Vulnerabilities > CVE-2018-4022 - Use After Free vulnerability in Mkvtoolnix Mkvinfo 25.0.0

#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were  
# extracted from Fedora Security Advisory FEDORA-2018-8587111c5a.
#

include("compat.inc");

if (description)
{
  script_id(118809);
  script_version("1.5");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");

  script_cve_id("CVE-2018-4022");
  script_xref(name:"FEDORA", value:"2018-8587111c5a");

  script_name(english:"Fedora 27 : mkvtoolnix (2018-8587111c5a)");
  script_summary(english:"Checks rpm output for the updated package.");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote Fedora host is missing a security update."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"# Version 28.2.0 'The Awakening' 2018-10-25

## Bug fixes

  - mkvmerge, mkvinfo, mkvextract, mkvpropedit, MKVToolNix
    GUI's info tool & chapter editor: fixed a case of memory
    being accessed after it had been freed earlier. This can
    be triggered by specially crafted Matroska files and
    lead to arbitrary code execution. The vulnerability was
    reported as Cisco TALOS 2018-0694 on 2018-10-25.

# Version 28.1.0 'Morning Child' 2018-10-23

## Bug fixes

  - mkvmerge: AV1 parser: fixed an error in the sequence
    header parser if neither the
    `reduced_still_picture_header` nor the
    `frame_id_numbers_present_flag` is set. Part of the fix
    for #2410.

  - mkvmerge: AV1 parser: when creating the `av1C` structure
    for the Codec Private element the sequence header OBU
    wasn't copied completely: its common data (type field &
    OBU size among others) was missing. Part of the fix for
    #2410.

  - mkvmerge: Matroska reader, AV1: mkvmerge will try to
    re-create the `av1C` data stored in Codec Private when
    reading AV1 from Matroska or WebM files created by
    mkvmerge v28.0.0. Part of the fix for #2410.

  - MKVToolNix GUI: info tool: the tool will no longer stop
    scanning elements when an EBML Void element is found
    after the first Cluster element. Fixes #2413.

# Version 28.0.0 'Voice In My Head' 2018-10-20

## New features and enhancements

  - mkvmerge: AV1 parser: updated the code for the finalized
    AV1 bitstream specification. Part of the implementation
    of #2261.

  - mkvmerge: AV1 packetizer: updated the code for the
    finalized AV1-in-Matroska & WebM mapping specification.
    Part of the implementation of #2261.

  - mkvmerge: AV1 support: the `--engage enable_av1` option
    has been removed again. Part of the implementation of
    #2261.

  - mkvmerge: MP4 reader: added support for AV1. Part of the
    implementation of #2261.

  - mkvmerge: DTS: implemented dialog normalization gain
    removal for extension substreams. Implements #2377.

  - mkvmerge, mkvextract: simple text subtitles: added a
    workaround for simple text subtitle tracks that don't
    contain a duration. Implements #2397.

  - mkvextract: added support for extracting AV1 to IVF.
    Part of the implementation of #2261.

  - mkvextract: IVF extractor (AV1, VP8, VP9): precise
    values will be used for the frame rate numerator &
    denominator header fields for certain well-known values
    of the track's default duration.

  - mkvmerge: VP9: mkvmerge will now create codec private
    data according to the VP9 codec mapping described in the
    WebM specifications. Implements #2379.

  - MKVToolNix GUI: automatic scaling for high DPI displays
    is activated if the GUI is compiled with Qt ≥ 5.6.0.
    Fixes #1996 and #2383.

  - MKVToolNix GUI: added a menu item ('Help' → 'System
    information') for displaying information about the
    system MKVToolNix is running on in order to make
    debugging easier.

  - MKVToolNix GUI: multiplexer, header editor: the user can
    enter a list of predefined track names in the
    preferences. She can later select from them in 'track
    name' combo box. Implements #2230.

## Bug fixes

  - mkvmerge: JSON identification: fixed a bug when removing
    invalid UTF-8 data from strings before they're output as
    JSON. Fixes #2398.

  - mkvmerge: MP4/QuickTime reader: fixed handling of PCM
    audio with FourCC `in24`. Fixes #2391.

  - mkvmerge: MPEG transport stream reader, teletext
    subtitles: the decision whether or not to keep frames
    around in order to potentially merge them with the
    following frame is made sooner. That avoids problems if
    there are large gaps between teletext subtitle frames
    which could lead to frames being interleaved too late.
    Fixes #2393.

  - mkvextract: IVF extractor (AV1, VP8, VP8): the frame
    rate header fields weren't clamped to 16 bits properly
    causing wrong frame rates to be written in certain
    situations.

  - mkvpropedit, MKVToolNix GUI's header editor: fixed file
    corruption when a one-byte space must be covered with a
    new EBML void element but all surrounding elements have
    a 'size length' field that's eight bytes long already.
    Fixes #2406.

Note that Tenable Network Security has extracted the preceding
description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as
possible without introducing additional issues."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bodhi.fedoraproject.org/updates/FEDORA-2018-8587111c5a"
  );
  script_set_attribute(
    attribute:"solution", 
    value:"Update the affected mkvtoolnix package."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:mkvtoolnix");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:27");

  script_set_attribute(attribute:"vuln_publication_date", value:"2018/10/26");
  script_set_attribute(attribute:"patch_publication_date", value:"2018/11/08");
  script_set_attribute(attribute:"plugin_publication_date", value:"2018/11/08");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Fedora Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("rpm.inc");


if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/RedHat/release");
if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
os_ver = pregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
os_ver = os_ver[1];
if (! preg(pattern:"^27([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 27", "Fedora " + os_ver);

if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);


cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);


flag = 0;
if (rpm_check(release:"FC27", reference:"mkvtoolnix-28.2.0-1.fc27")) flag++;


if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_WARNING,
    extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "mkvtoolnix");
}

#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were  
# extracted from Fedora Security Advisory FEDORA-2018-317ecbb54f.
#

include("compat.inc");

if (description)
{
  script_id(120333);
  script_version("1.6");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");

  script_cve_id("CVE-2018-4022");
  script_xref(name:"FEDORA", value:"2018-317ecbb54f");

  script_name(english:"Fedora 28 : mkvtoolnix (2018-317ecbb54f)");
  script_summary(english:"Checks rpm output for the updated package.");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote Fedora host is missing a security update."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"# Version 28.2.0 'The Awakening' 2018-10-25

## Bug fixes

  - mkvmerge, mkvinfo, mkvextract, mkvpropedit, MKVToolNix
    GUI's info tool & chapter editor: fixed a case of memory
    being accessed after it had been freed earlier. This can
    be triggered by specially crafted Matroska files and
    lead to arbitrary code execution. The vulnerability was
    reported as Cisco TALOS 2018-0694 on 2018-10-25.

# Version 28.1.0 'Morning Child' 2018-10-23

## Bug fixes

  - mkvmerge: AV1 parser: fixed an error in the sequence
    header parser if neither the
    `reduced_still_picture_header` nor the
    `frame_id_numbers_present_flag` is set. Part of the fix
    for #2410.

  - mkvmerge: AV1 parser: when creating the `av1C` structure
    for the Codec Private element the sequence header OBU
    wasn't copied completely: its common data (type field &
    OBU size among others) was missing. Part of the fix for
    #2410.

  - mkvmerge: Matroska reader, AV1: mkvmerge will try to
    re-create the `av1C` data stored in Codec Private when
    reading AV1 from Matroska or WebM files created by
    mkvmerge v28.0.0. Part of the fix for #2410.

  - MKVToolNix GUI: info tool: the tool will no longer stop
    scanning elements when an EBML Void element is found
    after the first Cluster element. Fixes #2413.

# Version 28.0.0 'Voice In My Head' 2018-10-20

## New features and enhancements

  - mkvmerge: AV1 parser: updated the code for the finalized
    AV1 bitstream specification. Part of the implementation
    of #2261.

  - mkvmerge: AV1 packetizer: updated the code for the
    finalized AV1-in-Matroska & WebM mapping specification.
    Part of the implementation of #2261.

  - mkvmerge: AV1 support: the `--engage enable_av1` option
    has been removed again. Part of the implementation of
    #2261.

  - mkvmerge: MP4 reader: added support for AV1. Part of the
    implementation of #2261.

  - mkvmerge: DTS: implemented dialog normalization gain
    removal for extension substreams. Implements #2377.

  - mkvmerge, mkvextract: simple text subtitles: added a
    workaround for simple text subtitle tracks that don't
    contain a duration. Implements #2397.

  - mkvextract: added support for extracting AV1 to IVF.
    Part of the implementation of #2261.

  - mkvextract: IVF extractor (AV1, VP8, VP9): precise
    values will be used for the frame rate numerator &
    denominator header fields for certain well-known values
    of the track's default duration.

  - mkvmerge: VP9: mkvmerge will now create codec private
    data according to the VP9 codec mapping described in the
    WebM specifications. Implements #2379.

  - MKVToolNix GUI: automatic scaling for high DPI displays
    is activated if the GUI is compiled with Qt ≥ 5.6.0.
    Fixes #1996 and #2383.

  - MKVToolNix GUI: added a menu item ('Help' → 'System
    information') for displaying information about the
    system MKVToolNix is running on in order to make
    debugging easier.

  - MKVToolNix GUI: multiplexer, header editor: the user can
    enter a list of predefined track names in the
    preferences. She can later select from them in 'track
    name' combo box. Implements #2230.

## Bug fixes

  - mkvmerge: JSON identification: fixed a bug when removing
    invalid UTF-8 data from strings before they're output as
    JSON. Fixes #2398.

  - mkvmerge: MP4/QuickTime reader: fixed handling of PCM
    audio with FourCC `in24`. Fixes #2391.

  - mkvmerge: MPEG transport stream reader, teletext
    subtitles: the decision whether or not to keep frames
    around in order to potentially merge them with the
    following frame is made sooner. That avoids problems if
    there are large gaps between teletext subtitle frames
    which could lead to frames being interleaved too late.
    Fixes #2393.

  - mkvextract: IVF extractor (AV1, VP8, VP8): the frame
    rate header fields weren't clamped to 16 bits properly
    causing wrong frame rates to be written in certain
    situations.

  - mkvpropedit, MKVToolNix GUI's header editor: fixed file
    corruption when a one-byte space must be covered with a
    new EBML void element but all surrounding elements have
    a 'size length' field that's eight bytes long already.
    Fixes #2406.

Note that Tenable Network Security has extracted the preceding
description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as
possible without introducing additional issues."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bodhi.fedoraproject.org/updates/FEDORA-2018-317ecbb54f"
  );
  script_set_attribute(
    attribute:"solution", 
    value:"Update the affected mkvtoolnix package."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:mkvtoolnix");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:28");

  script_set_attribute(attribute:"vuln_publication_date", value:"2018/10/26");
  script_set_attribute(attribute:"patch_publication_date", value:"2018/11/08");
  script_set_attribute(attribute:"plugin_publication_date", value:"2019/01/03");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Fedora Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("rpm.inc");


if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/RedHat/release");
if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
os_ver = pregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
os_ver = os_ver[1];
if (! preg(pattern:"^28([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 28", "Fedora " + os_ver);

if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);


cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);


flag = 0;
if (rpm_check(release:"FC28", reference:"mkvtoolnix-28.2.0-1.fc28")) flag++;


if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_WARNING,
    extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "mkvtoolnix");
}