When I try to download a wmv movie from mms://stream4.rbb-online.de/rbb/abendschau/abendschau_20090912_demo_m_16_9_512x288.wmv I get this output:

$ mmsclient mms://stream4.rbb-online.de/rbb/abendschau/abendschau_20090912_demo_m_16_9_512x288.wmv
host : >stream4.rbb-online.de<
path : >rbb/abendschau/abendschau_20090912_demo_m_16_9_512x288.wmv<
file : >/abendschau_20090912_demo_m_16_9_512x288.wmv<
creating output file 'abendschau_20090912_demo_m_16_9_512x288.wmv'
port: 0000db06
socket open
connected
***************************************************
command sent, 236 bytes
start sequence 00000001
command id b00bface
length dc
len8 1c
sequence # 00000000
len8 (II) 1a
dir | comm 00030001
switches 00000000
ascii contents>..NSPlayer/7.0.0.1956; {33715801-BAB3-9D85-24E9-03B90328270A}; Host: stream4.rbb-online.de....
complete hexdump of package follows:
0100 0000 cefa 0bb0 dc00 0000 4d4d 5320
1c00 0000 0000 0000 0000 0000 0000 0000
1a00 0000 0100 0300 0000 0000 0b00 0400
1c00 0300 4e00 5300 5000 6c00 6100 7900
6500 7200 2f00 3700 2e00 3000 2e00 3000
2e00 3100 3900 3500 3600 3b00 2000 7b00
3300 3300 3700 3100 3500 3800 3000 3100
2d00 4200 4100 4200 3300 2d00 3900 4400
3800 3500 2d00 3200 3400 4500 3900 2d00
3000 3300 4200 3900 3000 3300 3200 3800
3200 3700 3000 4100 7d00 3b00 2000 4800
6f00 7300 7400 3a00 2000 7300 7400 7200
6500 6100 6d00 3400 2e00 7200 6200 6200
2d00 6f00 6e00 6c00 6900 6e00 6500 2e00
6400 6500 0000 0100 0000 0000
*** buffer overflow detected ***: mmsclient terminated
======= Backtrace: =========
/lib/libc.so.6(__fortify_fail+0x37)[0x7f1ade5127e7]
/lib/libc.so.6[0x7f1ade5105c0]
/lib/libc.so.6(__read_chk+0x28)[0x7f1ade510b28]
mmsclient[0x401a30]
/lib/libc.so.6(__libc_start_main+0xe6)[0x7f1ade448a26]
mmsclient[0x400bc9]
======= Memory map: ========
00400000-00403000 r-xp 00000000 fe:02 808802546 /usr/bin/mmsclient
00602000-00603000 r--p 00002000 fe:02 808802546 /usr/bin/mmsclient
00603000-00604000 rw-p 00003000 fe:02 808802546 /usr/bin/mmsclient
013c9000-013ea000 rw-p 00000000 00:00 0 [heap]
7f1addbea000-7f1addbff000 r-xp 00000000 fe:02 294821454 /lib64/libgcc_s.so.1
7f1addbff000-7f1adddfe000 ---p 00015000 fe:02 294821454 /lib64/libgcc_s.so.1
7f1adddfe000-7f1adddff000 r--p 00014000 fe:02 294821454 /lib64/libgcc_s.so.1
7f1adddff000-7f1adde00000 rw-p 00015000 fe:02 294821454 /lib64/libgcc_s.so.1
7f1adde00000-7f1adde13000 r-xp 00000000 fe:02 889343555 /lib64/libresolv-2.10.1.so
7f1adde13000-7f1ade013000 ---p 00013000 fe:02 889343555 /lib64/libresolv-2.10.1.so
7f1ade013000-7f1ade014000 r--p 00013000 fe:02 889343555 /lib64/libresolv-2.10.1.so
7f1ade014000-7f1ade015000 rw-p 00014000 fe:02 889343555 /lib64/libresolv-2.10.1.so
7f1ade015000-7f1ade017000 rw-p 00000000 00:00 0
7f1ade017000-7f1ade01c000 r-xp 00000000 fe:02 889343559 /lib64/libnss_dns-2.10.1.so
7f1ade01c000-7f1ade21b000 ---p 00005000 fe:02 889343559 /lib64/libnss_dns-2.10.1.so
7f1ade21b000-7f1ade21c000 r--p 00004000 fe:02 889343559 /lib64/libnss_dns-2.10.1.so
7f1ade21c000-7f1ade21d000 rw-p 00005000 fe:02 889343559 /lib64/libnss_dns-2.10.1.so
7f1ade21d000-7f1ade228000 r-xp 00000000 fe:02 889343561 /lib64/libnss_files-2.10.1.so
7f1ade228000-7f1ade428000 ---p 0000b000 fe:02 889343561 /lib64/libnss_files-2.10.1.so
7f1ade428000-7f1ade429000 r--p 0000b000 fe:02 889343561 /lib64/libnss_files-2.10.1.so
7f1ade429000-7f1ade42a000 rw-p 0000c000 fe:02 889343561 /lib64/libnss_files-2.10.1.so
7f1ade42a000-7f1ade57b000 r-xp 00000000 fe:02 889343597 /lib64/libc-2.10.1.so
7f1ade57b000-7f1ade77b000 ---p 00151000 fe:02 889343597 /lib64/libc-2.10.1.so
7f1ade77b000-7f1ade77f000 r--p 00151000 fe:02 889343597 /lib64/libc-2.10.1.so
7f1ade77f000-7f1ade780000 rw-p 00155000 fe:02 889343597 /lib64/libc-2.10.1.so
7f1ade780000-7f1ade785000 rw-p 00000000 00:00 0
7f1ade785000-7f1ade7a2000 r-xp 00000000 fe:02 889343595 /lib64/ld-2.10.1.so
7f1ade964000-7f1ade966000 rw-p 00000000 00:00 0
7f1ade99e000-7f1ade9a1000 rw-p 00000000 00:00 0
7f1ade9a1000-7f1ade9a2000 r--p 0001c000 fe:02 889343595 /lib64/ld-2.10.1.so
7f1ade9a2000-7f1ade9a3000 rw-p 0001d000 fe:02 889343595 /lib64/ld-2.10.1.so
7fff017e3000-7fff0181a000 rw-p 00000000 00:00 0 [stack]
7fff019a2000-7fff019a3000 r-xp 00000000 00:00 0 [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall]
Segmentation fault (core dumped)

Reproducible: Always

Steps to Reproduce:
1. emerge mmsclient
2. call it with the given url

Actual Results:
The execution results in an empty wmv file and the buffer overflow.

Expected Results:
expecting video downloaded

A pcap file and the core file can be provided on request.
I just recompiled the source manually and I get:

In function 'read', inlined from 'main' at client.c:575:
/usr/include/bits/unistd.h:43: warning: call to '__read_chk_warn' declared with attribute warning: read called with bigger length than size of the destination buffer
In function 'read', inlined from 'main' at client.c:586:
/usr/include/bits/unistd.h:43: warning: call to '__read_chk_warn' declared with attribute warning: read called with bigger length than size of the destination buffer
gcc -g -ggdb -O2 -Wall -o mmsclient client.o

the reason for all this is in client.c:

31 #define BUF_SIZE 102400
[...]
473 char data[1024];
[...]
575 len = read (s, data, BUF_SIZE) ;
[...]
586 len = read (s, data, BUF_SIZE) ;
I reported this back in March as bug #263413, but since I cannot make that bug public I won't mark this as a duplicate.
(In reply to comment #3)
> I reported this back in March as bug #263413, but since I cannot make that bug
> public I won't mark this as a duplicate.
>
ehrm - just to get that right - that's 6 months! As far as I see code execution is possible here? I suggest removing that ebuild from the tree - the whole code looks just ... bad.
(In reply to comment #4)
> ehrm - just to get that right - that's 6 months!
I know.
> As far as I see code execution
> is possible here?
Code execution would have been possible for this buffer overflow, but gcc/glibc's patches to enable _FORTIFY_SOURCE by default prevent this. You can only get the program to abort, nothing else.
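The defect quoted from client.c in comment #3 (read() asked for BUF_SIZE bytes into a 1024-byte data[] array) and the _FORTIFY_SOURCE abort explained in the comment above, shown as an added example that is not part of this bug report and not mmsclient's code: a read wrapper whose length is clamped to the destination's capacity, plus a drain loop for the case where the stream carries more than one buffer's worth. The names bounded_read, drain_all, make_source and demo_* are ours; a pipe with a constructed 2000-byte payload stands in for the MMS socket. FORTIFY's __read_chk only fires when the compiler can see the destination size at the call site, so passing sizeof data is the fix, not the check.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Same sizes as in the bug: the program requested BUF_SIZE bytes but
 * only had a 1024-byte stack array to receive them. */
#define BUF_SIZE 102400
#define DATA_LEN 1024

/* Read at most `want` bytes, clamped to the destination capacity `cap`.
 * Returns bytes read (0 at EOF) or -1 on error; retries on EINTR. */
static ssize_t bounded_read(int fd, char *buf, size_t cap, size_t want)
{
    size_t n = want < cap ? want : cap;   /* never exceed the buffer */
    ssize_t len;
    do {
        len = read(fd, buf, n);
    } while (len < 0 && errno == EINTR);
    return len;
}

/* Consume everything on fd in buffer-sized chunks; returns total bytes
 * delivered, or -1 if a read failed. */
static ssize_t drain_all(int fd, char *buf, size_t cap)
{
    ssize_t total = 0, len;
    while ((len = bounded_read(fd, buf, cap, BUF_SIZE)) > 0)
        total += len;
    return len < 0 ? -1 : total;
}

/* Constructed stand-in for the MMS socket: a pipe preloaded with 2000
 * bytes, i.e. more than `data` can hold. Returns the read end. */
static int make_source(void)
{
    int fds[2];
    static char payload[2000];
    memset(payload, 'A', sizeof payload);
    if (pipe(fds) < 0)
        return -1;
    if (write(fds[1], payload, sizeof payload) != (ssize_t)sizeof payload) {
        close(fds[0]);
        close(fds[1]);
        return -1;
    }
    close(fds[1]);  /* writer done: reader sees EOF after 2000 bytes */
    return fds[0];
}

/* First read from the source: DATA_LEN (1024) bytes, not 2000, and no
 * write past the end of data[]. */
ssize_t demo_bounded_read(void)
{
    char data[DATA_LEN];
    int fd = make_source();
    if (fd < 0)
        return -1;
    ssize_t got = bounded_read(fd, data, sizeof data, BUF_SIZE);
    close(fd);
    return got;
}

/* Drain the whole source: all 2000 bytes arrive, in two chunks. */
ssize_t demo_drain_total(void)
{
    char data[DATA_LEN];
    int fd = make_source();
    if (fd < 0)
        return -1;
    ssize_t total = drain_all(fd, data, sizeof data);
    close(fd);
    return total;
}

int main(void)
{
    printf("first read: %zd bytes\n", demo_bounded_read());
    printf("drained:    %zd bytes\n", demo_drain_total());
    return 0;
}
```

Compiling this with the same -O2 and _FORTIFY_SOURCE defaults produces no __read_chk_warn warning, because the length passed to read() can never exceed sizeof data.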
$URL in ebuild is not available anymore, and we have no maintainer. I'd say we remove this...
Masked for removal

# Víctor Ostorga <vostorga@gentoo.org> (09 Nov 2009)
# Last version bump in 2004, allows buffer overflow
# Upstream not available
net-misc/mmsclient
*** Bug 263413 has been marked as a duplicate of this bug. ***
Maybe try to provide mimms as a replacement: http://savannah.nongnu.org/projects/mimms/ https://launchpad.net/mimms It seems to have originated at mmsclient but has seen more recent activity, and probably provides more reliable infrastructure (homepage, bug tracker) as well.
If you really want it, you should write an ebuild and attach it. :)
(In reply to comment #10)
> If you really want it, you should write an ebuild and attach it. :)
>
…on a new ebuild request bug.
(In reply to comment #11)
> (In reply to comment #10)
> > If you really want it, you should write an ebuild and attach it. :)
> >
> …on a new ebuild request bug.
…called bug #293650. :)
Removed from tree