| Summary: | <media-video/mplayer-1.0_rc2_p20090731 Real RDT Integer Underflow (CVE-2010-2062) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Alex Legler (RETIRED) <a3li> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | normal | CC: | 1i5t5.duncan, media-video |
| Priority: | High | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | http://seclists.org/fulldisclosure/2009/Jul/0418.html | | |
| Whiteboard: | B2 [glsa] | | |
| Package list: | | Runtime testing required: | --- |

Description
Alex Legler (RETIRED)
2009-07-27 17:07:06 UTC
Advisory author suggests a patch similar to the one applied to VLC: diff -Naur stream/realrtsp/real.c stream/realrtsp/real.c.new --- stream/realrtsp/real.c 2009-07-27 01:09:18.000000000 +0100 +++ stream/realrtsp/real.c.new 2009-07-27 01:12:35.000000000 +0100 @@ -386,6 +386,7 @@ return (n <= 0) ? 0 : n; } rmff_dump_pheader(&ph, *buffer); + if (size<12) return 0; size-=12; n=rtsp_read_data(rtsp_session, (*buffer)+12, size); For users stumbling across this, mplayer-1.0_rc2_p20090731 seems to have the fix (the patch line is split in half and offset three lines, but it's there). Since epkginfo indicates that's ~arch across the board, updated ~arch users shouldn't need to worry about this one. The fix is in: ------------------------------------------------------------------------ r29455 | uau | 2009-07-28 18:25:03 +0200 (Di, 28 Jul 2009) | 2 lines stream/realrtsp/real.c: Fix another integer overflow ------------------------------------------------------------------------ r29447 | uau | 2009-07-27 18:53:48 +0200 (Mo, 27 Jul 2009) | 4 lines stream/realrtsp/real.c: Fix integer overflow Pointed-out-by: tixxDZ <tixxdz at gmail dot com> - DZCORE Labs, Algeria Changes: --- stream/realrtsp/real.c (revision 29400) +++ stream/realrtsp/real.c (revision 29455) 
@@ -382,10 +382,14 @@ ph.flags=0; *buffer = xbuffer_ensure_size(*buffer, 12+size); if(rdt_rawdata) { + if (size < 12) + return 0; n=rtsp_read_data(rtsp_session, *buffer, size-12); return (n <= 0) ? 0 : n; } rmff_dump_pheader(&ph, *buffer); + if (size < 12) + return 0; size-=12; n=rtsp_read_data(rtsp_session, (*buffer)+12, size); Arches, please test and mark stable: =media-video/mplayer-1.0_rc2_p20090731 Target keywords : "alpha amd64 hppa ia64 ppc ppc64 sparc x86" *** Bug 279826 has been marked as a duplicate of this bug. *** "cvs up" before testing, since the linguas stuff was badly broken + 02 Aug 2009; <chainsaw@gentoo.org> mplayer-1.0_rc2_p20090731.ebuild: + Marked stable on AMD64 for security bug #279342 filed by Alex Legler + <a3li@gentoo.org>. Tested with fullscreen XV playback of XviD content on a + Radeon X600, dual hex-core Opteron system with USE="3dnow 3dnowext X a52 + aac aalib alsa ass cddb cdio cdparanoia dirac dts dv dvd dvdnav enca + encode faac faad fbcon ftp gif iconv ipv6 jpeg libcaca live lzo mad md5sum + mmx mmxext mng mp2 mp3 nemesi network opengl osdmenu png pnm pulseaudio + quicktime rar real rtc schroedinger sdl shm speex sse sse2 ssse3 theora + tremor truetype unicode v4l2 vorbis x264 xinerama xv xvid xvmc (-altivec) + -bidi -bindist -bl -cpudetection -custom-cflags -custom-cpuopts -debug + -dga -directfb -doc -dvb -dxr3 -esd -ggi -gmplayer -jack -joystick -ladspa + -lirc -nas -nut -openal -oss -pvr -radio -samba (-svga) -teletext -tga + -v4l -vdpau (-vidix) (-win32codecs) -xanim -xscreensaver -zoran". Stable for HPPA. x86 stable ppc64 done ppc stable alpha/ia64/sparc stable GLSA request filed. Unable to find the CVE request, the reply or a CVE for this. Rerequesting. (In reply to comment #14) > Unable to find the CVE request, the reply or a CVE for this. Rerequesting. updated =) Per http://www.openwall.com/lists/oss-security/2011/10/20/15, this should be CVE-2010-2062. 
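Review bot: in the advisory author's suggested patch (the `@@ -386,6 +386,7 @@` hunk), the `if (size<12) return 0;` guard is added only on the path after `rmff_dump_pheader(&ph, *buffer)`, so the branch that ends at `return (n <= 0) ? 0 : n;` just above it is left unchecked. The upstream diff on this page shows that branch calling `rtsp_read_data(rtsp_session, *buffer, size-12)`, which performs the same subtraction. Suggest guarding both paths, as r29455 does, or placing one check ahead of the `if(rdt_rawdata)` branch.

Review bot: in the revision 29400 to 29455 diff (the `@@ -382,10 +382,14 @@` hunk), the same `if (size < 12) return 0;` test is added twice, once inside `if(rdt_rawdata)` and once after `rmff_dump_pheader`, and both sit after `xbuffer_ensure_size(*buffer, 12+size)` has already used `size`. A single check hoisted above the `xbuffer_ensure_size` call would validate the length once, before any use, and remove the duplication. The literal 12 now appears six times in this hunk (`12+size`, `size-12`, `size-=12`, `(*buffer)+12` and the two new tests); a named constant would keep them in step. Since the raw path already returns 0 when `rtsp_read_data` fails, a short comment stating that 0 is also returned for a too-small `size` would make the return contract clear.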
This issue was resolved and addressed in GLSA 201310-13 at http://security.gentoo.org/glsa/glsa-201310-13.xml by GLSA coordinator Sean Amoss (ackle). |