xine-lib: heap-based buffer overflow due to integer overflow in quicktime atom parsing

Related Vulnerabilities: CVE-2009-1274  

Debian Bug report logs - #522811


Package: xine-lib; Maintainer for xine-lib is (unknown);

Reported by: Nico Golde <nion@debian.org>

Date: Mon, 6 Apr 2009 16:30:02 UTC

Severity: grave

Tags: patch, pending, security

Found in version 1.1.14-6

Fixed in version 1.1.16.3-1

Done: Nico Golde <nion@debian.org>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, Reinhard Tartler <siretart@tauware.de>:
Bug#522811; Package xine-lib. (Mon, 06 Apr 2009 16:30:04 GMT)


Acknowledgement sent to Nico Golde <nion@debian.org>:
New Bug report received and forwarded. Copy sent to Reinhard Tartler <siretart@tauware.de>. (Mon, 06 Apr 2009 16:30:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: submit@bugs.debian.org
Cc: team@security.debian.org
Subject: xine-lib: heap-based buffer overflow due to integer overflow in quicktime atom parsing
Date: Mon, 6 Apr 2009 18:27:40 +0200
[Message part 1 (text/plain, inline)]
Source: xine-lib
Severity: grave
Tags: security patch

Hi,
Tobias Klein discovered an integer overflow in the quicktime 
STTS atom processing that leads to a heap-based buffer 
overflow probably resulting in arbitrary code execution.

As you are also upstream of xine I expect you are aware of:
http://trapkit.de/advisories/TKADV2009-005.txt.

You fixed this bug in 1.1.16.3.

A few words from my side, I expect you to contact the 
security team in case you get notified of a security issue 
in xine in the future as it's not nice to see other people 
notifying us while our Debian maintainer is also the 
upstream. Sorry but this workflow sucks! Debian can allocate 
CVE ids if you need them and I see no reason why a fixed 
package is not already in unstable.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry if we get one in time.

Cheers
Nico

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[Message part 2 (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Reinhard Tartler <siretart@tauware.de>:
Bug#522811; Package xine-lib. (Thu, 09 Apr 2009 00:45:02 GMT)


Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Reinhard Tartler <siretart@tauware.de>. (Thu, 09 Apr 2009 00:45:02 GMT)


Message #10 received at 522811@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: 522811@bugs.debian.org
Subject: CVE id
Date: Thu, 9 Apr 2009 02:41:38 +0200
[Message part 1 (text/plain, inline)]
Hi,
here is the CVE id:
======================================================
Name: CVE-2009-1274
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1274
Reference: BUGTRAQ:20090404 [TKADV2009-005] xine-lib Quicktime STTS Atom Integer Overflow
Reference: URL:http://www.securityfocus.com/archive/1/archive/1/502481/100/0/threaded
Reference: MISC:http://www.trapkit.de/advisories/TKADV2009-005.txt
Reference: CONFIRM:http://bugs.xine-project.org/show_bug.cgi?id=224
Reference: CONFIRM:http://sourceforge.net/project/shownotes.php?group_id=9655&release_id=673233
Reference: OSVDB:53288
Reference: URL:http://osvdb.org/53288
Reference: SECTRACK:1021989
Reference: URL:http://www.securitytracker.com/id?1021989
Reference: SECUNIA:34593
Reference: URL:http://secunia.com/advisories/34593
Reference: VUPEN:ADV-2009-0937
Reference: URL:http://www.vupen.com/english/advisories/2009/0937
Reference: XF:xinelib-demuxqt-bo(49714)
Reference: URL:http://xforce.iss.net/xforce/xfdb/49714

Integer overflow in the qt_error parse_trak_atom function in
demuxers/demux_qt.c in xine-lib 1.1.16.2 and earlier allows remote
attackers to execute arbitrary code via a Quicktime movie file with a
large count value in an STTS atom, which triggers a heap-based buffer
overflow.

Cheers
Nico

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[Message part 2 (application/pgp-signature, inline)]
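As an added illustration of the bug class named in the CVE entry above (this is not xine-lib's code), here is a bounds-checked parser for the QuickTime STTS (time-to-sample) atom in C. It shows the two checks on the entry count whose absence turns a large count into an undersized heap allocation and an out-of-bounds copy; the atom layout assumed is the standard one (16-byte header followed by 8-byte entries), and the sample atoms are constructed.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* One time-to-sample entry as laid out in a QuickTime/MP4 'stts' atom. */
typedef struct { uint32_t sample_count; uint32_t sample_delta; } stts_entry_t;

#define STTS_HEADER_LEN 16u /* size(4) + 'stts'(4) + version/flags(4) + entry_count(4) */
#define STTS_ENTRY_LEN   8u

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Parses an in-memory 'stts' atom into a calloc'd array (*out, *n_out).
 * Returns 0 on success, -1 on a malformed atom (then *out is NULL).
 * The two checks on entry_count are the ones whose absence gives the bug
 * class in CVE-2009-1274: count * entry size must neither wrap nor exceed
 * the bytes actually present in the atom. */
int parse_stts_atom(const uint8_t *atom, size_t atom_len,
                    stts_entry_t **out, size_t *n_out) {
    *out = NULL; *n_out = 0;
    if (atom_len < STTS_HEADER_LEN || memcmp(atom + 4, "stts", 4) != 0)
        return -1;
    uint32_t count = be32(atom + 12);
    /* 1. Reject counts whose byte size would wrap size_t (32-bit hosts). */
    if (count > SIZE_MAX / STTS_ENTRY_LEN) return -1;
    /* 2. Reject counts larger than the atom actually carries; without this the
     *    copy loop reads past the buffer even when the multiplication fits. */
    if ((size_t)count * STTS_ENTRY_LEN > atom_len - STTS_HEADER_LEN) return -1;
    stts_entry_t *entries = calloc(count ? count : 1, sizeof *entries);
    if (!entries) return -1;
    for (uint32_t i = 0; i < count; i++) {
        const uint8_t *e = atom + STTS_HEADER_LEN + (size_t)i * STTS_ENTRY_LEN;
        entries[i].sample_count = be32(e);
        entries[i].sample_delta = be32(e + 4);
    }
    *out = entries; *n_out = count;
    return 0;
}

/* Constructed sample atoms (not from any real file): one valid entry, and the
 * same atom with entry_count forced to 0xFFFFFFFF. */
static const uint8_t GOOD_STTS[] = { 0,0,0,24, 's','t','t','s', 0,0,0,0, 0,0,0,1,
                                     0,0,0,10, 0,0,4,0 };
static const uint8_t HUGE_COUNT_STTS[] = { 0,0,0,24, 's','t','t','s', 0,0,0,0,
                                           0xff,0xff,0xff,0xff, 0,0,0,10, 0,0,4,0 };
```

On a 32-bit host the oversized count fails the wrap check; on a 64-bit host it fails the atom-length check, so either way the allocation never happens.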

Reply sent to Nico Golde <nion@debian.org>:
You have taken responsibility. (Wed, 22 Apr 2009 04:24:03 GMT)


Notification sent to Nico Golde <nion@debian.org>:
Bug acknowledged by developer. (Wed, 22 Apr 2009 04:24:03 GMT)


Message #15 received at 522811-done@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: 522811-done@bugs.debian.org
Cc: team@security.debian.org, linux@youmustbejoking.demon.co.uk
Subject: CVE-2009-1274 is fixed
Date: Wed, 22 Apr 2009 06:18:33 +0200
[Message part 1 (text/plain, inline)]
Version: 1.1.16.3-1

Darren,
you were neither able to reply on #522811, nor to notify the 
security team of a security issue in xine-lib and you didn't 
even comment on the bug afterwards that it is already 
fixed in the version you uploaded nearly at the same time. 
The bug was still open until now.

This wastes a lot of time which you as the maintainer should 
spend. This is nothing personal but either you as upstream
are able to produce secure code or you are able to properly 
communicate with your security team.

I talked with you about this problem in IRC and I would have 
expected at least a notice that you uploaded a fixed version 
if you are not able to close the bug by yourself.

This is nothing personal but on the next security related 
bug of xine without maintainer reaction or coordination with 
the security team I will file a removal bug for xine.

Cheers
Nico

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[Message part 2 (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Reinhard Tartler <siretart@tauware.de>:
Bug#522811; Package xine-lib. (Wed, 22 Apr 2009 16:24:05 GMT)


Acknowledgement sent to Darren Salt <linux@youmustbejoking.demon.co.uk>:
Extra info received and forwarded to list. Copy sent to Reinhard Tartler <siretart@tauware.de>. (Wed, 22 Apr 2009 16:24:05 GMT)


Message #20 received at 522811@bugs.debian.org:

From: Darren Salt <linux@youmustbejoking.demon.co.uk>
To: 522811@bugs.debian.org, team@security.debian.org
Cc: nion@debian.org
Subject: Re: CVE-2009-1274 is fixed
Date: Wed, 22 Apr 2009 17:08:14 +0100
I demand that Nico Golde may or may not have written...

> Darren,
> you were neither able to reply on #522811, nor to notify the security team
> of a security issue in xine-lib and you didn't even comment on the bug
> afterwards that it is already fixed in the version you uploaded nearly at
> the same time. The bug was still open until now.

I sent mail to security@debian.org two weeks ago with a complete diff from
1.1.14-6.

I have binaries built and waiting for upload.

No response...

[snip]
-- 
| Darren Salt    | linux or ds at              | nr. Ashington, | Toon
| RISC OS, Linux | youmustbejoking,demon,co,uk | Northumberland | Army
| + Output less CO2 => avoid boiling weather.     TIME IS RUNNING OUT *FAST*.

2+2=4. 2*2=4. 2^2=4. Therefore, +, *, and ^ are the same operation.




Message #21 received at 522811-done@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: 522811-done@bugs.debian.org, team@security.debian.org, linux@youmustbejoking.demon.co.uk
Subject: Re: CVE-2009-1274 is fixed
Date: Wed, 22 Apr 2009 20:59:27 +0200
[Message part 1 (text/plain, inline)]
Hi,
* Darren Salt <linux@youmustbejoking.demon.co.uk> [2009-04-22 19:06]:
> I demand that Nico Golde may or may not have written...
> 
> > Darren,
> > you were neither able to reply on #522811, nor to notify the security team
> > of a security issue in xine-lib and you didn't even comment on the bug
> > afterwards that it is already fixed in the version you uploaded nearly at
> > the same time. The bug was still open until now.
> 
> I sent mail to security@debian.org two weeks ago with a complete diff from
> 1.1.14-6.
> 
> I have binaries built and waiting for upload.
> 
> No response...

Yes and that was about stable... I am talking about unstable 
here.

Cheers
Nico
-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[Message part 2 (application/pgp-signature, inline)]

Bug marked as found in version 1.1.14-6. Request was from Laurent Bonnaud <Laurent.Bonnaud@inpg.fr> to control@bugs.debian.org. (Fri, 03 Jul 2009 18:54:02 GMT)


Tags added: pending. Request was from Darren Salt <linux@youmustbejoking.demon.co.uk> to control@bugs.debian.org. (Thu, 09 Jul 2009 19:21:03 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Darren Salt <linux@youmustbejoking.demon.co.uk>:
Bug#522811; Package xine-lib. (Mon, 08 Mar 2010 16:45:07 GMT)


Acknowledgement sent to Touko Korpela <tkorpela@phnet.fi>:
Extra info received and forwarded to list. Copy sent to Darren Salt <linux@youmustbejoking.demon.co.uk>. (Mon, 08 Mar 2010 16:45:07 GMT)


Message #30 received at 522811@bugs.debian.org:

From: Touko Korpela <tkorpela@phnet.fi>
To: 517792@bugs.debian.org
Cc: 523475@bugs.debian.org, 522811@bugs.debian.org
Subject: Unfixed bugs in lenny version
Date: Mon, 8 Mar 2010 18:38:46 +0200
Are #523475 and #517792 the same bug? And is it still in 1.1.14-6 (lenny)?
Also #522811 seems unfixed too.




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 07 Mar 2011 07:55:16 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:00:20 2019; Machine Name: buxtehude
