Debian Bug report logs - #443478
CVE remote denial of service in aviheader.c
Reported by: Nico Golde <nion@debian.org>
Date: Fri, 21 Sep 2007 17:00:02 UTC
Severity: important
Tags: security
Found in version mplayer/1.0~rc1-16
Fixed in versions mplayer/1.0~rc1-16.1, mplayer/1.0~rc1-16+lenny1
Done: Nico Golde <nion@debian.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, A Mennucc1 <mennucc1@debian.org>: Bug#443478; Package mplayer.
Acknowledgement sent to Nico Golde <nion@debian.org>: New Bug report received and forwarded. Copy sent to A Mennucc1 <mennucc1@debian.org>.
Message #5 received at submit@bugs.debian.org:
Package: mplayer
Version: 1.0~rc1-16
Severity: important
Tags: security
Hi,
a CVE has been issued against mplayer.
CVE-2007-4938[0]:
Heap-based buffer overflow in libmpdemux/aviheader.c in
MPlayer 1.0rc1 and earlier allows remote attackers to cause
a denial of service (application crash) or possibly execute
arbitrary code via a .avi file with certain large "indx
truck size" and nEntriesInuse values, and a certain
wLongsPerEntry value.
This is not really an important issue, it is just possible
to create a NULL pointer dereference here which leads to an
application crash.
However in glibc < 2.5 (etch) this leads to a heap overflow
because of a missing integer overflow check in glibc < 2.5.
See http://cert.uni-stuttgart.de/advisories/calloc.php; this
was merged into glibc in 2.5.
http://svn.mplayerhq.hu/mplayer/trunk/libmpdemux/aviheader.c?r1=23985&r2=24447
should fix this issue.
If you fix this issue please include the CVE id in your
changelog.
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4938
Kind regards
Nico
--
Nico Golde - http://ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
Information forwarded to debian-bugs-dist@lists.debian.org, A Mennucc1 <mennucc1@debian.org>: Bug#443478; Package mplayer.
Acknowledgement sent to Reimar Döffinger <Reimar.Doeffinger@stud.uni-karlsruhe.de>: Extra info received and forwarded to list. Copy sent to A Mennucc1 <mennucc1@debian.org>.
Message #10 received at 443478@bugs.debian.org:
Hello,
On Fri, Sep 21, 2007 at 06:57:48PM +0200, Nico Golde wrote:
[...]
> However in glibc < 2.5 (etch) this leads to a heap overflow
> because of a missing integer overflow check in glibc < 2.5.
Did you test?
> See http://cert.uni-stuttgart.de/advisories/calloc.php this
> was merged into glibc in 2.5.
Because this page says it was already fixed since glibc 2.3
> http://svn.mplayerhq.hu/mplayer/trunk/libmpdemux/aviheader.c?r1=23985&r2=24447
> should fix this issue.
This is the wrong fix for the security issue, the glibc fix must be
ported if it is not already there.
Greetings,
Reimar Döffinger
Information forwarded to debian-bugs-dist@lists.debian.org, A Mennucc1 <mennucc1@debian.org>: Bug#443478; Package mplayer.
Acknowledgement sent to Nico Golde <nion@debian.org>: Extra info received and forwarded to list. Copy sent to A Mennucc1 <mennucc1@debian.org>.
Message #15 received at 443478@bugs.debian.org:
Hi,
* Reimar Döffinger <Reimar.Doeffinger@stud.uni-karlsruhe.de> [2007-09-21 19:41]:
> On Fri, Sep 21, 2007 at 06:57:48PM +0200, Nico Golde wrote:
> [...]
> > However in glibc < 2.5 (etch) this leads to a heap overflow
> > because of a missing integer overflow check in glibc < 2.5.
>
> Did you test?
>
> > See http://cert.uni-stuttgart.de/advisories/calloc.php this
> > was merged into glibc in 2.5.
>
> Because this page says it was already fixed since glibc 2.3
Args, thank you. I was wrong with this.
> > http://svn.mplayerhq.hu/mplayer/trunk/libmpdemux/aviheader.c?r1=23985&r2=24447
> > should fix this issue.
>
> This is the wrong fix for the security issue, the glibc fix must be
> ported if it is not already there.
Huh? This is at least the right fix for the NULL pointer
dereference. Not?
Sure it has to be ported if the integer overflow would be in
2.5 and not in 2.3. We treat DoS bugs as security issues
with low priority.
Kind regards and thanks for looking into this
Nico
Information forwarded to debian-bugs-dist@lists.debian.org, A Mennucc1 <mennucc1@debian.org>: Bug#443478; Package mplayer.
Acknowledgement sent to Reimar Döffinger <Reimar.Doeffinger@stud.uni-karlsruhe.de>: Extra info received and forwarded to list. Copy sent to A Mennucc1 <mennucc1@debian.org>.
Message #20 received at 443478@bugs.debian.org:
On Fri, Sep 21, 2007 at 07:58:01PM +0200, Nico Golde wrote:
> * Reimar Döffinger <Reimar.Doeffinger@stud.uni-karlsruhe.de> [2007-09-21 19:41]:
> > On Fri, Sep 21, 2007 at 06:57:48PM +0200, Nico Golde wrote:
[...]
> > > http://svn.mplayerhq.hu/mplayer/trunk/libmpdemux/aviheader.c?r1=23985&r2=24447
> > > should fix this issue.
> >
> > This is the wrong fix for the security issue, the glibc fix must be
> > ported if it is not already there.
>
> Huh? This is at least the right fix for the NULL pointer
> dereference. Not?
Yes, above patch fixes a NULL pointer dereference and applying it can't
hurt. With "security issue" above I _only_ meant the heap overflow,
above patch fixes that one as well (since it is "the same" problem, just
shows itself differently), but it is not the right way to fix that
aspect.
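The two faces of the bug that Reimar distinguishes, as an added C example that is not from the thread, the MPlayer patch, or glibc: an overflow-checked calloc wrapper (the check the cited calloc advisory describes) beside the parser-level validation of wLongsPerEntry and nEntriesInUse. The indx_header struct, the SUPER_INDEX_LONGS value and the constructed sample header are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Overflow-checked calloc: the check the calloc advisory cited in the thread
   describes. Rejects the request when nmemb * size does not fit in size_t. */
void *checked_calloc(size_t nmemb, size_t size) {
    if (nmemb != 0 && size > SIZE_MAX / nmemb) return NULL;
    return calloc(nmemb, size);
}

/* Does count * entry_bytes wrap when computed in 32 bits? A wrapped product
   buys a tiny buffer that the parser then fills with `count` entries. */
int product_wraps32(uint32_t count, uint32_t entry_bytes) {
    return (uint64_t)count * entry_bytes > UINT32_MAX;
}

/* Hypothetical view of the OpenDML 'indx' header fields named in the report;
   not MPlayer's struct. */
struct indx_header {
    uint16_t wLongsPerEntry;   /* 32-bit words per index entry */
    uint32_t nEntriesInUse;
    uint32_t chunk_size;       /* declared size of the indx chunk body */
};
#define SUPER_INDEX_LONGS 4    /* assumed: an AVISUPERINDEX entry is 4 longs */

/* Allocate the entry table for an indx chunk. Returns 0 and sets *out on
   success; a nonzero code identifies the check that rejected the header. */
int alloc_index_entries(const struct indx_header *h, uint32_t **out) {
    *out = NULL;
    /* parser-level fix: validate wLongsPerEntry before using it */
    if (h->wLongsPerEntry != SUPER_INDEX_LONGS) return 1;
    uint64_t entry_bytes = (uint64_t)h->wLongsPerEntry * 4;
    /* the entries must fit inside the chunk the file declares */
    if ((uint64_t)h->nEntriesInUse * entry_bytes > h->chunk_size) return 2;
    uint32_t *buf = checked_calloc(h->nEntriesInUse, (size_t)entry_bytes);
    if (!buf) return 3;
    *out = buf;
    return 0;
}

int main(void) {
    /* constructed header: 0x10000001 entries of 16 bytes wraps to 16 in 32 bits */
    struct indx_header bad = { 4, 0x10000001u, 0xFFFFFFFFu };
    uint32_t *table;
    printf("product wraps in 32 bits: %d\n", product_wraps32(bad.nEntriesInUse, 16));
    printf("header rejected with code %d\n", alloc_index_entries(&bad, &table));
    return 0;
}
```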
Information forwarded to debian-bugs-dist@lists.debian.org, A Mennucc1 <mennucc1@debian.org>: Bug#443478; Package mplayer.
Acknowledgement sent to Nico Golde <nion@debian.org>: Extra info received and forwarded to list. Copy sent to A Mennucc1 <mennucc1@debian.org>.
Message #25 received at 443478@bugs.debian.org:
Hi,
I intend to NMU this bug.
The attached patch fixes this issue.
It will be also archived on:
http://people.debian.org/~nion/nmu-diff/mplayer-1.0~rc1-16_1.0~rc1-16.1.patch
Kind regards
Nico
Information forwarded to debian-bugs-dist@lists.debian.org, A Mennucc1 <mennucc1@debian.org>: Bug#443478; Package mplayer.
Acknowledgement sent to Nico Golde <nion@debian.org>: Extra info received and forwarded to list. Copy sent to A Mennucc1 <mennucc1@debian.org>.
Your message did not contain a Subject field. They are recommended and useful because the title of a Bug is determined using this field. Please remember to include a Subject field in your messages in future.
Message #30 received at 443478@bugs.debian.org:
hi,
forgot the patch.
Cheers
Nico
[mplayer-1.0~rc1-16_1.0~rc1-16.1.patch (text/x-diff, attachment)]
Reply sent to Nico Golde <nion@debian.org>: You have taken responsibility.
Notification sent to Nico Golde <nion@debian.org>: Bug acknowledged by developer.
Message #35 received at 443478-close@bugs.debian.org:
Source: mplayer
Source-Version: 1.0~rc1-16.1
We believe that the bug you reported is fixed in the latest version of
mplayer, which is due to be installed in the Debian FTP archive:
mplayer-doc_1.0~rc1-16.1_all.deb
to pool/main/m/mplayer/mplayer-doc_1.0~rc1-16.1_all.deb
mplayer_1.0~rc1-16.1.diff.gz
to pool/main/m/mplayer/mplayer_1.0~rc1-16.1.diff.gz
mplayer_1.0~rc1-16.1.dsc
to pool/main/m/mplayer/mplayer_1.0~rc1-16.1.dsc
mplayer_1.0~rc1-16.1_i386.deb
to pool/main/m/mplayer/mplayer_1.0~rc1-16.1_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 443478@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Nico Golde <nion@debian.org> (supplier of updated mplayer package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
Format: 1.7
Date: Tue, 25 Sep 2007 12:39:15 +0200
Source: mplayer
Binary: mplayer-doc mplayer
Architecture: source i386 all
Version: 1.0~rc1-16.1
Distribution: unstable
Urgency: high
Maintainer: A Mennucc1 <mennucc1@debian.org>
Changed-By: Nico Golde <nion@debian.org>
Description:
mplayer - The Movie Player
mplayer-doc - documentation for MPlayer
Closes: 443478
Changes:
mplayer (1.0~rc1-16.1) unstable; urgency=high
.
* Non-maintainer upload by testing security team.
* Check wLongsPerEntry in aviheader.c before using it to prevent
possible NULL pointer dereference (CVE-2007-4938) (Closes: #443478).
Files:
19062c91fa0ee46b67121e70444a53d6 1282 graphics optional mplayer_1.0~rc1-16.1.dsc
bc393eff93ad297360258419580f1292 76258 graphics optional mplayer_1.0~rc1-16.1.diff.gz
9a50d4d2f7ffe898e69eeeff542f563a 2048724 graphics optional mplayer-doc_1.0~rc1-16.1_all.deb
eea29dd317b9f441f9c6f47157f391bc 4613928 graphics optional mplayer_1.0~rc1-16.1_i386.deb
Reply sent to Nico Golde <nion@debian.org>: You have taken responsibility.
Notification sent to Nico Golde <nion@debian.org>: Bug acknowledged by developer.
Message #40 received at 443478-close@bugs.debian.org:
Source: mplayer
Source-Version: 1.0~rc1-16+lenny1
We believe that the bug you reported is fixed in the latest version of
mplayer, which is due to be installed in the Debian FTP archive:
mplayer-doc_1.0~rc1-16+lenny1_all.deb
to pool/main/m/mplayer/mplayer-doc_1.0~rc1-16+lenny1_all.deb
mplayer_1.0~rc1-16+lenny1.diff.gz
to pool/main/m/mplayer/mplayer_1.0~rc1-16+lenny1.diff.gz
mplayer_1.0~rc1-16+lenny1.dsc
to pool/main/m/mplayer/mplayer_1.0~rc1-16+lenny1.dsc
mplayer_1.0~rc1-16+lenny1_i386.deb
to pool/main/m/mplayer/mplayer_1.0~rc1-16+lenny1_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 443478@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Nico Golde <nion@debian.org> (supplier of updated mplayer package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
Format: 1.7
Date: Tue, 09 Oct 2007 10:19:15 +0200
Source: mplayer
Binary: mplayer-doc mplayer
Architecture: source i386 all
Version: 1.0~rc1-16+lenny1
Distribution: testing-security
Urgency: high
Maintainer: A Mennucc1 <mennucc1@debian.org>
Changed-By: Nico Golde <nion@debian.org>
Description:
mplayer - The Movie Player
mplayer-doc - documentation for MPlayer
Closes: 443478
Changes:
mplayer (1.0~rc1-16+lenny1) testing-security; urgency=high
.
* Non-maintainer upload by testing security team.
* Check wLongsPerEntry in aviheader.c before using it to prevent
possible NULL pointer dereference (CVE-2007-4938) (Closes: #443478).
Files:
f6f123a1663d89b0de7c9a43999ac5e8 1292 graphics optional mplayer_1.0~rc1-16+lenny1.dsc
815482129b79cb9390904b145c5def6c 10286260 graphics optional mplayer_1.0~rc1.orig.tar.gz
7277cfa110d967513d220c5d13c1ddc3 75531 graphics optional mplayer_1.0~rc1-16+lenny1.diff.gz
97a0360d972ef05e15566873f4dbe03f 2050912 graphics optional mplayer-doc_1.0~rc1-16+lenny1_all.deb
b4a97e31ce022c3cfa04a5953b1e2cd9 4615798 graphics optional mplayer_1.0~rc1-16+lenny1_i386.deb
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 07 Nov 2007 07:30:26 GMT)
Last modified: Wed Jun 19 16:51:24 2019