Debian Bug report logs -
#514177
gstreamer0.10-plugins-good: Several security issues: CVE-2009-0386 CVE-2009-0387 CVE-2009-0397 CVE-2009-0398
Reported by: Steffen Joeris <steffen.joeris@skolelinux.de>
Date: Wed, 4 Feb 2009 22:48:01 UTC
Severity: grave
Tags: security
Found in version gst-plugins-good0.10/0.10.8-4.1
Done: Sebastian Dröge <slomo@circular-chaos.org>
Bug is archived. No further changes may be made.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>, Maintainers of GStreamer packages <pkg-gstreamer-maintainers@lists.alioth.debian.org>:
Bug#514177; Package gstreamer0.10-plugins-good.
(Wed, 04 Feb 2009 22:48:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Steffen Joeris <steffen.joeris@skolelinux.de>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>, Maintainers of GStreamer packages <pkg-gstreamer-maintainers@lists.alioth.debian.org>.
(Wed, 04 Feb 2009 22:48:04 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Package: gstreamer0.10-plugins-good
Version: 0.10.8-4.1
Severity: grave
Tags: security
Justification: user security hole
Hi,
the following CVE (Common Vulnerabilities & Exposures) ids were
published for gst-plugins-good0.10.
CVE-2009-0386[0]:
| Heap-based buffer overflow in the qtdemux_parse_samples function in
| gst/qtdemux/qtdemux.c in GStreamer Good Plug-ins (aka
| gst-plugins-good) 0.10.9 through 0.10.11 might allow remote attackers
| to execute arbitrary code via crafted Composition Time To Sample
| (ctts) atom data in a malformed QuickTime media .mov file.
CVE-2009-0387[1]:
| Array index error in the qtdemux_parse_samples function in
| gst/qtdemux/qtdemux.c in GStreamer Good Plug-ins (aka
| gst-plugins-good) 0.10.9 through 0.10.11 allows remote attackers to
| cause a denial of service (application crash) and possibly execute
| arbitrary code via crafted Sync Sample (aka stss) atom data in a
| malformed QuickTime media .mov file, related to "mark keyframes."
CVE-2009-0397[2]:
| Heap-based buffer overflow in the qtdemux_parse_samples function in
| gst/qtdemux/qtdemux.c in GStreamer Good Plug-ins (aka
| gst-plugins-good) 0.10.9 through 0.10.11, and GStreamer Plug-ins (aka
| gstreamer-plugins) 0.8.5, might allow remote attackers to execute
| arbitrary code via crafted Time-to-sample (aka stts) atom data in a
| malformed QuickTime media .mov file.
CVE-2009-0398[3]:
| Array index error in the gst_qtp_trak_handler function in
| gst/qtdemux/qtdemux.c in GStreamer Plug-ins (aka gstreamer-plugins)
| 0.6.0 allows remote attackers to have an unknown impact via a crafted
| QuickTime media file.
There is also a redhat bugreport[4] and a mail[5] on the public security
list with more information. The upstream patch[6] seems to fix all, but
CVE-2009-0398 according to upstream.
These issues should be fixed for lenny. It would also be good, if you as
the maintainer could prepare an update for etch and contact the security
team, if you have something ready.
If you fix the vulnerabilities please also make sure to include the
CVE ids in your changelog entry.
Thanks in advance for your work.
Cheers
Steffen
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0386
http://security-tracker.debian.net/tracker/CVE-2009-0386
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0387
http://security-tracker.debian.net/tracker/CVE-2009-0387
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0397
http://security-tracker.debian.net/tracker/CVE-2009-0397
[3] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0398
http://security-tracker.debian.net/tracker/CVE-2009-0398
[4] https://bugzilla.redhat.com/show_bug.cgi?id=481267
[5] http://www.openwall.com/lists/oss-security/2009/01/29/3
[6] http://cgit.freedesktop.org/gstreamer/gst-plugins-good/commit/?id=bdc20b9baf13564d9a061343416395f8f9a92b53
Information forwarded
to debian-bugs-dist@lists.debian.org, Maintainers of GStreamer packages <pkg-gstreamer-maintainers@lists.alioth.debian.org>:
Bug#514177; Package gstreamer0.10-plugins-good.
(Thu, 05 Feb 2009 09:15:12 GMT) (full text, mbox, link).
Acknowledgement sent
to Sebastian Dröge <slomo@circular-chaos.org>:
Extra info received and forwarded to list. Copy sent to Maintainers of GStreamer packages <pkg-gstreamer-maintainers@lists.alioth.debian.org>.
(Thu, 05 Feb 2009 09:15:12 GMT) (full text, mbox, link).
Message #10 received at 514177@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Am Mittwoch, den 04.02.2009, 17:43 -0500 schrieb Steffen Joeris:
> Package: gstreamer0.10-plugins-good
> Version: 0.10.8-4.1
> Severity: grave
> Tags: security
> Justification: user security hole
>
> Hi,
> the following CVE (Common Vulnerabilities & Exposures) ids were
> published for gst-plugins-good0.10.
>
> CVE-2009-0386[0]:
> | Heap-based buffer overflow in the qtdemux_parse_samples function in
> | gst/qtdemux/qtdemux.c in GStreamer Good Plug-ins (aka
> | gst-plugins-good) 0.10.9 through 0.10.11 might allow remote attackers
> | to execute arbitrary code via crafted Composition Time To Sample
> | (ctts) atom data in a malformed QuickTime media .mov file.
>
> CVE-2009-0387[1]:
> | Array index error in the qtdemux_parse_samples function in
> | gst/qtdemux/qtdemux.c in GStreamer Good Plug-ins (aka
> | gst-plugins-good) 0.10.9 through 0.10.11 allows remote attackers to
> | cause a denial of service (application crash) and possibly execute
> | arbitrary code via crafted Sync Sample (aka stss) atom data in a
> | malformed QuickTime media .mov file, related to "mark keyframes."
>
> CVE-2009-0397[2]:
> | Heap-based buffer overflow in the qtdemux_parse_samples function in
> | gst/qtdemux/qtdemux.c in GStreamer Good Plug-ins (aka
> | gst-plugins-good) 0.10.9 through 0.10.11, and GStreamer Plug-ins (aka
> | gstreamer-plugins) 0.8.5, might allow remote attackers to execute
> | arbitrary code via crafted Time-to-sample (aka stts) atom data in a
> | malformed QuickTime media .mov file.
>
> CVE-2009-0398[3]:
> | Array index error in the gst_qtp_trak_handler function in
> | gst/qtdemux/qtdemux.c in GStreamer Plug-ins (aka gstreamer-plugins)
> | 0.6.0 allows remote attackers to have an unknown impact via a crafted
> | QuickTime media file.
>
> There is also a redhat bugreport[4] and a mail[5] on the public security
> list with more information. The upstream patch[6] seems to fix all, but
> CVE-2009-0398 according to upstream.
Hi,
the patch is already in unstable, testing and experimental. I'll take a
look at the other issue later, thanks.
[signature.asc (application/pgp-signature, inline)]
Reply sent
to Sebastian Dröge <slomo@circular-chaos.org>:
You have taken responsibility.
(Thu, 05 Feb 2009 10:18:08 GMT) (full text, mbox, link).
Notification sent
to Steffen Joeris <steffen.joeris@skolelinux.de>:
Bug acknowledged by developer.
(Thu, 05 Feb 2009 10:18:08 GMT) (full text, mbox, link).
Message #15 received at 514177-done@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Am Donnerstag, den 05.02.2009, 10:11 +0100 schrieb Sebastian Dröge:
> Am Mittwoch, den 04.02.2009, 17:43 -0500 schrieb Steffen Joeris:
> > Package: gstreamer0.10-plugins-good
> > Version: 0.10.8-4.1
> > Severity: grave
> > Tags: security
> > Justification: user security hole
> >
> > Hi,
> > the following CVE (Common Vulnerabilities & Exposures) ids were
> > published for gst-plugins-good0.10.
> >
> > CVE-2009-0386[0]:
> > | Heap-based buffer overflow in the qtdemux_parse_samples function in
> > | gst/qtdemux/qtdemux.c in GStreamer Good Plug-ins (aka
> > | gst-plugins-good) 0.10.9 through 0.10.11 might allow remote attackers
> > | to execute arbitrary code via crafted Composition Time To Sample
> > | (ctts) atom data in a malformed QuickTime media .mov file.
> >
> > CVE-2009-0387[1]:
> > | Array index error in the qtdemux_parse_samples function in
> > | gst/qtdemux/qtdemux.c in GStreamer Good Plug-ins (aka
> > | gst-plugins-good) 0.10.9 through 0.10.11 allows remote attackers to
> > | cause a denial of service (application crash) and possibly execute
> > | arbitrary code via crafted Sync Sample (aka stss) atom data in a
> > | malformed QuickTime media .mov file, related to "mark keyframes."
> >
> > CVE-2009-0397[2]:
> > | Heap-based buffer overflow in the qtdemux_parse_samples function in
> > | gst/qtdemux/qtdemux.c in GStreamer Good Plug-ins (aka
> > | gst-plugins-good) 0.10.9 through 0.10.11, and GStreamer Plug-ins (aka
> > | gstreamer-plugins) 0.8.5, might allow remote attackers to execute
> > | arbitrary code via crafted Time-to-sample (aka stts) atom data in a
> > | malformed QuickTime media .mov file.
> >
> > CVE-2009-0398[3]:
> > | Array index error in the gst_qtp_trak_handler function in
> > | gst/qtdemux/qtdemux.c in GStreamer Plug-ins (aka gstreamer-plugins)
> > | 0.6.0 allows remote attackers to have an unknown impact via a crafted
> > | QuickTime media file.
> >
> > There is also a redhat bugreport[4] and a mail[5] on the public security
> > list with more information. The upstream patch[6] seems to fix all, but
> > CVE-2009-0398 according to upstream.
>
> Hi,
> the patch is already in unstable, testing and experimental. I'll take a
> look at the other issue later, thanks.
The function that is referenced in CVE-2009-0398 doesn't exist anymore
and it's for a very very old version. I don't think this is still
relevant as the code doesn't exist anymore and will close this bug. All
other issues are fixed already.
[signature.asc (application/pgp-signature, inline)]
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Fri, 06 Mar 2009 07:30:35 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 17:23:32 2019;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon