Bug 133570 - media-libs/libextractor Issue in embedded xine code
Summary: media-libs/libextractor Issue in embedded xine code
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
URL: http://aluigi.altervista.org/adv/libe...
Whiteboard: B2 [glsa] DerCorny
Keywords:
Duplicates: 133664
Depends on:
Blocks: 133240
Reported: 2006-05-16 23:33 UTC by Sune Kloppenborg Jeppesen (RETIRED)
Modified: 2006-05-21 11:07 UTC (History)
See Also:
Package list:
Runtime testing required: ---
Description Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-05-16 23:33:37 UTC
Got the following slightly edited report on Vendor-Sec. Not sure whether we are affected:

Thanks for letting us know!  Seems like the xine guys fixed this particular 
problem a while back already (that's where the asf code comes from), so no 
need to inform them.  I've fixed the problem in SVN 2827.

Christian

On Sunday 14 May 2006 10:20, Luigi Auriemma wrote:
> Hey,
>
> I want to report a security bug I have found in libextractor, tested
> both 0.5.13 and current SVN.
>
> The bug is a heap overflow in src/plugins/asfextractor.c.
>
> The demux_asf_t structure is allocated when the plugin is called and
> subsequently a call to asf_read_header is performed, which reads the
> whole header of the input file, arriving at GUID_ASF_STREAM_PROPERTIES
> and then at CODEC_TYPE_AUDIO.
> Here we have the arbitrary reading of the data from the ASF file into the
> wavex buffer of 1024*2 bytes using the 32 bit number called total_size
> provided by the same file as the amount of data to read.
> No checks are made on total_size so it is possible to cause a heap overflow.
>
> The following is the piece of code containing the bug:
>
>           ...
>           total_size = get_le32(this);
>           stream_data_size = get_le32(this);
>           stream_id = get_le16(this); /* stream id */
>           get_le32(this);
>
>           if (type == CODEC_TYPE_AUDIO) {
>             ext_uint8_t buffer[6];
>
>             readBuf (this, (ext_uint8_t *) this->wavex, total_size);
>           ...
>
> I await your reply.
>
>
> BYEZ
>
>
> ---
> Luigi Auriemma
> http://aluigi.org
> http://mirror.aluigi.org
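The defect described in the report is a file-supplied length used to fill a fixed-size buffer without comparison against that buffer. The block below is an added example, not libextractor's or xine's code, showing the fix-side check: a constructed stand-in for demux_asf_t with the 1024*2-byte wavex buffer, the get_le32/get_le16/readBuf helpers reimplemented over an in-memory input, and a stream-properties parse that rejects any total_size larger than the destination before copying. The value of CODEC_TYPE_AUDIO, the readers' behaviour on short input, and the demo_parse harness are assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed stand-in for the part of demux_asf_t the report mentions:
 * an in-memory input plus the fixed 1024*2-byte wavex buffer. */
#define WAVEX_SIZE (1024 * 2)
#define CODEC_TYPE_AUDIO 1   /* assumed value; only the comparison matters */

typedef struct {
    const uint8_t *data;     /* constructed input file contents */
    size_t len;
    size_t pos;
    uint8_t wavex[WAVEX_SIZE];
} demux_asf_t;

/* Reimplemented little-endian readers (assumption: short input yields 0
 * and exhausts the stream; the original's short-read behaviour is not on
 * the page). */
static uint32_t get_le32(demux_asf_t *this) {
    if (this->len - this->pos < 4) { this->pos = this->len; return 0; }
    const uint8_t *p = this->data + this->pos;
    this->pos += 4;
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static uint16_t get_le16(demux_asf_t *this) {
    if (this->len - this->pos < 2) { this->pos = this->len; return 0; }
    const uint8_t *p = this->data + this->pos;
    this->pos += 2;
    return (uint16_t)(p[0] | (p[1] << 8));
}

/* Copies at most `size` bytes from the input; returns the count copied.
 * The caller must already have ensured `buf` holds `size` bytes. */
static size_t readBuf(demux_asf_t *this, uint8_t *buf, size_t size) {
    size_t avail = this->len - this->pos;
    size_t n = size < avail ? size : avail;
    memcpy(buf, this->data + this->pos, n);
    this->pos += n;
    return n;
}

/* Hardened stream-properties parse: the file-supplied total_size is
 * compared against the destination buffer before any copy happens.
 * Returns 0 on success, -1 if the length is oversized or the input is
 * truncated. */
int asf_read_audio_stream_props(demux_asf_t *this, int type) {
    uint32_t total_size = get_le32(this);
    uint32_t stream_data_size = get_le32(this);
    uint16_t stream_id = get_le16(this);   /* stream id */
    (void)get_le32(this);                  /* reserved */
    (void)stream_data_size;
    (void)stream_id;

    if (type == CODEC_TYPE_AUDIO) {
        if (total_size > sizeof this->wavex)
            return -1;   /* would overflow wavex: reject the file */
        if (readBuf(this, this->wavex, total_size) != total_size)
            return -1;   /* file shorter than its own length field */
    }
    return 0;
}

static void put_le32(uint8_t *p, uint32_t v) {
    p[0] = v & 0xff; p[1] = (v >> 8) & 0xff;
    p[2] = (v >> 16) & 0xff; p[3] = v >> 24;
}

/* Hypothetical harness: builds a constructed 14-byte properties tail
 * (total_size, stream_data_size, stream_id, reserved) plus `payload_len`
 * filler bytes and parses it as an audio stream. */
int demo_parse(uint32_t total_size, size_t payload_len) {
    uint8_t buf[14 + WAVEX_SIZE];
    demux_asf_t this;
    if (payload_len > WAVEX_SIZE) return -2;
    put_le32(buf, total_size);
    put_le32(buf + 4, (uint32_t)payload_len);
    buf[8] = 1; buf[9] = 0;        /* stream_id = 1 */
    put_le32(buf + 10, 0);
    memset(buf + 14, 0xAB, payload_len);
    memset(&this, 0, sizeof this);
    this.data = buf;
    this.len = 14 + payload_len;
    return asf_read_audio_stream_props(&this, CODEC_TYPE_AUDIO);
}

int main(void) {
    printf("18-byte payload, total_size 18: %d\n", demo_parse(18, 18));
    printf("total_size 0xffffffff: %d\n", demo_parse(0xffffffffu, 16));
    return 0;
}
```

The check sits before the copy rather than inside readBuf, because readBuf has no way of knowing the destination's capacity; clamping to the available input alone would still let a total_size of 0xffffffff copy everything that follows the header into the 2048-byte buffer.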
Comment 1 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-05-16 23:36:01 UTC
Marcin, please advise and patch as necessary, as this is still semi-public.
Comment 2 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-05-18 08:38:38 UTC
Opening as this is now public. net-p2p please advise.
Comment 3 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-05-18 08:38:45 UTC
*** Bug 133664 has been marked as a duplicate of this bug. ***
Comment 4 Jon Hood (RETIRED) gentoo-dev 2006-05-18 08:58:04 UTC
libextractor 0.5.9 is currently stable on sparc and x86, and it is vulnerable to the reported issue. 0.5.14 is now in portage with the fixes from gnunet that fix this issue. Sparc and x86 will need to mark this stable.
Comment 5 Stefan Cornelius (RETIRED) gentoo-dev 2006-05-18 09:09:55 UTC
sparc and x86 please do your magic for 0.5.14, thanks
Comment 6 Joshua Jackson (RETIRED) gentoo-dev 2006-05-18 22:00:12 UTC
x86 is done (^.^)
Comment 7 Gustavo Zacarias (RETIRED) gentoo-dev 2006-05-19 06:42:40 UTC
sparc stable.
Comment 8 Stefan Cornelius (RETIRED) gentoo-dev 2006-05-19 06:48:59 UTC
ready for glsa
Comment 9 Stefan Cornelius (RETIRED) gentoo-dev 2006-05-21 11:07:30 UTC
GLSA 200605-14

Thanks everybody