+++ This bug was initially created as a clone of Bug #279340 +++

From $URL:

Function real_get_rdt_chunk() calls rtsp_read_data() to read RDT (Real Data Transport) chunk headers from the network and then parses them. A controlled variable is used to allocate a buffer and is later passed to the rtsp_read_data() function to specify the length of RDT chunk data to read from the network. An integer underflow can be triggered when parsing a malformed RDT header chunk; a remote attacker can exploit it to execute arbitrary code in the context of the application.

Mplayer source file: stream/realrtsp/real.c
Function: int real_get_rdt_chunk(rtsp_t *rtsp_session, char **buffer, int rdt_rawdata)
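Added example, not mplayer's code: a small C model of the size handling described above. The rtsp_read_data() stand-in (model_read_data, with an unsigned length), the 16-bit header layout and the get_rdt_chunk name are assumptions; it shows the size-12 subtraction turning an undersized chunk into an oversized read request, and the guard from the fix rejecting it instead.

```c
/* Added example, not mplayer's code: models the size handling in
 * real_get_rdt_chunk() to show the underflow and what the guard changes. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define RDT_HDR_LEN 12   /* header bytes that precede the chunk payload */

/* Stand-in for rtsp_read_data(). An unsigned read length is assumed, so a
 * negative int passed in becomes a huge count. Returns -1 when the request
 * would overrun the destination, which is where the real bug corrupts memory. */
static int model_read_data(const uint8_t *net, size_t net_len,
                           uint8_t *dst, size_t dst_cap, unsigned int len)
{
    if (len > dst_cap) return -1;
    size_t n = len < net_len ? len : net_len;
    memcpy(dst, net, n);
    return (int)n;
}

/* Models the non-raw path: `size` comes from the chunk header (a 16-bit
 * big-endian field is assumed here), 12+size bytes are allocated, and
 * size-12 payload bytes are read in behind the header copy.
 * Returns bytes read, 0 for a rejected chunk, -1 for an overrun. */
static int get_rdt_chunk(const uint8_t hdr[2], const uint8_t *payload,
                         size_t payload_len, int guarded)
{
    int size = (hdr[0] << 8) | hdr[1];
    size_t cap = RDT_HDR_LEN + (size_t)size;
    uint8_t *buffer = malloc(cap);
    if (!buffer) return -1;
    memcpy(buffer, hdr, 2);                 /* stands in for rmff_dump_pheader() */
    if (guarded && size < RDT_HDR_LEN) {    /* the check added by the fix */
        free(buffer);
        return 0;
    }
    size -= RDT_HDR_LEN;                    /* underflows when size < 12 */
    int n = model_read_data(payload, payload_len, buffer + RDT_HDR_LEN,
                            cap - RDT_HDR_LEN, (unsigned int)size);
    free(buffer);
    return n;
}

/* Constructed inputs: a sane header announcing 20 bytes (8 of payload) and a
 * malformed one announcing only 4, which is less than the 12-byte header. */
static const uint8_t ok_hdr[2]  = { 0x00, 0x14 };
static const uint8_t bad_hdr[2] = { 0x00, 0x04 };
static const uint8_t payload[8] = { 'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H' };
```

With the malformed header the unguarded path asks for (unsigned)(4-12) bytes into a 4-byte remainder, while the guarded path returns 0 before the subtraction happens.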
Advisory author suggests a patch similar to the one applied to VLC: diff -Naur stream/realrtsp/real.c stream/realrtsp/real.c.new --- stream/realrtsp/real.c 2009-07-27 01:09:18.000000000 +0100 +++ stream/realrtsp/real.c.new 2009-07-27 01:12:35.000000000 +0100 @@ -386,6 +386,7 @@ return (n <= 0) ? 0 : n; } rmff_dump_pheader(&ph, *buffer); + if (size<12) return 0; size-=12; n=rtsp_read_data(rtsp_session, (*buffer)+12, size);
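Review bot: the guard `if (size<12) return 0;` is only added on the non-raw path, after rmff_dump_pheader(). The rdt_rawdata branch earlier in the same function performs the same subtraction unguarded (`n=rtsp_read_data(rtsp_session, *buffer, size-12);`), so a chunk with size below 12 still reaches rtsp_read_data() with a wrapped length on that path; the same check is needed before that call as well.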
For users stumbling across this, mplayer-1.0_rc2_p20090731 seems to have the fix (the patch line is split in half and offset three lines, but it's there). Since epkginfo indicates that's ~arch across the board, updated ~arch users shouldn't need to worry about this one.
The fix is in: ------------------------------------------------------------------------ r29455 | uau | 2009-07-28 18:25:03 +0200 (Di, 28 Jul 2009) | 2 lines stream/realrtsp/real.c: Fix another integer overflow ------------------------------------------------------------------------ r29447 | uau | 2009-07-27 18:53:48 +0200 (Mo, 27 Jul 2009) | 4 lines stream/realrtsp/real.c: Fix integer overflow Pointed-out-by: tixxDZ <tixxdz at gmail dot com> - DZCORE Labs, Algeria Changes: --- stream/realrtsp/real.c (revision 29400) +++ stream/realrtsp/real.c (revision 29455) @@ -382,10 +382,14 @@ ph.flags=0; *buffer = xbuffer_ensure_size(*buffer, 12+size); if(rdt_rawdata) { + if (size < 12) + return 0; n=rtsp_read_data(rtsp_session, *buffer, size-12); return (n <= 0) ? 0 : n; } rmff_dump_pheader(&ph, *buffer); + if (size < 12) + return 0; size-=12; n=rtsp_read_data(rtsp_session, (*buffer)+12, size);
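Review bot: both branches are now guarded, but the `if (size < 12) return 0;` check is duplicated and sits after `*buffer = xbuffer_ensure_size(*buffer, 12+size);`, so the buffer is still resized for a chunk that is rejected a line later. Hoisting a single `if (size < 12) return 0;` above the xbuffer_ensure_size() call, ahead of the `if(rdt_rawdata)` split, covers both paths with one check and keeps undersized headers away from the allocator entirely.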
Arches, please test and mark stable: =media-video/mplayer-1.0_rc2_p20090731 Target keywords : "alpha amd64 hppa ia64 ppc ppc64 sparc x86"
*** Bug 279826 has been marked as a duplicate of this bug. ***
"cvs up" before testing, since the linguas stuff was badly broken
+ 02 Aug 2009; <chainsaw@gentoo.org> mplayer-1.0_rc2_p20090731.ebuild: + Marked stable on AMD64 for security bug #279342 filed by Alex Legler + <a3li@gentoo.org>. Tested with fullscreen XV playback of XviD content on a + Radeon X600, dual hex-core Opteron system with USE="3dnow 3dnowext X a52 + aac aalib alsa ass cddb cdio cdparanoia dirac dts dv dvd dvdnav enca + encode faac faad fbcon ftp gif iconv ipv6 jpeg libcaca live lzo mad md5sum + mmx mmxext mng mp2 mp3 nemesi network opengl osdmenu png pnm pulseaudio + quicktime rar real rtc schroedinger sdl shm speex sse sse2 ssse3 theora + tremor truetype unicode v4l2 vorbis x264 xinerama xv xvid xvmc (-altivec) + -bidi -bindist -bl -cpudetection -custom-cflags -custom-cpuopts -debug + -dga -directfb -doc -dvb -dxr3 -esd -ggi -gmplayer -jack -joystick -ladspa + -lirc -nas -nut -openal -oss -pvr -radio -samba (-svga) -teletext -tga + -v4l -vdpau (-vidix) (-win32codecs) -xanim -xscreensaver -zoran".
Stable for HPPA.
x86 stable
ppc64 done
ppc stable
alpha/ia64/sparc stable
GLSA request filed.
Unable to find the CVE request, the reply or a CVE for this. Rerequesting.
(In reply to comment #14) > Unable to find the CVE request, the reply or a CVE for this. Rerequesting. updated =)
Per http://www.openwall.com/lists/oss-security/2011/10/20/15, this should be CVE-2010-2062.
This issue was resolved and addressed in GLSA 201310-13 at http://security.gentoo.org/glsa/glsa-201310-13.xml by GLSA coordinator Sean Amoss (ackle).