Date: Thu, 15 Jan 2009 11:16:00 +0300 (MSK)
From: Eygene Ryabinkin <rea-fbsd@codelabs.ru>
To: FreeBSD-gnats-submit@FreeBSD.org
Subject: ports/130573: [patch] [vuxml] multimedia/mplayer: fix and document CVE-2008-3162
Message-ID: <20090115081601.0B18DDA830@void.codelabs.ru>
Resent-Message-ID: <200901150820.n0F8K20f075837@freefall.freebsd.org>
>Number:         130573
>Category:       ports
>Synopsis:       [patch] [vuxml] multimedia/mplayer: fix and document CVE-2008-3162
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Jan 15 08:20:01 UTC 2009
>Closed-Date:
>Last-Modified:
>Originator:     Eygene Ryabinkin
>Release:        FreeBSD 7.1-STABLE amd64
>Organization:   Code Labs
>Environment:
System: FreeBSD void.codelabs.ru 7.1-STABLE FreeBSD 7.1-STABLE #1: Tue Jan 13 18:06:32 MSK 2009 root@void.codelabs.ru:/usr/src/sys/amd64/compile/VOID amd64

>Description:
There is CVE-2008-3162 [1] and the FreeBSD port is still based on the 1.0rc2 sources, which haven't received this fix. The fix is in the Subversion repository for MPlayer, [2].

[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3162
[2] http://svn.mplayerhq.hu/ffmpeg?view=rev&revision=13993

>How-To-Repeat:
Look at the above URLs and at the current MPlayer port sources after 'make patch'.

>Fix:
The following patch fixes the issue. It uses the plain upstream patch. I have verified that the port builds and works for mpeg/avi files. I don't have any STR files at hand, so I am not able to test them, sorry.

--- fix-CVE-2008-3162.diff begins here ---
>From 33b39401242cd68fed36fcf3a88b8d41f42fb4cd Mon Sep 17 00:00:00 2001
From: Eygene Ryabinkin <rea-fbsd@codelabs.ru>
Date: Thu, 15 Jan 2009 11:02:47 +0300

See also: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3162
See also: https://roundup.mplayerhq.hu/roundup/ffmpeg/issue311
See also: http://secunia.com/advisories/30994

Signed-off-by: Eygene Ryabinkin <rea-fbsd@codelabs.ru>
---
 multimedia/mplayer/Makefile                  |    2 +-
 multimedia/mplayer/files/patch-CVE-2008-3162 |   56 ++++++++++++++++++++++++++
 2 files changed, 57 insertions(+), 1 deletions(-)
 create mode 100644 multimedia/mplayer/files/patch-CVE-2008-3162
diff --git a/multimedia/mplayer/Makefile b/multimedia/mplayer/Makefile index 0f79b24..5d153ba 100644 --- a/multimedia/mplayer/Makefile +++ b/multimedia/mplayer/Makefile @@ -7,7 +7,7 @@ PORTNAME= mplayer PORTVERSION= ${MPLAYER_PORT_VERSION} -PORTREVISION= 9 +PORTREVISION= 10 COMMENT= High performance media player supporting many formats diff --git a/multimedia/mplayer/files/patch-CVE-2008-3162 b/multimedia/mplayer/files/patch-CVE-2008-3162 new file mode 100644 index 0000000..bc66a3a --- /dev/null +++ b/multimedia/mplayer/files/patch-CVE-2008-3162 
@@ -0,0 +1,56 @@ +Obtained from upstream: http://svn.mplayerhq.hu/ffmpeg/trunk/libavformat/psxstr.c?view=patch&r1=13993&r2=13992&pathrev=13993 +See also: http://svn.mplayerhq.hu/ffmpeg?diff_format=h&view=rev&revision=13993 +See also: https://roundup.mplayerhq.hu/roundup/ffmpeg/issue311 + +--- libavformat/psxstr.c 2008/06/26 20:50:15 13992 ++++ libavformat/psxstr.c 2008/06/26 22:22:10 13993 +@@ -274,12 +274,23 @@ + int current_sector = AV_RL16(§or[0x1C]); + int sector_count = AV_RL16(§or[0x1E]); + int frame_size = AV_RL32(§or[0x24]); +- int bytes_to_copy; ++ ++ if(!( frame_size>=0 ++ && current_sector < sector_count ++ && sector_count*VIDEO_DATA_CHUNK_SIZE >=frame_size)){ ++ av_log(s, AV_LOG_ERROR, "Invalid parameters %d %d %d\n", current_sector, sector_count, frame_size); ++ return AVERROR_INVALIDDATA; ++ } ++ + // printf("%d %d %d\n",current_sector,sector_count,frame_size); + /* if this is the first sector of the frame, allocate a pkt */ + pkt = &str->tmp_pkt; +- if (current_sector == 0) { +- if (av_new_packet(pkt, frame_size)) ++ ++ if(pkt->size != sector_count*VIDEO_DATA_CHUNK_SIZE){ ++ if(pkt->data) ++ av_log(s, AV_LOG_ERROR, "missmatching sector_count\n"); ++ av_free_packet(pkt); ++ if (av_new_packet(pkt, sector_count*VIDEO_DATA_CHUNK_SIZE)) + return AVERROR(EIO); + + pkt->pos= url_ftell(pb) - RAW_CD_SECTOR_SIZE; +@@ -293,15 +304,15 @@ + str->pts += (90000 / 15); + } + +- /* load all the constituent chunks in the video packet */ +- bytes_to_copy = frame_size - current_sector*VIDEO_DATA_CHUNK_SIZE; +- if (bytes_to_copy>0) { +- if (bytes_to_copy>VIDEO_DATA_CHUNK_SIZE) bytes_to_copy=VIDEO_DATA_CHUNK_SIZE; +- memcpy(pkt->data + current_sector*VIDEO_DATA_CHUNK_SIZE, +- sector + VIDEO_DATA_HEADER_SIZE, bytes_to_copy); +- } ++ memcpy(pkt->data + current_sector*VIDEO_DATA_CHUNK_SIZE, ++ sector + VIDEO_DATA_HEADER_SIZE, ++ VIDEO_DATA_CHUNK_SIZE); ++ + if (current_sector == sector_count-1) { ++ pkt->size= frame_size; + *ret_pkt = *pkt; ++ pkt->data= NULL; ++ pkt->size= 
-1; + return 0; + } + -- 1.6.0.6 --- fix-CVE-2008-3162.diff ends here ---

The following VuXML entry should be evaluated and added:

--- vuln.xml begins here ---
  <vuln vid="f4ac906b-e2d8-11dd-8bb6-0022156e8794">
    <topic>mplayer -- vulnerability in STR files processor</topic>
    <affects>
      <package>
        <name>mplayer</name>
        <range><lt>0.99.11_10</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>Secunia reports:</p>
        <blockquote cite="http://secunia.com/advisories/30994">
          <p>A vulnerability has been reported in FFmpeg, which potentially
          can be exploited by malicious people to compromise a user's
          system.</p>
          <p>The vulnerability is caused due to a boundary error within the
          "str_read_packet()" function in libavformat/psxstr.c. This can be
          exploited to cause a heap-based buffer overflow via a specially
          crafted STR file.</p>
        </blockquote>
      </body>
    </description>
    <references>
      <cvename>CVE-2008-3162</cvename>
      <bid>30157</bid>
      <url>http://secunia.com/advisories/30994</url>
    </references>
    <dates>
      <discovery>2008-07-14</discovery>
      <entry>TODAY</entry>
    </dates>
  </vuln>
--- vuln.xml ends here ---

>Release-Note:
>Audit-Trail:
>Unformatted:
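Review bot: the PORTREVISION bump from 9 to 10 in the Makefile hunk has to line up with the VuXML range <lt>0.99.11_10</lt>, but the hunk context only shows PORTVERSION= ${MPLAYER_PORT_VERSION}, so confirm that MPLAYER_PORT_VERSION expands to 0.99.11 before the entry is committed; if it does not, the range will not cover the vulnerable package and the entry needs the real version string.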
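Review bot: the reallocation branch in the first psxstr.c hunk (@@ -274,12 +274,23 @@) calls av_free_packet(pkt) whenever pkt->size != sector_count*VIDEO_DATA_CHUNK_SIZE, which includes the very first sector after open, so it is only safe if str->tmp_pkt is initialised (data NULL, size not matching any sector_count product) before str_read_packet() ever runs; that initialisation is outside this hunk and should be checked in the port's patched source rather than assumed. The validation itself covers what the later copy needs: current_sector and sector_count come from AV_RL16 and are at most 65535, frame_size>=0 rejects a negative AV_RL32 value, and current_sector < sector_count keeps the copy offset below the new packet size; a one-line comment stating that intent would save the next reader the derivation. Also fix the log text "missmatching sector_count" to "mismatching sector_count".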
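Review bot: the memcpy in the second psxstr.c hunk (@@ -293,15 +304,15 @@) now copies a full VIDEO_DATA_CHUNK_SIZE unconditionally and drops the bytes_to_copy clamp, which is only correct because the packet was sized to sector_count*VIDEO_DATA_CHUNK_SIZE and current_sector < sector_count was enforced in the hunk above; the declared length is applied afterwards with pkt->size= frame_size. Since only the last sector's frame_size is used there and earlier sectors' values are range-checked but never compared to it, a frame whose sectors disagree on frame_size is accepted silently; that is memory-safe but deserves a comment. The pkt->data= NULL / pkt->size= -1 reset after *ret_pkt = *pkt is what stops av_free_packet() on tmp_pkt from freeing the buffer the caller now owns, so those two lines must stay next to the hand-off.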
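The Secunia text quoted in the VuXML entry describes the bug only as a "boundary error" in str_read_packet(); the C program below, an added example that is not part of this PR and not code from FFmpeg or MPlayer, models the STR sector reassembly before and after the r13993 change so the overflow and the fix can be seen side by side. The header offsets (0x1C, 0x1E, 0x24) and the three-way validation are taken from the patch; the values of VIDEO_DATA_HEADER_SIZE (0x38) and VIDEO_DATA_CHUNK_SIZE (0x7E0) are assumptions, as are every helper name (parse_hdr, old_logic_unsafe, new_logic_feed, crafted_pair) and the constructed two-sector input. The pre-fix path is modelled arithmetically rather than actually performing the out-of-bounds write.

```c
/* Added example, not code from the PR or from FFmpeg/MPlayer: a model of the
 * STR sector reassembly in str_read_packet() before and after r13993. Header
 * offsets and the validation are the patch's; size constants and names are assumed. */
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define VIDEO_DATA_HEADER_SIZE 0x38   /* assumed, not given on the page */
#define VIDEO_DATA_CHUNK_SIZE  0x7E0  /* assumed, not given on the page */
#define SECTOR_SIZE (VIDEO_DATA_HEADER_SIZE + VIDEO_DATA_CHUNK_SIZE)

struct str_hdr { int current_sector, sector_count, frame_size; };
struct reasm { uint8_t *data; long size; };   /* stands in for str->tmp_pkt */

/* Little-endian readers standing in for AV_RL16 / AV_RL32. */
static int rl16(const uint8_t *p) { return p[0] | p[1] << 8; }
static int rl32(const uint8_t *p) {
    return (int)((uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24);
}

/* The three fields the patch reads, at the offsets it reads them from. */
static struct str_hdr parse_hdr(const uint8_t *s) {
    struct str_hdr h = { rl16(&s[0x1C]), rl16(&s[0x1E]), rl32(&s[0x24]) };
    return h;
}

/* Constructed input: header fields as given, payload filled with 'fill'. */
static void make_sector(uint8_t *s, int cur, int count, uint32_t fsize, uint8_t fill) {
    memset(s, fill, SECTOR_SIZE);
    s[0x1C] = cur & 0xff;   s[0x1D] = (cur >> 8) & 0xff;
    s[0x1E] = count & 0xff; s[0x1F] = (count >> 8) & 0xff;
    for (int i = 0; i < 4; i++) s[0x24 + i] = (fsize >> (8 * i)) & 0xff;
}

/* Pre-fix logic, modelled without doing the write: the packet is sized from the
 * frame_size of the sector with current_sector == 0, but every later sector's own
 * frame_size decides how far memcpy writes. True if some write would end past that
 * packet, or would hit a packet that was never allocated. */
static bool old_logic_unsafe(const uint8_t *sectors, int n) {
    long alloc = -1;                                        /* -1: no packet yet */
    for (int i = 0; i < n; i++) {
        struct str_hdr h = parse_hdr(sectors + (size_t)i * SECTOR_SIZE);
        long off = (long)h.current_sector * VIDEO_DATA_CHUNK_SIZE;
        if (h.current_sector == 0) alloc = h.frame_size;   /* av_new_packet(pkt, frame_size) */
        long bytes = h.frame_size - off;                    /* bytes_to_copy, then clamped */
        if (bytes > VIDEO_DATA_CHUNK_SIZE) bytes = VIDEO_DATA_CHUNK_SIZE;
        if (bytes > 0 && (alloc < 0 || off + bytes > alloc)) return true;
    }
    return false;
}

/* Post-fix logic: reject inconsistent headers, size the packet by sector_count so
 * each full-chunk copy is in bounds, trim to frame_size only on the last sector.
 * Returns -1 (invalid data), 0 (more sectors needed) or the frame length, in which
 * case *out takes the buffer and the caller owns it. */
static long new_logic_feed(struct reasm *r, const uint8_t *s, uint8_t **out) {
    struct str_hdr h = parse_hdr(s);
    long need = (long)h.sector_count * VIDEO_DATA_CHUNK_SIZE;
    if (!(h.frame_size >= 0 && h.current_sector < h.sector_count && need >= h.frame_size))
        return -1;                                          /* AVERROR_INVALIDDATA */
    if (r->size != need) {              /* first sector, or sector_count changed mid-frame */
        free(r->data);
        if (!(r->data = malloc((size_t)need))) return -1;
        r->size = need;
    }
    memcpy(r->data + (long)h.current_sector * VIDEO_DATA_CHUNK_SIZE,
           s + VIDEO_DATA_HEADER_SIZE, VIDEO_DATA_CHUNK_SIZE);
    if (h.current_sector != h.sector_count - 1) return 0;
    *out = r->data;                     /* hand off, then poison tmp_pkt as the patch does */
    r->data = NULL; r->size = -1;
    return h.frame_size;
}

/* Crafted pair: sector 0 declares a one-chunk frame, sector 1 then claims two. */
static void crafted_pair(uint8_t *s) {
    make_sector(s, 0, 2, VIDEO_DATA_CHUNK_SIZE, 0xAA);
    make_sector(s + SECTOR_SIZE, 1, 2, 2 * VIDEO_DATA_CHUNK_SIZE, 0xBB);
}

static bool crafted_overflows_old(void) {
    uint8_t s[2 * SECTOR_SIZE];
    crafted_pair(s);
    return old_logic_unsafe(s, 2);
}

/* Same input through the fixed path: frame length if both chunks landed, else -2. */
static long crafted_result_new(void) {
    uint8_t s[2 * SECTOR_SIZE], *frame = NULL;
    struct reasm r = { NULL, -1 };
    crafted_pair(s);
    if (new_logic_feed(&r, s, &frame) != 0) return -2;
    long rc = new_logic_feed(&r, s + SECTOR_SIZE, &frame);
    bool ok = frame && frame[0] == 0xAA && frame[VIDEO_DATA_CHUNK_SIZE] == 0xBB;
    free(frame);
    return ok ? rc : -2;
}

/* A sector index at or beyond sector_count is refused before anything is written. */
static long out_of_range_rejected(void) {
    uint8_t s[SECTOR_SIZE], *frame = NULL;
    struct reasm r = { NULL, -1 };
    make_sector(s, 3, 2, VIDEO_DATA_CHUNK_SIZE, 0);
    long rc = new_logic_feed(&r, s, &frame);
    free(r.data);
    return rc;
}
```

With the assumed constants, the crafted pair makes the old logic write 2016 bytes past a 2016-byte packet (old_logic_unsafe returns true), while the fixed path sizes the packet from sector_count, keeps both copies in bounds and returns a 4032-byte frame; a sector whose index is not below its sector_count is rejected before any allocation. Build with cc -std=c99 -Wall and call the three functions from a main of your own.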