Bug 133570

Summary: media-libs/libextractor Issue in embedded xine code
Product: Gentoo Security
Reporter: Sune Kloppenborg Jeppesen (RETIRED) <jaervosz>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: gentoomail, net-p2p
Priority: High
Version: unspecified
Hardware: All
OS: Linux
URL: http://aluigi.altervista.org/adv/libextho-adv.txt
Whiteboard: B2 [glsa] DerCorny
Package list:
Runtime testing required: ---
Bug Depends on:
Bug Blocks: 133240

Description Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-05-16 23:33:37 UTC
Got the following slightly edited report on Vendor-Sec. Not sure whether we are affected:

Thanks for letting us know!  Seems like the xine guys fixed this particular 
problem a while back already (that's where the asf code comes from), so no 
need to inform them.  I've fixed the problem in SVN 2827.

Christian

On Sunday 14 May 2006 10:20, Luigi Auriemma wrote:
> Hey,
>
> I want to report a security bug I have found in libextractor, tested
> both 0.5.13 and current SVN.
>
> The bug is a heap overflow in src/plugins/asfextractor.c.
>
> The demux_asf_t structure is allocated when the plugin is called and
> subsequently a call to asf_read_header is performed, which reads the whole
> header of the input file, arriving at GUID_ASF_STREAM_PROPERTIES
> and then at CODEC_TYPE_AUDIO.
> Here we have the arbitrary reading of the data from the ASF file into the
> wavex buffer of 1024*2 bytes, using the 32-bit number called total_size
> provided by the same file as the amount of data to read.
> No checks are made on total_size, so it is possible to cause a heap overflow.
>
> The following is the piece of code containing the bug:
>
>           ...
>           total_size = get_le32(this);
>           stream_data_size = get_le32(this);
>           stream_id = get_le16(this); /* stream id */
>           get_le32(this);
>
>           if (type == CODEC_TYPE_AUDIO) {
>             ext_uint8_t buffer[6];
>
>             readBuf (this, (ext_uint8_t *) this->wavex, total_size);
>           ...
>
> I await your reply.
>
>
> BYEZ
>
>
> ---
> Luigi Auriemma
> http://aluigi.org
> http://mirror.aluigi.org
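The report above describes a copy whose length (total_size) is taken from the file and never compared against the 1024*2-byte wavex destination. The following is an added example, not libextractor's or xine's own code: it models that parsing step over an in-memory buffer with a hypothetical asf_reader_t state and a read_wavex_checked() helper that performs the bound the report says was missing, plus a build_stream_props() helper that lays out constructed test inputs. Field layout follows the quoted snippet (total_size, stream_data_size, 16-bit stream id, one skipped dword, then payload); everything else is an assumption for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Destination size taken from the report: the plugin's wavex buffer holds 1024*2 bytes. */
#define WAVEX_SIZE (1024 * 2)

/* Hypothetical in-memory stand-in for the plugin's demuxer state (not libextractor's real struct). */
typedef struct {
    const uint8_t *data;        /* whole input file */
    size_t len;                 /* its length */
    size_t pos;                 /* current read offset */
    uint8_t wavex[WAVEX_SIZE];  /* fixed-size destination, as in the report */
} asf_reader_t;

/* Little-endian 32-bit read with a short-read check; returns 0 on success, -1 on failure. */
static int get_le32(asf_reader_t *r, uint32_t *out)
{
    if (r->len - r->pos < 4) return -1;
    const uint8_t *p = r->data + r->pos;
    *out = (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
    r->pos += 4;
    return 0;
}

/* Hardened replacement for the readBuf(this, this->wavex, total_size) step in the
 * quoted snippet: the copy length is bounded by the destination and by the bytes
 * remaining in the file before anything is written. Returns bytes copied or -1. */
int read_wavex_checked(asf_reader_t *r, uint32_t total_size)
{
    if (total_size > sizeof r->wavex) return -1;   /* the check the report says was missing */
    if (total_size > r->len - r->pos) return -1;   /* truncated input */
    memcpy(r->wavex, r->data + r->pos, total_size);
    r->pos += total_size;
    return (int)total_size;
}

/* Walks the same fields as the quoted code: total_size, stream_data_size, a 16-bit
 * stream id, one skipped 32-bit word, then the wavex payload. Returns the number of
 * payload bytes accepted, or -1 if the input is malformed or oversized. */
int parse_audio_stream_props(const uint8_t *buf, size_t len)
{
    asf_reader_t r = { buf, len, 0, { 0 } };
    uint32_t total_size, stream_data_size, skipped;
    if (get_le32(&r, &total_size)) return -1;
    if (get_le32(&r, &stream_data_size)) return -1;
    if (r.len - r.pos < 2) return -1;
    r.pos += 2;                                    /* stream id, unused here */
    if (get_le32(&r, &skipped)) return -1;
    (void)stream_data_size;
    return read_wavex_checked(&r, total_size);
}

/* Builds a constructed test input: the four header fields followed by payload_len
 * filler bytes. Returns the number of bytes written, or 0 if cap is too small. */
size_t build_stream_props(uint8_t *out, size_t cap, uint32_t total_size, size_t payload_len)
{
    const size_t header = 4 + 4 + 2 + 4;
    if (cap < header + payload_len) return 0;
    uint32_t fields[2] = { total_size, 0 };        /* total_size, stream_data_size */
    for (int i = 0; i < 2; i++)
        for (int b = 0; b < 4; b++)
            out[i * 4 + b] = (uint8_t)(fields[i] >> (8 * b));
    out[8] = 1; out[9] = 0;                        /* stream id = 1 */
    memset(out + 10, 0, 4);                        /* skipped dword */
    memset(out + header, 0xAB, payload_len);       /* constructed payload bytes */
    return header + payload_len;
}

int main(void)
{
    static uint8_t file[8192];
    size_t n = build_stream_props(file, sizeof file, 0xFFFFFFFFu, 32);
    printf("total_size=0xFFFFFFFF -> %d\n", parse_audio_stream_props(file, n));
    n = build_stream_props(file, sizeof file, 18, 18);
    printf("total_size=18 -> %d\n", parse_audio_stream_props(file, n));
    return 0;
}
```

The two bounds are deliberately separate: the first rejects any length the destination cannot hold regardless of file size, the second catches files whose declared length exceeds the bytes actually present, so neither a huge total_size nor a truncated file reaches memcpy.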
Comment 1 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-05-16 23:36:01 UTC
Marcin, please advise and patch as necessary, as this is still semi-public.
Comment 2 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-05-18 08:38:38 UTC
Opening as this is now public. net-p2p please advise.
Comment 3 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-05-18 08:38:45 UTC
*** Bug 133664 has been marked as a duplicate of this bug. ***
Comment 4 Jon Hood (RETIRED) gentoo-dev 2006-05-18 08:58:04 UTC
libextractor 0.5.9 is currently stable on sparc and x86, and it is vulnerable to the reported issue. 0.5.14 is now in portage with the fixes from gnunet that fix this issue. Sparc and x86 will need to mark this stable.
Comment 5 Stefan Cornelius (RETIRED) gentoo-dev 2006-05-18 09:09:55 UTC
sparc and x86 please do your magic for 0.5.14, thanks
Comment 6 Joshua Jackson (RETIRED) gentoo-dev 2006-05-18 22:00:12 UTC
x86 is done (^.^)
Comment 7 Gustavo Zacarias (RETIRED) gentoo-dev 2006-05-19 06:42:40 UTC
sparc stable.
Comment 8 Stefan Cornelius (RETIRED) gentoo-dev 2006-05-19 06:48:59 UTC
ready for glsa
Comment 9 Stefan Cornelius (RETIRED) gentoo-dev 2006-05-21 11:07:30 UTC
GLSA 200605-14

Thanks everybody