Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 261594 (CVE-2009-0586) - <media-libs/gst-plugins-base-0.10.23 gst_vorbis_tag_add_coverart base64 decoding memory corruption (CVE-2009-0586)
Summary: <media-libs/gst-plugins-base-0.10.23 gst_vorbis_tag_add_coverart base64 decod...
Alias: CVE-2009-0586
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High normal (vote)
Assignee: Gentoo Security
Whiteboard: B2 [glsa]
: 262552 (view as bug list)
Depends on: 266986
  Show dependency tree
Reported: 2009-03-07 17:46 UTC by Robert Buchholz (RETIRED)
Modified: 2009-07-12 17:48 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---

gst-plugins-base-0.10.20-CVE-2009-0586.patch (gst-plugins-base-0.10.20-CVE-2009-0586.patch,2.45 KB, patch)
2009-03-07 17:48 UTC, Robert Buchholz (RETIRED)
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Robert Buchholz (RETIRED) gentoo-dev 2009-03-07 17:46:46 UTC
** Please note that this issue is confidential and no information should be
disclosed until it is made public, see "Whiteboard" for a date **

Tomas Hoger of the RedHat Security Response Team discovered that gst-plugins-base since 0.10.20 does not properly allocate memory when performing base64 decoding.
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2009-03-07 17:48:50 UTC
Created attachment 184248 [details, diff]

upstream provided patch
Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2009-03-07 17:50:27 UTC
upstream is going to release a new gstreamer package next thursday. However, it would be preferable to do prestable testing based on the current stable (or a later version) including the patch.
Please attach an ebuild to this bug, do not commit anything to CVS!
Comment 4 Robert Buchholz (RETIRED) gentoo-dev 2009-03-15 14:28:57 UTC
*** Bug 262552 has been marked as a duplicate of this bug. ***
Comment 5 Olivier Crete (RETIRED) gentoo-dev 2009-03-30 04:39:04 UTC
Added gst-plugins-base 0.10.22 ebuild with the patch, if we want it stable, we also want all of its separated plugins as well as gst-plugins-bad 0.10.11 and its separated plugins.
Comment 6 Olivier Crete (RETIRED) gentoo-dev 2009-03-30 04:46:31 UTC
Also, having the new -bad means we also need the new -ugly and -good.. So, if we want the new -base stable, we need to make all the latest gst packages stable.
Comment 7 Olivier Crete (RETIRED) gentoo-dev 2009-05-16 22:21:09 UTC
Adding the stabilization bug as a dependency
Comment 8 Robert Buchholz (RETIRED) gentoo-dev 2009-07-12 17:48:01 UTC
GLSA 200907-11