Bug 127326 - media-video/kaffeine buffer overflow (CVE-2006-0051)
Summary: media-video/kaffeine buffer overflow (CVE-2006-0051)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
URL:
Whiteboard: B2 [glsa] jaervosz
Keywords:
Duplicates: 129390
Depends on:
Blocks:
 
Reported: 2006-03-23 09:15 UTC by Sune Kloppenborg Jeppesen (RETIRED)
Modified: 2006-04-09 15:15 UTC (History)
5 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments
kaffeine-input-http.patch (3.37 KB, patch) - 2006-03-23 09:16 UTC, Sune Kloppenborg Jeppesen (RETIRED), no flags
kaffeine-0.7.1-r1.ebuild (1.22 KB, text/plain) - 2006-03-24 13:46 UTC, Diego Elio Pettenò (RETIRED), no flags
kaffeine-0.7.1-input-http.patch (3.38 KB, patch) - 2006-03-24 13:47 UTC, Diego Elio Pettenò (RETIRED), no flags

Description Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-03-23 09:15:25 UTC
KDE Security Advisory: Kaffeine buffer overflow
Original Release Date: 2006-03-XX
URL: http://www.kde.org/info/security/advisory-200603XX-1.txt

0. References
        CAN-2006-XXXX


1. Systems affected:

        Kaffeine up to and including Kaffeine 0.7.1


2. Overview:

        Kaffeine contains an unchecked buffer while creating HTTP
        request headers for fetching remote RAM playlists, which
        allows overflowing a heap-allocated buffer and executing
        arbitrary code.


3. Impact:

        Remotely supplied RAM playlists can be used to execute arbitrary
        code on the client machine.


4. Solution:

        Source code patches have been made available which fix these
        vulnerabilities. Contact your OS vendor / binary package provider
        for information about how to obtain updated binary packages.


5. Patch:

        Patch for Kaffeine 0.7.x is available from
        ftp://ftp.kde.org/pub/kde/security_patches :

        03e74434799159a41d735118916b2dd6  kaffeine-input-http.patch


6. Credits:

        We'd like to thank Marcus Meissner for discovering and reporting
        the issue.
Comment 1 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-03-23 09:16:28 UTC
Created attachment 82941 [details, diff]
kaffeine-input-http.patch
Comment 2 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-03-23 09:20:13 UTC
CC'ing flameeyes and carlo.

Please don't commit anything to Portage yet, instead attach any updated ebuilds to this bug and we'll call arch security liaisons to test.
Comment 3 Diego Elio Pettenò (RETIRED) gentoo-dev 2006-03-24 13:46:59 UTC
Created attachment 83042 [details]
kaffeine-0.7.1-r1.ebuild

Take it as -r1 or name it -r2; this is the ebuild.
Comment 4 Diego Elio Pettenò (RETIRED) gentoo-dev 2006-03-24 13:47:31 UTC
Created attachment 83043 [details, diff]
kaffeine-0.7.1-input-http.patch

This patch is needed because the other doesn't apply cleanly on the source tarball.
Comment 5 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-03-24 23:30:38 UTC
Arch Security Liaisons please test and report back on this bug. Do NOT put anything in Portage at this point.

amd64 -> blubb
ppc -> dertobi123
ppc64 -> corsair
x86 -> halcy0n
Comment 6 Diego Elio Pettenò (RETIRED) gentoo-dev 2006-03-26 05:43:48 UTC
FWIW, ~arch is fixed as I've just added version 0.8 that does not seem to use that code anymore.
Comment 7 Markus Rothe (RETIRED) gentoo-dev 2006-03-27 01:12:37 UTC
0.8 works fine on my ppc64 machine. Should we go ahead and mark stable? (as it is already in ~arch)
Comment 8 Diego Elio Pettenò (RETIRED) gentoo-dev 2006-03-28 11:12:48 UTC
No, 0.8 has too many new features yet to be tested, starting from that ripping interface I don't trust at all.

I'd rather add a 0.7.1-r2 if required.
Comment 9 Diego Elio Pettenò (RETIRED) gentoo-dev 2006-04-02 17:31:46 UTC
It's 20060403 (UTC) now, what's the status of this?
Comment 10 Mark Loeser (RETIRED) gentoo-dev 2006-04-03 09:22:49 UTC
Sorry about the delay, the 0.7.1 version looks fine for x86
Comment 11 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-04-03 22:01:04 UTC
No announcement yet on the main KDE site.

Arch Security Liaisons please test and report back.
Comment 12 Diego Elio Pettenò (RETIRED) gentoo-dev 2006-04-04 00:01:55 UTC
blubb gave me the ok for amd64 as long as it worked there.

ppc and ppc64?
Comment 13 Stefan Cornelius (RETIRED) gentoo-dev 2006-04-04 06:03:46 UTC
public now
Comment 14 Mark Loeser (RETIRED) gentoo-dev 2006-04-04 09:20:58 UTC
If anything else is needed from x86, please contact tsunam. I'll be gone until Friday.
Comment 15 Markus Rothe (RETIRED) gentoo-dev 2006-04-04 10:44:48 UTC
stable on ppc64
Comment 16 Tobias Scherbaum (RETIRED) gentoo-dev 2006-04-05 11:25:51 UTC
ppc stable, sorry for the delay
Comment 17 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-04-05 14:14:09 UTC
GLSA drafted, Security please review.
Comment 18 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-04-05 14:32:39 UTC
Thx everyone.

GLSA 200604-04
Comment 19 Eduardo Tongson 2006-04-09 15:15:22 UTC
*** Bug 129390 has been marked as a duplicate of this bug. ***