime.cvs.sourceforge.net/viewvc/libquicktime/libquicktime/src/trak.c?r1=1.59&r2=1.60

The patches above were merged to the libquicktime-<version>-multiple_vulnerabilities.patch that fixes all issues from CVE-2017-9122 to CVE-2017-9128.

| Codestream         | Version          | Request  |
|--------------------|------------------|----------|
| SLE-11:Update      | 1.0.3            | #134996  |
| SLE-12:Update      | 1.2.4            | #134995  |
| openSUSE:Leap:42.2 | 1.2.4cvs20150223 | #506565  |
| multimedia:libs    | 1.2.4cvs20150223 | #506564  |

Everything is done here. I'm reassigning it back to the security-team.

[1] https://sourceforge.net/p/libquicktime/mailman/message/35909032/
This is an autogenerated message for OBS integration:
This bug (1044006) was mentioned in
https://build.opensuse.org/request/show/506565 42.2 / libquicktime
SUSE-SU-2017:1769-1: An update that fixes 7 vulnerabilities is now available.
Category: security (moderate)
Bug References: 1044000,1044002,1044006,1044008,1044009,1044077,1044122
CVE References: CVE-2017-9122,CVE-2017-9123,CVE-2017-9124,CVE-2017-9125,CVE-2017-9126,CVE-2017-9127,CVE-2017-9128
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP2 (src): libquicktime-1.2.4-13.1
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src): libquicktime-1.2.4-13.1
SUSE Linux Enterprise Server 12-SP2 (src): libquicktime-1.2.4-13.1
SUSE Linux Enterprise Desktop 12-SP2 (src): libquicktime-1.2.4-13.1
openSUSE-SU-2017:1806-1: An update that fixes 7 vulnerabilities is now available.
Category: security (moderate)
Bug References: 1044000,1044002,1044006,1044008,1044009,1044077,1044122
CVE References: CVE-2017-9122,CVE-2017-9123,CVE-2017-9124,CVE-2017-9125,CVE-2017-9126,CVE-2017-9127,CVE-2017-9128
Sources used:
openSUSE Leap 42.2 (src): libquicktime-1.2.4cvs20150223-8.3.1
SUSE-SU-2017:1988-1: An update that fixes 8 vulnerabilities is now available.
Category: security (moderate)
Bug References: 1022805,1044000,1044002,1044006,1044008,1044009,1044077,1044122
CVE References: CVE-2016-2399,CVE-2017-9122,CVE-2017-9123,CVE-2017-9124,CVE-2017-9125,CVE-2017-9126,CVE-2017-9127,CVE-2017-9128
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src): libquicktime-1.0.3-6.5.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src): libquicktime-1.0.3-6.5.1
released