
Bug 231834

Summary: <media-plugins/gst-plugins-ffmpeg-0.10.5 FFmpeg psxstr.c Buffer overflow (CVE-2008-3162)
Product: Gentoo Security
Reporter: Robert Buchholz (RETIRED) <rbu>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: gnome, gstreamer, loki_val
Priority: High
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: B2 [glsa]
Package list:
Runtime testing required: ---
Bug Depends on: 231831, 245291
Bug Blocks:
Attachments (description; flags):
gst-plugins-ffmpeg-0.10.1-r1-CVE-2008-3162.patch; none

Description Robert Buchholz (RETIRED) gentoo-dev 2008-07-15 03:21:11 UTC
media-plugins/gst-plugins-ffmpeg ships a copy of ffmpeg, and builds that statically. Is it generally possible to have it link to a system-provided version?


+++ This bug was initially created as a clone of Bug #231831 +++

CVE-2008-3162 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-3162):
  Stack-based buffer overflow in the str_read_packet function in
  libavformat/psxstr.c in FFmpeg before r13993 allows remote attackers to cause
  a denial of service (application crash) or execute arbitrary code via a
  crafted STR file that interleaves audio and video sectors.
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2008-07-15 03:22:03 UTC
Created attachment 160413
gst-plugins-ffmpeg-0.10.1-r1-CVE-2008-3162.patch
Comment 2 Mart Raudsepp gentoo-dev 2008-07-19 20:07:31 UTC
(In reply to comment #0)
> media-plugins/gst-plugins-ffmpeg ships a copy of ffmpeg, and builds that
> statically. Is it generally possible to have it link to a system-provided
> version?

That is not supported by upstream.
Comment 3 Robert Buchholz (RETIRED) gentoo-dev 2008-10-04 18:43:32 UTC
(In reply to comment #2)
> (In reply to comment #0)
> > media-plugins/gst-plugins-ffmpeg ships a copy of ffmpeg, and builds that
> > statically. Is it generally possible to have it link to a system-provided
> > version?
> 
> That is not supported by upstream.

In this case we need to rebase their ffmpeg or patch this issue (you can find a patch in comment 1).
Comment 4 Edward Hervey 2008-12-09 13:40:16 UTC
Why not just use a more recent version of gst-ffmpeg?

0.10.6 ships with r15750
0.10.5 ships with r15004

Any version above (and including) 0.10.5 has this issue fixed.
Comment 5 Samuli Suominen (RETIRED) gentoo-dev 2008-12-20 12:04:30 UTC
Please CC archteams and fix status whiteboard as needed.. not sure if I got it right. Archteams don't seem to realize they are not handling several bugs..
Comment 6 nixnut (RETIRED) gentoo-dev 2008-12-21 14:37:24 UTC
ppc stable
Comment 7 Ferris McCormick (RETIRED) gentoo-dev 2008-12-21 16:14:40 UTC
Sparc stable --- forgot to note it on the bug.
Comment 8 Samuli Suominen (RETIRED) gentoo-dev 2008-12-22 14:34:02 UTC
Security: All archteams are done, and old versions have been removed from tree.
Comment 9 Pierre-Yves Rofes (RETIRED) gentoo-dev 2009-03-20 08:31:22 UTC
GLSA 200903-33