Your message dated Mon, 31 Mar 2008 09:03:25 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#472635: fixed in vlc 0.8.6.c-6+lenny3
has caused the Debian Bug report #472635,
regarding vlc CVE-2008-1489: integer overflow leading to heap overflow
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)
--
472635: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=472635
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: vlc
Severity: grave
Tags: security patch
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for vlc.
CVE-2008-1489[0]:
| Integer overflow in the MP4_ReadBox_rdrf function in libmp4.c for VLC
| 0.8.6e allows remote attackers to cause a denial of service (crash)
| and possibly execute arbitrary code via a crafted MP4 RDRF box that
| triggers a heap-based buffer overflow, a different vulnerability than
| CVE-2008-0984.
Patch is on:
http://trac.videolan.org/vlc/changeset/09572892df7e72c0d4e598c0b5e076cf330d8b0a
I can provide some more details since I also discovered this
in 0.8.6e independently :)
Quoting modules/demuxer/mp4/libmp4.c, MP4_ReadBox_rdrf() function:
1954 static int MP4_ReadBox_rdrf( stream_t *p_stream, MP4_Box_t *p_box )
1955 {
1956 uint32_t i_len;
1957 MP4_READBOX_ENTER( MP4_Box_data_rdrf_t );
1958
1959 MP4_GETVERSIONFLAGS( p_box->data.p_rdrf );
1960 MP4_GETFOURCC( p_box->data.p_rdrf->i_ref_type );
1961 MP4_GET4BYTES( i_len );
1962 if( i_len > 0 )
1963 {
1964 uint32_t i;
1965 p_box->data.p_rdrf->psz_ref = malloc( i_len + 1);
1966 for( i = 0; i < i_len; i++ )
1967 {
1968 MP4_GET1BYTE( p_box->data.p_rdrf->psz_ref[i] );
1969 }
1970 p_box->data.p_rdrf->psz_ref[i_len] = '\0';
1971 }
1972 else
In line 1961 MP4_GET4BYTES reads the atom length of the mov file as specified
in the apple quicktime standard and stores the value in the i_len variable.
On positive values it then allocates memory to store that atom data in a buffer.
There is a problem with this code here:
1965 p_box->data.p_rdrf->psz_ref = malloc( i_len + 1);
When supplied 0xFFFFFFFF as the atom lenght i_len + 1 will overflow and
resulting
in malloc allocating the smallest possible chunk because malloc is called with
a length
argument of 0. It will not fail but it won't allocate the needed memory.
The for-loop in 1966 will then happily copy a lot more data into the buffer.
When exploited this could possibly lead to code execution.
Btw since i_len is of type uint32_t the else branch will be never used.
A check for malloc returning NULL doesn't hurt either.
A proof of concept mov file can be found on:
http://nion.modprobe.de/la.mov
If you fix this vulnerability please also include the CVE id
in your changelog entry.
For further information:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1489
Kind regards
Nico
--
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
pgpbqUU9MLfLF.pgp
Description: PGP signature
--- End Message ---
--- Begin Message ---
Source: vlc
Source-Version: 0.8.6.c-6+lenny3
We believe that the bug you reported is fixed in the latest version of
vlc, which is due to be installed in the Debian FTP archive:
libvlc0-dev_0.8.6.c-6+lenny3_amd64.deb
to pool/main/v/vlc/libvlc0-dev_0.8.6.c-6+lenny3_amd64.deb
libvlc0_0.8.6.c-6+lenny3_amd64.deb
to pool/main/v/vlc/libvlc0_0.8.6.c-6+lenny3_amd64.deb
mozilla-plugin-vlc_0.8.6.c-6+lenny3_amd64.deb
to pool/main/v/vlc/mozilla-plugin-vlc_0.8.6.c-6+lenny3_amd64.deb
vlc-nox_0.8.6.c-6+lenny3_amd64.deb
to pool/main/v/vlc/vlc-nox_0.8.6.c-6+lenny3_amd64.deb
vlc-plugin-alsa_0.8.6.c-6+lenny3_all.deb
to pool/main/v/vlc/vlc-plugin-alsa_0.8.6.c-6+lenny3_all.deb
vlc-plugin-arts_0.8.6.c-6+lenny3_amd64.deb
to pool/main/v/vlc/vlc-plugin-arts_0.8.6.c-6+lenny3_amd64.deb
vlc-plugin-esd_0.8.6.c-6+lenny3_amd64.deb
to pool/main/v/vlc/vlc-plugin-esd_0.8.6.c-6+lenny3_amd64.deb
vlc-plugin-ggi_0.8.6.c-6+lenny3_amd64.deb
to pool/main/v/vlc/vlc-plugin-ggi_0.8.6.c-6+lenny3_amd64.deb
vlc-plugin-jack_0.8.6.c-6+lenny3_amd64.deb
to pool/main/v/vlc/vlc-plugin-jack_0.8.6.c-6+lenny3_amd64.deb
vlc-plugin-sdl_0.8.6.c-6+lenny3_amd64.deb
to pool/main/v/vlc/vlc-plugin-sdl_0.8.6.c-6+lenny3_amd64.deb
vlc-plugin-svgalib_0.8.6.c-6+lenny3_amd64.deb
to pool/main/v/vlc/vlc-plugin-svgalib_0.8.6.c-6+lenny3_amd64.deb
vlc_0.8.6.c-6+lenny3.diff.gz
to pool/main/v/vlc/vlc_0.8.6.c-6+lenny3.diff.gz
vlc_0.8.6.c-6+lenny3.dsc
to pool/main/v/vlc/vlc_0.8.6.c-6+lenny3.dsc
vlc_0.8.6.c-6+lenny3_amd64.deb
to pool/main/v/vlc/vlc_0.8.6.c-6+lenny3_amd64.deb
wxvlc_0.8.6.c-6+lenny3_all.deb
to pool/main/v/vlc/wxvlc_0.8.6.c-6+lenny3_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Nico Golde <[EMAIL PROTECTED]> (supplier of updated vlc package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Fri, 28 Mar 2008 13:51:48 +0100
Source: vlc
Binary: vlc vlc-nox libvlc0 libvlc0-dev vlc-plugin-esd vlc-plugin-alsa
vlc-plugin-sdl vlc-plugin-ggi vlc-plugin-glide vlc-plugin-arts
mozilla-plugin-vlc vlc-plugin-svgalib wxvlc vlc-plugin-jack
Architecture: source all amd64
Version: 0.8.6.c-6+lenny3
Distribution: testing-security
Urgency: high
Maintainer: Debian multimedia packages maintainers <[EMAIL PROTECTED]>
Changed-By: Nico Golde <[EMAIL PROTECTED]>
Description:
libvlc0 - multimedia player and streamer library
libvlc0-dev - development files for VLC
mozilla-plugin-vlc - multimedia plugin for web browsers based on VLC
vlc - multimedia player and streamer
vlc-nox - multimedia player and streamer (without X support)
vlc-plugin-alsa - dummy transitional package
vlc-plugin-arts - aRts audio output plugin for VLC
vlc-plugin-esd - Esound audio output plugin for VLC
vlc-plugin-ggi - GGI video output plugin for VLC
vlc-plugin-jack - Jack audio plugins for VLC
vlc-plugin-sdl - SDL video and audio output plugin for VLC
vlc-plugin-svgalib - SVGAlib video output plugin for VLC
wxvlc - dummy transitional package
Closes: 472635 473057
Changes:
vlc (0.8.6.c-6+lenny3) testing-security; urgency=high
.
* Non-maintainer upload by the Security Team.
* This update addresses the following security issues:
- CVE-2008-1489: an integer overflow in the MP4_ReadBox_rdrf function that
can be triggered via crafted atom size values could possibly lead to
arbitrary code execution (Closes: #472635).
- CVE-2008-0073: possible code execution via a crafted rtsp stream with
a large streamid SDP parameter (Closes: #473057).
Files:
a154adf5e340c056d48f690aea8d2aac 2713 graphics optional
vlc_0.8.6.c-6+lenny3.dsc
80193f533ef47d30463d3dfb2f79d491 39426 graphics optional
vlc_0.8.6.c-6+lenny3.diff.gz
68f059b691db7422cd3b0aef65594b9d 804 graphics optional
vlc-plugin-alsa_0.8.6.c-6+lenny3_all.deb
237c2429244caeff612ed430d9977ba3 798 graphics optional
wxvlc_0.8.6.c-6+lenny3_all.deb
31aa2f01b3d7702476b432a5c33775bf 1159496 graphics optional
vlc_0.8.6.c-6+lenny3_amd64.deb
01b7c4316e0c923e4ff0c0764efa0e48 4719008 net optional
vlc-nox_0.8.6.c-6+lenny3_amd64.deb
b633eb8ee19a3aefb4b7efa577de87ed 473634 libs optional
libvlc0_0.8.6.c-6+lenny3_amd64.deb
c7555dec2c1d9f32789a11622a367a8e 539922 libdevel optional
libvlc0-dev_0.8.6.c-6+lenny3_amd64.deb
8e5eca4e237d7489976784d791c8edc5 4544 graphics optional
vlc-plugin-esd_0.8.6.c-6+lenny3_amd64.deb
8c68f3ad13e185f37d6a5fafbadac038 11656 graphics optional
vlc-plugin-sdl_0.8.6.c-6+lenny3_amd64.deb
9f2cc3af1b9a375bbaa615ead68b568d 6222 graphics optional
vlc-plugin-ggi_0.8.6.c-6+lenny3_amd64.deb
a10c33e116f82037b4b9a4d577fdac51 4192 graphics optional
vlc-plugin-arts_0.8.6.c-6+lenny3_amd64.deb
81a6fe49b87cf4934e84d4365813bb70 38152 graphics optional
mozilla-plugin-vlc_0.8.6.c-6+lenny3_amd64.deb
5d9f64f2d20bee2eadb9f492e34c2469 4812 graphics optional
vlc-plugin-svgalib_0.8.6.c-6+lenny3_amd64.deb
60926a4e3dc3c4b0878396df1923bfa2 4882 graphics optional
vlc-plugin-jack_0.8.6.c-6+lenny3_amd64.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
iD8DBQFH74mSHYflSXNkfP8RAiYqAJ9aluODB9pwQ+jsGpMit2a6javNQgCgtioc
YB4CoZ1NOadL79cYo79d+oY=
=HB2M
-----END PGP SIGNATURE-----
--- End Message ---
