Debian Bug report logs - #522811
xine-lib: heap-based buffer overflow due to integer overflow in quicktime atom parsing
Reported by: Nico Golde <nion@debian.org>
Date: Mon, 6 Apr 2009 16:30:02 UTC
Severity: grave
Tags: patch, pending, security
Found in version 1.1.14-6
Fixed in version 1.1.16.3-1
Done: Nico Golde <nion@debian.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, Reinhard Tartler <siretart@tauware.de>: Bug#522811; Package xine-lib. (Mon, 06 Apr 2009 16:30:04 GMT)
Acknowledgement sent to Nico Golde <nion@debian.org>: New Bug report received and forwarded. Copy sent to Reinhard Tartler <siretart@tauware.de>. (Mon, 06 Apr 2009 16:30:04 GMT)
Message #5 received at submit@bugs.debian.org:
Source: xine-lib
Severity: grave
Tags: security patch
Hi,
Tobias Klein discovered an integer overflow in the quicktime
STTS atom processing that leads to a heap-based buffer
overflow probably resulting in arbitrary code execution.
As you are also upstream of xine I expect you are aware of:
http://trapkit.de/advisories/TKADV2009-005.txt.
You fixed this bug in 1.1.16.3.
A few words from my side, I expect you to contact the
security team in case you get notified of a security issue
in xine in the future as it's not nice to see other people
notifying us while our Debian maintainer is also the
upstream. Sorry but this workflow sucks! Debian can allocate
CVE ids if you need them and I see no reason why a fixed
package is not already in unstable.
If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry if we get one in time.
Cheers
Nico
--
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
Information forwarded to debian-bugs-dist@lists.debian.org, Reinhard Tartler <siretart@tauware.de>: Bug#522811; Package xine-lib. (Thu, 09 Apr 2009 00:45:02 GMT)
Acknowledgement sent to Nico Golde <nion@debian.org>: Extra info received and forwarded to list. Copy sent to Reinhard Tartler <siretart@tauware.de>. (Thu, 09 Apr 2009 00:45:02 GMT)
Message #10 received at 522811@bugs.debian.org:
Hi,
here is the CVE id:
======================================================
Name: CVE-2009-1274
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1274
Reference: BUGTRAQ:20090404 [TKADV2009-005] xine-lib Quicktime STTS Atom Integer Overflow
Reference: URL:http://www.securityfocus.com/archive/1/archive/1/502481/100/0/threaded
Reference: MISC:http://www.trapkit.de/advisories/TKADV2009-005.txt
Reference: CONFIRM:http://bugs.xine-project.org/show_bug.cgi?id=224
Reference: CONFIRM:http://sourceforge.net/project/shownotes.php?group_id=9655&release_id=673233
Reference: OSVDB:53288
Reference: URL:http://osvdb.org/53288
Reference: SECTRACK:1021989
Reference: URL:http://www.securitytracker.com/id?1021989
Reference: SECUNIA:34593
Reference: URL:http://secunia.com/advisories/34593
Reference: VUPEN:ADV-2009-0937
Reference: URL:http://www.vupen.com/english/advisories/2009/0937
Reference: XF:xinelib-demuxqt-bo(49714)
Reference: URL:http://xforce.iss.net/xforce/xfdb/49714
Integer overflow in the qt_error parse_trak_atom function in
demuxers/demux_qt.c in xine-lib 1.1.16.2 and earlier allows remote
attackers to execute arbitrary code via a Quicktime movie file with a
large count value in an STTS atom, which triggers a heap-based buffer
overflow.
Cheers
Nico
--
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
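The failure mode named in the CVE description above (a large STTS count overflowing a size computation) next to a bounds check that rejects it, as an added C example that is not part of this bug log and is not xine-lib's code. The struct, function names and sample atoms are constructed for illustration, the stts body layout is the standard QuickTime one (version/flags, 32-bit entry count, 8-byte entries), and a 32-bit size computation is assumed for the unsafe case.

```c
#include <stdint.h>
#include <stdlib.h>

/* One stts (time-to-sample) entry: sample count and sample delta. */
typedef struct { uint32_t count, delta; } stts_entry;

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Unsafe pattern (assumed): the table size is computed in 32 bits and wraps. */
uint32_t wrapped_alloc_size(uint32_t count) {
    return count * (uint32_t)sizeof(stts_entry);
}

/* Hardened parse of an stts body: 4 bytes version/flags, 4 bytes entry
 * count, then count 8-byte entries. Returns the table, or NULL if rejected. */
stts_entry *parse_stts(const uint8_t *body, size_t len, uint32_t *n) {
    if (len < 8) return NULL;
    uint32_t count = be32(body + 4);
    /* Entries must fit in the atom; this also bounds the allocation size. */
    if (count > (len - 8) / 8) return NULL;
    stts_entry *t = calloc(count ? count : 1, sizeof *t);
    if (!t) return NULL;
    for (uint32_t i = 0; i < count; i++) {
        t[i].count = be32(body + 8 + (size_t)i * 8);
        t[i].delta = be32(body + 12 + (size_t)i * 8);
    }
    *n = count;
    return t;
}

/* Sum of the per-entry sample counts, or -1 if the atom is rejected. */
long total_samples(const uint8_t *body, size_t len) {
    uint32_t n = 0; long sum = 0;
    stts_entry *t = parse_stts(body, len, &n);
    if (!t) return -1;
    for (uint32_t i = 0; i < n; i++) sum += t[i].count;
    free(t);
    return sum;
}

/* Constructed sample atoms (not taken from any real file). */
const uint8_t good_stts[] = {0,0,0,0, 0,0,0,2, 0,0,0,10, 0,0,4,0, 0,0,0,1, 0,0,2,0};
const uint8_t bad_stts[]  = {0,0,0,0, 0x20,0,0,1, 0,0,0,10, 0,0,4,0};
int main(void) { /* exit 0 when the good atom parses and the bad one is rejected */
    return !(total_samples(good_stts, sizeof good_stts) == 11 &&
             total_samples(bad_stts, sizeof bad_stts) == -1);
}
```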
Reply sent to Nico Golde <nion@debian.org>: You have taken responsibility. (Wed, 22 Apr 2009 04:24:03 GMT)
Notification sent to Nico Golde <nion@debian.org>: Bug acknowledged by developer. (Wed, 22 Apr 2009 04:24:03 GMT)
Message #15 received at 522811-done@bugs.debian.org:
Version: 1.1.16.3-1
Darren,
you were neither able to reply on #522811, nor to notify the
security team of a security issue in xine-lib and you even
didn't comment on the bug afterwards that it is already
fixed in the version you uploaded nearly at the same time.
The bug was still open until now.
This wastes a lot of time which you as the maintainer should
spend. This is nothing personal but either you as upstream
are able to produce secure code or you are able to properly
communicate with your security team.
I talked with you about this problem in IRC and I would have
expected at least a notice that you uploaded a fixed version
if you are not able to close the bug by yourself.
This is nothing personal but on the next security related
bug of xine without maintainer reaction or coordination with
the security team I will file a removal bug for xine.
Cheers
Nico
--
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
Information forwarded to debian-bugs-dist@lists.debian.org, Reinhard Tartler <siretart@tauware.de>: Bug#522811; Package xine-lib. (Wed, 22 Apr 2009 16:24:05 GMT)
Acknowledgement sent to Darren Salt <linux@youmustbejoking.demon.co.uk>: Extra info received and forwarded to list. Copy sent to Reinhard Tartler <siretart@tauware.de>. (Wed, 22 Apr 2009 16:24:05 GMT)
Message #20 received at 522811@bugs.debian.org:
I demand that Nico Golde may or may not have written...
> Darren,
> you were neither able to reply on #522811, nor to notify the security team
> of a security issue in xine-lib and you even didn't comment on the bug
> afterwards that it is already fixed in the version you uploaded nearly at
> the same time. The bug was still open until now.
I sent mail to security@debian.org two weeks ago with a complete diff from
1.1.14-6.
I have binaries built and waiting for upload.
No response...
[snip]
--
| Darren Salt | linux or ds at | nr. Ashington, | Toon
| RISC OS, Linux | youmustbejoking,demon,co,uk | Northumberland | Army
| + Output less CO2 => avoid boiling weather. TIME IS RUNNING OUT *FAST*.
2+2=4. 2*2=4. 2^2=4. Therefore, +, *, and ^ are the same operation.
Message #21 received at 522811-done@bugs.debian.org:
Hi,
* Darren Salt <linux@youmustbejoking.demon.co.uk> [2009-04-22 19:06]:
> I demand that Nico Golde may or may not have written...
>
> > Darren,
> > you were neither able to reply on #522811, nor to notify the security team
> > of a security issue in xine-lib and you even didn't comment on the bug
> > afterwards that it is already fixed in the version you uploaded nearly at
> > the same time. The bug was still open until now.
>
> I sent mail to security@debian.org two weeks ago with a complete diff from
> 1.1.14-6.
>
> I have binaries built and waiting for upload.
>
> No response...
Yes and that was about stable... I am talking about unstable
here.
Cheers
Nico
--
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
Bug marked as found in version 1.1.14-6. Request was from Laurent Bonnaud <Laurent.Bonnaud@inpg.fr> to control@bugs.debian.org. (Fri, 03 Jul 2009 18:54:02 GMT)
Tags added: pending. Request was from Darren Salt <linux@youmustbejoking.demon.co.uk> to control@bugs.debian.org. (Thu, 09 Jul 2009 19:21:03 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Darren Salt <linux@youmustbejoking.demon.co.uk>: Bug#522811; Package xine-lib. (Mon, 08 Mar 2010 16:45:07 GMT)
Acknowledgement sent to Touko Korpela <tkorpela@phnet.fi>: Extra info received and forwarded to list. Copy sent to Darren Salt <linux@youmustbejoking.demon.co.uk>. (Mon, 08 Mar 2010 16:45:07 GMT)
Message #30 received at 522811@bugs.debian.org:
Are #523475 and #517792 the same bug? And is it still in 1.1.14-6 (lenny)?
Also #522811 seems unfixed too.
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 07 Mar 2011 07:55:16 GMT)
Last modified: Wed Jun 19 14:00:20 2019