
Bug 238445 (CVE-2008-4201)

Summary: media-libs/faad2 < 2.6.1-r2: heap overflow in the frontend (CVE-2008-4201)
Product: Gentoo Security
Reporter: Alexis Ballier <aballier>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Severity: normal
CC: sound
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: B2 [glsa]
Package list:
Runtime testing required: ---
Attachments: main_overflow.diff (flags: none)

Description Alexis Ballier gentoo-dev 2008-09-23 06:21:09 UTC
While going on the faad2 homepage, I found this:

Security patch: Earlier today I was notified of a possible security flaw in the command line frontend for FAAD2, on a specially constructed file the frontend can cause a heap overflow when reading from a buffer returned by the decoder library. A patch can be found here. Note that this only affects the frontend, not the library. Many thanks to ICST-ERCIS (Peking University) for reporting this issue.

I don't have more info; I think I could just apply the patch in a new revision. Do you have more information about this (like the impact, a POC, etc.)?
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2008-09-23 12:12:37 UTC
Created attachment 166174

Make the thing apply cleanly.
Comment 2 Peter Alfredsen (RETIRED) gentoo-dev 2008-09-23 12:38:38 UTC
+*faad2-2.6.1-r2 (23 Sep 2008)
+  23 Sep 2008; Peter Alfredsen <>
+  +files/faad2-2.6.1-main-overflow.patch, +faad2-2.6.1-r2.ebuild:
+  Security bump w/ patch from bug 238445
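Review bot: the author line `23 Sep 2008; Peter Alfredsen <>` has nothing between the angle brackets; a ChangeLog entry should carry the committer's address there so the change can be attributed, so restore it if it was dropped. The description line also identifies the fix only as "patch from bug 238445"; a few words on what the patch guards against would let the log be read without the tracker.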
Comment 3 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-09-23 22:05:47 UTC
Arches, please test and mark stable media-libs/faad2-2.6.1-r2. Target keywords: "alpha amd64 ~arm hppa ia64 ~mips ppc ppc64 ~sh sparc x86 ~x86-fbsd"
Comment 4 Richard Freeman gentoo-dev 2008-09-24 00:21:19 UTC
amd64 stable
Comment 5 Jeroen Roovers (RETIRED) gentoo-dev 2008-09-24 06:12:10 UTC
Stable for HPPA.
Comment 6 Ferris McCormick (RETIRED) gentoo-dev 2008-09-24 12:15:59 UTC
Sparc stable for -2.6.1-r2.
Comment 7 Robert Buchholz (RETIRED) gentoo-dev 2008-09-24 15:45:09 UTC
CVE-2008-4201:
  Heap-based buffer overflow in the decodeMP4file function
  (frontend/main.c) in FAAD2 before 2.6.1 allows remote attackers to
  cause a denial of service (crash) and possibly execute arbitrary code
  via a crafted MPEG-4 (MP4) file.
Comment 8 Markus Rothe (RETIRED) gentoo-dev 2008-09-24 17:46:20 UTC
ppc64 stable
Comment 9 Raúl Porcel (RETIRED) gentoo-dev 2008-09-25 11:40:07 UTC
alpha/ia64/x86 stable
Comment 10 Tobias Scherbaum (RETIRED) gentoo-dev 2008-10-01 17:49:04 UTC
ppc stable
Comment 11 Tobias Heinlein (RETIRED) gentoo-dev 2008-10-01 21:21:01 UTC
GLSA request filed.
Comment 12 Tobias Heinlein (RETIRED) gentoo-dev 2008-11-10 17:57:41 UTC
GLSA 200811-03, thanks everyone, sorry about the delay.