An exploitable code execution vulnerability exists in the HTTP packet-parsing functionality of the LIVE555 RTSP server library. A specially crafted packet can cause a stack-based buffer overflow, resulting in code execution. An attacker can send a packet to trigger this vulnerability.

This affects versions earlier than 2018.10.17

CVSSv3 Score: 10.0

Reproducible: Always

More information can be found at: https://blog.talosintelligence.com/2018/10/vulnerability-spotlight-live-networks.html
status: need to determine if the ABI needs a bump.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8c293c2d398dbbe110b67473cc43835a43873c8c

commit 8c293c2d398dbbe110b67473cc43835a43873c8c
Author: Sam James (sam_c) <sam@cmpct.info>
AuthorDate: 2020-03-25 03:22:33 +0000
Commit: Joonas Niilola <juippis@gentoo.org>
CommitDate: 2020-03-31 08:38:58 +0000

    media-plugins/live: Security bump to 2020.03.06

    * Decided to bump to the latest while there.
    * Adds an optional ssl dependency.
    * Bumps from EAPI 5 => 7

    Bug: https://bugs.gentoo.org/669276
    Signed-off-by: Sam James (sam_c) <sam@cmpct.info>
    Closes: https://github.com/gentoo/gentoo/pull/15100
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 media-plugins/live/Manifest | 1 +
 media-plugins/live/files/config.gentoo-so-r3 | 17 +++++
 media-plugins/live/live-2020.03.06.ebuild | 100 +++++++++++++++++++++++++++
 3 files changed, 118 insertions(+)
@maintainer(s), please advise if ready for stabilisation, or call yourself
Unable to check for sanity:
> disallowed package spec (only = allowed): media-plugins/live
Unable to check for sanity:
> no match for package: =media-plugins/live-2020.30.06
CVE-2019-9215 (https://nvd.nist.gov/vuln/detail/CVE-2019-9215): In Live555 before 2019.02.27, malformed headers lead to invalid memory access in the parseAuthorizationHeader function.
Maybe remove the vulnerable versions too:
live-2017.10.28.ebuild live-2018.01.29.ebuild live-2018.07.07.ebuild

would be bad to let users keep on using those versions.
(In reply to J.O. Aho from comment #7)
> Maybe remove the vulnerable versions too:
> live-2017.10.28.ebuild live-2018.01.29.ebuild live-2018.07.07.ebuild
>
> would be bad to let users keep on using those versions.

We always cleanup after stabilisation if necessary, don't worry.
arm64 stable
CVE-2019-6256 (https://nvd.nist.gov/vuln/detail/CVE-2019-6256): A Denial of Service issue was discovered in the LIVE555 Streaming Media libraries as used in Live555 Media Server 0.93. It can cause an RTSPServer crash in handleHTTPCmd_TunnelingPOST, when RTSP-over-HTTP tunneling is supported, via x-sessioncookie HTTP headers in a GET request and a POST request within the same TCP session. This occurs because of a call to an incorrect virtual function pointer in the readSocket function in GroupsockHelper.cpp.

CVE-2019-15232 (https://nvd.nist.gov/vuln/detail/CVE-2019-15232): Live555 before 2019.08.16 has a Use-After-Free because GenericMediaServer::createNewClientSessionWithId can generate the same client session ID in succession, which is mishandled by the MPEG1or2 and Matroska file demultiplexors.
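An added example (not from LIVE555, Gentoo or NVD) of checking captured traffic for the CVE-2019-6256 condition described above: a GET and a POST that both carry x-sessioncookie on one TCP connection. The function names, connection ids and sample streams are constructed for illustration; it assumes each value is the reassembled client-to-server byte stream of a single TCP connection.

```python
import re

# One HTTP/1.x request head: request line, header lines, blank line.
# Not anchored to line start, so a head following a POST body is still found.
HEAD = re.compile(rb"(GET|POST) \S+ HTTP/1\.[01]\r\n((?:[^\r\n]+\r\n)*)\r\n")


def tunneling_requests(stream: bytes) -> list:
    """Return [(method, cookie)] for every request head in the stream
    that carries an x-sessioncookie header (name matched case-insensitively)."""
    found = []
    for match in HEAD.finditer(stream):
        method = match.group(1).decode()
        for line in match.group(2).split(b"\r\n"):
            name, sep, value = line.partition(b":")
            if sep and name.strip().lower() == b"x-sessioncookie":
                found.append((method, value.strip().decode("latin-1")))
                break
    return found


def same_session_get_and_post(stream: bytes) -> bool:
    """True when one connection carries both a GET and a POST with
    x-sessioncookie, the pattern the CVE-2019-6256 text describes."""
    methods = {method for method, _ in tunneling_requests(stream)}
    return {"GET", "POST"} <= methods


def flag_connections(connections: dict) -> list:
    """Return the sorted ids of connections matching the pattern."""
    return sorted(cid for cid, data in connections.items()
                  if same_session_get_and_post(data))


# Constructed sample streams (hypothetical ids, paths and cookie values).
GET_HEAD = b"GET /stream HTTP/1.0\r\nX-SessionCookie: aaaa\r\n\r\n"
POST_HEAD = b"POST /stream HTTP/1.0\r\nx-sessioncookie: aaaa\r\n\r\n"
BODY = b"Y29uc3RydWN0ZWQ="  # constructed placeholder body
SAMPLE = {
    "conn-1": GET_HEAD,                      # GET half on its own connection
    "conn-2": POST_HEAD + BODY,              # POST half on its own connection
    "conn-3": GET_HEAD + POST_HEAD + BODY,   # both on one connection: flagged
    "conn-4": b"GET / HTTP/1.1\r\nHost: cam\r\n\r\n" + POST_HEAD,  # GET has no cookie
}

if __name__ == "__main__":
    print(flag_connections(SAMPLE))
```

Well-behaved RTSP-over-HTTP clients open the GET and the POST on separate connections, so a hit on a single connection is worth triaging against the installed media-plugins/live version.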
dropped to ~sparc
amd64 stable
arm stable
ppc stable
ppc64 stable
x86 stable. Maintainer(s), please cleanup. Security, please add it to the existing request, or file a new one.
This issue was resolved and addressed in GLSA 202005-06 at https://security.gentoo.org/glsa/202005-06 by GLSA coordinator Thomas Deutschmann (whissi).