From owner-freebsd-ports-bugs@FreeBSD.ORG Thu Jan 15 08:20:03 2009
Delivered-To: freebsd-ports-bugs@hub.freebsd.org
Resent-Date: Thu, 15 Jan 2009 08:20:02 GMT
Resent-Message-Id: <200901150820.n0F8K20f075837@freefall.freebsd.org>
Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer)
Resent-To: freebsd-ports-bugs@FreeBSD.org
Resent-Cc: riggs@rrr.de
Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org, Eygene Ryabinkin
Message-Id: <20090115081601.0B18DDA830@void.codelabs.ru>
Date: Thu, 15 Jan 2009 11:16:00 +0300 (MSK)
From: Eygene Ryabinkin
To: FreeBSD-gnats-submit@FreeBSD.org
X-Send-Pr-Version: 3.113
X-GNATS-Notify: riggs@rrr.de
Cc:
Subject: ports/130573: [patch] [vuxml] multimedia/mplayer: fix and document CVE-2008-3162
Reply-To: Eygene Ryabinkin
List-Id: Ports bug reports

>Number:         130573
>Category:       ports
>Synopsis:       [patch] [vuxml] multimedia/mplayer: fix and document CVE-2008-3162
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Jan 15 08:20:01 UTC 2009
>Closed-Date:
>Last-Modified:
>Originator:     Eygene Ryabinkin
>Release:        FreeBSD 7.1-STABLE amd64
>Organization:   Code Labs
>Environment:
System: FreeBSD void.codelabs.ru 7.1-STABLE FreeBSD 7.1-STABLE #1: Tue Jan 13 18:06:32 MSK 2009 root@void.codelabs.ru:/usr/src/sys/amd64/compile/VOID amd64
>Description:
There is CVE-2008-3162 [1], and the FreeBSD port is still based on the 1.0rc2 sources, which haven't received this fix. The fix is in the Subversion repository for MPlayer, [2].

[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3162
[2] http://svn.mplayerhq.hu/ffmpeg?view=rev&revision=13993
>How-To-Repeat:
Look at the above URLs and at the current MPlayer port sources after 'make patch'.
>Fix:
The following patch fixes the issue. It uses the plain upstream patch. I have verified that the port builds and works for mpeg/avi files. I don't have any STR files at hand, so I am not able to test them, sorry.

--- fix-CVE-2008-3162.diff begins here ---
>From 33b39401242cd68fed36fcf3a88b8d41f42fb4cd Mon Sep 17 00:00:00 2001
From: Eygene Ryabinkin Date: Thu, 15 Jan 2009 11:02:47 +0300 See also: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3162 See also: https://roundup.mplayerhq.hu/roundup/ffmpeg/issue311 See also: http://secunia.com/advisories/30994 Signed-off-by: Eygene Ryabinkin --- multimedia/mplayer/Makefile | 2 +- multimedia/mplayer/files/patch-CVE-2008-3162 | 56 ++++++++++++++++++++++++++ 2 files changed, 57 insertions(+), 1 deletions(-) create mode 100644 multimedia/mplayer/files/patch-CVE-2008-3162 diff --git a/multimedia/mplayer/Makefile b/multimedia/mplayer/Makefile index 0f79b24..5d153ba 100644 --- a/multimedia/mplayer/Makefile +++ b/multimedia/mplayer/Makefile @@ -7,7 +7,7 @@ PORTNAME= mplayer PORTVERSION= ${MPLAYER_PORT_VERSION} -PORTREVISION= 9 +PORTREVISION= 10 COMMENT= High performance media player supporting many formats diff --git a/multimedia/mplayer/files/patch-CVE-2008-3162 b/multimedia/mplayer/files/patch-CVE-2008-3162 new file mode 100644 index 0000000..bc66a3a --- /dev/null +++ b/multimedia/mplayer/files/patch-CVE-2008-3162 
@@ -0,0 +1,56 @@ +Obtained from upstream: http://svn.mplayerhq.hu/ffmpeg/trunk/libavformat/psxstr.c?view=patch&r1=13993&r2=13992&pathrev=13993 +See also: http://svn.mplayerhq.hu/ffmpeg?diff_format=h&view=rev&revision=13993 +See also: https://roundup.mplayerhq.hu/roundup/ffmpeg/issue311 + +--- libavformat/psxstr.c 2008/06/26 20:50:15 13992 ++++ libavformat/psxstr.c 2008/06/26 22:22:10 13993 +@@ -274,12 +274,23 @@ + int current_sector = AV_RL16(§or[0x1C]); + int sector_count = AV_RL16(§or[0x1E]); + int frame_size = AV_RL32(§or[0x24]); +- int bytes_to_copy; ++ ++ if(!( frame_size>=0 ++ && current_sector < sector_count ++ && sector_count*VIDEO_DATA_CHUNK_SIZE >=frame_size)){ ++ av_log(s, AV_LOG_ERROR, "Invalid parameters %d %d %d\n", current_sector, sector_count, frame_size); ++ return AVERROR_INVALIDDATA; ++ } ++ + // printf("%d %d %d\n",current_sector,sector_count,frame_size); + /* if this is the first sector of the frame, allocate a pkt */ + pkt = &str->tmp_pkt; +- if (current_sector == 0) { +- if (av_new_packet(pkt, frame_size)) ++ ++ if(pkt->size != sector_count*VIDEO_DATA_CHUNK_SIZE){ ++ if(pkt->data) ++ av_log(s, AV_LOG_ERROR, "missmatching sector_count\n"); ++ av_free_packet(pkt); ++ if (av_new_packet(pkt, sector_count*VIDEO_DATA_CHUNK_SIZE)) + return AVERROR(EIO); + + pkt->pos= url_ftell(pb) - RAW_CD_SECTOR_SIZE; +@@ -293,15 +304,15 @@ + str->pts += (90000 / 15); + } + +- /* load all the constituent chunks in the video packet */ +- bytes_to_copy = frame_size - current_sector*VIDEO_DATA_CHUNK_SIZE; +- if (bytes_to_copy>0) { +- if (bytes_to_copy>VIDEO_DATA_CHUNK_SIZE) bytes_to_copy=VIDEO_DATA_CHUNK_SIZE; +- memcpy(pkt->data + current_sector*VIDEO_DATA_CHUNK_SIZE, +- sector + VIDEO_DATA_HEADER_SIZE, bytes_to_copy); +- } ++ memcpy(pkt->data + current_sector*VIDEO_DATA_CHUNK_SIZE, ++ sector + VIDEO_DATA_HEADER_SIZE, ++ VIDEO_DATA_CHUNK_SIZE); ++ + if (current_sector == sector_count-1) { ++ pkt->size= frame_size; + *ret_pkt = *pkt; ++ pkt->data= NULL; ++ pkt->size= 
-1; + return 0; + } + -- 1.6.0.6 --- fix-CVE-2008-3162.diff ends here --- The following VuXML entry should be evaluated and added: --- vuln.xml begins here --- mplayer -- vulnerability in STR files processor mplayer 0.99.11_10
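
Review bot: in the @@ -274,12 +274,23 @@ hunk the comment `/* if this is the first sector of the frame, allocate a pkt */` is now stale: the packet is (re)allocated whenever `pkt->size != sector_count*VIDEO_DATA_CHUNK_SIZE`, not when `current_sector == 0`, so reword it to say that a size mismatch starts a new frame. Two smaller points on the same lines: "missmatching" in the av_log string should be "mismatching", and when the mismatch fires mid-frame the partially assembled packet is discarded and replaced by a fresh buffer sized from the new sector_count, so any chunk whose sector never arrives keeps whatever av_new_packet left in it unless that function zero-fills; if the decoder must not see that, memset the new buffer or drop the frame. The validation itself is sound: both AV_RL16 fields are non-negative, so `current_sector < sector_count` also forces `sector_count >= 1`, and `sector_count*VIDEO_DATA_CHUNK_SIZE >= frame_size` cannot overflow int as long as VIDEO_DATA_CHUNK_SIZE stays below 32768.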
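
Review bot: the @@ -293,15 +304,15 @@ hunk depends on state from the previous hunk and that coupling deserves a comment next to the two lines: `pkt->size= -1` after the hand-off is what makes the next call's `pkt->size != sector_count*VIDEO_DATA_CHUNK_SIZE` test fire and allocate a fresh buffer, and `pkt->data= NULL` is what keeps that call's av_free_packet from freeing the packet just returned to the caller; nothing else resets str->tmp_pkt. The unconditional `memcpy(..., VIDEO_DATA_CHUNK_SIZE)` is in bounds only because the earlier check guarantees `current_sector < sector_count` and the buffer holds `sector_count*VIDEO_DATA_CHUNK_SIZE` bytes; the returned packet carries `pkt->size= frame_size`, which that check bounds by the allocation, and frame_size is now taken from the last sector instead of the first, which is the real fix for the old `bytes_to_copy` arithmetic that trusted each sector's own frame_size against a buffer sized by sector 0. One caveat: the copy now reads a full VIDEO_DATA_CHUNK_SIZE from `sector + VIDEO_DATA_HEADER_SIZE` regardless of frame_size, so the sector buffer must be at least VIDEO_DATA_HEADER_SIZE + VIDEO_DATA_CHUNK_SIZE bytes (the old clamp to VIDEO_DATA_CHUNK_SIZE had the same requirement).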

Secunia reports:

A vulnerability has been reported in FFmpeg, which potentially can be exploited by malicious people to compromise a user's system.

The vulnerability is caused by a boundary error within the "str_read_packet()" function in libavformat/psxstr.c. This can be exploited to cause a heap-based buffer overflow via a specially crafted STR file.

References: CVE-2008-3162; BID 30157; http://secunia.com/advisories/30994
Discovery date: 2008-07-14; entry date: TODAY
--- vuln.xml ends here ---

>Release-Note:
>Audit-Trail:
>Unformatted:
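To make the boundary error and the effect of the r13993 patch concrete, here is an added example in C that is not code from this PR, from MPlayer or from FFmpeg: it models the video-sector reassembly of str_read_packet() with the pre-fix bounds arithmetic beside the checks the patch introduces, and feeds both paths constructed sector headers (not real disc data). The field offsets 0x1C, 0x1E and 0x24 come from the patch; the values of RAW_CD_SECTOR_SIZE, VIDEO_DATA_HEADER_SIZE and VIDEO_DATA_CHUNK_SIZE, the return codes and every function name are assumptions made for the example. The pre-fix path never performs the out-of-bounds write: it reports that the memcpy would leave the buffer.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed values for the psxstr.c constants; the page does not show them. */
#define RAW_CD_SECTOR_SIZE     2352
#define VIDEO_DATA_HEADER_SIZE 56
#define VIDEO_DATA_CHUNK_SIZE  2016

/* Stand-ins for the FFmpeg return codes. */
enum { STR_FRAME_COMPLETE = 0, STR_FRAME_PENDING = 1, STR_ERR_INVALID = -1,
       STR_ERR_OVERFLOW = -2 /* the memcpy would leave the buffer */, STR_ERR_NOMEM = -3 };

typedef struct { uint8_t *data; int size; } Packet;  /* models str->tmp_pkt */

static int rl16(const uint8_t *p) { return p[0] | (p[1] << 8); }
static int rl32(const uint8_t *p) { return (int)(rl16(p) | ((uint32_t)rl16(p + 2) << 16)); }

/* av_new_packet stand-in: drop any previous buffer, allocate size bytes. */
static int packet_alloc(Packet *pkt, int size) {
    free(pkt->data);
    pkt->data = size < 0 ? NULL : calloc((size_t)size + 1, 1);
    pkt->size = pkt->data ? size : -1;
    return pkt->data ? 0 : STR_ERR_NOMEM;
}

/* Pre-fix logic: sector 0's frame_size sizes the buffer, but every later sector's
 * own frame_size and current_sector drive the copy.  The offending memcpy is
 * simulated: an out-of-bounds write is reported instead of performed. */
static int str_feed_unpatched(Packet *pkt, const uint8_t *sector) {
    int current_sector = rl16(&sector[0x1C]), sector_count = rl16(&sector[0x1E]);
    int frame_size = rl32(&sector[0x24]);
    long long offset = (long long)current_sector * VIDEO_DATA_CHUNK_SIZE;
    long long bytes_to_copy = frame_size - offset;

    if (current_sector == 0 && packet_alloc(pkt, frame_size))
        return STR_ERR_NOMEM;
    if (bytes_to_copy > 0) {
        if (bytes_to_copy > VIDEO_DATA_CHUNK_SIZE) bytes_to_copy = VIDEO_DATA_CHUNK_SIZE;
        if (offset + bytes_to_copy > pkt->size)   /* CVE-2008-3162: unchecked in the original */
            return STR_ERR_OVERFLOW;
        memcpy(pkt->data + offset, sector + VIDEO_DATA_HEADER_SIZE, (size_t)bytes_to_copy);
    }
    return current_sector == sector_count - 1 ? STR_FRAME_COMPLETE : STR_FRAME_PENDING;
}

/* Logic after r13993: validate the header, size the buffer from sector_count,
 * copy whole chunks, and trust frame_size only when the frame is handed off. */
static int str_feed_patched(Packet *pkt, const uint8_t *sector, Packet *out) {
    int current_sector = rl16(&sector[0x1C]), sector_count = rl16(&sector[0x1E]);
    int frame_size = rl32(&sector[0x24]);

    if (!(frame_size >= 0 && current_sector < sector_count &&
          sector_count * VIDEO_DATA_CHUNK_SIZE >= frame_size))
        return STR_ERR_INVALID;
    /* a size mismatch is a new frame or a corrupt stream: start over */
    if (pkt->size != sector_count * VIDEO_DATA_CHUNK_SIZE &&
        packet_alloc(pkt, sector_count * VIDEO_DATA_CHUNK_SIZE))
        return STR_ERR_NOMEM;
    /* in bounds by construction: current_sector < sector_count */
    memcpy(pkt->data + current_sector * VIDEO_DATA_CHUNK_SIZE,
           sector + VIDEO_DATA_HEADER_SIZE, VIDEO_DATA_CHUNK_SIZE);
    if (current_sector == sector_count - 1) {
        pkt->size = frame_size;   /* payload length the caller sees */
        *out = *pkt;              /* ownership moves to the caller */
        pkt->data = NULL;
        pkt->size = -1;
        return STR_FRAME_COMPLETE;
    }
    return STR_FRAME_PENDING;
}

/* Little-endian writer and a constructed STR video sector (not real disc data):
 * the three header fields the demuxer reads plus a payload filled with fill. */
static void wl(uint8_t *p, uint32_t v, int n) { while (n--) { *p++ = v & 0xff; v >>= 8; } }
static void make_sector(uint8_t *s, int cur, int count, uint32_t fsize, uint8_t fill) {
    memset(s, 0, RAW_CD_SECTOR_SIZE);
    wl(&s[0x1C], cur, 2); wl(&s[0x1E], count, 2); wl(&s[0x24], fsize, 4);
    memset(s + VIDEO_DATA_HEADER_SIZE, fill, VIDEO_DATA_CHUNK_SIZE);
}

/* Feed a two-sector frame (sector 0 claims size0, sector 1 claims size1)
 * through one path and return the status of the second sector. */
static int feed_two(int patched, uint32_t size0, uint32_t size1, Packet *out) {
    uint8_t s0[RAW_CD_SECTOR_SIZE], s1[RAW_CD_SECTOR_SIZE];
    Packet pkt = { NULL, 0 };
    int rc;
    make_sector(s0, 0, 2, size0, 0x11);
    make_sector(s1, 1, 2, size1, 0x22);
    if (patched) { str_feed_patched(&pkt, s0, out); rc = str_feed_patched(&pkt, s1, out); }
    else         { str_feed_unpatched(&pkt, s0);    rc = str_feed_unpatched(&pkt, s1); }
    free(pkt.data);
    return rc;
}

/* Crafted stream: a 100-byte frame announced in sector 0, 100000 bytes in sector 1. */
static int crafted_stream(int patched) {
    Packet out = { NULL, 0 };
    int rc = feed_two(patched, 100, 100000, &out);
    free(out.data);
    return rc;
}

/* Well-formed 3000-byte frame through the patched path: returns its delivered
 * size if every byte came from the right sector, otherwise a negative status. */
static int benign_frame_size(void) {
    Packet out = { NULL, 0 };
    int rc = feed_two(1, 3000, 3000, &out), i;
    if (rc == STR_FRAME_COMPLETE) {
        rc = out.size;
        for (i = 0; i < out.size; i++)
            if (out.data[i] != (i < VIDEO_DATA_CHUNK_SIZE ? 0x11 : 0x22)) rc = STR_ERR_INVALID;
    }
    free(out.data);
    return rc;
}

int main(void) {
    printf("unpatched: %d  patched: %d  benign: %d\n",
           crafted_stream(0), crafted_stream(1), benign_frame_size());
    return 0;
}
```

Run as is, it prints `unpatched: -2  patched: -1  benign: 3000`: the pre-fix arithmetic accepts the first sector and would write a full chunk past the end of the 100-byte buffer on the second, the patched check rejects the second sector's frame_size before anything is copied, and a well-formed two-sector frame still comes out with the right bytes in the right places. The point to take from the patch is the ordering: the buffer is sized from a bounded field (a 16-bit sector_count), every write index is checked against that same bound, and the attacker-controlled frame_size is only used once it has been proven to fit.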