CVE-2007-2500: memory corruption vulnerability in gnash

Related Vulnerabilities: CVE-2007-2500  

Debian Bug report logs - #423433


Reported by: Stefan Fritsch <sf@sfritsch.de>

Date: Fri, 11 May 2007 19:39:02 UTC

Severity: grave

Tags: patch, security

Found in version gnash/0.7.2-1

Fixed in version gnash/0.7.2+cvs20070518.1557-1

Done: Miriam Ruiz <little_miry@yahoo.es>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Miriam Ruiz <little_miry@yahoo.es>:
Bug#423433; Package gnash.


Acknowledgement sent to Stefan Fritsch <sf@sfritsch.de>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Miriam Ruiz <little_miry@yahoo.es>.


Message #5 received at submit@bugs.debian.org:

From: Stefan Fritsch <sf@sfritsch.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2007-2500: memory corruption vulnerability in gnash
Date: Fri, 11 May 2007 21:37:24 +0200
Package: gnash
Version: 0.7.2-1
Severity: grave
Tags: security patch
Justification: user security hole

A vulnerability has been found in gnash:

CVE-2007-2500:
"server/parser/sprite_definition.cpp in GNU Gnash (aka GNU Flash
Player) 0.7.2 allows remote attackers to execute arbitrary code via a
large number of SHOWFRAME elements within a DEFINESPRITE element,
which triggers memory corruption and enables the attacker to call free
with an arbitrary address, probably resultant from a buffer overflow."

At least 0.7.2-1 in lenny is affected. Please check whether this is fixed
in 0.7.2+cvs20070428.1515-1.

A patch is at http://savannah.gnu.org/bugs/?19774



Information forwarded to debian-bugs-dist@lists.debian.org, Miriam Ruiz <little_miry@yahoo.es>:
Bug#423433; Package gnash.


Acknowledgement sent to Petter Reinholdtsen <pere@hungry.com>:
Extra info received and forwarded to list. Copy sent to Miriam Ruiz <little_miry@yahoo.es>.


Message #10 received at 423433@bugs.debian.org:

From: Petter Reinholdtsen <pere@hungry.com>
To: 423433@bugs.debian.org
Subject: Re: CVE-2007-2500: memory corruption vulnerability in gnash
Date: Sun, 13 May 2007 13:16:56 +0200
upstream 423433 http://savannah.gnu.org/bugs/?19774
thanks

I had a look at server/parser/sprite_definition.cpp in the
0.7.2+cvs20070512.1554-1 version, and the code in question now looks
like this:

    IF_VERBOSE_PARSE (
        log_parse(_("  show_frame "
                SIZET_FMT "/" SIZET_FMT
                " (sprite)"),
                m_loading_frame,
                m_frame_count);
    );

    if ( m_loading_frame == m_frame_count )
    {
        // better break than sorry

        in->close_tag();
        while ( in->open_tag() != SWF::END )
        {
            IF_VERBOSE_MALFORMED_SWF(
            log_swferror(_("last SHOWFRAME of a "
                    "DEFINESPRITE tag "
                    "isn't followed by an END."
                    " Seeking to next END tag."));
            );
            in->close_tag();
        }

        break;
    }

I also tried to run the problematic flash code downloaded from
<URL:http://savannah.gnu.org/bugs/download.php?file_id=12671>, and got
no crash nor any message about malformed swf.  Not sure how to
interpret this, so I just add this comment and leave the bug open.

Friendly,
-- 
Petter Reinholdtsen
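Worked example added here (constructed for this page; it is not gnash code and not part of the thread): a self-contained C++ model of the DEFINESPRITE loading loop, showing why the `m_loading_frame == m_frame_count` check quoted above matters. The frame table is sized from the header's declared frame count, so without that check a stream carrying more SHOWFRAME tags than declared would index past the table; the `Tag` enum, `SpriteLoadResult` and `load_sprite` are assumptions for illustration, not SWF or gnash identifiers.

```cpp
#include <cstddef>
#include <vector>

// Tag kinds for a DEFINESPRITE body (constructed enum, not real SWF tag codes).
enum class Tag { SHOWFRAME, PLACEOBJECT, END };

struct SpriteLoadResult {
    std::size_t frames_loaded;    // frames committed to the frame table
    std::size_t excess_showframe; // SHOWFRAMEs beyond the declared count
    bool malformed;               // last declared SHOWFRAME not followed by END
};

// Parse one DEFINESPRITE body whose header declared `frame_count` frames.
// The table is allocated from the header value, so the declared count is the
// only bound on SHOWFRAME-driven writes; the check mirrors the quoted fix.
SpriteLoadResult load_sprite(std::size_t frame_count, const std::vector<Tag>& tags) {
    std::vector<std::vector<Tag>> frames(frame_count); // sized from the header
    std::vector<Tag> current;
    SpriteLoadResult r{0, 0, false};
    std::size_t loading_frame = 0;
    std::size_t i = 0;
    // Seek to END, recording what an unchecked parser would have consumed.
    auto seek_to_end = [&]() {
        for (; i < tags.size() && tags[i] != Tag::END; ++i) {
            r.malformed = true;
            if (tags[i] == Tag::SHOWFRAME) ++r.excess_showframe;
        }
    };
    if (frame_count == 0) { seek_to_end(); return r; } // no slot exists at all
    for (; i < tags.size(); ++i) {
        if (tags[i] == Tag::END) break;
        if (tags[i] != Tag::SHOWFRAME) { current.push_back(tags[i]); continue; }
        frames[loading_frame++] = current; // in bounds: loading_frame < frame_count here
        current.clear();
        ++r.frames_loaded;
        if (loading_frame == frame_count) {
            // Better break than sorry: the next tag must be END; anything else,
            // in particular further SHOWFRAMEs, is skipped rather than indexed.
            ++i;
            seek_to_end();
            break;
        }
    }
    return r;
}
```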



Reply sent to Miriam Ruiz <little_miry@yahoo.es>:
You have taken responsibility.


Notification sent to Stefan Fritsch <sf@sfritsch.de>:
Bug acknowledged by developer.


Message #15 received at 423433-close@bugs.debian.org:

From: Miriam Ruiz <little_miry@yahoo.es>
To: 423433-close@bugs.debian.org
Subject: Bug#423433: fixed in gnash 0.7.2+cvs20070518.1557-1
Date: Sat, 19 May 2007 10:47:05 +0000
Source: gnash
Source-Version: 0.7.2+cvs20070518.1557-1

We believe that the bug you reported is fixed in the latest version of
gnash, which is due to be installed in the Debian FTP archive:

gnash-cygnal_0.7.2+cvs20070518.1557-1_i386.deb
  to pool/main/g/gnash/gnash-cygnal_0.7.2+cvs20070518.1557-1_i386.deb
gnash-tools_0.7.2+cvs20070518.1557-1_i386.deb
  to pool/main/g/gnash/gnash-tools_0.7.2+cvs20070518.1557-1_i386.deb
gnash_0.7.2+cvs20070518.1557-1.diff.gz
  to pool/main/g/gnash/gnash_0.7.2+cvs20070518.1557-1.diff.gz
gnash_0.7.2+cvs20070518.1557-1.dsc
  to pool/main/g/gnash/gnash_0.7.2+cvs20070518.1557-1.dsc
gnash_0.7.2+cvs20070518.1557-1_i386.deb
  to pool/main/g/gnash/gnash_0.7.2+cvs20070518.1557-1_i386.deb
gnash_0.7.2+cvs20070518.1557.orig.tar.gz
  to pool/main/g/gnash/gnash_0.7.2+cvs20070518.1557.orig.tar.gz
konqueror-plugin-gnash_0.7.2+cvs20070518.1557-1_i386.deb
  to pool/main/g/gnash/konqueror-plugin-gnash_0.7.2+cvs20070518.1557-1_i386.deb
libgnash0_0.7.2+cvs20070518.1557-1_i386.deb
  to pool/main/g/gnash/libgnash0_0.7.2+cvs20070518.1557-1_i386.deb
mozilla-plugin-gnash_0.7.2+cvs20070518.1557-1_i386.deb
  to pool/main/g/gnash/mozilla-plugin-gnash_0.7.2+cvs20070518.1557-1_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 423433@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Miriam Ruiz <little_miry@yahoo.es> (supplier of updated gnash package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)



Format: 1.7
Date: Fri, 18 May 2007 15:57:38 +0000
Source: gnash
Binary: gnash-cygnal gnash-tools libgnash0 mozilla-plugin-gnash konqueror-plugin-gnash gnash
Architecture: source i386
Version: 0.7.2+cvs20070518.1557-1
Distribution: unstable
Urgency: low
Maintainer: Miriam Ruiz <little_miry@yahoo.es>
Changed-By: Miriam Ruiz <little_miry@yahoo.es>
Description: 
 gnash      - free Flash movie player
 gnash-cygnal - free Flash movie player - Media server
 gnash-tools - free Flash movie player - Command-line Tools
 konqueror-plugin-gnash - free Flash movie player - Plugin for Konqueror
 libgnash0  - free Flash movie player - shared libraries
 mozilla-plugin-gnash - free Flash movie player - Plugin for Mozilla and derivatives
Closes: 423433 423884
Changes: 
 gnash (0.7.2+cvs20070518.1557-1) unstable; urgency=low
 .
   * New Upstream Release. Downloaded from CVS.
   * Depending on libcurl?-gnutls-dev instead of libcurl?-openssl-dev for
     not depending on OpenSSL (incompatible with GPL license). Closes: #423884
   * Closes: #423433, memory corruption vulnerability in gnash, due to an
     out-of-bounds memory access (http://savannah.gnu.org/bugs/?19774)
   * gstreamer0.10-audiosink is a virtual package, modifying control.
   * Updated dependencies to use libcurl4 instead of libcurl3.
   * Depending on swfmill for check (as well as from ming and mtasc)
   * Make check is fatal error now.
   * Upload sponsored by Petter Reinholdtsen.




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 12 Jan 2008 07:28:28 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:31:48 2019; Machine Name: beach
