Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 669276 (CVE-2018-4013, CVE-2019-15232, CVE-2019-6256, CVE-2019-9215) - <media-plugins/live-2020.03.06: Multiple vulnerabilities (CVE-2018-4013, CVE-2019-{9215,6256,15232})
Summary: <media-plugins/live-2020.03.06: Multiple vulnerabilities (CVE-2018-4013, CVE-...
Status: RESOLVED FIXED
Alias: CVE-2018-4013, CVE-2019-15232, CVE-2019-6256, CVE-2019-9215
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All All
: Normal major (vote)
Assignee: Gentoo Security
URL: https://cve.mitre.org/cgi-bin/cvename...
Whiteboard: B1 [glsa+ cve cleanup]
Keywords:
Depends on:
Blocks: CVE-2019-7314 CVE-2019-7733
  Show dependency tree
 
Reported: 2018-10-22 05:04 UTC by J.O. Aho
Modified: 2020-05-14 22:07 UTC (History)
3 users (show)

See Also:
Package list:
=media-plugins/live-2020.03.06 amd64 arm ppc ppc64 x86
Runtime testing required: ---
nattka: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description J.O. Aho 2018-10-22 05:04:35 UTC
An exploitable code execution vulnerability exists in the HTTP packet-parsing functionality of the LIVE555 RTSP server library. A specially crafted packet can cause a stack-based buffer overflow, resulting in code execution. An attacker can send a packet to trigger this vulnerability.

This affects versions earlier than 2018.10.17
CVSSv3 Score: 10.0 

Reproducible: Always




More information can be found at:
https://blog.talosintelligence.com/2018/10/vulnerability-spotlight-live-networks.html
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-03-21 21:45:13 UTC
status: need to determine if the ABI needs a bump.
Comment 2 Larry the Git Cow gentoo-dev 2020-03-31 08:39:15 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8c293c2d398dbbe110b67473cc43835a43873c8c

commit 8c293c2d398dbbe110b67473cc43835a43873c8c
Author:     Sam James (sam_c) <sam@cmpct.info>
AuthorDate: 2020-03-25 03:22:33 +0000
Commit:     Joonas Niilola <juippis@gentoo.org>
CommitDate: 2020-03-31 08:38:58 +0000

    media-plugins/live: Security bump to 2020.03.06
    
    * Decided to bump to the latest while there.
    * Adds an optional ssl dependency.
    * Bumps from EAPI 5 => 7
    
    Bug: https://bugs.gentoo.org/669276
    Signed-off-by: Sam James (sam_c) <sam@cmpct.info>
    Closes: https://github.com/gentoo/gentoo/pull/15100
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 media-plugins/live/Manifest                  |   1 +
 media-plugins/live/files/config.gentoo-so-r3 |  17 +++++
 media-plugins/live/live-2020.03.06.ebuild    | 100 +++++++++++++++++++++++++++
 3 files changed, 118 insertions(+)
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-03-31 11:27:06 UTC
@maintainer(s), please advise if ready for stabilisation, or call yourself
Comment 4 NATTkA bot gentoo-dev 2020-04-16 14:33:08 UTC
Unable to check for sanity:

> disallowed package spec (only = allowed): media-plugins/live
Comment 5 NATTkA bot gentoo-dev 2020-04-16 14:37:14 UTC
Unable to check for sanity:

> no match for package: =media-plugins/live-2020.30.06
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2020-04-17 04:35:04 UTC
CVE-2019-9215 (https://nvd.nist.gov/vuln/detail/CVE-2019-9215):
  In Live555 before 2019.02.27, malformed headers lead to invalid memory
  access in the parseAuthorizationHeader function.
Comment 7 J.O. Aho 2020-04-17 06:04:32 UTC
Maybe remove the vulnerable versions too:
live-2017.10.28.ebuild  live-2018.01.29.ebuild  live-2018.07.07.ebuild

would be bad to let users keep on using those versions.
Comment 8 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-04-17 16:34:00 UTC
(In reply to J.O. Aho from comment #7)
> Maybe remove the vulnerable versions too:
> live-2017.10.28.ebuild  live-2018.01.29.ebuild  live-2018.07.07.ebuild
> 
> would be bad to let users keep on using those versions.

We always cleanup after stabilisation if necessary, don't worry.
Comment 9 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-04-19 11:19:52 UTC
arm64 stable
Comment 10 GLSAMaker/CVETool Bot gentoo-dev 2020-04-20 00:14:44 UTC
CVE-2019-6256 (https://nvd.nist.gov/vuln/detail/CVE-2019-6256):
  A Denial of Service issue was discovered in the LIVE555 Streaming Media
  libraries as used in Live555 Media Server 0.93. It can cause an RTSPServer
  crash in handleHTTPCmd_TunnelingPOST, when RTSP-over-HTTP tunneling is
  supported, via x-sessioncookie HTTP headers in a GET request and a POST
  request within the same TCP session. This occurs because of a call to an
  incorrect virtual function pointer in the readSocket function in
  GroupsockHelper.cpp.

CVE-2019-15232 (https://nvd.nist.gov/vuln/detail/CVE-2019-15232):
  Live555 before 2019.08.16 has a Use-After-Free because
  GenericMediaServer::createNewClientSessionWithId can generate the same
  client session ID in succession, which is mishandled by the MPEG1or2 and
  Matroska file demultiplexors.
Comment 11 Rolf Eike Beer archtester 2020-04-22 05:55:26 UTC
dropped to ~sparc
Comment 12 Agostino Sarubbo gentoo-dev 2020-04-23 06:20:17 UTC
amd64 stable
Comment 13 Agostino Sarubbo gentoo-dev 2020-04-23 06:22:06 UTC
arm stable
Comment 14 Agostino Sarubbo gentoo-dev 2020-04-23 06:24:39 UTC
ppc stable
Comment 15 Agostino Sarubbo gentoo-dev 2020-04-23 06:26:31 UTC
ppc64 stable
Comment 16 Agostino Sarubbo gentoo-dev 2020-04-23 06:29:49 UTC
x86 stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 17 GLSAMaker/CVETool Bot gentoo-dev 2020-05-14 22:07:35 UTC
This issue was resolved and addressed in
 GLSA 202005-06 at https://security.gentoo.org/glsa/202005-06
by GLSA coordinator Thomas Deutschmann (whissi).