Bug 271786 - <media-libs/xvid-1.2.2: Arbitrary code execution, other impact (CVE-2009-{0893,0894})
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
URL: http://www.xvid.org/Downloads.43.0.html
Whiteboard: B2 [noglsa]
Blocks: 211652 222477 231805
Reported: 2009-05-29 16:01 UTC by Robert Buchholz (RETIRED)
Modified: 2014-05-31 20:45 UTC
Description Robert Buchholz (RETIRED) gentoo-dev 2009-05-29 16:01:33 UTC
Xvid 1.2.2 stable release

This release is Xvid 1.2.2 bugfix release. It is API compatible with the previous 1.2.1 stable release. This release contains important, security-related fixes. Update is highly recommended.
Changes since 1.2.1:
xvidcore library 

    * Workaround for nasm bug with Mach-O/OSX target
    * Fix for missing resync marker range check (reported by IBM X-Force. Thanks go to John McDonald and Christopher Valasek)
    * Improved precision for RGB<->YUV conversions
    * Fix for potential RGB24 access violation
    * Updated compiler options for Apple PPC target
    * Fixed MSVC6 projects to work for path names with spaces
...
DShow frontend

    * Bugfix for wrong handling of xvidcore XVID_ERR_MEMORY return code (reported by IBM X-Force. Thanks to John McDonald and Mark Dowd)
Comment 2 Samuli Suominen (RETIRED) gentoo-dev 2009-05-29 16:45:18 UTC
*xvid-1.2.2 (29 May 2009)

  29 May 2009; Samuli Suominen <ssuominen@gentoo.org> +xvid-1.2.2.ebuild:
  Version bump for security #271786, thanks to Robert Buchholz.
Comment 3 Samuli Suominen (RETIRED) gentoo-dev 2009-05-29 17:21:36 UTC
(In reply to comment #2)
> *xvid-1.2.2 (29 May 2009)
> 
>   29 May 2009; Samuli Suominen <ssuominen@gentoo.org> +xvid-1.2.2.ebuild:
>   Version bump for security #271786, thanks to Robert Buchholz.
> 

Sorry, I've fixed execstacks as well. 

*xvid-1.2.2-r1 (29 May 2009)

  29 May 2009; Samuli Suominen <ssuominen@gentoo.org> -xvid-1.2.1.ebuild,
  -xvid-1.2.2.ebuild, +xvid-1.2.2-r1.ebuild,
  +files/xvid-1.2.2-no_execstacks.patch:
  Fix execstacks wrt #258804, thanks to en.ABCD at gmail.org.

Test this instead.
Comment 4 Robert Buchholz (RETIRED) gentoo-dev 2009-05-29 17:47:40 UTC
Arches, please test and mark stable:
=media-libs/xvid-1.2.2-r1
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"
Comment 5 Samuli Suominen (RETIRED) gentoo-dev 2009-05-29 20:00:00 UTC
Commented out the no_execstacks patch, it wasn't working properly after all. So, 1.2.2-r1 is basically the same as 1.2.2. As in, vanilla xvid. Please do proceed, reopened bug 258804.
Comment 6 Brent Baude (RETIRED) gentoo-dev 2009-05-30 13:28:05 UTC
ppc64 done
Comment 7 Brent Baude (RETIRED) gentoo-dev 2009-05-30 13:28:12 UTC
ppc done
Comment 8 Jeroen Roovers (RETIRED) gentoo-dev 2009-05-30 16:30:17 UTC
Stable for HPPA.
Comment 9 Markus Meier gentoo-dev 2009-05-31 09:57:15 UTC
amd64/x86 stable
Comment 10 Raúl Porcel (RETIRED) gentoo-dev 2009-06-02 16:03:55 UTC
alpha/arm/ia64/sparc stable
Comment 11 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-06-04 13:52:06 UTC
CVE-2009-0893 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0893):
  Multiple heap-based buffer overflows in xvidcore/src/decoder.c in the
  xvidcore library in Xvid before 1.2.2, as used by Windows Media
  Player and other applications, allow remote attackers to execute
  arbitrary code by providing a crafted macroblock (aka MBlock) number
  in a video stream in a crafted movie file that triggers heap memory
  corruption, related to a "missing resync marker range check" and the
  (1) decoder_iframe, (2) decoder_pframe, and (3) decoder_bframe
  functions.

CVE-2009-0894 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0894):
  Heap-based buffer overflow in the decoder_create function in the
  initialization functionality in xvidcore/src/decoder.c in Xvid before
  1.2.2, as used by Windows Media Player and other applications, allows
  remote attackers to execute arbitrary code via vectors involving the
  DirectShow (aka DShow) frontend and improper handling of the
  XVID_ERR_MEMORY return code during processing of a crafted movie
  file. NOTE: some of these details are obtained from third party
  information.
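
The kind of range check CVE-2009-0893 describes as missing, together with the return-code handling at issue in CVE-2009-0894, sketched as an added example (not Xvid's code and not part of this bug report). The `toy_*` names, the structure and the error constants are hypothetical, and the inputs in `main` are constructed.

```c
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical, simplified decoder state; not Xvid's real structures. */
enum { TOY_OK = 0, TOY_ERR_MEMORY = -1, TOY_ERR_RANGE = -2 };

typedef struct {
    uint32_t mb_count;  /* macroblocks per frame = mb_width * mb_height */
    uint8_t *mb_seen;   /* heap array, one entry per macroblock */
} toy_decoder;

/* Allocate per-macroblock state; the caller must act on the return code. */
int toy_create(toy_decoder *d, uint32_t mb_width, uint32_t mb_height) {
    d->mb_count = 0;
    d->mb_seen = NULL;
    if (mb_width == 0 || mb_height == 0 || mb_width > UINT32_MAX / mb_height)
        return TOY_ERR_RANGE;               /* size would be 0 or overflow */
    d->mb_seen = calloc((size_t)mb_width * mb_height, 1);
    if (d->mb_seen == NULL)
        return TOY_ERR_MEMORY;
    d->mb_count = mb_width * mb_height;
    return TOY_OK;
}

/* mb_num comes from a resync marker in the stream, so it is untrusted. */
int toy_resync(toy_decoder *d, uint32_t mb_num) {
    if (mb_num >= d->mb_count)              /* the range check */
        return TOY_ERR_RANGE;
    d->mb_seen[mb_num] = 1;                 /* in bounds by the check above */
    return TOY_OK;
}

/* Frontend path: stop on a failed create instead of decoding into it. */
int toy_decode_packet(uint32_t mb_width, uint32_t mb_height, uint32_t mb_num) {
    toy_decoder d;
    int rc = toy_create(&d, mb_width, mb_height);
    if (rc != TOY_OK)
        return rc;
    rc = toy_resync(&d, mb_num);
    free(d.mb_seen);
    return rc;
}

int main(void) {
    /* Constructed inputs: a 4x3 macroblock frame has valid indices 0..11. */
    return toy_decode_packet(4, 3, 11) == TOY_OK &&
           toy_decode_packet(4, 3, 12) == TOY_ERR_RANGE ? 0 : 1;
}
```
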
Comment 12 Jaak Ristioja 2010-07-23 08:48:41 UTC
<media-libs/xvid-1.2.2-r1 is no longer in portage.
Comment 13 Sean Amoss (RETIRED) gentoo-dev Security 2014-05-31 20:45:58 UTC
This issue has been fixed since Jun 02, 2009. No GLSA will be issued.