Bug 279340 (CVE-2010-2062) - <media-video/vlc-0.9.10 Real RDT Integer Underflow (CVE-2010-2062)
Summary: <media-video/vlc-0.9.10 Real RDT Integer Underflow (CVE-2010-2062)
Status: RESOLVED FIXED
Alias: CVE-2010-2062
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
URL: http://seclists.org/fulldisclosure/20...
Whiteboard: B2 [glsa]
Keywords:
Depends on:
Blocks:
Reported: 2009-07-27 17:03 UTC by Alex Legler (RETIRED)
Modified: 2014-11-05 22:07 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Description Alex Legler (RETIRED) archtester gentoo-dev Security 2009-07-27 17:03:26 UTC
From $URL:

Function real_get_rdt_chunk() calls rtsp_read_data() to read RDT
(Real Data Transport) chunk headers from the network and after that it will
parse them.
A controlled variable is used to allocate a buffer and later passed on to the
rtsp_read_data() function in order to specify the length of RDT chunk
data to read from the network.
An integer underflow can be triggered when parsing a malformed RDT header chunk;
a remote attacker can exploit it to execute arbitrary code in the context of
the application.

VLC
Source file:    modules/access/rtsp/real.c
function:       int real_get_rdt_chunk_header(rtsp_client_t *rtsp_session,
                                             rmff_pheader_t *ph)
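As an added illustration of the bug class described above (this is not the advisory's code nor VLC's real.c; the 4-byte header layout, the constant HDR_LEN and the function names are assumptions), the unchecked "declared size minus header length" subtraction is shown beside the check that rejects a header whose declared size cannot even cover the header itself:

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical, simplified chunk layout (not VLC's actual RDT layout):
 * bytes 0-1: big-endian total chunk size, header included
 * bytes 2-3: other header fields, ignored here */
#define HDR_LEN 4

/* Constructed sample headers */
static const uint8_t SAMPLE_BAD[HDR_LEN]  = {0x00, 0x02, 0x00, 0x00}; /* size 2 < HDR_LEN */
static const uint8_t SAMPLE_GOOD[HDR_LEN] = {0x00, 0x10, 0x00, 0x00}; /* size 16 */

/* Vulnerable pattern: the size comes from the peer and the header length is
 * subtracted without a check, so a size below HDR_LEN yields a negative int. */
static int payload_len_unchecked(const uint8_t *hdr)
{
    int size = (hdr[0] << 8) | hdr[1];
    return size - HDR_LEN;
}

/* What that negative length becomes once it reaches a size_t allocation or
 * read-length parameter: a huge value, so the read runs far past the buffer. */
static size_t as_read_length(int len)
{
    return (size_t)len;
}

/* Hardened: reject any chunk whose declared size cannot hold its own header.
 * Returns -1 for a malformed header, otherwise the payload length. */
static long payload_len_checked(const uint8_t *hdr)
{
    unsigned size = ((unsigned)hdr[0] << 8) | hdr[1];
    if (size < HDR_LEN)
        return -1;
    return (long)(size - HDR_LEN);
}

int main(void)
{
    printf("bad  unchecked=%d  as size_t=%zu  checked=%ld\n",
           payload_len_unchecked(SAMPLE_BAD),
           as_read_length(payload_len_unchecked(SAMPLE_BAD)),
           payload_len_checked(SAMPLE_BAD));
    printf("good unchecked=%d  checked=%ld\n",
           payload_len_unchecked(SAMPLE_GOOD), payload_len_checked(SAMPLE_GOOD));
    return 0;
}
```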
Comment 1 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-07-27 17:05:39 UTC
Fixed in VLC 1.0.1, already tagged in upstream git, but not yet released.

Patch available at http://git.videolan.org/?p=vlc.git;a=commit;h=dc74600c97eb834c08674676e209afa842053aca
Comment 2 Alexis Ballier gentoo-dev 2009-07-27 17:13:34 UTC
So it is indeed exploitable...
We'll have two options: 0.9.10 or 1.0.1

I'd really prefer going for 1.0.1 stable as it fixes a couple of UI regressions from 0.9.x but it is a bit young so I'd like arch testers to take extra care there and refuse stable if there's too much annoying stuff (we may have a 0.9.10 very soon too).
Anyway, we'll see what will be released and when.
Comment 3 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-07-28 06:07:53 UTC
1.0.1 is now on the download site: http://download.videolan.org/pub/videolan/vlc/1.0.1/

Alexis, your call.
Comment 4 Alexis Ballier gentoo-dev 2009-07-28 10:03:17 UTC
0.9.10 and 1.0.1 are both in cvs now.
Comment 5 Robert Buchholz (RETIRED) gentoo-dev 2009-07-28 10:48:15 UTC
Arches, please test and mark stable:
=media-video/vlc-0.9.10
=media-video/vlc-1.0.1 (see comment #2)
Target keywords : "alpha amd64 ppc sparc x86"
Comment 6 Markus Meier gentoo-dev 2009-07-29 21:21:55 UTC
amd64/x86 stable
Comment 7 Alexis Ballier gentoo-dev 2009-08-02 21:18:00 UTC
(In reply to comment #6)
> amd64/x86 stable

It seems you've only been with 0.9.10 and I'd like to know why... the request was more: go for 1.0.1 unless absolutely needed and the part that seemed obvious to me: report why. Upstream has no plan to support 0.9.x anymore...

http://mailman.videolan.org/pipermail/vlc-devel/2009-July/063528.html
Comment 8 Markus Meier gentoo-dev 2009-08-03 19:35:34 UTC
(In reply to comment #7)
> (In reply to comment #6)
> > amd64/x86 stable
> 
> It seems you've only been with 0.9.10 and I'd like to know why... the request
> was more: go for 1.0.1 unless absolutely needed and the part that seemed
> obvious to me: report why. Upstream has no plan to support 0.9.x anymore...

basically b/c of the deps needing stable, but it looks like they do not have any open bugs. so should I go for these packages?
=media-video/vlc-1.0.1
=media-libs/libdvbpsi-0.1.6
=net-libs/libproxy-0.2.3-r2
=media-libs/libtiger-0.3.3
Comment 9 Alexis Ballier gentoo-dev 2009-08-04 07:15:26 UTC
(In reply to comment #8)
> (In reply to comment #7)
> > (In reply to comment #6)
> > > amd64/x86 stable
> > 
> > It seems you've only been with 0.9.10 and I'd like to know why... the request
> > was more: go for 1.0.1 unless absolutely needed and the part that seemed
> > obvious to me: report why. Upstream has no plan to support 0.9.x anymore...
> 
> basically b/c of the deps needing stable, but it looks like they do not have
> any open bugs. so should I go for these packages?
> =media-video/vlc-1.0.1
> =media-libs/libdvbpsi-0.1.6
> =net-libs/libproxy-0.2.3-r2
> =media-libs/libtiger-0.3.3


yes please
Comment 10 Markus Meier gentoo-dev 2009-08-04 08:17:38 UTC
amd64/x86: please have a look at the previous comments, we should go for media-video/vlc-1.0.1 and deps.
Comment 11 Christian Faulhammer (RETIRED) gentoo-dev 2009-08-04 20:14:52 UTC
This also needs a newer libtool.
Comment 12 Alexis Ballier gentoo-dev 2009-08-04 23:51:48 UTC
(In reply to comment #11)
> This also needs a newer libtool.

Hu? It's fine here and according to the deps it doesn't. If you don't explain in more details what the problem is, chances are great this won't get fixed soon... (assuming there is something to fix)
Comment 13 Christian Faulhammer (RETIRED) gentoo-dev 2009-08-05 07:01:22 UTC
(In reply to comment #12)
> (In reply to comment #11)
> > This also needs a newer libtool.
> 
> Hu? It's fine here and according to the deps it doesn't. If you don't explain in
> more details what the problem is, chances are great this won't get fixed
> soon... (assuming there is something to fix)

USE=pulseaudio wants a newer pulseaudio (I chose 0.9.15-r2) and this pulls in a newer libtool.

Comment 14 Alexis Ballier gentoo-dev 2009-08-05 07:20:24 UTC
(In reply to comment #13)
> (In reply to comment #12)
> > (In reply to comment #11)
> > > This also needs a newer libtool.
> > 
> > Hu? It's fine here and according to the deps it doesn't. If you don't explain in
> > more details what the problem is, chances are great this won't get fixed
> > soon... (assuming there is something to fix)
> 
> USE=pulseaudio wants a newer pulseaudio (I chose 0.9.15-r2) and this pulls in
> a newer libtool.

Ok, thanks. Forget about 1.0.1 and go for 0.9.10 for now then. I didn't notice this was pulling ~arch pulseaudio too :/ We'll see about 1.0.x going stable in another bug later.
Comment 15 nixnut (RETIRED) gentoo-dev 2009-08-09 14:30:47 UTC
ppc stable
Comment 16 Raúl Porcel (RETIRED) gentoo-dev 2009-08-09 16:47:07 UTC
alpha/sparc stable
Comment 17 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-08-19 10:59:37 UTC
GLSA request filed.
Comment 18 Jaak Ristioja 2010-07-23 09:09:04 UTC
There is no <media-video/vlc-1.0.6 in portage any more.
Comment 19 Stefan Behte (RETIRED) gentoo-dev Security 2011-10-10 19:12:02 UTC
Can one of our new scouts check if there is a CVE for this and request one if there is none?
Comment 20 Sean Amoss (RETIRED) gentoo-dev Security 2011-10-10 19:51:08 UTC
This appears to be CVE-2010-2062 - I don't have edit privileges to update the
summary or alias.
Comment 21 Stefan Behte (RETIRED) gentoo-dev Security 2011-10-10 20:15:56 UTC
Where did you find that, I don't see it here:

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-2062
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2062
Comment 22 Sean Amoss (RETIRED) gentoo-dev Security 2011-10-10 20:27:31 UTC
Sorry, I found that from Debian with the same git commit:

http://security-tracker.debian.org/tracker/CVE-2010-2062

Description: VLC: integer underflow in Real RTSP
Comment 23 Stefan Behte (RETIRED) gentoo-dev Security 2011-10-10 20:37:42 UTC
Thanks for searching! :)
Comment 24 GLSAMaker/CVETool Bot gentoo-dev 2014-11-05 22:07:29 UTC
This issue was resolved and addressed in
GLSA 201411-01 at http://security.gentoo.org/glsa/glsa-201411-01.xml
by GLSA coordinator Sean Amoss (ackle).