Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 183145 - media-libs/xvid <1.1.3 Avi/H263/MPEG array index vulnerability (CVE-2007-3329)
Summary: media-libs/xvid <1.1.3 Avi/H263/MPEG array index vulnerability (CVE-2007-3329)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High normal (vote)
Assignee: Gentoo Security
URL: http://secunia.com/advisories/25711/
Whiteboard: A2 [glsa+] aetius
Keywords:
: 183786 (view as bug list)
Depends on:
Blocks:
 
Reported: 2007-06-25 13:52 UTC by Matt Drew (RETIRED)
Modified: 2007-08-08 21:58 UTC (History)
4 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Matt Drew (RETIRED) gentoo-dev 2007-06-25 13:52:26 UTC
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3329

The xvid library is vulnerable to some array indexing problems when processing Avi, H.263, or MPEG files.

As of 25 June there's no patch, it may be that the maintainers don't even know about this yet.
Comment 1 Matt Drew (RETIRED) gentoo-dev 2007-06-25 13:55:49 UTC
setting status.
Comment 2 Carsten Lohrke (RETIRED) gentoo-dev 2007-06-27 15:15:21 UTC
head is patched: 

http://cvs.xvid.org/cvs/viewvc.cgi/xvidcore/src/bitstream/mbcoding.c
Comment 3 trefoil 2007-06-28 19:55:15 UTC
xvid-1.1.3 was released today w/this fix
Comment 4 Jakub Moc (RETIRED) gentoo-dev 2007-06-30 23:58:46 UTC
*** Bug 183786 has been marked as a duplicate of this bug. ***
Comment 5 Samuli Suominen (RETIRED) gentoo-dev 2007-07-03 15:27:26 UTC
Bumped but temp. masked for testing. Security, don't do anything yet..

Applications in tree using xvid:

media-tv/xdtv:xvid
media-video/avidemux:xvid
media-video/ffmpeg:xvid 
media-video/gpac:xvid
media-video/mpeg4ip:xvid
media-video/mplayer:xvid
media-video/transcode:xvid

Reporting back here when it's tested and unmasked.
Comment 6 Samuli Suominen (RETIRED) gentoo-dev 2007-07-03 16:09:46 UTC
Text relocation from bug 135326 is still present at version 1.1.3 which is now unmasked, it's NOT a regression to current stable 1.1.0-r3. I've tested mplayer and ffmpeg with multiple video files and they are fine.

Proceed and let arch teams test[1] and stable it.

[1] Would be nice to have input from arch testers about other applications listed in this bug.
Comment 7 Matt Drew (RETIRED) gentoo-dev 2007-07-12 13:17:40 UTC
ok moving to stable.  Arches, please stabilize:

media-libs/xvid-1.1.3

Sorry about the delay.
Comment 8 Gustavo Zacarias (RETIRED) gentoo-dev 2007-07-12 13:46:29 UTC
sparc stable.
Comment 9 Jeroen Roovers (RETIRED) gentoo-dev 2007-07-12 18:07:19 UTC
Stable for HPPA.
Comment 10 Markus Rothe (RETIRED) gentoo-dev 2007-07-12 18:31:54 UTC
ppc64 stable
Comment 11 Raúl Porcel (RETIRED) gentoo-dev 2007-07-12 21:18:34 UTC
alpha/x86 stable
Comment 12 Steve Dibb (RETIRED) gentoo-dev 2007-07-13 00:27:26 UTC
amd64 stable
Comment 13 Raúl Porcel (RETIRED) gentoo-dev 2007-07-13 13:47:59 UTC
ia64 stable, thanks drac for fixing this :)
Comment 14 Tobias Scherbaum (RETIRED) gentoo-dev 2007-07-15 21:17:26 UTC
ppc stable
Comment 15 Matt Drew (RETIRED) gentoo-dev 2007-07-30 10:37:45 UTC
arm folks, any progress?  I'm going ahead with the glsa-request on this, since we're already late.
Comment 16 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-07-30 11:28:00 UTC
arm is not security supported, and the glsa has already been drafted by Dercorny, you may review it, and others drafts too actually :)
Comment 17 Mr. Bones. (RETIRED) gentoo-dev 2007-07-31 21:49:18 UTC
xvid-1.0.2.ebuild:KEYWORDS="~mips"
xvid-1.0.3.ebuild:KEYWORDS="alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"
xvid-1.1.0-r1.ebuild:KEYWORDS="alpha amd64 ~arm hppa ~ia64 ppc ppc64 sparc x86 ~x86-fbsd"
xvid-1.1.0-r3.ebuild:KEYWORDS="alpha amd64 arm ~hppa ia64 ~ppc ppc64 sparc x86 ~x86-fbsd"
xvid-1.1.3.ebuild:KEYWORDS="alpha amd64 arm hppa ia64 ppc ppc64 sparc x86 ~x86-fbsd"

Looks done to me except for ~mips at xvid-1.0.2
Comment 18 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-08-08 21:58:55 UTC
GLSA 200708-02, thanks everybody.