238445 – (CVE-2008-4201) media-libs/faad2 < 2.6.1-r2: heap overflow in the frontend (CVE-2008-4201)

Bug 238445 (CVE-2008-4201) - media-libs/faad2 < 2.6.1-r2: heap overflow in the frontend (CVE-2008-4201)

Summary: media-libs/faad2 < 2.6.1-r2: heap overflow in the frontend (CVE-2008-4201)

Status:	RESOLVED FIXED

Alias:	CVE-2008-4201

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	High normal (vote)
Assignee:	Gentoo Security

URL:
Whiteboard:	B2 [glsa]
Keywords:

Depends on:
Blocks:

Reported:	2008-09-23 06:21 UTC by Alexis Ballier
Modified:	2008-11-10 17:57 UTC (History)
CC List:	1 user (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
main_overflow.diff (main_overflow.diff,609 bytes, patch) 2008-09-23 12:12 UTC, Robert Buchholz (RETIRED)	no flags	Details \| Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Alexis Ballier gentoo-dev

2008-09-23 06:21:09 UTC

While going on the faad2 homepage, I found this:

2008-09-16	
Security patch 	Earlier today I was notified of a possible security flaw in the command line frontend for FAAD2, on a specially constructed file the frontend can cause a heap overflow when reading from a buffer returned by the decoder library. A patch can be found here. Note that this only affects the frontend, not the library. Many thanks to ICST-ERCIS (Peking University) for reporting this issue.



I don't have more info; I think I could just apply the patch in a new revision. Do you have more information about this (like the impact, a POC, etc.)?

Comment 1 Robert Buchholz (RETIRED) gentoo-dev

2008-09-23 12:12:37 UTC

Created attachment 166174 [details, diff]
main_overflow.diff

Make the thing apply cleanly.

Comment 2 Peter Alfredsen (RETIRED) gentoo-dev

2008-09-23 12:38:38 UTC

+*faad2-2.6.1-r2 (23 Sep 2008)
+
+  23 Sep 2008; Peter Alfredsen <loki_val@gentoo.org>
+  +files/faad2-2.6.1-main-overflow.patch, +faad2-2.6.1-r2.ebuild:
+  Security bump w/ patch from bug 238445
+

Comment 3 Pierre-Yves Rofes (RETIRED) gentoo-dev

2008-09-23 22:05:47 UTC

Arches, please test and mark stable media-libs/faad2-2.6.1-r2. Target keywords: "alpha amd64 ~arm hppa ia64 ~mips ppc ppc64 ~sh sparc x86 ~x86-fbsd"

Comment 4 Richard Freeman gentoo-dev

2008-09-24 00:21:19 UTC

amd64 stable

Comment 5 Jeroen Roovers (RETIRED) gentoo-dev

2008-09-24 06:12:10 UTC

Stable for HPPA.

Comment 6 Ferris McCormick (RETIRED) gentoo-dev

2008-09-24 12:15:59 UTC

Sparc stable for -2.6.1-r2.

Comment 7 Robert Buchholz (RETIRED) gentoo-dev

2008-09-24 15:45:09 UTC

CVE-2008-4201 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-4201):
  Heap-based buffer overflow in the decodeMP4file function
  (frontend/main.c) in FAAD2 before 2.6.1 allows remote attackers to
  cause a denial of service (crash) and possibly execute arbitrary code
  via a crafted MPEG-4 (MP4) file.

Comment 8 Markus Rothe (RETIRED) gentoo-dev

2008-09-24 17:46:20 UTC

ppc64 stable

Comment 9 Raúl Porcel (RETIRED) gentoo-dev

2008-09-25 11:40:07 UTC

alpha/ia64/x86 stable

Comment 10 Tobias Scherbaum (RETIRED) gentoo-dev

2008-10-01 17:49:04 UTC

ppc stable

Comment 11 Tobias Heinlein (RETIRED) gentoo-dev

2008-10-01 21:21:01 UTC

GLSA request filed.

Comment 12 Tobias Heinlein (RETIRED) gentoo-dev

2008-11-10 17:57:41 UTC

GLSA 200811-03, thanks everyone, sorry about the delay.