Got the following slightly edited report on Vendor-Sec. Not sure whether we are affected:

Thanks for letting us know! Seems like the xine guys fixed this particular problem a while back already (that's where the asf code comes from), so no need to inform them. I've fixed the problem in SVN 2827.

Christian

On Sunday 14 May 2006 10:20, Luigi Auriemma wrote:
> Hey,
>
> I want to report a security bug I have found in libextractor, tested
> both 0.5.13 and current SVN.
>
> The bug is a heap overflow in src/plugins/asfextractor.c.
>
> The demux_asf_t structure is allocated when the plugin is called, and
> subsequently a call to asf_read_header is performed, which reads the whole
> header of the input file, arriving at GUID_ASF_STREAM_PROPERTIES
> and then at CODEC_TYPE_AUDIO.
> Here we have the arbitrary reading of the data from the ASF file into the
> wavex buffer of 1024*2 bytes, using the 32-bit number called total_size
> provided by the same file as the amount of data to read.
> No checks are made on total_size, so it is possible to cause a heap overflow.
>
> The following is the piece of code containing the bug:
>
> ...
>     total_size = get_le32(this);
>     stream_data_size = get_le32(this);
>     stream_id = get_le16(this); /* stream id */
>     get_le32(this);
>
>     if (type == CODEC_TYPE_AUDIO) {
>       ext_uint8_t buffer[6];
>
>       readBuf (this, (ext_uint8_t *) this->wavex, total_size);
> ...
>
> I await your reply.
>
>
> BYEZ
>
>
> ---
> Luigi Auriemma
> http://aluigi.org
> http://mirror.aluigi.org
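The unchecked-length pattern from the report, with the bound check it was missing, as an added example written for this thread and not code from libextractor or xine; the reader struct, the get_le32 helper and the two demo payloads are constructed stand-ins, and the other header fields the report quotes are omitted:

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define WAVEX_SIZE (1024 * 2)   /* size of the wavex buffer named in the report */

/* Minimal in-memory reader standing in for the plugin's demux_asf_t (assumed shape). */
typedef struct {
    const uint8_t *data;
    size_t len;
    size_t pos;
    uint8_t wavex[WAVEX_SIZE];
} asf_reader_t;

/* Reads a little-endian 32-bit value; clears *ok if the input is too short. */
static uint32_t get_le32(asf_reader_t *r, int *ok) {
    if (r->pos + 4 > r->len) { *ok = 0; return 0; }
    const uint8_t *p = r->data + r->pos;
    r->pos += 4;
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Bounded copy: the file-supplied total_size is checked against the destination
 * buffer and against the remaining input before anything is copied. */
static int read_wavex_checked(asf_reader_t *r, uint32_t total_size) {
    if (total_size > sizeof r->wavex) return -1;   /* the check the report says was absent */
    if (total_size > r->len - r->pos) return -1;   /* truncated file */
    memcpy(r->wavex, r->data + r->pos, total_size);
    r->pos += total_size;
    return (int)total_size;
}

/* Parses the start of an audio stream-properties payload: total_size, then the
 * copy into wavex. Returns bytes copied, or -1 if total_size is rejected. */
int parse_audio_stream_props(const uint8_t *buf, size_t len) {
    asf_reader_t r = { buf, len, 0, {0} };
    int ok = 1;
    uint32_t total_size = get_le32(&r, &ok);
    if (!ok) return -1;
    return read_wavex_checked(&r, total_size);
}

/* Constructed samples: one payload declares a plausible 18-byte WAVEFORMATEX,
 * the other declares 0xFFFFFFFF bytes and is rejected instead of overrunning wavex. */
int demo_good(void) {
    uint8_t payload[4 + 18] = { 18, 0, 0, 0 };
    return parse_audio_stream_props(payload, sizeof payload);   /* 18 */
}
int demo_oversized(void) {
    uint8_t payload[4 + 18] = { 0xff, 0xff, 0xff, 0xff };
    return parse_audio_stream_props(payload, sizeof payload);   /* -1 */
}
```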
Marcin, please advise and patch as necessary, as this is still semi-public.
Opening as this is now public. net-p2p, please advise.
*** Bug 133664 has been marked as a duplicate of this bug. ***
libextractor 0.5.9 is currently stable on sparc and x86, and it is vulnerable to the reported issue. 0.5.14 is now in portage with the fixes from gnunet that fix this issue. Sparc and x86 will need to mark this stable.
sparc and x86, please do your magic for 0.5.14, thanks.
x86 is done (^.^)
sparc stable.
ready for glsa
GLSA 200605-14. Thanks everybody.