The function which handles the incoming queries from the clients is affected by a vulnerability which allows an attacker to crash the server remotely using the smallest RTSP query possible to use. This problem is caused by the absence of an instruction for checking if the amount of client's data (reqStrSize) is longer or equal than 8 bytes because the function makes use of unsigned numbers, so "7 - 8" is not -1 but 4294967295, resulting in a crash caused by the reaching of the end of the allocated memory.
http://aluigi.altervista.org/adv/live555x-adv.txt
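
The unsigned wraparound described in the report above, as an added example that is not part of the original report or the live555 source. The 8-byte marker, the function names and the sample requests are constructed assumptions; only `reqStrSize` and the "7 - 8" case come from the advisory text.

```c
#include <limits.h>
#include <stdio.h>
#include <string.h>

#define MARKER     "RTSP/1.0"   /* constructed 8-byte token (assumption) */
#define MARKER_LEN 8u

/* Loop bound computed with no length check, as the advisory describes.
 * With unsigned arithmetic, a 7-byte request gives 7 - 8 == UINT_MAX
 * (4294967295 where unsigned is 32 bits), so a scan bounded by this
 * value walks far past the end of the request buffer. */
unsigned unchecked_bound(unsigned reqStrSize)
{
    return reqStrSize - MARKER_LEN;
}

/* Hardened scan (hypothetical helper): returns the offset of MARKER in
 * req, or -1 if it is absent or the request is shorter than the marker. */
long find_marker(const char *req, unsigned reqStrSize)
{
    if (reqStrSize < MARKER_LEN)            /* the check that was missing */
        return -1;

    unsigned last = reqStrSize - MARKER_LEN;    /* cannot wrap any more */
    for (unsigned i = 0; i <= last; ++i) {
        if (memcmp(req + i, MARKER, MARKER_LEN) == 0)
            return (long)i;
    }
    return -1;
}

int main(void)
{
    /* Constructed sample requests. */
    const char ok[]   = "OPTIONS * RTSP/1.0\r\n";
    const char tiny[] = "A\r\n\r\n";

    printf("unchecked bound for 7 bytes: %u\n", unchecked_bound(7));
    printf("marker offset in full request: %ld\n",
           find_marker(ok, (unsigned)strlen(ok)));
    printf("short request rejected with: %ld\n",
           find_marker(tiny, (unsigned)strlen(tiny)));
    return 0;
}
```
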
According to the advisory, it's fixed in version 2007.11.18. Media-video, please bump as necessary.
media-video please bump.
ok, we really suck here; this was expected to happen:
- We build libs as non-versioned .so's
- If I bump it to 2008.02.08 like that, mplayer & vlc will badly fail if they're not rebuilt; and since the soname hasn't changed, it will not be forced.
- It seems a rebuild is enough
I don't know what'd be the best option there; I'd go for manual .so's versioning
bumped to 2008.02.08. I've added a loosy abi handling; however, for now, if you're upgrading to this version it will have no effect and one will need to rebuild apps like mplayer or vlc or they'll badly fail :(
Would revdep-rebuild find the breakage? People will rebuild VLC these days anyway (bug 211575). Do you want this to go stable then?
(In reply to comment #5)
> Would revdep-rebuild find the breakage?
no, and that's the problem
> Do you want this to go stable then?
If the security issue is serious then that's probably better. Anyway, waiting will probably not change anything and one day we'll have to ask for a new version to go stable...
(In reply to comment #6)
> (In reply to comment #5)
> > Would revdep-rebuild find the breakage?
>
> no, and that's the problem
Hu? A post install message telling the user to do revdep-rebuild --library live.blah.x.so should do it or am I missing something? Don't know if it would make sense to add this message in the GLSA as well. A real problem is that a lot of users don't read post install notices, though, and you can't even blame them, given that a lot of us apparently don't really think about keeping the messages as concise as possible, but quite verbose if not spammy, instead.
(In reply to comment #7)
> revdep-rebuild --library live.blah.x.so
Will not find ABI breakage without soname change.
The postinstall message is good enough for me, so...
Arches, please test and mark stable:
=media-plugins/live-2008.02.08
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 release sparc x86"
x86 stable
ppc64 stable
Stable for HPPA.
alpha/ia64/sparc stable
ppc stable
amd64 stable
Fixed in release snapshot.
This here requires a GLSA vote. I'd go for a NO here.
Remotely crashing a "live" streaming server in such a way is easy, and I vote yes.
voting yes too.
(In reply to comment #3)
> - If I bump it to 2008.02.08 like that, mplayer & vlc will badly fail if
> they're not rebuilt; and since the soname hasn't changed, it will not be
> forced.
True. How about rev-bumping stable and unstable mplayer vlc and others with a >=media-plugins/live-2008.02.08 dep in order to force rebuilding?
Denis.
(In reply to comment #19)
> True. How about rev-bumping stable and unstable mplayer vlc and others with a
> >=media-plugins/live-2008.02.08 dep in order to force rebuilding ?
That would force rebuilding for everyone, even the majority (?) not having USE=live enabled. I think the two are bumped and stabled often enough, but that's the maintainer's call.
(In reply to comment #20)
> (In reply to comment #19)
> > True. How about rev-bumping stable and unstable mplayer vlc and others with a
> > >=media-plugins/live-2008.02.08 dep in order to force rebuilding ?
>
> That would force rebuilding for everyone, even the majority (?) not having
> USE=live enabled. I think the two are bumped and stabled often enough, but
> that's the maintainer's call.
Mm, I'd pass. I tested it and I didn't have any problems with the upgrade for live.
So are we ok for the GLSA? Currently it doesn't mention any revdep-rebuild in the resolution part...
(In reply to comment #22)
> So are we ok for the GLSA? currently it doesn't mention any revdep-rebuild in
> the resolution part...
I'll add an ewarn to the ebuild
GLSA 200803-22