Bug 600506 - media-libs/gst-plugins-good-*: Out of bounds write, code execution
Summary: media-libs/gst-plugins-good-*: Out of bounds write, code execution
Status: RESOLVED DUPLICATE of bug 601354
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2016-11-22 18:26 UTC by pachnekrobert
Modified: 2016-12-01 14:54 UTC (History)
See Also:
Package list:
Runtime testing required: ---


Attachments

Description pachnekrobert 2016-11-22 18:26:17 UTC
Chris Evans discovered a vulnerability in the decoder for the FLIC file format which is part of media-libs/gst-plugins-good.
It's described on a private blog ( https://scarybeastsecurity.blogspot.com/2016/11/0day-exploit-advancing-exploitation.htmld ), no CVE has been assigned yet but one is requested ( http://seclists.org/oss-sec/2016/q4/491 ).

I checked the portage tree and the vulnerable code seems to be present in all versions of gst-plugins-good which are available in Gentoo, from gst-plugins-good-0.10.31-r1 to gst-plugins-good-1.8.3.

The lack of bounds checking happens in the function
flx_decode_delta_fli (GstFlxDec * flxdec, guchar * data, guchar * dest)
in gst-plugins-good-*/gst/flx/gstflxdec.c


There is a commit fixing the issue upstream:
https://cgit.freedesktop.org/gstreamer/gst-plugins-good/commit/?id=bf43f44fcfada5ec4a3ce60cb374340486fe9fac
Comment 1 pachnekrobert 2016-11-24 03:05:11 UTC
CVEs have been assigned 
http://seclists.org/oss-sec/2016/q4/517
Comment 2 Thomas Deutschmann gentoo-dev 2016-12-01 14:54:32 UTC
The fix was incomplete, see https://scarybeastsecurity.blogspot.dk/2016/11/0day-poc-incorrect-fix-for-gstreamer.html

Merging this bug with bug 601354.

*** This bug has been marked as a duplicate of bug 601354 ***