Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 807622 (CVE-2021-38380, CVE-2021-38381, CVE-2021-38382, CVE-2021-39282, CVE-2021-39283)

Summary: <media-plugins/live-2021.08.24: multiple vulnerabilities (CVE-2021-{38380,38381,38382,39282,39283})
Product: Gentoo Security Reporter: John Helmert III <ajak>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: media-video
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://www.live555.com/liveMedia/public/changelog.txt#[2021.08.09]
Whiteboard: B2 [glsa+]
Package list:
Runtime testing required: ---
Bug Depends on: 829391    
Bug Blocks:    

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-08-10 20:52:56 UTC 
CVE-2021-38380 (http://lists.live555.com/pipermail/live-devel/2021-August/021954.html):

Live555 through 1.08 mishandles huge requests for the same MP3 stream, leading to recursion and s stack-based buffer over-read. An attacker can leverage this to launch a DoS attack.

CVE-2021-38381 (http://lists.live555.com/pipermail/live-devel/2021-August/021961.html):

Live555 through 1.08 does not handle MPEG-1 or 2 files properly. Sending two successive RTSP SETUP commands for the same track causes a Use-After-Free and daemon crash.

CVE-2021-38382 (http://lists.live555.com/pipermail/live-devel/2021-August/021959.html):

Live555 through 1.08 does not handle Matroska and Ogg files properly. Sending two successive RTSP SETUP commands for the same track causes a Use-After-Free and daemon crash.


Fixes seem to be in 2021.08.09, please bump.
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-08-21 02:12:07 UTC 
http://www.live555.com/liveMedia/public/changelog.txt#[2021.08.13]

CVE-2021-39282:

Live555 through 1.08 has a memory leak in AC3AudioStreamParser for AC3 files.

CVE-2021-39283:

liveMedia/FramedSource.cpp in Live555 through 1.08 allows an assertion failure and application exit via multiple SETUP and PLAY commands.

Now need bump to 2021.08.13.
Comment 2 Larry the Git Cow gentoo-dev 2021-10-17 16:08:39 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ce2011ee53967755f627e809477b2435df673621

commit ce2011ee53967755f627e809477b2435df673621
Author:     John Helmert III <ajak@gentoo.org>
AuthorDate: 2021-10-17 16:07:16 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2021-10-17 16:08:23 +0000

    media-plugins/live: add 2021.08.24
    
    Bug: https://bugs.gentoo.org/807622
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 media-plugins/live/Manifest               |   1 +
 media-plugins/live/live-2021.08.24.ebuild | 108 ++++++++++++++++++++++++++++++
 2 files changed, 109 insertions(+)
Comment 3 Hans de Graaff gentoo-dev Security 2023-10-05 12:22:20 UTC 
commit db3c29d2f8eea9f1e6088aa3d5b17de779920929
Author: Matt Turner <mattst88@gentoo.org>
Date:   Sat Nov 12 12:28:53 2022 -0500

    media-plugins/live: Drop old versions
Comment 4 Larry the Git Cow gentoo-dev 2024-07-09 13:09:36 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=f8b1b6a35303555751a0d0e9f7ce20884e9c4145

commit f8b1b6a35303555751a0d0e9f7ce20884e9c4145
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-07-09 13:09:03 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2024-07-09 13:09:28 +0000

    [ GLSA 202407-23 ] LIVE555 Media Server: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/732598
    Bug: https://bugs.gentoo.org/807622
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202407-23.xml | 48 ++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 48 insertions(+)