r1110 - in /unstable/vlc/debian: changelog patches/400-CVE-2008-1489.diff patches/401-CVE-2008-0073.diff patches/series

xtophe-guest at users.alioth.debian.org xtophe-guest at users.alioth.debian.org
Sat Mar 29 01:21:30 UTC 2008


Author: xtophe-guest
Date: Sat Mar 29 01:21:29 2008
New Revision: 1110

URL: http://svn.debian.org/wsvn/pkg-multimedia/?sc=1&rev=1110
Log:
ACK NMU for CVE-2008-1489
Patch from upstream for CVE-2008-0073

Added:
    unstable/vlc/debian/patches/400-CVE-2008-1489.diff
    unstable/vlc/debian/patches/401-CVE-2008-0073.diff
Modified:
    unstable/vlc/debian/changelog
    unstable/vlc/debian/patches/series

Modified: unstable/vlc/debian/changelog
URL: http://svn.debian.org/wsvn/pkg-multimedia/unstable/vlc/debian/changelog?rev=1110&op=diff
==============================================================================
--- unstable/vlc/debian/changelog (original)
+++ unstable/vlc/debian/changelog Sat Mar 29 01:21:29 2008
@@ -1,3 +1,20 @@
+vlc (0.8.6.e-2) unstable; urgency=low
+
+  * Acknowledge NMU by Nico Golde. Thanks
+  * New patch taken from upstream to fix an arbitrary code execution.
+    CVE-2008-0073 (Closes: #473057)
+
+ -- Christophe Mutricy <xtophe at videolan.org>  Fri, 28 Mar 2008 17:32:17 +0000
+
+vlc (0.8.6.e-1.1) unstable; urgency=high
+
+  * Non-maintainer upload by the Security Team.
+  * Fix Integer overflow in MP4_ReadBox_rdrf function
+    that triggers a heap-based buffer overflow via a
+    large atom length value (Closes: #472635).
+
+ -- Nico Golde <nion at debian.org>  Wed, 26 Mar 2008 13:21:44 +0100
+
 vlc (0.8.6.e-1) unstable; urgency=high
 
   [ Christophe Mutricy ]

Added: unstable/vlc/debian/patches/400-CVE-2008-1489.diff
URL: http://svn.debian.org/wsvn/pkg-multimedia/unstable/vlc/debian/patches/400-CVE-2008-1489.diff?rev=1110&op=file
==============================================================================
--- unstable/vlc/debian/patches/400-CVE-2008-1489.diff (added)
+++ unstable/vlc/debian/patches/400-CVE-2008-1489.diff Sat Mar 29 01:21:29 2008
@@ -1,0 +1,16 @@
+--- vlc-0.8.6e.orig/modules/demux/mp4/libmp4.c (revision 0e90ac58d8d1476cfdd81eb57e2a2a0eca0e5d91)
++++ vlc-0.8.6e/modules/demux/mp4/libmp4.c (revision 09572892df7e72c0d4e598c0b5e076cf330d8b0a)
+@@ -1985,8 +1985,12 @@
+     MP4_GETFOURCC( p_box->data.p_rdrf->i_ref_type );
+     MP4_GET4BYTES( i_len );
++    i_len++;
++
+     if( i_len > 0 )
+     {
+         uint32_t i;
+-        p_box->data.p_rdrf->psz_ref = malloc( i_len  + 1);
++        p_box->data.p_rdrf->psz_ref = malloc( i_len );
++        i_len--;
++
+         for( i = 0; i < i_len; i++ )
+         {
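Review bot: The result of `malloc( i_len )` is still not checked before the `for` loop that follows, so a very large atom length that passes the new `i_len > 0` test can make the loop write through a NULL `psz_ref`. I would add `if( p_box->data.p_rdrf->psz_ref == NULL )` with the function's normal error exit directly after the allocation. The hunk also does not compare `i_len` against the bytes remaining in the box; if no such check exists elsewhere in the function, it is worth adding one. The increment/decrement pair is not self-explanatory and deserves a comment such as `/* i_len + 1 wraps to 0 for 0xffffffff, so increment first and let the > 0 test reject it */`, assuming `i_len` is a 32-bit unsigned value as the `uint32_t i` loop counter suggests. The loop body and the rest of the function are outside the hunk.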

Added: unstable/vlc/debian/patches/401-CVE-2008-0073.diff
URL: http://svn.debian.org/wsvn/pkg-multimedia/unstable/vlc/debian/patches/401-CVE-2008-0073.diff?rev=1110&op=file
==============================================================================
--- unstable/vlc/debian/patches/401-CVE-2008-0073.diff (added)
+++ unstable/vlc/debian/patches/401-CVE-2008-0073.diff Sat Mar 29 01:21:29 2008
@@ -1,0 +1,90 @@
+From: Pavlov Konstantin <thresh at altlinux.ru>
+Date: Wed, 19 Mar 2008 15:31:07 +0000 (+0300)
+Subject: Fix Array Indexing Vulnerability in sdpplin_parse(). (CVE-2008-0073). (closes #1531).
+X-Git-Url: http://git.videolan.org/gitweb.cgi?p=vlc.git;a=commitdiff_plain;h=8c838a6fe5f3bdb4af4f5f73d7ac0206ea92e029
+
+Fix Array Indexing Vulnerability in sdpplin_parse(). (CVE-2008-0073). (closes #1531).
+Thanks to Alin Rad Pop, Secunia Research.
+Ported from libxine.
+---
+
+diff --git a/modules/access/rtsp/real_sdpplin.c b/modules/access/rtsp/real_sdpplin.c
+index fbd1cc6..7cb46eb 100644
+--- a/modules/access/rtsp/real_sdpplin.c
++++ b/modules/access/rtsp/real_sdpplin.c
+@@ -138,9 +138,16 @@ static sdpplin_stream_t *sdpplin_parse_stream(char **data) {
+     handled=0;
+ 
+     if(filter(*data,"a=control:streamid=",&buf, BUFLEN)) {
+-      desc->stream_id=atoi(buf);
+-      handled=1;
+-      *data=nl(*data);
++        /* This way negative values are mapped to unfeasibly high
++         * values, and will be discarded afterward
++         */
++        unsigned long tmp = strtoul(buf, NULL, 10);
++        if ( tmp > UINT16_MAX )
++            lprintf("stream id out of bound: %lu\n", tmp);
++        else
++            desc->stream_id=tmp;
++        handled=1;
++        *data=nl(*data);
+     }
+     if(filter(*data,"a=MaxBitRate:integer;",&buf, BUFLEN)) {
+       desc->max_bit_rate=atoi(buf);
+@@ -254,7 +261,10 @@ sdpplin_t *sdpplin_parse(char *data) {
+         }
+         stream=sdpplin_parse_stream(&data);
+         lprintf("got data for stream id %u\n", stream->stream_id);
+-        desc->stream[stream->stream_id]=stream;
++        if ( stream->stream_id >= desc->stream_count )
++            lprintf("stream id %u is greater than stream count %u\n", stream->stream_id, desc->stream_count);
++        else
++            desc->stream[stream->stream_id]=stream;
+         continue;
+     }
+     if(filter(data,"a=Title:buffer;",&buf, BUFLEN)) {
+@@ -290,10 +300,17 @@ sdpplin_t *sdpplin_parse(char *data) {
+       }
+     }
+     if(filter(data,"a=StreamCount:integer;",&buf, BUFLEN)) {
+-      desc->stream_count=atoi(buf);
+-      desc->stream = malloc(sizeof(sdpplin_stream_t*)*desc->stream_count);
+-      handled=1;
+-      data=nl(data);
++        /* This way negative values are mapped to unfeasibly high
++         * values, and will be discarded afterward
++         */
++        unsigned long tmp = strtoul(buf, NULL, 10);
++        if ( tmp > UINT16_MAX )
++            lprintf("stream count out of bound: %lu\n", tmp);
++        else
++            desc->stream_count = tmp;
++        desc->stream = malloc(sizeof(sdpplin_stream_t*)*desc->stream_count);
++        handled=1;
++        data=nl(data);
+     }
+     if(filter(data,"a=Flags:integer;",&buf, BUFLEN)) {
+       desc->flags=atoi(buf);
+diff --git a/modules/access/rtsp/real_sdpplin.h b/modules/access/rtsp/real_sdpplin.h
+index 6014ee6..10d37b8 100644
+--- a/modules/access/rtsp/real_sdpplin.h
++++ b/modules/access/rtsp/real_sdpplin.h
+@@ -31,7 +31,7 @@ typedef struct {
+   char *id;
+   char *bandwidth;
+ 
+-  int stream_id;
++  uint16_t stream_id;
+   char *range;
+   char *length;
+   char *rtpmap;
+@@ -75,7 +75,7 @@ typedef struct {
+ 
+   int flags;
+   int is_real_data_type;
+-  int stream_count;
++  uint16_t stream_count;
+   char *title;
+   char *author;
+   char *copyright;
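Review bot: In the `a=StreamCount:integer;` hunk of real_sdpplin.c the `malloc` still runs on the out-of-bound branch and its result is never checked. `desc->stream` can therefore be NULL, or sized from a stale `stream_count`, while the new guard in `sdpplin_parse()` only compares `stream_id` against `stream_count`. The array is also left uninitialised, so any slot that no stream section fills holds an indeterminate pointer for code that later walks `stream[0..stream_count-1]` (those consumers are not visible here). I would allocate only on the accepted branch, use `calloc`, and reset the count if the allocation fails, as sketched below; this assumes `desc` is zero-initialised where it is created, which is outside the hunk. Separately, when the `stream_id >= desc->stream_count` branch rejects a stream, the object returned by `sdpplin_parse_stream()` is dropped without being freed.

```c
    if(filter(data,"a=StreamCount:integer;",&buf, BUFLEN)) {
        /* … unchanged: tmp = strtoul(buf, NULL, 10) and the out-of-bound lprintf … */
        else {
            /* calloc: slots that no stream section fills stay NULL */
            desc->stream = calloc(tmp, sizeof(sdpplin_stream_t*));
            /* keep count and allocation consistent if calloc fails */
            desc->stream_count = desc->stream ? tmp : 0;
        }
        /* … unchanged: handled=1; data=nl(data); … */
```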

Modified: unstable/vlc/debian/patches/series
URL: http://svn.debian.org/wsvn/pkg-multimedia/unstable/vlc/debian/patches/series?rev=1110&op=diff
==============================================================================
--- unstable/vlc/debian/patches/series (original)
+++ unstable/vlc/debian/patches/series Sat Mar 29 01:21:29 2008
@@ -6,3 +6,5 @@
 104_notify.diff
 200_osdmenu_paths.diff
 300_manpage_syntax.diff
+400-CVE-2008-1489.diff
+401-CVE-2008-0073.diff



