Hi, attached is a patch for an NMU to fix both CVE ids. It will also be archived at: http://people.debian.org/~nion/nmu-diff/vlc-0.8.6.c-5_0.8.6.c-5.1.patch
Kind regards Nico -- Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF For security reasons, all text in this mail is double-rot13 encrypted.
diff -u vlc-0.8.6.c/debian/changelog vlc-0.8.6.c/debian/changelog
--- vlc-0.8.6.c/debian/changelog
+++ vlc-0.8.6.c/debian/changelog
@@ -1,3 +1,15 @@
+vlc (0.8.6.c-5.1) unstable; urgency=high
+
+ * Non-maintainer upload by security team.
+ * This update addresses the following security issues (Closes: #461544).
+ - CVE-2008-0295: Heap-based buffer overflow in real_sdpplin.c
+ which could lead to user-assisted arbitrary code execution
+ via crafted SDP data.
+ - CVE-2008-0296: Heap-based buffer overflow in libaccess_realrtsp plugin
+ which might lead to arbitrary code execution via a crafted RTSP server.
+
+ -- Nico Golde <[EMAIL PROTECTED]> Mon, 21 Jan 2008 14:18:52 +0100
+
 vlc (0.8.6.c-5) unstable; urgency=low [ Christophe Mutricy ]
diff -u vlc-0.8.6.c/debian/patches/series vlc-0.8.6.c/debian/patches/series
--- vlc-0.8.6.c/debian/patches/series
+++ vlc-0.8.6.c/debian/patches/series
@@ -13,0 +14 @@
+sec-CVE-2008-0296_CVE-2008-0295.diff
only in patch2: unchanged:
--- vlc-0.8.6.c.orig/debian/patches/sec-CVE-2008-0296_CVE-2008-0295.diff
+++ vlc-0.8.6.c/debian/patches/sec-CVE-2008-0296_CVE-2008-0295.diff
@@ -0,0 +1,165 @@
+--- vlc-0.8.6.c.orig/modules/access/rtsp/real_sdpplin.c (revision 14187)
++++ vlc-0.8.6.c/modules/access/rtsp/real_sdpplin.c (revision 24443)
+@@ -25,4 +25,5 @@
+
+ #include "real.h"
++#define BUFLEN 32000
+
+ /*
+@@ -89,5 +90,5 @@
+ }
+
+-static int filter(const char *in, const char *filter, char **out) {
++static int filter(const char *in, const char *filter, char **out, size_t outlen) {
+
+ int flen=strlen(filter);
+@@ -101,4 +102,9 @@
+ if(in[len-1]==13) len--;
+ if(in[len-1]=='"') len--;
++ if( len-flen+1 > outlen )
++ {
++ printf("Discarding end of string to avoid overflow");
++ len=outlen+flen-1;
++ }
+ memcpy(*out, in+flen, len-flen+1);
+ (*out)[len-flen]=0;
+@@ -111,6 +117,6 @@
+
+ sdpplin_stream_t *desc = malloc(sizeof(sdpplin_stream_t));
+- char *buf = malloc(32000);
+- char *decoded = malloc(32000);
++ char *buf = malloc(BUFLEN);
++ char *decoded = malloc(BUFLEN);
+ int handled;
+
+@@ -121,5 +127,5 @@
+ if( !decoded ) goto error;
+
+- if (filter(*data, "m=", &buf)) {
++ if (filter(*data, "m=", &buf, BUFLEN)) {
+ desc->id = strdup(buf);
+ } else {
+@@ -132,10 +138,10 @@
+ handled=0;
+
+- if(filter(*data,"a=control:streamid=",&buf)) {
++ if(filter(*data,"a=control:streamid=",&buf, BUFLEN)) {
+ desc->stream_id=atoi(buf);
+ handled=1;
+ *data=nl(*data);
+ }
+- if(filter(*data,"a=MaxBitRate:integer;",&buf)) {
++ if(filter(*data,"a=MaxBitRate:integer;",&buf, BUFLEN)) {
+ desc->max_bit_rate=atoi(buf);
+ if (!desc->avg_bit_rate)
+@@ -144,5 +150,5 @@
+ *data=nl(*data);
+ }
+- if(filter(*data,"a=MaxPacketSize:integer;",&buf)) {
++ if(filter(*data,"a=MaxPacketSize:integer;",&buf, BUFLEN)) {
+ desc->max_packet_size=atoi(buf);
+ if (!desc->avg_packet_size)
+@@ -151,20 +157,20 @@
+ *data=nl(*data);
+ }
+- if(filter(*data,"a=StartTime:integer;",&buf)) {
++ if(filter(*data,"a=StartTime:integer;",&buf, BUFLEN)) {
+ desc->start_time=atoi(buf);
+ handled=1;
+ *data=nl(*data);
+ }
+- if(filter(*data,"a=Preroll:integer;",&buf)) {
++ if(filter(*data,"a=Preroll:integer;",&buf, BUFLEN)) {
+ desc->preroll=atoi(buf);
+ handled=1;
+ *data=nl(*data);
+ }
+- if(filter(*data,"a=length:npt=",&buf)) {
++ if(filter(*data,"a=length:npt=",&buf, BUFLEN)) {
+ desc->duration=(uint32_t)(atof(buf)*1000);
+ handled=1;
+ *data=nl(*data);
+ }
+- if(filter(*data,"a=StreamName:string;",&buf)) {
++ if(filter(*data,"a=StreamName:string;",&buf, BUFLEN)) {
+ desc->stream_name=strdup(buf);
+ desc->stream_name_size=strlen(desc->stream_name);
+@@ -172,5 +178,5 @@
+ *data=nl(*data);
+ }
+- if(filter(*data,"a=mimetype:string;",&buf)) {
++ if(filter(*data,"a=mimetype:string;",&buf, BUFLEN)) {
+ desc->mime_type=strdup(buf);
+ desc->mime_type_size=strlen(desc->mime_type);
+@@ -178,5 +184,5 @@
+ *data=nl(*data);
+ }
+- if(filter(*data,"a=OpaqueData:buffer;",&buf)) {
++ if(filter(*data,"a=OpaqueData:buffer;",&buf, BUFLEN)) {
+ decoded = b64_decode(buf, decoded, &(desc->mlti_data_size));
+ desc->mlti_data = malloc(sizeof(char)*desc->mlti_data_size);
+@@ -186,5 +192,5 @@
+ lprintf("mlti_data_size: %i\n", desc->mlti_data_size);
+ }
+- if(filter(*data,"a=ASMRuleBook:string;",&buf)) {
++ if(filter(*data,"a=ASMRuleBook:string;",&buf, BUFLEN)) {
+ desc->asm_rule_book=strdup(buf);
+ handled=1;
+@@ -217,6 +223,6 @@
+ sdpplin_t *desc = malloc(sizeof(sdpplin_t));
+ sdpplin_stream_t *stream;
+- char *buf=malloc(3200);
+- char *decoded=malloc(3200);
++ char *buf=malloc(BUFLEN);
++ char *decoded=malloc(BUFLEN);
+ int handled;
+ int len;
+@@ -237,5 +243,5 @@
+ handled=0;
+
+- if (filter(data, "m=", &buf)) {
++ if (filter(data, "m=", &buf, BUFLEN)) {
+ stream=sdpplin_parse_stream(&data);
+ lprintf("got data for stream id %u\n", stream->stream_id);
+@@ -243,5 +249,5 @@
+ continue;
+ }
+- if(filter(data,"a=Title:buffer;",&buf)) {
++ if(filter(data,"a=Title:buffer;",&buf, BUFLEN)) {
+ decoded=b64_decode(buf, decoded, &len);
+ desc->title=strdup(decoded);
+@@ -249,5 +255,5 @@
+ data=nl(data);
+ }
+- if(filter(data,"a=Author:buffer;",&buf)) {
++ if(filter(data,"a=Author:buffer;",&buf, BUFLEN)) {
+ decoded=b64_decode(buf, decoded, &len);
+ desc->author=strdup(decoded);
+@@ -255,5 +261,5 @@
+ data=nl(data);
+ }
+- if(filter(data,"a=Copyright:buffer;",&buf)) {
++ if(filter(data,"a=Copyright:buffer;",&buf, BUFLEN)) {
+ decoded=b64_decode(buf, decoded, &len);
+ desc->copyright=strdup(decoded);
+@@ -261,5 +267,5 @@
+ data=nl(data);
+ }
+- if(filter(data,"a=Abstract:buffer;",&buf)) {
++ if(filter(data,"a=Abstract:buffer;",&buf, BUFLEN)) {
+ decoded=b64_decode(buf, decoded, &len);
+ desc->abstract=strdup(decoded);
+@@ -267,5 +273,5 @@
+ data=nl(data);
+ }
+- if(filter(data,"a=StreamCount:integer;",&buf)) {
++ if(filter(data,"a=StreamCount:integer;",&buf, BUFLEN)) {
+ desc->stream_count=atoi(buf);
+ desc->stream = malloc(sizeof(sdpplin_stream_t*)*desc->stream_count);
+@@ -273,5 +279,5 @@
+ data=nl(data);
+ }
+- if(filter(data,"a=Flags:integer;",&buf)) {
++ if(filter(data,"a=Flags:integer;",&buf, BUFLEN)) {
+ desc->flags=atoi(buf);
+ handled=1;
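Review bot: The added sec-CVE-2008-0296_CVE-2008-0295.diff appears to touch only modules/access/rtsp/real_sdpplin.c, while the changelog entry also lists CVE-2008-0296 in the libaccess_realrtsp plugin; the 165 lines announced by `@@ -0,0 +1,165 @@` are roughly accounted for by the real_sdpplin.c hunks shown, so no second file seems to be patched. If the RTSP-server overflow sits in code other than the SDP parser, the upload would claim a fix it does not carry, so the changelog should name the hunk that addresses CVE-2008-0296 or the patch should gain that change. A short header comment in the .diff stating which upstream revision covers which CVE (the hunks cite revision 24443) would let the next reviewer check this without reading upstream history.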
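Review bot: The new check in filter() (inner hunk `@@ -101,4 +102,9 @@`) bounds the copy only from above and compares the `int` expression `len-flen+1` with the `size_t` outlen, so a value of zero or below is not handled: at zero the following `(*out)[len-flen]=0;` would store one byte before the buffer, and a negative value converts to a large unsigned number and takes the truncation branch with a length the input does not have. Whether `len` can fall below `flen` depends on the adjustments to both variables above the hunk, so this needs confirming there; a guard such as `if( len < flen ) return 0;` ahead of the comparison would cover it. Separately, the message is written with `printf` and no newline while the file logs through `lprintf` elsewhere, so `lprintf("Discarding end of string to avoid overflow\n");` would be consistent. Truncation is otherwise silent to the callers, which pass the shortened text on to `atoi`, `strdup` or `b64_decode`; a comment on filter() stating that output is cut to outlen-1 characters plus the terminator would document that contract.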
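Review bot: In the `@@ -267,5 +273,5 @@` hunk the value from `desc->stream_count=atoi(buf);` goes straight into `malloc(sizeof(sdpplin_stream_t*)*desc->stream_count)` with no range check and no NULL check in the visible lines, so bounding the copy into `buf` does not bound the count taken from the SDP data. atoi() can return zero or a negative value for malformed input, and a very large count makes the multiplication the allocation size; the count should be rejected before the allocation, for example `if( desc->stream_count <= 0 || desc->stream_count > SDPPLIN_MAX_STREAMS )` followed by the function's error path, where SDPPLIN_MAX_STREAMS is a placeholder name for a limit the file would have to define. The enclosing function starts and ends outside the hunk, so any place that stores into `desc->stream` using a parsed stream id should be compared against the same limit.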