CVE remote denial of service in aviheader.c

Related Vulnerabilities: CVE-2007-4938  

Debian Bug report logs - #443478

Reported by: Nico Golde <nion@debian.org>

Date: Fri, 21 Sep 2007 17:00:02 UTC

Severity: important

Tags: security

Found in version mplayer/1.0~rc1-16

Fixed in versions mplayer/1.0~rc1-16.1, mplayer/1.0~rc1-16+lenny1

Done: Nico Golde <nion@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, A Mennucc1 <mennucc1@debian.org>:
Bug#443478; Package mplayer.


Acknowledgement sent to Nico Golde <nion@debian.org>:
New Bug report received and forwarded. Copy sent to A Mennucc1 <mennucc1@debian.org>.


Message #5 received at submit@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: submit@bugs.debian.org
Subject: CVE remote denial of service in aviheader.c
Date: Fri, 21 Sep 2007 18:57:48 +0200
Package: mplayer
Version: 1.0~rc1-16
Severity: important
Tags: security

Hi,
a CVE has been issued against mplayer.
CVE-2007-4938[0]:
Heap-based buffer overflow in libmpdemux/aviheader.c in 
MPlayer 1.0rc1 and earlier allows remote attackers to cause 
a denial of service (application crash) or possibly execute 
arbitrary code via a .avi file with certain large "indx 
truck size" and nEntriesInuse values, and a certain 
wLongsPerEntry value.

This is not really an important issue, it is just possible 
to create a NULL pointer dereference here which leads to an 
application crash.

However in glibc < 2.5 (etch) this leads to a heap overflow 
because of a missing integer overflow check in glibc < 2.5.
See http://cert.uni-stuttgart.de/advisories/calloc.php; this 
was merged into glibc in 2.5.

http://svn.mplayerhq.hu/mplayer/trunk/libmpdemux/aviheader.c?r1=23985&r2=24447
should fix this issue.

If you fix this issue please include the CVE id in your 
changelog.

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4938

Kind regards
Nico
-- 
Nico Golde - http://ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

Information forwarded to debian-bugs-dist@lists.debian.org, A Mennucc1 <mennucc1@debian.org>:
Bug#443478; Package mplayer.


Acknowledgement sent to Reimar Döffinger <Reimar.Doeffinger@stud.uni-karlsruhe.de>:
Extra info received and forwarded to list. Copy sent to A Mennucc1 <mennucc1@debian.org>.


Message #10 received at 443478@bugs.debian.org:

From: Reimar Döffinger <Reimar.Doeffinger@stud.uni-karlsruhe.de>
To: Nico Golde <nion@debian.org>, 443478@bugs.debian.org
Subject: Re: Bug#443478: CVE remote denial of service in aviheader.c
Date: Fri, 21 Sep 2007 19:24:08 +0200
Hello,
On Fri, Sep 21, 2007 at 06:57:48PM +0200, Nico Golde wrote:
[...]
> However in glibc < 2.5 (etch) this leads to a heap overflow 
> because of a missing integer overflow check in glibc < 2.5.

Did you test?

> See http://cert.uni-stuttgart.de/advisories/calloc.php this 
> was merged into glibc in 2.5.

Because this page says it was already fixed since glibc 2.3.

> http://svn.mplayerhq.hu/mplayer/trunk/libmpdemux/aviheader.c?r1=23985&r2=24447
> should fix this issue.

This is the wrong fix for the security issue, the glibc fix must be
ported if it is not already there.

Greetings,
Reimar Döffinger




Information forwarded to debian-bugs-dist@lists.debian.org, A Mennucc1 <mennucc1@debian.org>:
Bug#443478; Package mplayer.


Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to A Mennucc1 <mennucc1@debian.org>.


Message #15 received at 443478@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: Reimar Döffinger <Reimar.Doeffinger@stud.uni-karlsruhe.de>, 443478@bugs.debian.org
Subject: Re: Bug#443478: CVE remote denial of service in aviheader.c
Date: Fri, 21 Sep 2007 19:58:01 +0200
Hi,
* Reimar Döffinger <Reimar.Doeffinger@stud.uni-karlsruhe.de> [2007-09-21 19:41]:
> On Fri, Sep 21, 2007 at 06:57:48PM +0200, Nico Golde wrote:
> [...]
> > However in glibc < 2.5 (etch) this leads to a heap overflow 
> > because of a missing integer overflow check in glibc < 2.5.
> 
> Did you test?
> 
> > See http://cert.uni-stuttgart.de/advisories/calloc.php this 
> > was merged into glibc in 2.5.
> 
> Because this page says it was already fixed since glibc 2.3.

Args, thank you. I was wrong with this.

> > http://svn.mplayerhq.hu/mplayer/trunk/libmpdemux/aviheader.c?r1=23985&r2=24447
> > should fix this issue.
> 
> This is the wrong fix for the security issue, the glibc fix must be
> ported if it is not already there.

Huh? This is at least the right fix for the NULL pointer 
dereference. Not?
Sure it has to be ported if the integer overflow would be in 
2.5 and not in 2.3. We treat DoS bugs as security issues 
with low priority.

Kind regards and thanks for looking into this
Nico
-- 
Nico Golde - http://ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

Information forwarded to debian-bugs-dist@lists.debian.org, A Mennucc1 <mennucc1@debian.org>:
Bug#443478; Package mplayer.


Acknowledgement sent to Reimar Döffinger <Reimar.Doeffinger@stud.uni-karlsruhe.de>:
Extra info received and forwarded to list. Copy sent to A Mennucc1 <mennucc1@debian.org>.


Message #20 received at 443478@bugs.debian.org:

From: Reimar Döffinger <Reimar.Doeffinger@stud.uni-karlsruhe.de>
To: 443478@bugs.debian.org
Subject: Re: Bug#443478: CVE remote denial of service in aviheader.c
Date: Fri, 21 Sep 2007 21:20:47 +0200
On Fri, Sep 21, 2007 at 07:58:01PM +0200, Nico Golde wrote:
> * Reimar Döffinger <Reimar.Doeffinger@stud.uni-karlsruhe.de> [2007-09-21 19:41]:
> > On Fri, Sep 21, 2007 at 06:57:48PM +0200, Nico Golde wrote:
[...]
> > > http://svn.mplayerhq.hu/mplayer/trunk/libmpdemux/aviheader.c?r1=23985&r2=24447
> > > should fix this issue.
> > 
> > This is the wrong fix for the security issue, the glibc fix must be
> > ported if it is not already there.
> 
> Huh? This is at least the right fix for the NULL pointer 
> dereference. Not?

Yes, above patch fixes a NULL pointer dereference and applying it can't
hurt. With "security issue" above I _only_ meant the heap overflow,
above patch fixes that one as well (since it is "the same" problem, just
shows itself differently), but it is not the right way to fix that
aspect.
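To make the distinction drawn above concrete, here is an added C sketch (not the mplayer patch and not code from this report) of the two defences the thread separates: an application-level check of wLongsPerEntry and nEntriesInUse before the index table is allocated, and the overflow-checked multiplication the calloc.php advisory describes, done in the caller so it does not depend on the libc version. The struct layout, the expected entry size of 4 longs and all sample values are assumptions constructed for the example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <stddef.h>

/* Constructed, simplified view of the two "indx" chunk fields the CVE
 * text names. Field names follow OpenDML; the layout is an assumption. */
typedef struct {
    uint16_t wLongsPerEntry;   /* 32-bit words per index entry */
    uint32_t nEntriesInUse;    /* entries the table claims to hold */
} indx_hdr;

/* Assumed expected entry size: a super index entry is 4 longs (16 bytes). */
#define SUPERINDEX_ENTRY_LONGS 4

/* 1 if nmemb*size wraps in a 32-bit size_t, i.e. what an unchecked 32-bit
 * calloc would silently turn into a tiny allocation. */
int calloc_size_wraps32(uint32_t nmemb, uint32_t size) {
    return size != 0 && nmemb > UINT32_MAX / size;
}

/* calloc wrapper with the overflow check glibc later added, so the product
 * can never wrap to a small allocation regardless of the libc in use. */
void *checked_calloc(size_t nmemb, size_t size) {
    if (size != 0 && nmemb > SIZE_MAX / size) return NULL;
    return calloc(nmemb, size);
}

/* Header validation before any allocation: returns 1 and the table size in
 * *bytes if the header is acceptable, 0 otherwise. */
int validate_indx(const indx_hdr *h, size_t *bytes) {
    /* Reject entry sizes the parser does not understand; zero would give an
     * empty table that is later indexed (the NULL dereference aspect). */
    if (h->wLongsPerEntry != SUPERINDEX_ENTRY_LONGS) return 0;
    uint32_t entry_bytes = (uint32_t)h->wLongsPerEntry * 4u;
    /* Refuse counts whose byte size would wrap on a 32-bit size_t (the heap
     * overflow aspect), even when this build happens to be 64-bit. */
    if (calloc_size_wraps32(h->nEntriesInUse, entry_bytes)) return 0;
    *bytes = (size_t)h->nEntriesInUse * entry_bytes;
    return 1;
}

int main(void) {
    indx_hdr ok = { SUPERINDEX_ENTRY_LONGS, 3 };   /* constructed sample */
    indx_hdr bad = { 0, 3 };                        /* constructed sample */
    size_t n;
    if (!validate_indx(&ok, &n)) return 1;
    void *table = checked_calloc(ok.nEntriesInUse, n / ok.nEntriesInUse);
    free(table);
    return validate_indx(&bad, &n) ? 1 : 0;
}
```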




Information forwarded to debian-bugs-dist@lists.debian.org, A Mennucc1 <mennucc1@debian.org>:
Bug#443478; Package mplayer.


Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to A Mennucc1 <mennucc1@debian.org>.


Message #25 received at 443478@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: 443478@bugs.debian.org
Subject: Re: CVE remote denial of service in aviheader.c
Date: Tue, 25 Sep 2007 13:00:29 +0200
Hi,
I intend to NMU this bug.
The attached patch fixes this issue.
It will also be archived at:
http://people.debian.org/~nion/nmu-diff/mplayer-1.0~rc1-16_1.0~rc1-16.1.patch

Kind regards
Nico

-- 
Nico Golde - http://ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

Information forwarded to debian-bugs-dist@lists.debian.org, A Mennucc1 <mennucc1@debian.org>:
Bug#443478; Package mplayer.


Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to A Mennucc1 <mennucc1@debian.org>.

Your message did not contain a Subject field. They are recommended and useful because the title of a Bug is determined using this field. Please remember to include a Subject field in your messages in future.


Message #30 received at 443478@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: 443478@bugs.debian.org
Date: Tue, 25 Sep 2007 13:46:08 +0200
hi,
forgot the patch.
Cheers
Nico

-- 
Nico Golde - http://ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[mplayer-1.0~rc1-16_1.0~rc1-16.1.patch (text/x-diff, attachment)]

Reply sent to Nico Golde <nion@debian.org>:
You have taken responsibility.


Notification sent to Nico Golde <nion@debian.org>:
Bug acknowledged by developer.


Message #35 received at 443478-close@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: 443478-close@bugs.debian.org
Subject: Bug#443478: fixed in mplayer 1.0~rc1-16.1
Date: Tue, 25 Sep 2007 17:32:08 +0000
Source: mplayer
Source-Version: 1.0~rc1-16.1

We believe that the bug you reported is fixed in the latest version of
mplayer, which is due to be installed in the Debian FTP archive:

mplayer-doc_1.0~rc1-16.1_all.deb
  to pool/main/m/mplayer/mplayer-doc_1.0~rc1-16.1_all.deb
mplayer_1.0~rc1-16.1.diff.gz
  to pool/main/m/mplayer/mplayer_1.0~rc1-16.1.diff.gz
mplayer_1.0~rc1-16.1.dsc
  to pool/main/m/mplayer/mplayer_1.0~rc1-16.1.dsc
mplayer_1.0~rc1-16.1_i386.deb
  to pool/main/m/mplayer/mplayer_1.0~rc1-16.1_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 443478@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Nico Golde <nion@debian.org> (supplier of updated mplayer package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)



Format: 1.7
Date: Tue, 25 Sep 2007 12:39:15 +0200
Source: mplayer
Binary: mplayer-doc mplayer
Architecture: source i386 all
Version: 1.0~rc1-16.1
Distribution: unstable
Urgency: high
Maintainer: A Mennucc1 <mennucc1@debian.org>
Changed-By: Nico Golde <nion@debian.org>
Description: 
 mplayer    - The Movie Player
 mplayer-doc - documentation for MPlayer
Closes: 443478
Changes: 
 mplayer (1.0~rc1-16.1) unstable; urgency=high
 .
   * Non-maintainer upload by testing security team.
   * Check wLongsPerEntry in aviheader.c before using it to prevent
     possible NULL pointer dereference (CVE-2007-4938) (Closes: #443478).
Files: 
 19062c91fa0ee46b67121e70444a53d6 1282 graphics optional mplayer_1.0~rc1-16.1.dsc
 bc393eff93ad297360258419580f1292 76258 graphics optional mplayer_1.0~rc1-16.1.diff.gz
 9a50d4d2f7ffe898e69eeeff542f563a 2048724 graphics optional mplayer-doc_1.0~rc1-16.1_all.deb
 eea29dd317b9f441f9c6f47157f391bc 4613928 graphics optional mplayer_1.0~rc1-16.1_i386.deb






Reply sent to Nico Golde <nion@debian.org>:
You have taken responsibility.


Notification sent to Nico Golde <nion@debian.org>:
Bug acknowledged by developer.


Message #40 received at 443478-close@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: 443478-close@bugs.debian.org
Subject: Bug#443478: fixed in mplayer 1.0~rc1-16+lenny1
Date: Tue, 09 Oct 2007 12:02:05 +0000
Source: mplayer
Source-Version: 1.0~rc1-16+lenny1

We believe that the bug you reported is fixed in the latest version of
mplayer, which is due to be installed in the Debian FTP archive:

mplayer-doc_1.0~rc1-16+lenny1_all.deb
  to pool/main/m/mplayer/mplayer-doc_1.0~rc1-16+lenny1_all.deb
mplayer_1.0~rc1-16+lenny1.diff.gz
  to pool/main/m/mplayer/mplayer_1.0~rc1-16+lenny1.diff.gz
mplayer_1.0~rc1-16+lenny1.dsc
  to pool/main/m/mplayer/mplayer_1.0~rc1-16+lenny1.dsc
mplayer_1.0~rc1-16+lenny1_i386.deb
  to pool/main/m/mplayer/mplayer_1.0~rc1-16+lenny1_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 443478@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Nico Golde <nion@debian.org> (supplier of updated mplayer package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)



Format: 1.7
Date: Tue, 09 Oct 2007 10:19:15 +0200
Source: mplayer
Binary: mplayer-doc mplayer
Architecture: source i386 all
Version: 1.0~rc1-16+lenny1
Distribution: testing-security
Urgency: high
Maintainer: A Mennucc1 <mennucc1@debian.org>
Changed-By: Nico Golde <nion@debian.org>
Description: 
 mplayer    - The Movie Player
 mplayer-doc - documentation for MPlayer
Closes: 443478
Changes: 
 mplayer (1.0~rc1-16+lenny1) testing-security; urgency=high
 .
   * Non-maintainer upload by testing security team.
   * Check wLongsPerEntry in aviheader.c before using it to prevent
     possible NULL pointer dereference (CVE-2007-4938) (Closes: #443478).
Files: 
 f6f123a1663d89b0de7c9a43999ac5e8 1292 graphics optional mplayer_1.0~rc1-16+lenny1.dsc
 815482129b79cb9390904b145c5def6c 10286260 graphics optional mplayer_1.0~rc1.orig.tar.gz
 7277cfa110d967513d220c5d13c1ddc3 75531 graphics optional mplayer_1.0~rc1-16+lenny1.diff.gz
 97a0360d972ef05e15566873f4dbe03f 2050912 graphics optional mplayer-doc_1.0~rc1-16+lenny1_all.deb
 b4a97e31ce022c3cfa04a5953b1e2cd9 4615798 graphics optional mplayer_1.0~rc1-16+lenny1_i386.deb






Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 07 Nov 2007 07:30:26 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:51:24 2019; Machine Name: beach
