Summary: | media-libs/xine-lib includes vulnerable MiMMS code? (CVE-2006-2200) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Sune Kloppenborg Jeppesen (RETIRED) <jaervosz> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | normal | CC: | flameeyes, media-video, tcort |
Priority: | High | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | B2 [glsa] Falco | ||
Package list: | Runtime testing required: | --- |
Description
Sune Kloppenborg Jeppesen (RETIRED)
2006-07-05 08:15:00 UTC
yes, i confirm there is at least the string_utf16() issue. But i can't find, for example, the first memcpy overflow. See the debian patch in http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=374577 Probably a good idea to CC maintainer. http://xine.cvs.sourceforge.net/xine/xine-lib/src/input/mms.c?r1=1.59&r2=1.60 http://xine.cvs.sourceforge.net/xine/xine-lib/src/input/mmsh.c?r1=1.37&r2=1.38 I handle xine-lib myself, would have been simpler to find if you CCed me :) This is what Matthias Hopf said on xine-devel: -- unfortunately this only made it through after xine-lib 1.1.2 release: There has been a vulnerability report about libmms on [vendor-sec]. (CVE-2006-2200) Please note that the original patch from the Debian maintainer is partially incorrect (it should read memset(dest,0,2*len)), but the memset isn't really necessary and could be nuked anyway. The use of memset in the patch certainly doesn't do any harm, though, and it fixes the potential overflow. Luckily, xine uses libmms in a way that these vulnerabilities cannot be exploited (buffers are large enough), and the xine module even seems to rely on the side effects of the memset of the 'broken' library. I handle xine-lib myself, would have been simpler to find if you CCed me :) This is what Matthias Hopf said on xine-devel: -- unfortunately this only made it through after xine-lib 1.1.2 release: There has been a vulnerability report about libmms on [vendor-sec]. (CVE-2006-2200) Please note that the original patch from the Debian maintainer is partially incorrect (it should read memset(dest,0,2*len)), but the memset isn't really necessary and could be nuked anyway. The use of memset in the patch certainly doesn't do any harm, though, and it fixes the potential overflow. Luckily, xine uses libmms in a way that these vulnerabilities cannot be exploited (buffers are large enough), and the xine module even seems to rely on the side effects of the memset of the 'broken' library. Note that the library sources are included (not an externally linked library). While analyzing the source I found a couple of potential heap overflows, though, which I'm pretty sure that they can be exploited with some effort. They are fixed in CVS. I also attached the according patch. But I'm pretty sure that I overlooked some additional ones. This source is a wormhole. Sorry, Thibaut, but then you maybe coded the glue layer only :-] -- Will prepare a 1.1.2-r2 after lunch, or during lunch. -r2 in less than 24 hours past release, sigh. Thx Diego. I assumed that you were on the media-video alias? I am, I just assign different priorities to them :P Depending on the quantity of new messages sometime i mark all as read on aliases, but never on my own. Anyway, building xine-lib-1.1.2-r2 now. 1.1.2-r2 in portage. Stable marking shouldn't be an issue for most arches, as this version has no big changes since last snapshots (as most of the patches applied before are now merged upstream, and are the important changes in the last month or so). The only problem is with ~sh that is missing ffmpeg dependency, and ia64 that still has 1.1.1 keyworded (vulnerable to other stuff too). Thx for clearing that up Diego. Arches please test and mark stable. ppc stable amd32*2 done. x86 is all happy ^.^;; stable on ppc64 SPARC, the keyword of time immortal. ______________ < alpha stable > -------------- \ ^__^ \ (oo)\_______ (__)\ )\/\ ||----w | || || Stable on hppa. Sorry for the delay. Ready for GLSA GLSA 200607-07 Does not affect current (2008.0) release. Removing release. |