Bug 204065 (CVE-2007-6036) - media-plugins/live < 2008.02.08 remote crash via rtsp query (CVE-2007-6036)
Summary: media-plugins/live < 2008.02.08 remote crash via rtsp query (CVE-2007-6036)
Status: RESOLVED FIXED
Alias: CVE-2007-6036
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High minor
Assignee: Gentoo Security
URL: http://aluigi.altervista.org/adv/live...
Whiteboard: B3 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2008-01-02 15:11 UTC by Carsten Lohrke (RETIRED)
Modified: 2011-10-20 05:02 UTC (History)
Description Carsten Lohrke (RETIRED) gentoo-dev 2008-01-02 15:11:26 UTC
The function which handles the incoming queries from the clients is
affected by a vulnerability which allows an attacker to crash the
server remotely using the smallest RTSP query possible to use.

This problem is caused by the absence of an instruction for checking if
the amount of client's data (reqStrSize) is longer or equal than 8
bytes because the function makes use of unsigned numbers, so "7 - 8" is
not -1 but 4294967295, resulting in a crash caused by the reaching of
the end of the allocated memory.

http://aluigi.altervista.org/adv/live555x-adv.txt
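
The wraparound described in the report above, as an added C example (not code from the advisory or from the live555 source): an unchecked `reqStrSize - 8` loop bound beside a scanner that rejects short requests first. The function names, the 8-byte token "RTSP/1.0" and the sample requests are constructed for illustration.

```c
#include <limits.h>
#include <stdio.h>
#include <string.h>

#define TOKEN_LEN 8u /* the "8 bytes" from the report; the token bytes are assumed */

/* Bound a loop such as `for (i = 0; i < reqStrSize - 8; ++i)` would use.
 * The subtraction is done in unsigned arithmetic, so 7 - 8 wraps to
 * UINT_MAX (4294967295 where unsigned is 32 bits) instead of -1. */
unsigned unchecked_scan_limit(unsigned reqStrSize)
{
    return reqStrSize - TOKEN_LEN;
}

/* Hardened scan: returns the offset of the 8-byte token, or -1.
 * The length check runs before any subtraction, so the loop bound can
 * never wrap and every memcmp stays inside the request buffer. */
long find_token_checked(const char *req, unsigned reqStrSize, const char *token)
{
    if (reqStrSize < TOKEN_LEN)
        return -1; /* too short to contain the token: reject */

    for (unsigned i = 0; i <= reqStrSize - TOKEN_LEN; ++i) {
        if (memcmp(req + i, token, TOKEN_LEN) == 0)
            return (long)i;
    }
    return -1;
}

int main(void)
{
    const char *shortReq = "OPTIONS";             /* constructed, 7 bytes */
    const char *okReq = "GET x RTSP/1.0\r\n";     /* constructed, 16 bytes */

    printf("unchecked bound for 7 bytes: %u\n",
           unchecked_scan_limit((unsigned)strlen(shortReq)));
    printf("checked scan, 7 bytes: %ld\n",
           find_token_checked(shortReq, (unsigned)strlen(shortReq), "RTSP/1.0"));
    printf("checked scan, 16 bytes: %ld\n",
           find_token_checked(okReq, (unsigned)strlen(okReq), "RTSP/1.0"));
    return 0;
}
```
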
Comment 1 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-02-06 22:28:18 UTC
According to the advisory, it's fixed in version 2007.11.18. Media-video, please bump as necessary.
Comment 2 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2008-02-26 20:52:48 UTC
media-video please bump.
Comment 3 Alexis Ballier gentoo-dev 2008-02-29 11:59:40 UTC
ok, we really suck here; this was expected to happen:
- We build libs as non versioned .so's
- If I bump it to 2008.02.08 like that, mplayer & vlc will badly fail if they're not rebuilt; and since the soname hasn't changed, it will not be forced.
- It seems a rebuild is enough

I don't know what'd be the best option there; I'd go for manual .so's versioning
Comment 4 Alexis Ballier gentoo-dev 2008-02-29 20:21:29 UTC
bumped to 2008.02.08.


I've added a loosy abi handling; however, for now, if you're upgrading to this version it will have no effect and one will need to rebuild apps like mplayer or vlc or they'll badly fail :(
Comment 5 Robert Buchholz (RETIRED) gentoo-dev 2008-03-01 16:36:47 UTC
Would revdep-rebuild find the breakage? 
People will rebuild VLC these days anyway (bug 211575).

Do you want this to go stable then?
Comment 6 Alexis Ballier gentoo-dev 2008-03-01 16:46:24 UTC
(In reply to comment #5)
> Would revdep-rebuild find the breakage? 

no, and that's the problem

> Do you want this to go stable then?


If the security issue is serious then that's probably better.
Anyway, waiting will probably not change anything and one day we'll have to ask for a new version to go stable...

Comment 7 Carsten Lohrke (RETIRED) gentoo-dev 2008-03-01 17:25:06 UTC
(In reply to comment #6)
> (In reply to comment #5)
> > Would revdep-rebuild find the breakage? 
> 
> no, and that's the problem

Hu? A post install message telling the user to do 

revdep-rebuild --library live.blah.x.so

should do it or am I missing something? Don't know if it would make sense to add this message in the GLSA as well.

A real problem is that a lot of users don't read post install notices, though, and you can't even blame them, given that a lot of us apparently don't really think about keeping the messages as concise as possible, but quite verbose if not spammy, instead.
Comment 8 Robert Buchholz (RETIRED) gentoo-dev 2008-03-02 11:24:27 UTC
(In reply to comment #7)
> revdep-rebuild --library live.blah.x.so

Will not find ABI breakage without soname change. The postinstall message is good enough for me, so...

Arches, please test and mark stable:
=media-plugins/live-2008.02.08
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 release sparc x86"
Comment 9 Markus Meier gentoo-dev 2008-03-02 14:57:09 UTC
x86 stable
Comment 10 Markus Rothe (RETIRED) gentoo-dev 2008-03-02 20:29:58 UTC
ppc64 stable
Comment 11 Jeroen Roovers (RETIRED) gentoo-dev 2008-03-03 01:28:21 UTC
Stable for HPPA.
Comment 12 Raúl Porcel (RETIRED) gentoo-dev 2008-03-04 10:48:33 UTC
alpha/ia64/sparc stable
Comment 13 Tobias Scherbaum (RETIRED) gentoo-dev 2008-03-04 21:01:06 UTC
ppc stable
Comment 14 Steve Dibb (RETIRED) gentoo-dev 2008-03-06 14:17:47 UTC
amd64 stable
Comment 15 Peter Volkov (RETIRED) gentoo-dev 2008-03-06 18:18:06 UTC
Fixed in release snapshot.
Comment 16 Robert Buchholz (RETIRED) gentoo-dev 2008-03-08 17:02:59 UTC
This here requires a GLSA vote.
I'd go for a NO here.
Comment 17 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2008-03-09 17:42:48 UTC
remotely crashing a "live" streaming server in such a way is easy, and I vote yes.
Comment 18 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-03-11 12:17:42 UTC
voting yes too.
Comment 19 Denis Dupeyron (RETIRED) gentoo-dev 2008-03-11 14:29:34 UTC
(In reply to comment #3)
> - If I bump it to 2008.02.08 like that, mplayer & vlc will badly fail if
> they're not rebuilt; and since the soname hasn't changed, it will not be
> forced.

True. How about rev-bumping stable and unstable mplayer vlc and others with a >=media-plugins/live-2008.02.08 dep in order to force rebuilding ?

Denis.
Comment 20 Robert Buchholz (RETIRED) gentoo-dev 2008-03-12 02:21:04 UTC
(In reply to comment #19)
> True. How about rev-bumping stable and unstable mplayer vlc and others with a
> >=media-plugins/live-2008.02.08 dep in order to force rebuilding ?

That would force rebuilding for everyone, even the majority (?) not having USE=live enabled. I think the two are bumped and stabled often enough, but that's the maintainer's call.
Comment 21 Steve Dibb (RETIRED) gentoo-dev 2008-03-12 14:44:32 UTC
(In reply to comment #20)
> (In reply to comment #19)
> > True. How about rev-bumping stable and unstable mplayer vlc and others with a
> > >=media-plugins/live-2008.02.08 dep in order to force rebuilding ?
> 
> That would force rebuilding for everyone, even the majority (?) not having
> USE=live enabled. I think the two are bumped and stabled often enough, but
> that's the maintainer's call.
> 

Mm, I'd pass.  I tested it and I didn't have any problems with the upgrade for live.
Comment 22 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-03-12 21:25:48 UTC
So are we ok for the GLSA? currently it doesn't mention any revdep-rebuild in the resolution part...
Comment 23 Steve Dibb (RETIRED) gentoo-dev 2008-03-12 21:30:02 UTC
(In reply to comment #22)
> So are we ok for the GLSA? currently it doesn't mention any revdep-rebuild in
> the resolution part...
> 

I'll add an ewarn to the ebuild
Comment 24 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-03-13 22:37:23 UTC
GLSA 200803-22