Arbitrary code execution via malformed SPC music file

Bug #1650523 reported by Norbert on 2016-12-16
Affects: game-music-emu (Debian); Status: Fix Released; Importance: Unknown
Affects: game-music-emu (Ubuntu); Importance: High; Assigned to: Unassigned

Bug Description

Steps:
1. Ubuntu 16.04.1 LTS
2. Trying to play the xcalc_ubuntu_16.04_libc_2.23-0ubuntu3.spc file from this blog post (https://scarybeastsecurity.blogspot.ru/2016/12/redux-compromising-linux-using-snes.html) and this video (https://www.youtube.com/watch?v=wrCLoem6ggM).
3. Totem found the required plugin for playing "SNES-SPC700 Sound File Data decoder", which is in gstreamer1.0-plugins-bad.
4. xcalc is not launched on music play or by Nautilus launch.

Ubuntu security team, please read the blog post (see the link above) and confirm (and fix) or refute the zero-day vulnerability.

ProblemType: Bug
DistroRelease: Ubuntu 16.04
Package: gstreamer1.0-plugins-bad 1.8.2-1ubuntu0.2
ProcVersionSignature: Ubuntu 4.4.0-31.50-generic 4.4.13
Uname: Linux 4.4.0-31-generic i686
ApportVersion: 2.20.1-0ubuntu2.1
Architecture: i386
CasperVersion: 1.376
CurrentDesktop: Unity
Date: Fri Dec 16 12:03:27 2016
LiveMediaBuild: Ubuntu 16.04.1 LTS "Xenial Xerus" - Release i386 (20160719)
ProcEnviron:
 TERM=xterm-256color
 PATH=(custom, no user)
 XDG_RUNTIME_DIR=<set>
 LANG=en_US.UTF-8
 SHELL=/bin/bash
SourcePackage: gst-plugins-bad1.0
UpgradeStatus: No upgrade log present (probably fresh install)

Norbert (nrbrtx) on 2016-12-16
summary: - totem can't find required plugin for playing "SNES-SPC700 Sound File
- Data decoder" which is in gstreamer1.0-plugins-bad
+ Plugin "SNES-SPC700 Sound File Data decoder" in gstreamer1.0-plugins-bad
+ may have security vulnerability
description: updated
information type: Private Security → Public Security
Changed in gst-plugins-bad1.0 (Ubuntu):
status: New → Invalid
Changed in totem (Ubuntu):
status: New → Invalid
Changed in game-music-emu (Ubuntu):
status: New → Fix Released
no longer affects: gst-plugins-bad1.0 (Ubuntu)
no longer affects: totem (Ubuntu)
Changed in game-music-emu (Ubuntu):
importance: Undecided → High
Changed in game-music-emu (Debian):
status: Unknown → Fix Released
summary: - Plugin "SNES-SPC700 Sound File Data decoder" in gstreamer1.0-plugins-bad
- may have security vulnerability
+ Arbitrary code execution via malformed SPC music file