Drew Yao and Nico Golde reported (public):
Integer overflow in the MP4_ReadBox_rdrf function in libmp4.c for VLC
0.8.6e allows remote attackers to cause a denial of service (crash)
and possibly execute arbitrary code via a crafted MP4 RDRF box that
triggers a heap-based buffer overflow, a different vulnerability than
Drew Yao also reported these, which are SEMI-PUBLIC:
* Integer overflow in MP4 demuxer MP4_ReadBox_padb
* Integer overflow in Real demuxer ReadCodecSpecificData()
* Integer overflow in Cinepak codec
I'm opening this bug restricted. Since the patches are public, i'm rating it SEMI-PUBLIC. I enquired with Drew Yao about the publicity status.
IMHO we can wait until the xine issues from bug 214270 are fixed, and stable a big bump. Alexis, what do you think?
(In reply to comment #1)
> I'm opening this bug restricted. Since the patches are public, i'm rating it
> SEMI-PUBLIC. I enquired with Drew Yao about the publicity status.
hmm damn; I had completely forgot about the mp4's ones for -r1. The other ones have been pushed only very recently.
> IMHO we can wait until the xine issues from bug 214270 are fixed, and stable a
> big bump. Alexis, what do you think?
What I would prefer is waiting for 0.8.6f to be sure we do not forget anything, but as we have the patches, just ping me when you think its time.
(In reply to comment #0)
> * Integer overflow in Cinepak codec
if we choose to patch we mustn't forget:
cinepak: do not access arrays beyond allocated size 0.8.6-bugfix
I heard the release should come out within a week, so we could wait.
Public, as agreed by both Drew and VLC upstream.
0.8.6f is out, I wonder how many of these changes were actually merged (judging from the changelog, not all) and what the xine bug 214270 status is.
(In reply to comment #6)
> 0.8.6f is out, I wonder how many of these changes were actually merged
bumped; all the fixes should be there:
Changes between 0.8.6e and 0.8.6f:
* Really fixed subtitle buffer overflow (CVE-2007-6681)
* Fixed Real RTSP code execution problem (CVE-2008-0073)
* Fixed MP4 integer overflows (CVE-2008-1489)
* Fixed cinepak integer overflow
* The Mozilla plugin registers a usable range of MIME-types on Mac OS X
* Improved VLC's video output behavior on multi-screen setups running Mac OS X
* Fixed crashes in H264 packetizer
* Close MMS access on network timeout
* Fix some problems with AAC decoder & packetizer
Arches, please test and mark stable:
Target keywords : "alpha amd64 ppc release sparc x86"
Stable on alpha.
Fixed in release snapshot.
CVE-2008-1768 covers the last four links of the initial posting (all integer overflows except for CVE-2008-1489).
CVE-2008-1769 covers the issue from comment 3.