Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 279342

Summary: <media-video/mplayer-1.0_rc2_p20090731 Real RDT Integer Underflow (CVE-2010-2062)
Product: Gentoo Security Reporter: Alex Legler (RETIRED) <a3li>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: 1i5t5.duncan, media-video
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://seclists.org/fulldisclosure/2009/Jul/0418.html
Whiteboard: B2 [glsa]
Package list:
Runtime testing required: ---

Description Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2009-07-27 17:07:06 UTC
+++ This bug was initially created as a clone of Bug #279340 +++

From $URL:

Function real_get_rdt_chunk() calls rtsp_read_data() to read RDT
(Real Data Transport) chunks headers from the network and after that it will
parse them.
A controled variable is used to allocate a buffer and later passed on to the
rtsp_read_data() function in order to specify the length of an RDT chunk
data to read from the network.
An integer underflow can be triggered when parsing a malformed RDT header chunk,
a remote attacker can exploit it to execute arbitrary code in the context of
the application.

Mplayer
Source file:    stream/realrtsp/real.c
function:       int real_get_rdt_chunk(rtsp_t *rtsp_session,
                                      char **buffer,
                                      int rdt_rawdata)
Comment 1 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2009-07-27 17:07:56 UTC
Advisory author suggests a patch similar to the one applied to VLC:

diff -Naur stream/realrtsp/real.c stream/realrtsp/real.c.new
--- stream/realrtsp/real.c      2009-07-27 01:09:18.000000000 +0100
+++ stream/realrtsp/real.c.new  2009-07-27 01:12:35.000000000 +0100
@@ -386,6 +386,7 @@
    return (n <= 0) ? 0 : n;
  }
  rmff_dump_pheader(&ph, *buffer);
+  if (size<12) return 0;
  size-=12;
  n=rtsp_read_data(rtsp_session, (*buffer)+12, size);
Comment 2 Duncan 2009-08-02 17:22:29 UTC
For users stumbling across this, mplayer-1.0_rc2_p20090731 seems to have the fix (the patch line is split in half and offset three lines, but it's there).  Since epkginfo indicates that's ~arch across the board, updated ~arch users shouldn't need to worry about this one.
Comment 3 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2009-08-02 17:43:16 UTC
The fix is in:

------------------------------------------------------------------------
r29455 | uau | 2009-07-28 18:25:03 +0200 (Di, 28 Jul 2009) | 2 lines
stream/realrtsp/real.c: Fix another integer overflow
------------------------------------------------------------------------
r29447 | uau | 2009-07-27 18:53:48 +0200 (Mo, 27 Jul 2009) | 4 lines
stream/realrtsp/real.c: Fix integer overflow
Pointed-out-by: tixxDZ <tixxdz at gmail dot com> - DZCORE Labs, Algeria

Changes:
--- stream/realrtsp/real.c	(revision 29400)
+++ stream/realrtsp/real.c	(revision 29455)
@@ -382,10 +382,14 @@
     ph.flags=0;
   *buffer = xbuffer_ensure_size(*buffer, 12+size);
   if(rdt_rawdata) {
+      if (size < 12)
+          return 0;
     n=rtsp_read_data(rtsp_session, *buffer, size-12);
     return (n <= 0) ? 0 : n;
   }
   rmff_dump_pheader(&ph, *buffer);
+  if (size < 12)
+      return 0;
   size-=12;
   n=rtsp_read_data(rtsp_session, (*buffer)+12, size);
Comment 4 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2009-08-02 17:52:08 UTC
Arches, please test and mark stable:
=media-video/mplayer-1.0_rc2_p20090731
Target keywords : "alpha amd64 hppa ia64 ppc ppc64 sparc x86"
Comment 5 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2009-08-02 17:53:05 UTC
*** Bug 279826 has been marked as a duplicate of this bug. ***
Comment 6 Samuli Suominen gentoo-dev 2009-08-02 17:54:26 UTC
"cvs up" before testing, since the linguas stuff was badly broken
Comment 7 Tony Vroon gentoo-dev 2009-08-02 20:51:41 UTC
+  02 Aug 2009; <chainsaw@gentoo.org> mplayer-1.0_rc2_p20090731.ebuild:
+  Marked stable on AMD64 for security bug #279342 filed by Alex Legler
+  <a3li@gentoo.org>. Tested with fullscreen XV playback of XviD content on a
+  Radeon X600, dual hex-core Opteron system with USE="3dnow 3dnowext X a52
+  aac aalib alsa ass cddb cdio cdparanoia dirac dts dv dvd dvdnav enca
+  encode faac faad fbcon ftp gif iconv ipv6 jpeg libcaca live lzo mad md5sum
+  mmx mmxext mng mp2 mp3 nemesi network opengl osdmenu png pnm pulseaudio
+  quicktime rar real rtc schroedinger sdl shm speex sse sse2 ssse3 theora
+  tremor truetype unicode v4l2 vorbis x264 xinerama xv xvid xvmc (-altivec)
+  -bidi -bindist -bl -cpudetection -custom-cflags -custom-cpuopts -debug
+  -dga -directfb -doc -dvb -dxr3 -esd -ggi -gmplayer -jack -joystick -ladspa
+  -lirc -nas -nut -openal -oss -pvr -radio -samba (-svga) -teletext -tga
+  -v4l -vdpau (-vidix) (-win32codecs) -xanim -xscreensaver -zoran".
Comment 8 Jeroen Roovers gentoo-dev 2009-08-03 03:55:34 UTC
Stable for HPPA.
Comment 9 Markus Meier gentoo-dev 2009-08-03 20:46:17 UTC
x86 stable
Comment 10 Brent Baude (RETIRED) gentoo-dev 2009-08-08 14:59:34 UTC
ppc64 done
Comment 11 nixnut (RETIRED) gentoo-dev 2009-08-09 14:32:57 UTC
ppc stable
Comment 12 Raúl Porcel (RETIRED) gentoo-dev 2009-08-09 16:48:14 UTC
alpha/ia64/sparc stable
Comment 13 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2009-08-19 10:59:56 UTC
GLSA request filed.
Comment 14 Tim Sammut (RETIRED) gentoo-dev 2011-10-19 03:24:21 UTC
Unable to find the CVE request, the reply or a CVE for this. Rerequesting.
Comment 15 Agostino Sarubbo gentoo-dev 2011-10-20 16:33:31 UTC
(In reply to comment #14)
> Unable to find the CVE request, the reply or a CVE for this. Rerequesting.

updated =)
Comment 16 Tim Sammut (RETIRED) gentoo-dev 2011-10-21 20:59:01 UTC
Per http://www.openwall.com/lists/oss-security/2011/10/20/15, this should be CVE-2010-2062.
Comment 17 GLSAMaker/CVETool Bot gentoo-dev 2013-10-25 19:17:03 UTC
This issue was resolved and addressed in
 GLSA 201310-13 at http://security.gentoo.org/glsa/glsa-201310-13.xml
by GLSA coordinator Sean Amoss (ackle).