Date: Fri, 5 Dec 2008 23:38:34 +0300 (MSK)
From: Eygene Ryabinkin <rea-fbsd@codelabs.ru>
To: FreeBSD-gnats-submit@FreeBSD.org
Subject: ports/129442: [patch] [vuxml] multimedia/vlc-devel: fix CVE-2008-5276
Message-ID: <20081205203834.EC762B801D@phoenix.codelabs.ru>
Resent-Message-ID: <200812052040.mB5Ke0Ts056923@freefall.freebsd.org>
>Number:         129442
>Category:       ports
>Synopsis:       [patch] [vuxml] multimedia/vlc-devel: fix CVE-2008-5276
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Dec 05 20:40:00 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator:     Eygene Ryabinkin
>Release:        FreeBSD 7.1-PRERELEASE amd64
>Organization:
Code Labs
>Environment:
System: FreeBSD 7.1-PRERELEASE amd64
>Description:
A new remotely exploitable flaw was found in the RealMedia demuxer:
-----
Integer overflow in the ReadRealIndex function in real.c in the Real demuxer plugin in VideoLAN VLC media player 0.9.0 through 0.9.7 allows remote attackers to execute arbitrary code via a malformed RealMedia (.rm) file that triggers a heap-based buffer overflow.
-----
>How-To-Repeat:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5276
http://www.trapkit.de/advisories/TKADV2008-013.txt
http://www.videolan.org/security/sa0811.html
>Fix:
The following patch adds the upstream fix. In principle, there is 0.9.8a that has this fix along with some new code. But I am not able to test it locally, so I am just patching 0.9.6.

--- fix-CVE-2008-5276.diff begins here ---
>From 73f8890ffdbdce3b844ce5af45dde304baf780c6 Mon Sep 17 00:00:00 2001
From: Eygene Ryabinkin <rea-fbsd@codelabs.ru>
Date: Fri, 5 Dec 2008 23:33:16 +0300
Signed-off-by: Eygene Ryabinkin <rea-fbsd@codelabs.ru>

---
 multimedia/vlc-devel/Makefile                  |    1 +
 multimedia/vlc-devel/files/patch-CVE-2008-5276 |   77 ++++++++++++++++++++++++
 2 files changed, 78 insertions(+), 0 deletions(-)
 create mode 100644 multimedia/vlc-devel/files/patch-CVE-2008-5276

diff --git a/multimedia/vlc-devel/Makefile b/multimedia/vlc-devel/Makefile
index e6ed311..61a08b6 100644
--- a/multimedia/vlc-devel/Makefile
+++ b/multimedia/vlc-devel/Makefile
@@ -11,6 +11,7 @@ PORTNAME= vlc DISTVERSION= 0.9.6 PORTEPOCH= 3 +PORTREVISION= 1 CATEGORIES= multimedia audio ipv6 net www MASTER_SITES= http://download.videolan.org/pub/videolan/${PORTNAME}/${DISTVERSION}/ \ http://ftp.snt.utwente.nl/pub/software/videolan/${PORTNAME}/${DISTVERSION}/ \ diff --git a/multimedia/vlc-devel/files/patch-CVE-2008-5276 b/multimedia/vlc-devel/files/patch-CVE-2008-5276 new file mode 100644 index 0000000..929b4d9 --- /dev/null +++ b/multimedia/vlc-devel/files/patch-CVE-2008-5276 
@@ -0,0 +1,77 @@ +Patch for CVE-2008-5276 +Combined patch from + http://git.videolan.org/?p=vlc.git;a=commitdiff;h=d19de4e9f2211cbe5bde00726b66c47a424f4e07#patch1 + http://git.videolan.org/?p=vlc.git;a=commitdiff;h=4bc422b0de26c38e70b87f63ee3391d6b6322ac5#patch1 + http://git.videolan.org/?p=vlc.git;a=commitdiff;h=a684d0267892b3cafed7cbf2ae8175a806bb547d#patch1 +index 7574739..ddfb64d 100644 (file) +--- modules/demux/real.c ++++ modules/demux/real.c +@@ -932,16 +932,13 @@ static void ReadRealIndex( demux_t *p_demux ) + msg_Dbg( p_demux, "Real Index: Does next index exist? %d ", + GetDWBE( &buffer[16] ) ); + +- p_sys->p_index = +- (rm_index_t *)malloc( sizeof( rm_index_t ) * (i_index_count+1) ); ++ p_sys->p_index = calloc( i_index_count + 1, sizeof( rm_index_t ) ); + if( p_sys->p_index == NULL ) + { + msg_Err( p_demux, "Memory allocation error" ); + return; + } + +- memset( p_sys->p_index, 0, sizeof(rm_index_t) * (i_index_count+1) ); +- + for( i=0; i<i_index_count; i++ ) + { + if( stream_Read( p_demux->s, buffer, 14 ) < 14 ) +index ddfb64d..cfadef2 100644 (file) +--- modules/demux/real.c ++++ modules/demux/real.c +@@ -925,14 +925,14 @@ static void ReadRealIndex( demux_t *p_demux ) + + msg_Dbg( p_demux, "Real Index : num : %d ", i_index_count ); + +- if( i_index_count == 0 ) ++ if( i_index_count > ( 0xffffffff / sizeof( rm_index_t ) ) ) + return; + + if( GetDWBE( &buffer[16] ) > 0 ) + msg_Dbg( p_demux, "Real Index: Does next index exist? 
%d ", + GetDWBE( &buffer[16] ) ); + +- p_sys->p_index = calloc( i_index_count + 1, sizeof( rm_index_t ) ); ++ p_sys->p_index = malloc( ( i_index_count + 1 ) * sizeof( rm_index_t ) ); + if( p_sys->p_index == NULL ) + { + msg_Err( p_demux, "Memory allocation error" ); +@@ -954,12 +954,13 @@ static void ReadRealIndex( demux_t *p_demux ) + p_sys->p_index[i].time_offset = GetDWBE( &buffer[2] ); + p_sys->p_index[i].file_offset = GetDWBE( &buffer[6] ); + p_sys->p_index[i].frame_index = GetDWBE( &buffer[10] ); +- msg_Dbg( p_demux, "Real Index: time %d file %d frame %d ", +- p_sys->p_index[i].time_offset, +- p_sys->p_index[i].file_offset, +- p_sys->p_index[i].frame_index ); +- ++ msg_Dbg( p_demux, ++ "Real Index: time %"PRIu32" file %"PRIu32" frame %"PRIu32, ++ p_sys->p_index[i].time_offset, ++ p_sys->p_index[i].file_offset, ++ p_sys->p_index[i].frame_index ); + } ++ memset( p_sys->p_index + i_index_count, 0, sizeof( rm_index_t ) ); + } + + /***************************************************************************** +index cfadef2..84dde9b 100644 (file) +--- modules/demux/real.c ++++ modules/demux/real.c +@@ -925,7 +925,7 @@ static void ReadRealIndex( demux_t *p_demux ) + + msg_Dbg( p_demux, "Real Index : num : %d ", i_index_count ); + +- if( i_index_count > ( 0xffffffff / sizeof( rm_index_t ) ) ) ++ if( i_index_count >= ( 0xffffffff / sizeof( rm_index_t ) ) ) + return; + + if( GetDWBE( &buffer[16] ) > 0 ) -- 1.6.0.4 --- fix-CVE-2008-5276.diff ends here --- The following VuXML entry should be evaluated and added: --- vuln.xml begins here --- <vuln vid="93e87ccd-c30a-11dd-a16b-001fc66e7203"> <topic>vlc-devel -- arbitrary code execution in the RealMedia processor</topic> <affects> <package> <name>vlc-devel</name> <range><lt>0.9.6_1,3</lt></range> </package> </affects> <description> <body xmlns="http://www.w3.org/1999/xhtml"> <p>Tobias Klein from TrapKit reports:</p> <blockquote cite="http://www.trapkit.de/advisories/TKADV2008-013.txt"> <p>The VLC media player contains an 
integer overflow vulnerability while parsing malformed RealMedia (.rm) files. The vulnerability leads to a heap overflow that can be exploited by a (remote) attacker to execute arbitrary code in the context of VLC media player.</p>
        </blockquote>
      </body>
    </description>
    <references>
      <cvename>CVE-2008-5276</cvename>
      <bid>32545</bid>
      <url>http://www.trapkit.de/advisories/TKADV2008-013.txt</url>
      <url>http://www.videolan.org/security/sa0811.html</url>
    </references>
    <dates>
      <discovery>28-11-2008</discovery>
      <entry>TODAY</entry>
    </dates>
  </vuln>
--- vuln.xml ends here ---
>Release-Note:
>Audit-Trail:
>Unformatted:
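Review bot: the PORTREVISION= 1 bump in the Makefile hunk is what the VuXML range `<lt>0.9.6_1,3</lt>` keys on (0.9.6, revision 1, epoch 3), so the two are consistent; if the port is re-rolled before commit, keep them in step. While evaluating that VuXML entry, the committer also has to replace the `TODAY` placeholder in `<entry>` and write `<discovery>` in VuXML's YYYY-MM-DD form (2008-11-28 rather than 28-11-2008).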
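Review bot: the three `--- modules/demux/real.c` sections in patch-CVE-2008-5276 are successive upstream commits, so the first section's switch to calloc() is undone again by the second section's return to malloc(), and patch(1) has to re-locate the same ReadRealIndex() region three times, with the gitweb `(file)` suffixes on the `index` lines carried along as ignored garbage. Collapsing the three into one net diff against 0.9.6 (the bound check, the malloc() of i_index_count + 1 entries, the PRIu32 message and the sentinel memset()) would be easier to audit and less fragile against fuzz offsets.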
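Review bot: in the second real.c section, the new `if( i_index_count > ( 0xffffffff / sizeof( rm_index_t ) ) )` check still admits the boundary value i_index_count == 0xffffffff / sizeof( rm_index_t ), for which ( i_index_count + 1 ) * sizeof( rm_index_t ) exceeds 0xffffffff; that is exactly what the third section's `>=` corrects, so this section must never be committed without it. Two smaller points in the same section: dropping `if( i_index_count == 0 ) return;` now allocates a single zeroed sentinel entry for an empty index, which is fine as long as the readers of p_sys->p_index treat an all-zero entry as the terminator; and the `PRIu32` format specifiers need <inttypes.h>, which this patch does not add, so a build of the port (or a check that real.c already pulls it in through the VLC headers) is needed before commit.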
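Review bot: the `>=` in the third real.c section is the right comparison: for i_index_count equal to the quotient, ( i_index_count + 1 ) * sizeof( rm_index_t ) would exceed 0xffffffff and, on i386 where size_t is 32 bits, wrap to a small allocation that the fill loop then overruns. The bound is taken against 0xffffffff rather than SIZE_MAX, so on amd64 (the Release field) it is stricter than the allocator needs, which is harmless and keeps the check correct on 32-bit targets too.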
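Added here as an illustration (not code from the PR or from VLC): a C model of the allocation-size bound the three real.c sections converge on. It assumes an rm_index_t of the three uint32_t fields ReadRealIndex() fills (VLC's actual struct may be larger) and computes the entry-array size as a 32-bit size_t would, to show why `>` lets the boundary count through while `>=` rejects it.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumed layout: the three fields ReadRealIndex() fills per entry.
 * VLC's real rm_index_t may be larger; everything below adapts to sizeof. */
typedef struct {
    uint32_t time_offset;
    uint32_t file_offset;
    uint32_t frame_index;
} rm_index_t;

/* The quotient both upstream bound checks compare i_index_count against. */
#define INDEX_LIMIT ((uint32_t)(0xffffffffu / sizeof(rm_index_t)))

/* True when (count + 1) * sizeof(rm_index_t) does not fit a 32-bit size_t
 * (i386): the allocation would wrap while the fill loop still runs count times. */
static bool index_bytes_wrap(uint32_t count)
{
    uint64_t exact = ((uint64_t)count + 1u) * sizeof(rm_index_t);
    return exact > 0xffffffffu;
}

/* Bound check from the second upstream commit: rejects only count > limit. */
static bool accept_gt(uint32_t count) { return !(count > INDEX_LIMIT); }

/* Bound check from the third upstream commit: also rejects count == limit. */
static bool accept_ge(uint32_t count) { return !(count >= INDEX_LIMIT); }

/* Hardened allocation: '>=' bound, then count + 1 zeroed entries so the last
 * one is the all-zero sentinel the patch memset()s explicitly. */
static rm_index_t *alloc_index(uint32_t count)
{
    if (!accept_ge(count))
        return NULL;
    return calloc((size_t)count + 1u, sizeof(rm_index_t));
}

int main(void)
{
    uint32_t c = INDEX_LIMIT;
    printf("count %" PRIu32 ": '>' accepts=%d, '>=' accepts=%d, 32-bit size wraps=%d\n",
           c, accept_gt(c), accept_ge(c), index_bytes_wrap(c));
    free(alloc_index(0));
    return 0;
}
```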