Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 732598 (CVE-2020-24027) - <media-plugins/live-2021.05.22: Buffer overflow in handling of RTSP play command (CVE-2020-24027)
Summary: <media-plugins/live-2021.05.22: Buffer overflow in handling of RTSP play comm...
Status: RESOLVED FIXED
Alias: CVE-2020-24027
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: http://www.live555.com/liveMedia/publ...
Whiteboard: B3 [glsa+]
Keywords:
Depends on: 795798
Blocks:
  Show dependency tree
 
Reported: 2020-07-14 19:52 UTC by Sam James
Modified: 2024-07-09 13:13 UTC (History)
1 user (show)

See Also:
Package list:
media-video/vlc-3.0.14-r6 amd64 arm64 ppc ppc64 x86 media-plugins/live-2021.05.22
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-07-14 19:52:37 UTC
From URL:
"2020.07.09:
- Fixed a potential buffer overflow bug in the server handling of a RTSP "PLAY" command,
  when the command specifies seeking by absolute time.
  (Thank to Xiaobo Xiang for reporting this.)"
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-07-14 19:53:17 UTC
Please bump to 2020.07.09.
Comment 2 Larry the Git Cow gentoo-dev 2021-06-12 18:43:58 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8e14ff1a018a8d131838439a52a4849f675aaa6a

commit 8e14ff1a018a8d131838439a52a4849f675aaa6a
Author:     John Helmert III <ajak@gentoo.org>
AuthorDate: 2021-06-12 18:34:01 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2021-06-12 18:43:42 +0000

    media-plugins/live: add 2021.05.22
    
    Bug: https://bugs.gentoo.org/732598
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 media-plugins/live/Manifest               |   1 +
 media-plugins/live/live-2021.05.22.ebuild | 108 ++++++++++++++++++++++++++++++
 2 files changed, 109 insertions(+)
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-06-12 18:45:32 UTC
Let's give it some time in unstable just in case.
Comment 4 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-06-22 20:40:12 UTC
Need to stable VLC too due to media-plugins/live version restrictions thanks to bug 797436
Comment 5 NATTkA bot gentoo-dev 2021-07-10 17:32:37 UTC Comment hidden (obsolete)
Comment 6 NATTkA bot gentoo-dev 2021-07-17 21:32:33 UTC Comment hidden (obsolete)
Comment 7 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-08-10 23:57:09 UTC
amd64 done
Comment 8 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-08-11 00:03:57 UTC
arm done
Comment 9 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-08-11 00:05:19 UTC
arm64 done
Comment 10 Agostino Sarubbo gentoo-dev 2021-08-11 11:18:35 UTC
ppc stable
Comment 11 Agostino Sarubbo gentoo-dev 2021-08-11 11:19:11 UTC
ppc64 stable
Comment 12 Agostino Sarubbo gentoo-dev 2021-08-25 04:23:22 UTC
x86 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 13 Larry the Git Cow gentoo-dev 2021-08-26 21:54:21 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f17ed73482dc8b6a9cf94ef480a35cf40eb5909d

commit f17ed73482dc8b6a9cf94ef480a35cf40eb5909d
Author:     John Helmert III <ajak@gentoo.org>
AuthorDate: 2021-08-26 21:52:50 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2021-08-26 21:53:04 +0000

    media-plugins/live: drop 2020.05.15
    
    Bug: https://bugs.gentoo.org/732598
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 media-plugins/live/Manifest               |   1 -
 media-plugins/live/live-2020.05.15.ebuild | 108 ------------------------------
 2 files changed, 109 deletions(-)
Comment 14 NATTkA bot gentoo-dev 2021-10-09 19:49:13 UTC
Unable to check for sanity:

> no match for package: media-video/vlc-3.0.14-r6
Comment 15 Larry the Git Cow gentoo-dev 2024-07-09 13:09:37 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=f8b1b6a35303555751a0d0e9f7ce20884e9c4145

commit f8b1b6a35303555751a0d0e9f7ce20884e9c4145
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-07-09 13:09:03 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2024-07-09 13:09:28 +0000

    [ GLSA 202407-23 ] LIVE555 Media Server: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/732598
    Bug: https://bugs.gentoo.org/807622
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202407-23.xml | 48 ++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 48 insertions(+)