http://bugzilla.opensuse.org/show_bug.cgi?id=1036968
Bug ID: 1036968
Summary: VUL-1: libmad: heap-based buffer overflow in mad_layer_III (layer3.c)
Classification: openSUSE
Product: openSUSE Distribution
Version: Leap 42.2
Hardware: Other
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Security
Assignee: security-team(a)suse.de
Reporter: mikhail.kasimov(a)gmail.com
QA Contact: qa-bugs(a)suse.de
Found By: ---
Blocker: ---
Created attachment 723245
--> http://bugzilla.opensuse.org/attachment.cgi?id=723245&action=edit
00213-libmad-heapoverflow-mad_layer_III_reproducer
Ref:
https://blogs.gentoo.org/ago/2017/04/30/libmad-heap-based-buffer-overflow-i…
======================================================
Description:
libmad stands for “M”peg “A”udio “D”ecoder library.
There is a heap overflow discovered through madplay.
The complete ASan output:
# madplay -v -i -o raw:out $FILE
==14773==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x61e00000fa87 at pc 0x0000004bc8ec bp 0x7ffcda3263d0 sp 0x7ffcda325b80
WRITE of size 2060 at 0x61e00000fa87 thread T0
#0 0x4bc8eb in __asan_memcpy
/tmp/portage/sys-devel/llvm-3.9.1-r1/work/llvm-3.9.1.src/projects/compiler-rt/lib/asan/asan_interceptors.cc:413
#1 0x7f37ddfa397d in mad_layer_III
/tmp/portage/media-libs/libmad-0.15.1b-r8/work/libmad-0.15.1b/layer3.c:2635:2
#2 0x7f37ddf6784d in mad_frame_decode
/tmp/portage/media-libs/libmad-0.15.1b-r8/work/libmad-0.15.1b/frame.c:453:7
#3 0x7f37ddf8c4e4 in run_sync
/tmp/portage/media-libs/libmad-0.15.1b-r8/work/libmad-0.15.1b/decoder.c:404:11
#4 0x7f37ddf8ac59 in mad_decoder_run
/tmp/portage/media-libs/libmad-0.15.1b-r8/work/libmad-0.15.1b/decoder.c:557:12
#5 0x5277a1 in decode
/tmp/portage/media-sound/madplay-0.15.2b-r1/work/madplay-0.15.2b/player.c:1862:12
#6 0x5277a1 in play_one
/tmp/portage/media-sound/madplay-0.15.2b-r1/work/madplay-0.15.2b/player.c:1951
#7 0x5277a1 in play_all
/tmp/portage/media-sound/madplay-0.15.2b-r1/work/madplay-0.15.2b/player.c:2041
#8 0x5215a2 in player_run
/tmp/portage/media-sound/madplay-0.15.2b-r1/work/madplay-0.15.2b/player.c:2768:14
#9 0x50c46c in main
/tmp/portage/media-sound/madplay-0.15.2b-r1/work/madplay-0.15.2b/madplay.c:816:7
#10 0x7f37dce4f78f in __libc_start_main
/tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289
#11 0x41aa78 in _init (/usr/bin/madplay+0x41aa78)
Affected version:
0.15.1b
Fixed version:
N/A
Commit fix:
N/A
Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.
CVE:
N/A
Reproducer:
https://github.com/asarubbo/poc/blob/master/00213-libmad-heapoverflow-mad_l…
Timeline:
2017-01-01: bug discovered and reported to upstream
2017-04-30: blog post about the issue
Note:
This bug was found with American Fuzzy Lop.
Permalink:
libmad: heap-based buffer overflow in mad_layer_III (layer3.c)
======================================================
(open-)SUSE: https://software.opensuse.org/package/libmad
0.15.1b (TW, 42.{1,2}, multimedia:libs repo)
--
You are receiving this mail because:
You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1036967
Bug ID: 1036967
Summary: VUL-1: libmad: heap-based buffer overflow in mad_bit_skip (bit.c)
Classification: openSUSE
Product: openSUSE Distribution
Version: Leap 42.2
Hardware: Other
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Security
Assignee: security-team(a)suse.de
Reporter: mikhail.kasimov(a)gmail.com
QA Contact: qa-bugs(a)suse.de
Found By: ---
Blocker: ---
Created attachment 723244
--> http://bugzilla.opensuse.org/attachment.cgi?id=723244&action=edit
00211-libmad-heapoverflow-mad_bit_skip_reproducer
Ref:
https://blogs.gentoo.org/ago/2017/04/30/libmad-heap-based-buffer-overflow-i…
===========================================================
Description:
libmad stands for “M”peg “A”udio “D”ecoder library.
There is a heap overflow discovered through madplay.
The complete ASan output:
# madplay -v -i -o raw:out $FILE
==12603==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x61200000c09f at pc 0x7f72d6aa05c0 bp 0x7fff03e32040 sp 0x7fff03e32038
READ of size 1 at 0x61200000c09f thread T0
#0 0x7f72d6aa05bf in mad_bit_skip
/tmp/portage/media-libs/libmad-0.15.1b-r8/work/libmad-0.15.1b/bit.c:130:21
#1 0x7f72d6b032ad in III_huffdecode
/tmp/portage/media-libs/libmad-0.15.1b-r8/work/libmad-0.15.1b/layer3.c:953:3
#2 0x7f72d6b032ad in III_decode
/tmp/portage/media-libs/libmad-0.15.1b-r8/work/libmad-0.15.1b/layer3.c:2403
#3 0x7f72d6af1a8e in mad_layer_III
/tmp/portage/media-libs/libmad-0.15.1b-r8/work/libmad-0.15.1b/layer3.c:2648:13
#4 0x7f72d6ab584d in mad_frame_decode
/tmp/portage/media-libs/libmad-0.15.1b-r8/work/libmad-0.15.1b/frame.c:453:7
#5 0x7f72d6ada4e4 in run_sync
/tmp/portage/media-libs/libmad-0.15.1b-r8/work/libmad-0.15.1b/decoder.c:404:11
#6 0x7f72d6ad8c59 in mad_decoder_run
/tmp/portage/media-libs/libmad-0.15.1b-r8/work/libmad-0.15.1b/decoder.c:557:12
#7 0x5277a1 in decode
/tmp/portage/media-sound/madplay-0.15.2b-r1/work/madplay-0.15.2b/player.c:1862:12
#8 0x5277a1 in play_one
/tmp/portage/media-sound/madplay-0.15.2b-r1/work/madplay-0.15.2b/player.c:1951
#9 0x5277a1 in play_all
/tmp/portage/media-sound/madplay-0.15.2b-r1/work/madplay-0.15.2b/player.c:2041
#10 0x5215a2 in player_run
/tmp/portage/media-sound/madplay-0.15.2b-r1/work/madplay-0.15.2b/player.c:2768:14
#11 0x50c46c in main
/tmp/portage/media-sound/madplay-0.15.2b-r1/work/madplay-0.15.2b/madplay.c:816:7
#12 0x7f72d599d78f in __libc_start_main
/tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289
#13 0x41aa78 in _init (/usr/bin/madplay+0x41aa78)
Affected version:
0.15.1b
Fixed version:
N/A
Commit fix:
N/A
Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.
CVE:
N/A
Reproducer:
https://github.com/asarubbo/poc/blob/master/00211-libmad-heapoverflow-mad_b…
Timeline:
2017-01-01: bug discovered and reported to upstream
2017-04-30: blog post about the issue
Note:
This bug was found with American Fuzzy Lop.
Permalink:
libmad: heap-based buffer overflow in mad_bit_skip (bit.c)
===========================================================
(open-)SUSE: https://software.opensuse.org/package/libmad
0.15.1b (TW, 42.{1,2}, multimedia:libs repo)
http://bugzilla.opensuse.org/show_bug.cgi?id=1041090
Bug ID: 1041090
Summary: trackerbug: packages do not build reproducibly from unsorted input
Classification: openSUSE
Product: openSUSE Tumbleweed
Version: Current
Hardware: Other
OS: openSUSE 13.2
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Other
Assignee: bwiedemann(a)suse.com
Reporter: bwiedemann(a)suse.com
QA Contact: qa-bugs(a)suse.de
Found By: Development
Blocker: ---
See also https://reproducible-builds.org/docs/stable-inputs/
When linking .o files in random filesystem order, the linker will vary the ordering of functions and apply varying optimizations, resulting in binaries that differ on every build. These binaries thus trigger rebuilds of dependent packages and are published to mirrors and users when actually nothing really changed.
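As an added illustration of the stable-inputs point in the report above (this is example code written here, not part of the bug report or of any openSUSE package): a POSIX shell helper that turns a directory's object files into a deterministic link order, independent of readdir() order and of the build host's locale, plus a check that flags a list which is not in that order. The function names and the scratch files are my own.

```sh
#!/bin/sh
# Added example (not from the bug report or any openSUSE package):
# make the list of .o files handed to the linker independent of the
# order in which the filesystem happens to return directory entries.

# Object list in raw filesystem order: whatever readdir() yields.
# This is the non-reproducible input the tracker bug describes.
unsorted_objects() {
    find "$1" -name '*.o' | sed 's|.*/||'
}

# Same list, sorted bytewise under LC_ALL=C so the order depends
# neither on readdir() order nor on the locale of the build host.
sorted_objects() {
    unsorted_objects "$1" | LC_ALL=C sort
}

# Return 0 if the newline-separated list on stdin is already in
# C-locale order (reproducible), 1 otherwise. Usable as a packaging
# lint:  some_tool_listing_objects | is_stable_order
is_stable_order() {
    input=$(cat)
    [ "$input" = "$(printf '%s\n' "$input" | LC_ALL=C sort)" ]
}

# Self-contained demo on a constructed scratch directory.
demo() {
    d=$(mktemp -d) || return 1
    for f in zlib.o Main.o audio.o; do : > "$d/$f"; done
    echo "raw order:";    unsorted_objects "$d"
    echo "stable order:"; sorted_objects "$d"
    rm -rf "$d"
}
```

Run `demo` twice on different filesystems to see the raw order change while the stable order stays the same; the stable order is what belongs in a Makefile's object list.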
http://bugzilla.suse.com/show_bug.cgi?id=1036463
Bug ID: 1036463
Summary: Please take over /usr/lib/modules-load.d/sg.conf
Classification: openSUSE
Product: openSUSE Tumbleweed
Version: Current
Hardware: Other
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Kernel
Assignee: kernel-maintainers(a)forge.provo.novell.com
Reporter: fbui(a)suse.com
QA Contact: qa-bugs(a)suse.de
Found By: ---
Blocker: ---
Hi kernel maintainers,
Currently the systemd package ships the following file:
$ cat /usr/lib/modules-load.d/sg.conf
# load sg module at boot time
sg
I don't know if it's still needed, but if so it doesn't seem appropriate to ship
it through systemd, since it seems to be a workaround for a missing driver
dependency or something similar.
Would you take this file over?
Thanks.
http://bugzilla.suse.com/show_bug.cgi?id=1068678
Bug ID: 1068678
Summary: Package rsyslog requires package system-user-news
Classification: openSUSE
Product: openSUSE Tumbleweed
Version: Current
Hardware: Other
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Basesystem
Assignee: bnc-team-screening(a)forge.provo.novell.com
Reporter: freek(a)opensuse.org
QA Contact: qa-bugs(a)suse.de
Found By: ---
Blocker: ---
When installing rsyslog in Tumbleweed there are warning messages that the user
news is not present (chown: invalid user: 'news:news'). Unless rsyslog is
changed to not use news, the package should require the package
"system-user-news".
http://bugzilla.suse.com/show_bug.cgi?id=1027942
Bug ID: 1027942
Summary: virt-manager: Missing upstream bug fixes
Classification: openSUSE
Product: openSUSE Tumbleweed
Version: Current
Hardware: x86-64
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Virtualization:Tools
Assignee: virt-bugs(a)suse.de
Reporter: carnold(a)suse.com
QA Contact: qa-bugs(a)suse.de
Found By: ---
Blocker: ---
There are upstream patches fixing bugs needed for this version of virt-manager.
http://bugzilla.opensuse.org/show_bug.cgi?id=1036208
Bug ID: 1036208
Summary: GNOME:Factory/libostree: remount service not loaded on install
Classification: openSUSE
Product: openSUSE.org
Version: unspecified
Hardware: Other
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: 3rd party software
Assignee: os.gnome.maintainers(a)gmail.com
Reporter: sebix+novell.com(a)sebix.at
QA Contact: opensuse-communityscreening(a)forge.provo.novell.com
Found By: ---
Blocker: ---
During today's zypper dup run, I got this output:
( 72/408) Installing: libostree-2017.3-1.1.x86_64
......................................................................................................[done]
Additional rpm output:
Failed to disable unit: No such file or directory
Failed to stop ostree-remount.service.service: Unit
ostree-remount.service.service not loaded.
Is this a bug? The file is there:
> find /usr/lib/systemd/ -name "*ostree*"
/usr/lib/systemd/system/ostree-prepare-root.service
/usr/lib/systemd/system/ostree-remount.service
http://bugzilla.opensuse.org/show_bug.cgi?id=1028460
Bug ID: 1028460
Summary: grub2 ignores active_devices
Classification: openSUSE
Product: openSUSE Tumbleweed
Version: Current
Hardware: S/390-64
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Bootloader
Assignee: rw(a)suse.de
Reporter: bg(a)suse.com
QA Contact: jsrain(a)suse.com
Found By: ---
Blocker: ---
After doing the latest update, I found that /boot/zipl/active_devices.txt was
emptied. Even after copying the old data back in there, the newly generated initrd
ignores active_devices.txt, which results in an unbootable system.
http://bugzilla.opensuse.org/show_bug.cgi?id=1042528
Bug ID: 1042528
Summary: security/keepassx: Segfault for search
Classification: openSUSE
Product: openSUSE.org
Version: unspecified
Hardware: Other
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: 3rd party software
Assignee: meissner(a)suse.com
Reporter: sebix+novell.com(a)sebix.at
QA Contact: opensuse-communityscreening(a)forge.provo.novell.com
Found By: ---
Blocker: ---
After pressing Ctrl+F it briefly (~0.2 s) shows the search view and then gives me
a segfault.
Running it with gdb gave me another error:
> gdb keepass
keepassx keepassxc
ele@melekess:~> gdb keepassx
GNU gdb (GDB; openSUSE Tumbleweed) 7.12.1
Copyright (C) 2017 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-suse-linux".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://bugs.opensuse.org/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from keepassx...Reading symbols from
/usr/lib/debug/usr/bin/keepassx.debug...done.
done.
(gdb) r
Starting program: /usr/bin/keepassx
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
Cannot find user-level thread for LWP 12821: generic error
(gdb)
Not sure how to debug it further.