Your message dated Wed, 26 Mar 2008 17:17:06 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#472635: fixed in vlc 0.8.6.e-1.1
has caused the Debian Bug report #472635,
regarding vlc CVE-2008-1489: integer overflow leading to heap overflow
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)
--
472635: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=472635
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: vlc
Severity: grave
Tags: security patch
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for vlc.
CVE-2008-1489[0]:
| Integer overflow in the MP4_ReadBox_rdrf function in libmp4.c for VLC
| 0.8.6e allows remote attackers to cause a denial of service (crash)
| and possibly execute arbitrary code via a crafted MP4 RDRF box that
| triggers a heap-based buffer overflow, a different vulnerability than
| CVE-2008-0984.
Patch is on:
http://trac.videolan.org/vlc/changeset/09572892df7e72c0d4e598c0b5e076cf330d8b0a
I can provide some more details since I also discovered this
in 0.8.6e independently :)
Quoting modules/demuxer/mp4/libmp4.c, MP4_ReadBox_rdrf() function:
1954 static int MP4_ReadBox_rdrf( stream_t *p_stream, MP4_Box_t *p_box )
1955 {
1956 uint32_t i_len;
1957 MP4_READBOX_ENTER( MP4_Box_data_rdrf_t );
1958
1959 MP4_GETVERSIONFLAGS( p_box->data.p_rdrf );
1960 MP4_GETFOURCC( p_box->data.p_rdrf->i_ref_type );
1961 MP4_GET4BYTES( i_len );
1962 if( i_len > 0 )
1963 {
1964 uint32_t i;
1965 p_box->data.p_rdrf->psz_ref = malloc( i_len + 1);
1966 for( i = 0; i < i_len; i++ )
1967 {
1968 MP4_GET1BYTE( p_box->data.p_rdrf->psz_ref[i] );
1969 }
1970 p_box->data.p_rdrf->psz_ref[i_len] = '\0';
1971 }
1972 else
In line 1961 MP4_GET4BYTES reads the atom length of the mov file as specified
in the Apple QuickTime standard and stores the value in the i_len variable.
On positive values it then allocates memory to store that atom data in a buffer.
There is a problem with this code here:
1965 p_box->data.p_rdrf->psz_ref = malloc( i_len + 1);
When supplied 0xFFFFFFFF as the atom length, i_len + 1 will overflow, resulting
in malloc allocating the smallest possible chunk because malloc is called with
a length argument of 0. It will not fail but it won't allocate the needed memory.
The for-loop in 1966 will then happily copy a lot more data into the buffer.
When exploited this could possibly lead to code execution.
Btw, since i_len is of type uint32_t the else branch will never be used.
A check for malloc returning NULL doesn't hurt either.
A proof of concept mov file can be found on:
http://nion.modprobe.de/la.mov
If you fix this vulnerability please also include the CVE id
in your changelog entry.
For further information:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1489
Kind regards
Nico
--
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
--- End Message ---
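Added example, not code from the bug report, from the VLC changeset or from the Debian package: a stand-alone C reader for the rdrf box payload laid out as the quoted MP4_ReadBox_rdrf() consumes it (1-byte version, 3-byte flags, 4-byte ref type, 4-byte big-endian length, then the reference string). rdrf_alloc_size_unchecked() reproduces the malloc( i_len + 1 ) arithmetic so the wrap to 0 for i_len == 0xFFFFFFFF can be seen, and rdrf_read_checked() is a hardened reader that bounds the length against the bytes actually present in the box before allocating, which rules out the wrap and also adds the malloc NULL check the report asks for. The function names, the RDRF_* result codes and the two sample payloads are this example's own constructions; they are not taken from the proof-of-concept file.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

typedef struct {
    uint8_t  version;
    uint32_t flags;      /* 24-bit flags field */
    uint32_t ref_type;   /* fourcc */
    uint32_t ref_len;
    char    *psz_ref;    /* NUL-terminated copy of the reference */
} rdrf_box_t;

enum { RDRF_OK = 0, RDRF_TRUNCATED = -1, RDRF_BAD_LEN = -2, RDRF_NOMEM = -3 };

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* The arithmetic of the vulnerable code: malloc( i_len + 1 ) on a uint32_t.
 * With i_len == 0xFFFFFFFF the sum wraps to 0, so the allocation is far
 * smaller than the i_len bytes the copy loop then writes. */
uint32_t rdrf_alloc_size_unchecked(uint32_t i_len)
{
    return i_len + 1u;
}

/* Hardened reader (example design, not VLC's fix). payload/payload_len are
 * the box contents after the box header. The length from the file is checked
 * against the bytes present before any allocation: a valid ref_len is at most
 * payload_len - 12, so ref_len + 1 can no longer overflow. */
int rdrf_read_checked(const uint8_t *payload, size_t payload_len, rdrf_box_t *out)
{
    memset(out, 0, sizeof *out);
    if (payload_len < 12)
        return RDRF_TRUNCATED;

    out->version  = payload[0];
    out->flags    = be32(payload) & 0x00FFFFFFu;
    out->ref_type = be32(payload + 4);
    out->ref_len  = be32(payload + 8);

    /* Reject lengths that do not fit in the box; this covers 0xFFFFFFFF. */
    if (out->ref_len > payload_len - 12)
        return RDRF_BAD_LEN;

    out->psz_ref = malloc((size_t)out->ref_len + 1);
    if (out->psz_ref == NULL)
        return RDRF_NOMEM;

    memcpy(out->psz_ref, payload + 12, out->ref_len);
    out->psz_ref[out->ref_len] = '\0';
    return RDRF_OK;
}

void rdrf_free(rdrf_box_t *box)
{
    free(box->psz_ref);
    box->psz_ref = NULL;
}

/* Constructed sample payloads: a well-formed box carrying "http://x/a.mov",
 * and one whose length field is 0xFFFFFFFF as in the report. */
static const uint8_t good_rdrf[] = {
    0x00, 0x00, 0x00, 0x00,           /* version 0, flags 0 */
    'u', 'r', 'l', ' ',               /* ref type 'url ' */
    0x00, 0x00, 0x00, 0x0E,           /* length 14 */
    'h','t','t','p',':','/','/','x','/','a','.','m','o','v'
};
static const uint8_t crafted_rdrf[] = {
    0x00, 0x00, 0x00, 0x00,
    'u', 'r', 'l', ' ',
    0xFF, 0xFF, 0xFF, 0xFF,           /* i_len = 0xFFFFFFFF, i_len + 1 == 0 */
    'A', 'A', 'A', 'A'
};

/* Returns 1 when the well-formed sample parses to the expected string. */
int rdrf_check_good(void)
{
    rdrf_box_t b;
    int rc = rdrf_read_checked(good_rdrf, sizeof good_rdrf, &b);
    int ok = (rc == RDRF_OK) && b.ref_len == 14 &&
             strcmp(b.psz_ref, "http://x/a.mov") == 0;
    rdrf_free(&b);
    return ok;
}

/* Returns the result code the hardened reader gives the crafted sample. */
int rdrf_check_crafted(void)
{
    rdrf_box_t b;
    return rdrf_read_checked(crafted_rdrf, sizeof crafted_rdrf, &b);
}
```

The bound against payload_len - 12 is the check that matters: it rejects the wrapped value without needing a special case for 0xFFFFFFFF, and it also stops a length that is merely larger than the box from driving the copy loop past the end of the data that was actually read.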
--- Begin Message ---
Source: vlc
Source-Version: 0.8.6.e-1.1
We believe that the bug you reported is fixed in the latest version of
vlc, which is due to be installed in the Debian FTP archive:
libvlc0-dev_0.8.6.e-1.1_amd64.deb
to pool/main/v/vlc/libvlc0-dev_0.8.6.e-1.1_amd64.deb
libvlc0_0.8.6.e-1.1_amd64.deb
to pool/main/v/vlc/libvlc0_0.8.6.e-1.1_amd64.deb
mozilla-plugin-vlc_0.8.6.e-1.1_amd64.deb
to pool/main/v/vlc/mozilla-plugin-vlc_0.8.6.e-1.1_amd64.deb
vlc-nox_0.8.6.e-1.1_amd64.deb
to pool/main/v/vlc/vlc-nox_0.8.6.e-1.1_amd64.deb
vlc-plugin-alsa_0.8.6.e-1.1_all.deb
to pool/main/v/vlc/vlc-plugin-alsa_0.8.6.e-1.1_all.deb
vlc-plugin-arts_0.8.6.e-1.1_amd64.deb
to pool/main/v/vlc/vlc-plugin-arts_0.8.6.e-1.1_amd64.deb
vlc-plugin-esd_0.8.6.e-1.1_amd64.deb
to pool/main/v/vlc/vlc-plugin-esd_0.8.6.e-1.1_amd64.deb
vlc-plugin-ggi_0.8.6.e-1.1_amd64.deb
to pool/main/v/vlc/vlc-plugin-ggi_0.8.6.e-1.1_amd64.deb
vlc-plugin-jack_0.8.6.e-1.1_amd64.deb
to pool/main/v/vlc/vlc-plugin-jack_0.8.6.e-1.1_amd64.deb
vlc-plugin-sdl_0.8.6.e-1.1_amd64.deb
to pool/main/v/vlc/vlc-plugin-sdl_0.8.6.e-1.1_amd64.deb
vlc-plugin-svgalib_0.8.6.e-1.1_amd64.deb
to pool/main/v/vlc/vlc-plugin-svgalib_0.8.6.e-1.1_amd64.deb
vlc_0.8.6.e-1.1.diff.gz
to pool/main/v/vlc/vlc_0.8.6.e-1.1.diff.gz
vlc_0.8.6.e-1.1.dsc
to pool/main/v/vlc/vlc_0.8.6.e-1.1.dsc
vlc_0.8.6.e-1.1_amd64.deb
to pool/main/v/vlc/vlc_0.8.6.e-1.1_amd64.deb
wxvlc_0.8.6.e-1.1_all.deb
to pool/main/v/vlc/wxvlc_0.8.6.e-1.1_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Nico Golde <[EMAIL PROTECTED]> (supplier of updated vlc package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Wed, 26 Mar 2008 13:21:44 +0100
Source: vlc
Binary: vlc vlc-nox libvlc0 libvlc0-dev vlc-plugin-esd vlc-plugin-alsa
vlc-plugin-sdl vlc-plugin-ggi vlc-plugin-glide vlc-plugin-arts
mozilla-plugin-vlc vlc-plugin-svgalib wxvlc vlc-plugin-jack
Architecture: source all amd64
Version: 0.8.6.e-1.1
Distribution: unstable
Urgency: high
Maintainer: Debian multimedia packages maintainers <[EMAIL PROTECTED]>
Changed-By: Nico Golde <[EMAIL PROTECTED]>
Description:
libvlc0 - multimedia player and streamer library
libvlc0-dev - development files for VLC
mozilla-plugin-vlc - multimedia plugin for web browsers based on VLC
vlc - multimedia player and streamer
vlc-nox - multimedia player and streamer (without X support)
vlc-plugin-alsa - dummy transitional package
vlc-plugin-arts - aRts audio output plugin for VLC
vlc-plugin-esd - Esound audio output plugin for VLC
vlc-plugin-ggi - GGI video output plugin for VLC
vlc-plugin-jack - Jack audio plugins for VLC
vlc-plugin-sdl - SDL video and audio output plugin for VLC
vlc-plugin-svgalib - SVGAlib video output plugin for VLC
wxvlc - dummy transitional package
Closes: 472635
Changes:
vlc (0.8.6.e-1.1) unstable; urgency=high
.
* Non-maintainer upload by the Security Team.
* Fix Integer overflow in MP4_ReadBox_rdrf function
that triggers a heap-based buffer overflow via a
large atom length value (Closes: #472635).
Files:
bdcaa9730d2cd021e86db87e65708fb0 2703 graphics optional vlc_0.8.6.e-1.1.dsc
fbb40c6aaade38e0cbf43e8749d9b191 35720 graphics optional vlc_0.8.6.e-1.1.diff.gz
5719e622c7a71e80b36c2795e6dda29c 798 graphics optional vlc-plugin-alsa_0.8.6.e-1.1_all.deb
a081b1f5aeffd3c603bba5c526649af0 792 graphics optional wxvlc_0.8.6.e-1.1_all.deb
9d5a3083e149d120d9b2291732e7e0c6 1165900 graphics optional vlc_0.8.6.e-1.1_amd64.deb
85942e15502272c737ee68c2bbefa4cb 4860156 net optional vlc-nox_0.8.6.e-1.1_amd64.deb
72b499d123450b0415f46aec9b028386 485084 libs optional libvlc0_0.8.6.e-1.1_amd64.deb
39f4e601e8971eb667a10c8e1fb35369 539958 libdevel optional libvlc0-dev_0.8.6.e-1.1_amd64.deb
db99f1622b7779d89ad13c9461714550 4530 graphics optional vlc-plugin-esd_0.8.6.e-1.1_amd64.deb
778cacd6f649ec3d0ca2122ccfc710de 11654 graphics optional vlc-plugin-sdl_0.8.6.e-1.1_amd64.deb
87b41ecc0fcff93ce2362a81f740a4d0 6216 graphics optional vlc-plugin-ggi_0.8.6.e-1.1_amd64.deb
a7285a54fe267cd5b0d7ef1e2b815d0e 4176 graphics optional vlc-plugin-arts_0.8.6.e-1.1_amd64.deb
79fc47583effd10c6627af2c76515b79 38280 graphics optional mozilla-plugin-vlc_0.8.6.e-1.1_amd64.deb
d9718dab24afec2ffafc48ebad82f79d 4802 graphics optional vlc-plugin-svgalib_0.8.6.e-1.1_amd64.deb
a287f25350170a4abfdec86249efab3c 4872 graphics optional vlc-plugin-jack_0.8.6.e-1.1_amd64.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
iD8DBQFH6oD2HYflSXNkfP8RAtCIAJ9W46rIeQRKhPwHzQ0AABFZnc77agCfZ/fw
QNAOa/K2FhO9tqKC2HduvVA=
=5ONb
-----END PGP SIGNATURE-----
--- End Message ---