Ubuntu
game-music-emu package

Arbitrary code execution via malformed SPC music file

Bug #1650523 reported by Norbert
256
This bug affects 1 person
Affects Status Importance Assigned to Milestone
game-music-emu (Debian)
Fix Released
Unknown
game-music-emu (Ubuntu)
Fix Released
High
Unassigned

Bug Description

Steps:
1. Ubuntu 16.04.1 LTS
2. Trying to play xcalc_ubuntu_16.04_libc_2.23-0ubuntu3.spc file from this blog post ( https://scarybeastsecurity.blogspot.ru/2016/12/redux-compromising-linux-using-snes.html ) and this video ( https://www.youtube.com/watch?v=wrCLoem6ggM ).
3. Totem found required plugin for playing "SNES-SPC700 Sound File Data decoder" which is in gstreamer1.0-plugins-bad.
4. xcalc does not launched on music play or by Nautilus launch.

Ubuntu security team, please read blog post (see above link) and confirm (and fix) or refute zero-day vulnerability.

ProblemType: Bug
DistroRelease: Ubuntu 16.04
Package: gstreamer1.0-plugins-bad 1.8.2-1ubuntu0.2
ProcVersionSignature: Ubuntu 4.4.0-31.50-generic 4.4.13
Uname: Linux 4.4.0-31-generic i686
ApportVersion: 2.20.1-0ubuntu2.1
Architecture: i386
CasperVersion: 1.376
CurrentDesktop: Unity
Date: Fri Dec 16 12:03:27 2016
LiveMediaBuild: Ubuntu 16.04.1 LTS "Xenial Xerus" - Release i386 (20160719)
ProcEnviron:
 TERM=xterm-256color
 PATH=(custom, no user)
 XDG_RUNTIME_DIR=<set>
 LANG=en_US.UTF-8
 SHELL=/bin/bash
SourcePackage: gst-plugins-bad1.0
UpgradeStatus: No upgrade log present (probably fresh install)

See original description
Revision history for this message
Norbert (nrbrtx) wrote :
Norbert (nrbrtx)
summary: - totem can't find required plugin for playing "SNES-SPC700 Sound File
- Data decoder" which is in gstreamer1.0-plugins-bad
+ Plugin "SNES-SPC700 Sound File Data decoder" in gstreamer1.0-plugins-bad
+ may have security vulnerability
description: updated
Revision history for this message
Tyler Hicks (tyhicks) wrote : Re: Plugin "SNES-SPC700 Sound File Data decoder" in gstreamer1.0-plugins-bad may have security vulnerability

We've released security updates to address this issue for all supported Ubuntu releases:

https://launchpad.net/ubuntu/+source/game-music-emu/0.6.0-3ubuntu0.16.10.1
https://launchpad.net/ubuntu/+source/game-music-emu/0.6.0-3ubuntu0.16.04.1
https://launchpad.net/ubuntu/+source/game-music-emu/0.5.5-2ubuntu0.14.04.1
https://launchpad.net/ubuntu/+source/game-music-emu/0.5.5-2ubuntu0.12.04.1

Please make sure that you've applied all security updates. Thanks!

information type: Private Security → Public Security
Changed in gst-plugins-bad1.0 (Ubuntu):
status: New → Invalid
Changed in totem (Ubuntu):
status: New → Invalid
Changed in game-music-emu (Ubuntu):
status: New → Fix Released
Mathew Hodson (mhodson)
no longer affects: gst-plugins-bad1.0 (Ubuntu)
no longer affects: totem (Ubuntu)
Mathew Hodson (mhodson)
Changed in game-music-emu (Ubuntu):
importance: Undecided → High
Bug Watch Updater (bug-watch-updater)
Changed in game-music-emu (Debian):
status: Unknown → Fix Released
Mathew Hodson (mhodson)
summary: - Plugin "SNES-SPC700 Sound File Data decoder" in gstreamer1.0-plugins-bad
- may have security vulnerability
+ Arbitrary code execution via malformed SPC music file
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.