Bug#: 133570
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Sune Kloppenborg Jeppesen <jaervosz@gentoo.org>
Bug 133570 blocks: 133240
Description:   Opened: 2006-05-16 23:33 0000
Got the following slightly edited report on Vendor-Sec. Not sure whether we are
affected:

Thanks for letting us know!  Seems like the xine guys fixed this particular 
problem a while back already (that's where the asf code comes from), so no 
need to inform them.  I've fixed the problem in SVN 2827.

Christian

On Sunday 14 May 2006 10:20, Luigi Auriemma wrote:
> Hey,
>
> I want to report a security bug I have found in libextractor, tested
> both 0.5.13 and current SVN.
>
> The bug is a heap overflow in src/plugins/asfextractor.c.
>
> The demux_asf_t structure is allocated when the plugin is called, and
> subsequently a call to asf_read_header is performed, which reads the whole
> header of the input file, arriving at GUID_ASF_STREAM_PROPERTIES
> and then at CODEC_TYPE_AUDIO.
> Here we have an arbitrary read of data from the ASF file into the
> wavex buffer of 1024*2 bytes, using the 32-bit number called total_size
> provided by the same file as the amount of data to read.
> No checks are made on total_size, so it is possible to cause a heap overflow.
>
> The following is the piece of code containing the bug:
>
>           ...
>           total_size = get_le32(this);
>           stream_data_size = get_le32(this);
>           stream_id = get_le16(this); /* stream id */
>           get_le32(this);
>
>           if (type == CODEC_TYPE_AUDIO) {
>             ext_uint8_t buffer[6];
>
>             readBuf (this, (ext_uint8_t *) this->wavex, total_size);
>           ...
>
> I await your reply.
>
>
> BYEZ
>
>
> ---
> Luigi Auriemma
> http://aluigi.org
> http://mirror.aluigi.org
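
The unchecked length the report describes, beside a bounds-checked replacement, as an added example written for this page (it is not libextractor's code nor the SVN 2827 fix); the demux_asf_t layout, get_le32, read_wavex_checked and the sample bytes are constructed stand-ins.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical stand-in for libextractor's demux_asf_t, reduced to the one
 * field the report discusses: the fixed 1024*2 byte wavex buffer. */
typedef struct {
    const uint8_t *data;   /* constructed in-memory ASF bytes being parsed */
    size_t len;
    size_t pos;
    uint8_t wavex[1024 * 2];
} demux_asf_t;

/* Little-endian 32-bit reader: returns 0 and marks the input exhausted when
 * fewer than 4 bytes remain, so a truncated header cannot be read past. */
static uint32_t get_le32(demux_asf_t *this)
{
    if (this->len - this->pos < 4) { this->pos = this->len; return 0; }
    const uint8_t *p = this->data + this->pos;
    this->pos += 4;
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Bounds-checked replacement for readBuf(this, this->wavex, total_size):
 * the file-supplied length must fit both the destination buffer and the
 * bytes actually left in the input. Returns 0 on success, -1 on reject. */
static int read_wavex_checked(demux_asf_t *this, uint32_t total_size)
{
    if (total_size > sizeof(this->wavex)) return -1;    /* would overflow wavex */
    if (total_size > this->len - this->pos) return -1;  /* would read past input */
    memcpy(this->wavex, this->data + this->pos, total_size);
    this->pos += total_size;
    return 0;
}

/* Parse a constructed fragment shaped like the audio branch in the report:
 * [total_size LE32][total_size bytes of codec data]. 0 = accepted, -1 = rejected. */
int parse_audio_stream_props(const uint8_t *buf, size_t len)
{
    demux_asf_t d = { .data = buf, .len = len };
    return read_wavex_checked(&d, get_le32(&d));
}
/* Constructed samples, not taken from any real ASF file. */
static const uint8_t benign_sample[] = {
    0x12, 0x00, 0x00, 0x00,                         /* total_size = 18 */
    0x01, 0x00, 0x02, 0x00, 0x44, 0xAC, 0x00, 0x00, /* 18 bytes of WAVEFORMATEX-like data */
    0x10, 0xB1, 0x02, 0x00, 0x04, 0x00, 0x10, 0x00, 0x00, 0x00
};
static const uint8_t hostile_sample[] = { 0xFF, 0xFF, 0xFF, 0xFF, 0x41, 0x41, 0x41, 0x41 }; /* total_size = 0xFFFFFFFF */
```

The same two checks also catch a header whose total_size is within 1024*2 bytes but larger than what remains in the file, which the original readBuf call would have read past.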

------- Comment #1 From Sune Kloppenborg Jeppesen 2006-05-16 23:36:01 0000 -------
Marcin, please advise and patch as necessary, as this is still semi-public.

------- Comment #2 From Sune Kloppenborg Jeppesen 2006-05-18 08:38:38 0000 -------
Opening as this is now public. net-p2p please advise.

------- Comment #3 From Sune Kloppenborg Jeppesen 2006-05-18 08:38:45 0000 -------
*** Bug 133664 has been marked as a duplicate of this bug. ***

------- Comment #4 From Jon Hood (RETIRED) 2006-05-18 08:58:04 0000 -------
libextractor 0.5.9 is currently stable on sparc and x86, and it is vulnerable
to the reported issue. 0.5.14 is now in portage with the fixes from gnunet that
fix this issue. Sparc and x86 will need to mark this stable.

------- Comment #5 From Stefan Cornelius (RETIRED) 2006-05-18 09:09:55 0000 -------
sparc and x86 please do your magic for 0.5.14, thanks

------- Comment #6 From Joshua Jackson 2006-05-18 22:00:12 0000 -------
x86 is done (^.^)

------- Comment #7 From Gustavo Zacarias (RETIRED) 2006-05-19 06:42:40 0000 -------
sparc stable.

------- Comment #8 From Stefan Cornelius (RETIRED) 2006-05-19 06:48:59 0000 -------
ready for glsa

------- Comment #9 From Stefan Cornelius (RETIRED) 2006-05-21 11:07:30 0000 -------
GLSA 200605-14

Thanks everybody
