Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 261594 (CVE-2009-0586) - <media-libs/gst-plugins-base-0.10.23 gst_vorbis_tag_add_coverart base64 decoding memory corruption (CVE-2009-0586)
Summary: <media-libs/gst-plugins-base-0.10.23 gst_vorbis_tag_add_coverart base64 decod...
Status: RESOLVED FIXED
Alias: CVE-2009-0586
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High normal
Assignee: Gentoo Security
URL: http://www.ocert.org/advisories/ocert...
Whiteboard: B2 [glsa]
Keywords:
: 262552 (view as bug list)
Depends on: 266986
Blocks:
  Show dependency tree
 
Reported: 2009-03-07 17:46 UTC by Robert Buchholz (RETIRED)
Modified: 2009-07-12 17:48 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
gst-plugins-base-0.10.20-CVE-2009-0586.patch (gst-plugins-base-0.10.20-CVE-2009-0586.patch,2.45 KB, patch)
2009-03-07 17:48 UTC, Robert Buchholz (RETIRED) 		no flags Details | Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Robert Buchholz (RETIRED) gentoo-dev 2009-03-07 17:46:46 UTC 
** Please note that this issue is confidential and no information should be
disclosed until it is made public, see "Whiteboard" for a date **

Tomas Hoger of the RedHat Security Response Team discovered that gst-plugins-base since 0.10.20 does not properly allocate memory when performing base64 decoding.
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2009-03-07 17:48:50 UTC 
Created attachment 184248 [details, diff]
gst-plugins-base-0.10.20-CVE-2009-0586.patch

upstream provided patch
Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2009-03-07 17:50:27 UTC 
upstream is going to release a new gstreamer package next thursday. However, it would be preferable to do prestable testing based on the current stable (or a later version) including the patch.
Please attach an ebuild to this bug, do not commit anything to CVS!
Comment 4 Robert Buchholz (RETIRED) gentoo-dev 2009-03-15 14:28:57 UTC 
*** Bug 262552 has been marked as a duplicate of this bug. ***
Comment 5 Olivier Crete (RETIRED) gentoo-dev 2009-03-30 04:39:04 UTC 
Added gst-plugins-base 0.10.22 ebuild with the patch, if we want it stable, we also want all of its separated plugins as well as gst-plugins-bad 0.10.11 and its separated plugins.
Comment 6 Olivier Crete (RETIRED) gentoo-dev 2009-03-30 04:46:31 UTC 
Also, having the new -bad means we also need the new -ugly and -good.. So, if we want the new -base stable, we need to make all the latest gst packages stable.
Comment 7 Olivier Crete (RETIRED) gentoo-dev 2009-05-16 22:21:09 UTC 
Adding the stabilization bug as a dependency
Comment 8 Robert Buchholz (RETIRED) gentoo-dev 2009-07-12 17:48:01 UTC 
GLSA 200907-11