Bug 570242 - <media-video/rtmpdump-2.4_p20161210: multiple vulnerabilities
Summary: <media-video/rtmpdump-2.4_p20161210: multiple vulnerabilities
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: B2 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2015-12-30 13:39 UTC by Agostino Sarubbo
Modified: 2017-07-16 01:10 UTC

See Also:
Package list:
=media-video/rtmpdump-2.4_p20161210
Runtime testing required: ---
kensington: sanity-check+


Description Agostino Sarubbo gentoo-dev 2015-12-30 13:39:25 UTC
From ${URL} :

The git (git://git.ffmpeg.org/rtmpdump) log is:

commit fa8646daeb19dfd12c181f7d19de708d623704c0
Author: Howard Chu <hyc@...hlandsun.com>
Date:   Wed Dec 23 18:58:50 2015 +0000

    Fix issue 6-7/7 from LMX of Qihoo 360 Codesafe Team
    
    Additional decode input size checks

commit 07c10ae612bf5c2dbea594dcbd4da85c54dba1e4
Author: Howard Chu <hyc@...hlandsun.com>
Date:   Wed Dec 23 18:28:13 2015 +0000

    Fix issue 5/7 from LMX of Qihoo 360 Codesafe Team
    
    Ignore zero-length packets

commit 7c68ad18f4296911114470bb4caaa673d55c8447
Author: Howard Chu <hyc@...hlandsun.com>
Date:   Wed Dec 23 18:10:15 2015 +0000

    Fix issue 4/7 from LMX of Qihoo 360 Codesafe Team
    
    Potential integer overflow in RTMPPacket_Alloc().
    

commit f3042b5bb7dcb42eda32ad9dd88029b24a2c282b
Author: Howard Chu <hyc@...hlandsun.com>
Date:   Wed Dec 23 17:53:34 2015 +0000

    Fix issue 2/7 from LMX of Qihoo 360 Codesafe Team
    
    Obsolete RTMPPacket_Free() call left over from original C++ to C rewrite

commit 71fe4f2435beaccca046dad3905840615b76b085
Author: Howard Chu <hyc@...hlandsun.com>
Date:   Wed Dec 23 17:51:39 2015 +0000

    Fix issue 1/7 from LMX of Qihoo 360 Codesafe Team
    
    AMFProp_GetObject must make sure the prop is actually an object



@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Yury German Gentoo Infrastructure gentoo-dev Security 2016-04-23 03:19:29 UTC
This might be fixed as I see check in for the package (jlec), after the bug was announced. Can someone please confirm?
Comment 2 Yury German Gentoo Infrastructure gentoo-dev Security 2016-06-05 23:22:46 UTC
PING - Maintainers do we have an update?
Comment 3 Yury German Gentoo Infrastructure gentoo-dev Security 2016-08-10 16:48:42 UTC
Can maintainers please take a look at this bug and please provide an answer.
Comment 4 Yury German Gentoo Infrastructure gentoo-dev Security 2016-09-07 06:53:42 UTC
Maintainers, please advise. If there is no comment, we will assume the package is not maintained.
Comment 5 Yury German Gentoo Infrastructure gentoo-dev Security 2016-11-14 00:13:31 UTC
No answer from maintainers in 11 months.
Package is assumed not maintained. Will ask on the @dev mailing list if someone wants to maintain the package and start the process for masking / removing it from the tree.
Comment 6 Pacho Ramos gentoo-dev 2016-11-27 19:39:59 UTC
This has lots of reverse deps... hence, we couldn't treeclean it easily :/
Comment 7 Markos Chandras (RETIRED) gentoo-dev 2016-12-10 19:27:13 UTC
I will prepare a new snapshot
Comment 8 Markos Chandras (RETIRED) gentoo-dev 2016-12-10 19:38:03 UTC
(In reply to Markos Chandras from comment #7)
> I will prepare a new snapshot

I have committed rtmpdump-2.4_p20161210
Comment 9 Thomas Deutschmann gentoo-dev Security 2016-12-10 19:55:31 UTC
@ Arches,

please test and mark stable: =media-video/rtmpdump-2.4_p20161210
Comment 10 Agostino Sarubbo gentoo-dev 2016-12-13 11:05:25 UTC
amd64 stable
Comment 11 Agostino Sarubbo gentoo-dev 2016-12-13 11:30:53 UTC
x86 stable
Comment 12 Agostino Sarubbo gentoo-dev 2017-01-01 12:47:22 UTC
ppc stable
Comment 13 Agostino Sarubbo gentoo-dev 2017-01-03 10:40:42 UTC
ppc64 stable
Comment 14 Jeroen Roovers gentoo-dev 2017-01-15 20:49:20 UTC
Stable for HPPA.
Comment 15 Yury German Gentoo Infrastructure gentoo-dev Security 2017-01-27 06:34:16 UTC
This was missed.

Maintainer(s), please drop the vulnerable version(s).
New GLSA Request Filed.
Comment 16 GLSAMaker/CVETool Bot gentoo-dev 2017-02-06 02:13:10 UTC
This issue was resolved and addressed in
 GLSA 201702-02 at https://security.gentoo.org/glsa/201702-02
by GLSA coordinator Aaron Bauman (b-man).
Comment 17 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2017-02-06 02:13:38 UTC
@maintainer(s), please clean the vulnerable version.
Comment 18 Yury German Gentoo Infrastructure gentoo-dev Security 2017-02-19 14:06:17 UTC
Maintainers please drop the vulnerable version so we can close the bug.
Comment 19 Yury German Gentoo Infrastructure gentoo-dev Security 2017-05-25 06:26:12 UTC
Maintainer(s), please drop the vulnerable version(s).