Bug 133570

Summary:	media-libs/libextractor Issue in embedded xine code
Product:	Gentoo Security	Reporter:	Sune Kloppenborg Jeppesen (RETIRED) <jaervosz>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	normal	CC:	gentoomail, net-p2p
Priority:	High
Version:	unspecified
Hardware:	All
OS:	Linux
URL:	http://aluigi.altervista.org/adv/libextho-adv.txt
Whiteboard:	B2 [glsa] DerCorny
Package list:		Runtime testing required:	---
Bug Depends on:
Bug Blocks:	133240

Description Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev

2006-05-16 23:33:37 UTC

Got the following slightly edited report on Vendor-Sec. Not sure wether we are affected:

Thanks for letting us know!  Seems like the xine guys fixed this particular 
problem a while back already (that's where the asf code comes from), so no 
need to inform them.  I've fixed the problem in SVN 2827.

Christian

On Sunday 14 May 2006 10:20, Luigi Auriemma wrote:
> Hey,
>
> I want to report a security bug I have found in libextractor, tested
> both 0.5.13 and current SVN.
>
> The bug is a heap overflow in src/plugins/asfextractor.c.
>
> The demux_asf_t structure is allocated when the plugin is called and
> subsequently is performed a call to asf_read_header which reads all the
> header of the input file arriving to GUID_ASF_STREAM_PROPERTIES
> and then to CODEC_TYPE_AUDIO.
> Here we have the arbitrary reading of the data from the ASF file to the
> wavex buffer of 1024*2 bytes using the 32 bit number called total_size
> provided by the same file as amount of data to read.
> No checks are made on total_size so is possible to cause a heap overflow.
>
> The following is the piece of code containing the bug:
>
>           ...
>           total_size = get_le32(this);
>           stream_data_size = get_le32(this);
>           stream_id = get_le16(this); /* stream id */
>           get_le32(this);
>
>           if (type == CODEC_TYPE_AUDIO) {
>             ext_uint8_t buffer[6];
>
>             readBuf (this, (ext_uint8_t *) this->wavex, total_size);
>           ...
>
> I wait your reply.
>
>
> BYEZ
>
>
> ---
> Luigi Auriemma
> http://aluigi.org
> http://mirror.aluigi.org

Comment 1 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev

2006-05-16 23:36:01 UTC

Marcin please advise and patch as necessary. As this is still semi public.

Comment 2 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev

2006-05-18 08:38:38 UTC

Opening as this is now public. net-p2p please advise.

Comment 3 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev

2006-05-18 08:38:45 UTC

*** Bug 133664 has been marked as a duplicate of this bug. ***

Comment 4 Jon Hood (RETIRED) gentoo-dev

2006-05-18 08:58:04 UTC

libextractor 0.5.9 is currently stable on sparc and x86, and it is vulnerable to the reported issue. 0.5.14 is now in portage with the fixes from gnunet that fix this issue. Sparc and x86 will need to mark this stable.

Comment 5 Stefan Cornelius (RETIRED) gentoo-dev

2006-05-18 09:09:55 UTC

sparc and x86 please do your magic for 0.5.14, thanks

Comment 6 Joshua Jackson (RETIRED) gentoo-dev

2006-05-18 22:00:12 UTC

x86 is done (^.^)

Comment 7 Gustavo Zacarias (RETIRED) gentoo-dev

2006-05-19 06:42:40 UTC

sparc stable.

Comment 8 Stefan Cornelius (RETIRED) gentoo-dev

2006-05-19 06:48:59 UTC

ready for glsa

Comment 9 Stefan Cornelius (RETIRED) gentoo-dev

2006-05-21 11:07:30 UTC

GLSA 200605-14

Thanks everybody