r1110 - in /unstable/vlc/debian: changelog patches/400-CVE-2008-1489.diff patches/401-CVE-2008-0073.diff patches/series
xtophe-guest at users.alioth.debian.org
xtophe-guest at users.alioth.debian.org
Sat Mar 29 01:21:30 UTC 2008
Author: xtophe-guest
Date: Sat Mar 29 01:21:29 2008
New Revision: 1110
URL: http://svn.debian.org/wsvn/pkg-multimedia/?sc=1&rev=1110
Log:
ACK NMU for CVE-2008-1489
Patch from upstream for CVE-2008-0073
Added:
unstable/vlc/debian/patches/400-CVE-2008-1489.diff
unstable/vlc/debian/patches/401-CVE-2008-0073.diff
Modified:
unstable/vlc/debian/changelog
unstable/vlc/debian/patches/series
Modified: unstable/vlc/debian/changelog
URL: http://svn.debian.org/wsvn/pkg-multimedia/unstable/vlc/debian/changelog?rev=1110&op=diff
==============================================================================
--- unstable/vlc/debian/changelog (original)
+++ unstable/vlc/debian/changelog Sat Mar 29 01:21:29 2008
@@ -1,3 +1,20 @@
+vlc (0.8.6.e-2) unstable; urgency=low
+
+ * Acknowledge NMU by Nico Golde. Thanks
+ * New patch taken from upstream to fix an arbitrary code execution.
+ CVE-2008-0073 (Closes: #473057)
+
+ -- Christophe Mutricy <xtophe at videolan.org> Fri, 28 Mar 2008 17:32:17 +0000
+
+vlc (0.8.6.e-1.1) unstable; urgency=high
+
+ * Non-maintainer upload by the Security Team.
+ * Fix Integer overflow in MP4_ReadBox_rdrf function
+ that triggers a heap-based buffer overflow via a
+ large atom length value (Closes: #472635).
+
+ -- Nico Golde <nion at debian.org> Wed, 26 Mar 2008 13:21:44 +0100
+
vlc (0.8.6.e-1) unstable; urgency=high
[ Christophe Mutricy ]
Added: unstable/vlc/debian/patches/400-CVE-2008-1489.diff
URL: http://svn.debian.org/wsvn/pkg-multimedia/unstable/vlc/debian/patches/400-CVE-2008-1489.diff?rev=1110&op=file
==============================================================================
--- unstable/vlc/debian/patches/400-CVE-2008-1489.diff (added)
+++ unstable/vlc/debian/patches/400-CVE-2008-1489.diff Sat Mar 29 01:21:29 2008
@@ -1,0 +1,16 @@
+--- vlc-0.8.6e.orig/modules/demux/mp4/libmp4.c (revision 0e90ac58d8d1476cfdd81eb57e2a2a0eca0e5d91)
++++ vlc-0.8.6e/modules/demux/mp4/libmp4.c (revision 09572892df7e72c0d4e598c0b5e076cf330d8b0a)
+@@ -1985,8 +1985,12 @@
+ MP4_GETFOURCC( p_box->data.p_rdrf->i_ref_type );
+ MP4_GET4BYTES( i_len );
++ i_len++;
++
+ if( i_len > 0 )
+ {
+ uint32_t i;
+- p_box->data.p_rdrf->psz_ref = malloc( i_len + 1);
++ p_box->data.p_rdrf->psz_ref = malloc( i_len );
++ i_len--;
++
+ for( i = 0; i < i_len; i++ )
+ {
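Review bot: The `malloc( i_len )` result goes straight into the `for` loop with no NULL check, and `i_len` is read from the file by `MP4_GET4BYTES`, so a very large length that does not wrap can still make the allocation fail and the loop store through a null pointer. A guard of the form `if( p_box->data.p_rdrf->psz_ref == NULL )` placed before `i_len--`, leaving through the function's existing error path, would close that. The `i_len++` / `i_len--` pair also needs a comment, for example `/* +1 for the terminator; 0xFFFFFFFF wraps to 0 and the block is skipped */`, which assumes `i_len` is an unsigned 32-bit variable since its declaration is not in the hunk. The loop body and the rest of MP4_ReadBox_rdrf lie outside the hunk.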
Added: unstable/vlc/debian/patches/401-CVE-2008-0073.diff
URL: http://svn.debian.org/wsvn/pkg-multimedia/unstable/vlc/debian/patches/401-CVE-2008-0073.diff?rev=1110&op=file
==============================================================================
--- unstable/vlc/debian/patches/401-CVE-2008-0073.diff (added)
+++ unstable/vlc/debian/patches/401-CVE-2008-0073.diff Sat Mar 29 01:21:29 2008
@@ -1,0 +1,90 @@
+From: Pavlov Konstantin <thresh at altlinux.ru>
+Date: Wed, 19 Mar 2008 15:31:07 +0000 (+0300)
+Subject: Fix Array Indexing Vulnerability in sdpplin_parse(). (CVE-2008-0073). (closes #1531).
+X-Git-Url: http://git.videolan.org/gitweb.cgi?p=vlc.git;a=commitdiff_plain;h=8c838a6fe5f3bdb4af4f5f73d7ac0206ea92e029
+
+Fix Array Indexing Vulnerability in sdpplin_parse(). (CVE-2008-0073). (closes #1531).
+Thanks to Alin Rad Pop, Secunia Research.
+Ported from libxine.
+---
+
+diff --git a/modules/access/rtsp/real_sdpplin.c b/modules/access/rtsp/real_sdpplin.c
+index fbd1cc6..7cb46eb 100644
+--- a/modules/access/rtsp/real_sdpplin.c
++++ b/modules/access/rtsp/real_sdpplin.c
+@@ -138,9 +138,16 @@ static sdpplin_stream_t *sdpplin_parse_stream(char **data) {
+ handled=0;
+
+ if(filter(*data,"a=control:streamid=",&buf, BUFLEN)) {
+- desc->stream_id=atoi(buf);
+- handled=1;
+- *data=nl(*data);
++ /* This way negative values are mapped to unfeasibly high
++ * values, and will be discarded afterward
++ */
++ unsigned long tmp = strtoul(buf, NULL, 10);
++ if ( tmp > UINT16_MAX )
++ lprintf("stream id out of bound: %lu\n", tmp);
++ else
++ desc->stream_id=tmp;
++ handled=1;
++ *data=nl(*data);
+ }
+ if(filter(*data,"a=MaxBitRate:integer;",&buf, BUFLEN)) {
+ desc->max_bit_rate=atoi(buf);
+@@ -254,7 +261,10 @@ sdpplin_t *sdpplin_parse(char *data) {
+ }
+ stream=sdpplin_parse_stream(&data);
+ lprintf("got data for stream id %u\n", stream->stream_id);
+- desc->stream[stream->stream_id]=stream;
++ if ( stream->stream_id >= desc->stream_count )
++ lprintf("stream id %u is greater than stream count %u\n", stream->stream_id, desc->stream_count);
++ else
++ desc->stream[stream->stream_id]=stream;
+ continue;
+ }
+ if(filter(data,"a=Title:buffer;",&buf, BUFLEN)) {
+@@ -290,10 +300,17 @@ sdpplin_t *sdpplin_parse(char *data) {
+ }
+ }
+ if(filter(data,"a=StreamCount:integer;",&buf, BUFLEN)) {
+- desc->stream_count=atoi(buf);
+- desc->stream = malloc(sizeof(sdpplin_stream_t*)*desc->stream_count);
+- handled=1;
+- data=nl(data);
++ /* This way negative values are mapped to unfeasibly high
++ * values, and will be discarded afterward
++ */
++ unsigned long tmp = strtoul(buf, NULL, 10);
++ if ( tmp > UINT16_MAX )
++ lprintf("stream count out of bound: %lu\n", tmp);
++ else
++ desc->stream_count = tmp;
++ desc->stream = malloc(sizeof(sdpplin_stream_t*)*desc->stream_count);
++ handled=1;
++ data=nl(data);
+ }
+ if(filter(data,"a=Flags:integer;",&buf, BUFLEN)) {
+ desc->flags=atoi(buf);
+diff --git a/modules/access/rtsp/real_sdpplin.h b/modules/access/rtsp/real_sdpplin.h
+index 6014ee6..10d37b8 100644
+--- a/modules/access/rtsp/real_sdpplin.h
++++ b/modules/access/rtsp/real_sdpplin.h
+@@ -31,7 +31,7 @@ typedef struct {
+ char *id;
+ char *bandwidth;
+
+- int stream_id;
++ uint16_t stream_id;
+ char *range;
+ char *length;
+ char *rtpmap;
+@@ -75,7 +75,7 @@ typedef struct {
+
+ int flags;
+ int is_real_data_type;
+- int stream_count;
++ uint16_t stream_count;
+ char *title;
+ char *author;
+ char *copyright;
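Review bot: In the `a=StreamCount:integer;` branch of sdpplin_parse() the `malloc` for `desc->stream` sits outside the un-braced `else`, so it still runs when the count was rejected, and its result is never checked. If that allocation fails while `stream_count` is non-zero, the new `stream->stream_id >= desc->stream_count` guard passes and the store goes through a NULL `desc->stream`. Adding `if ( !desc->stream ) desc->stream_count = 0;` right after the malloc keeps the guard sound. In the branch that rejects an out-of-range id, the `stream` returned by sdpplin_parse_stream() is dropped without being released, which looks like a leak per malformed stream block if the caller owns it. Both functions start and end outside the hunks shown.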
Modified: unstable/vlc/debian/patches/series
URL: http://svn.debian.org/wsvn/pkg-multimedia/unstable/vlc/debian/patches/series?rev=1110&op=diff
==============================================================================
--- unstable/vlc/debian/patches/series (original)
+++ unstable/vlc/debian/patches/series Sat Mar 29 01:21:29 2008
@@ -6,3 +6,5 @@
104_notify.diff
200_osdmenu_paths.diff
300_manpage_syntax.diff
+400-CVE-2008-1489.diff
+401-CVE-2008-0073.diff