Luigi Auriemma discovered
* a buffer overflow in the handle_rtsp_pkt() and other functions via long version strings ("HTTP/1.0") in a server reply,
* buffer overflows in the send_*_request functions via Content-Base values,
* a buffer overflow in get_transport_str_*
Luca and media-video, please advise.
should be removed and fenice as well...
I'll add libnemesi and feng once they are a bit more stable
Luca, I created bug 203536 to keep track of the fenice/feng bugs. I did not notice the name change that had taken place between the versions here. How do you advise we go ahead with the existing nemesi ebuild? For a clean transition, we could introduce libnemesi sooner than you intended. Or mask nemesi until you feel the new libnemesi is ready. I should also check if the nemesi versions in our tree are actually affected.
nemesi is deprecated in itself so it's a good time to clean up the tree.
Let me know when you have masked, removed or updated it.
# Luca Barbato <lu_zero@gentoo.org> (05 Jan 2008)
# Security issues spotted
# Superceeded by feng and libnemesi
# Pending removal
media-video/fenice
media-video/nemesi
(In reply to comment #7)
> # Superceeded by feng and libnemesi
> # Pending removal

Where are feng and libnemesi? mplayer has the nemesi USE flag. It would be nice to explain where one can find them in the masking comments, since they are missing from portage.
libnemesi is currently available as live git from my overlay. Sadly, some issues made us (I'm upstream for it) not release the library, since we focused more on the server. Soonish we'll release and I'll put it in Gentoo.
It's been several months with no activity. However, for those of you who found this bug wondering where the ebuild is, it's in one of the layman overlays.

layman -a lu_zero

That little piece of info was missing in this bug, so I'm putting it here for future reference.
I'm getting an error emerging this:

 * bootstrap with commands: NOCONFIGURE=1 ./autogen.sh
/var/tmp/portage/media-video/libnemesi-git-0.1/temp/environment: line 1577: ./autogen.sh: No such file or directory
the ebuild has to be updated...
Security, these pkgs are no longer in portage tree. Please close this bug the way you want. + 12 Dec 2008; <ssuominen@gentoo.org> package.mask: + Removing nemesi and fenice, masked since 05 Jan 2008 for security issues. + They are also deprecated and replaced by libnemesi and feng.
thanks, closing.