r1044 - in /unstable/vlc/debian: changelog patches/sec-CVE-2008-0296_CVE-2008-0295.diff patches/series

lool at users.alioth.debian.org lool at users.alioth.debian.org
Mon Jan 21 15:50:22 UTC 2008


Author: lool
Date: Mon Jan 21 15:50:22 2008
New Revision: 1044

URL: http://svn.debian.org/wsvn/pkg-multimedia/?sc=1&rev=1044
Log:
* This update addresses the following security issues (Closes: #461544).
  - CVE-2008-0295: Heap-based buffer overflow in real_sdpplin.c
    which could lead to user-assisted arbitrary code execution
    via crafted SDP data.
  - CVE-2008-0296: Heap-based buffer overflow in libaccess_realrtsp plugin
    which might lead to arbitrary code execution via a crafted RTSP server.
* Merge above changes by Nico Golde.

Added:
    unstable/vlc/debian/patches/sec-CVE-2008-0296_CVE-2008-0295.diff
Modified:
    unstable/vlc/debian/changelog
    unstable/vlc/debian/patches/series

Modified: unstable/vlc/debian/changelog
URL: http://svn.debian.org/wsvn/pkg-multimedia/unstable/vlc/debian/changelog?rev=1044&op=diff
==============================================================================
--- unstable/vlc/debian/changelog (original)
+++ unstable/vlc/debian/changelog Mon Jan 21 15:50:22 2008
@@ -1,3 +1,18 @@
+vlc (0.8.6.c-6) unstable; urgency=high
+
+  [ Nico Golde ]
+  * This update addresses the following security issues (Closes: #461544).
+    - CVE-2008-0295: Heap-based buffer overflow in real_sdpplin.c
+      which could lead to user-assisted arbitrary code execution
+      via crafted SDP data.
+    - CVE-2008-0296: Heap-based buffer overflow in libaccess_realrtsp plugin
+      which might lead to arbitrary code execution via a crafted RTSP server.
+
+  [ Loic Minier ]
+  * Merge above changes by Nico Golde.
+
+ -- Loic Minier <lool at dooz.org>  Mon, 21 Jan 2008 16:16:51 +0100
+
 vlc (0.8.6.c-5) unstable; urgency=low
 
   [ Christophe Mutricy ]

Added: unstable/vlc/debian/patches/sec-CVE-2008-0296_CVE-2008-0295.diff
URL: http://svn.debian.org/wsvn/pkg-multimedia/unstable/vlc/debian/patches/sec-CVE-2008-0296_CVE-2008-0295.diff?rev=1044&op=file
==============================================================================
--- unstable/vlc/debian/patches/sec-CVE-2008-0296_CVE-2008-0295.diff (added)
+++ unstable/vlc/debian/patches/sec-CVE-2008-0296_CVE-2008-0295.diff Mon Jan 21 15:50:22 2008
@@ -1,0 +1,165 @@
+--- vlc-0.8.6.c.orig/modules/access/rtsp/real_sdpplin.c (revision 14187)
++++ vlc-0.8.6.c/modules/access/rtsp/real_sdpplin.c (revision 24443)
+@@ -25,4 +25,5 @@
+  
+ #include "real.h"
++#define BUFLEN 32000
+ 
+ /*
+@@ -89,5 +90,5 @@
+ }
+ 
+-static int filter(const char *in, const char *filter, char **out) {
++static int filter(const char *in, const char *filter, char **out, size_t outlen) {
+ 
+   int flen=strlen(filter);
+@@ -101,4 +102,9 @@
+     if(in[len-1]==13) len--;
+     if(in[len-1]=='"') len--;
++    if( len-flen+1 > outlen )
++    {
++        printf("Discarding end of string to avoid overflow");
++        len=outlen+flen-1;
++    }
+     memcpy(*out, in+flen, len-flen+1);
+     (*out)[len-flen]=0;
+@@ -111,6 +117,6 @@
+ 
+   sdpplin_stream_t *desc = malloc(sizeof(sdpplin_stream_t));
+-  char      *buf = malloc(32000);
+-  char      *decoded = malloc(32000);
++  char      *buf = malloc(BUFLEN);
++  char      *decoded = malloc(BUFLEN);
+   int       handled;
+ 
+@@ -121,5 +127,5 @@
+   if( !decoded ) goto error;
+ 
+-  if (filter(*data, "m=", &buf)) {
++  if (filter(*data, "m=", &buf, BUFLEN)) {
+     desc->id = strdup(buf);
+   } else {
+@@ -132,10 +138,10 @@
+     handled=0;
+ 
+-    if(filter(*data,"a=control:streamid=",&buf)) {
++    if(filter(*data,"a=control:streamid=",&buf, BUFLEN)) {
+       desc->stream_id=atoi(buf);
+       handled=1;
+       *data=nl(*data);
+     }
+-    if(filter(*data,"a=MaxBitRate:integer;",&buf)) {
++    if(filter(*data,"a=MaxBitRate:integer;",&buf, BUFLEN)) {
+       desc->max_bit_rate=atoi(buf);
+       if (!desc->avg_bit_rate)
+@@ -144,5 +150,5 @@
+       *data=nl(*data);
+     }
+-    if(filter(*data,"a=MaxPacketSize:integer;",&buf)) {
++    if(filter(*data,"a=MaxPacketSize:integer;",&buf, BUFLEN)) {
+       desc->max_packet_size=atoi(buf);
+       if (!desc->avg_packet_size)
+@@ -151,20 +157,20 @@
+       *data=nl(*data);
+     }
+-    if(filter(*data,"a=StartTime:integer;",&buf)) {
++    if(filter(*data,"a=StartTime:integer;",&buf, BUFLEN)) {
+       desc->start_time=atoi(buf);
+       handled=1;
+       *data=nl(*data);
+     }
+-    if(filter(*data,"a=Preroll:integer;",&buf)) {
++    if(filter(*data,"a=Preroll:integer;",&buf, BUFLEN)) {
+       desc->preroll=atoi(buf);
+       handled=1;
+       *data=nl(*data);
+     }
+-    if(filter(*data,"a=length:npt=",&buf)) {
++    if(filter(*data,"a=length:npt=",&buf, BUFLEN)) {
+       desc->duration=(uint32_t)(atof(buf)*1000);
+       handled=1;
+       *data=nl(*data);
+     }
+-    if(filter(*data,"a=StreamName:string;",&buf)) {
++    if(filter(*data,"a=StreamName:string;",&buf, BUFLEN)) {
+       desc->stream_name=strdup(buf);
+       desc->stream_name_size=strlen(desc->stream_name);
+@@ -172,5 +178,5 @@
+       *data=nl(*data);
+     }
+-    if(filter(*data,"a=mimetype:string;",&buf)) {
++    if(filter(*data,"a=mimetype:string;",&buf, BUFLEN)) {
+       desc->mime_type=strdup(buf);
+       desc->mime_type_size=strlen(desc->mime_type);
+@@ -178,5 +184,5 @@
+       *data=nl(*data);
+     }
+-    if(filter(*data,"a=OpaqueData:buffer;",&buf)) {
++    if(filter(*data,"a=OpaqueData:buffer;",&buf, BUFLEN)) {
+       decoded = b64_decode(buf, decoded, &(desc->mlti_data_size));
+       desc->mlti_data = malloc(sizeof(char)*desc->mlti_data_size);
+@@ -186,5 +192,5 @@
+       lprintf("mlti_data_size: %i\n", desc->mlti_data_size);
+     }
+-    if(filter(*data,"a=ASMRuleBook:string;",&buf)) {
++    if(filter(*data,"a=ASMRuleBook:string;",&buf, BUFLEN)) {
+       desc->asm_rule_book=strdup(buf);
+       handled=1;
+@@ -217,6 +223,6 @@
+   sdpplin_t        *desc = malloc(sizeof(sdpplin_t));
+   sdpplin_stream_t *stream;
+-  char             *buf=malloc(3200);
+-  char             *decoded=malloc(3200);
++  char             *buf=malloc(BUFLEN);
++  char             *decoded=malloc(BUFLEN);
+   int              handled;
+   int              len;
+@@ -237,5 +243,5 @@
+     handled=0;
+ 
+-    if (filter(data, "m=", &buf)) {
++    if (filter(data, "m=", &buf, BUFLEN)) {
+       stream=sdpplin_parse_stream(&data);
+       lprintf("got data for stream id %u\n", stream->stream_id);
+@@ -243,5 +249,5 @@
+       continue;
+     }
+-    if(filter(data,"a=Title:buffer;",&buf)) {
++    if(filter(data,"a=Title:buffer;",&buf, BUFLEN)) {
+       decoded=b64_decode(buf, decoded, &len);
+       desc->title=strdup(decoded);
+@@ -249,5 +255,5 @@
+       data=nl(data);
+     }
+-    if(filter(data,"a=Author:buffer;",&buf)) {
++    if(filter(data,"a=Author:buffer;",&buf, BUFLEN)) {
+       decoded=b64_decode(buf, decoded, &len);
+       desc->author=strdup(decoded);
+@@ -255,5 +261,5 @@
+       data=nl(data);
+     }
+-    if(filter(data,"a=Copyright:buffer;",&buf)) {
++    if(filter(data,"a=Copyright:buffer;",&buf, BUFLEN)) {
+       decoded=b64_decode(buf, decoded, &len);
+       desc->copyright=strdup(decoded);
+@@ -261,5 +267,5 @@
+       data=nl(data);
+     }
+-    if(filter(data,"a=Abstract:buffer;",&buf)) {
++    if(filter(data,"a=Abstract:buffer;",&buf, BUFLEN)) {
+       decoded=b64_decode(buf, decoded, &len);
+       desc->abstract=strdup(decoded);
+@@ -267,5 +273,5 @@
+       data=nl(data);
+     }
+-    if(filter(data,"a=StreamCount:integer;",&buf)) {
++    if(filter(data,"a=StreamCount:integer;",&buf, BUFLEN)) {
+       desc->stream_count=atoi(buf);
+       desc->stream = malloc(sizeof(sdpplin_stream_t*)*desc->stream_count);
+@@ -273,5 +279,5 @@
+       data=nl(data);
+     }
+-    if(filter(data,"a=Flags:integer;",&buf)) {
++    if(filter(data,"a=Flags:integer;",&buf, BUFLEN)) {
+       desc->flags=atoi(buf);
+       handled=1;
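Review bot: The new bound check in `filter()` clamps an over-long field and then carries on as a successful match, so callers such as `desc->stream_name=strdup(buf)` and `b64_decode(buf, decoded, &len)` consume a silently shortened value from the SDP description; treating the over-long line as a non-match after logging would be the more conservative choice. The diagnostic is written with `printf` and has no trailing newline, while the visible parts of this file log through `lprintf`, so `lprintf("Discarding end of string to avoid overflow\n");` would match. The test `len-flen+1 > outlen` compares a signed expression (`flen` is declared `int`, and `len` appears to be as well) against a `size_t`, which is only safe while `len >= flen`; that presumably follows from a prefix match earlier in `filter()`, but the body starts outside the hunk, so it should be confirmed. Separately, the context line `desc->stream_count=atoi(buf);` still feeds `malloc(sizeof(sdpplin_stream_t*)*desc->stream_count)` with no range check on the parsed value and no visible check of the allocation result, which this patch leaves unaddressed.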

Modified: unstable/vlc/debian/patches/series
URL: http://svn.debian.org/wsvn/pkg-multimedia/unstable/vlc/debian/patches/series?rev=1044&op=diff
==============================================================================
--- unstable/vlc/debian/patches/series (original)
+++ unstable/vlc/debian/patches/series Mon Jan 21 15:50:22 2008
@@ -11,3 +11,4 @@
 sec-vlcopt_support.diff
 sec-rtsp_remote_dos.diff
 sec-subtitle_buffer_overflow.diff
+sec-CVE-2008-0296_CVE-2008-0295.diff



