
Debian Bug report logs - #472635
vlc CVE-2008-1489: integer overflow leading to heap overflow


Reported by: Nico Golde <nion@debian.org>

Date: Tue, 25 Mar 2008 13:27:01 UTC

Severity: grave

Tags: patch, security

Fixed in versions vlc/0.8.6.e-1.1, vlc/0.8.6.c-6+lenny3

Done: Nico Golde <nion@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian multimedia packages maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>:
Bug#472635; Package vlc.


Acknowledgement sent to Nico Golde <nion@debian.org>:
New Bug report received and forwarded. Copy sent to Debian multimedia packages maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>.


Message #5 received at submit@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: submit@bugs.debian.org
Subject: vlc CVE-2008-1489: integer overflow leading to heap overflow
Date: Tue, 25 Mar 2008 14:24:06 +0100
Package: vlc
Severity: grave
Tags: security patch

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for vlc.

CVE-2008-1489[0]:
| Integer overflow in the MP4_ReadBox_rdrf function in libmp4.c for VLC
| 0.8.6e allows remote attackers to cause a denial of service (crash)
| and possibly execute arbitrary code via a crafted MP4 RDRF box that
| triggers a heap-based buffer overflow, a different vulnerability than
| CVE-2008-0984.

Patch is on:
http://trac.videolan.org/vlc/changeset/09572892df7e72c0d4e598c0b5e076cf330d8b0a

I can provide some more details since I also discovered this 
in 0.8.6e independently :)

Quoting modules/demuxer/mp4/libmp4.c, MP4_ReadBox_rdrf() function:

  1954  static int MP4_ReadBox_rdrf( stream_t *p_stream, MP4_Box_t *p_box )
  1955  {
  1956      uint32_t i_len;
  1957      MP4_READBOX_ENTER( MP4_Box_data_rdrf_t );
  1958
  1959      MP4_GETVERSIONFLAGS( p_box->data.p_rdrf );
  1960      MP4_GETFOURCC( p_box->data.p_rdrf->i_ref_type );
  1961      MP4_GET4BYTES( i_len );
  1962      if( i_len > 0 )
  1963      {
  1964          uint32_t i;
  1965          p_box->data.p_rdrf->psz_ref = malloc( i_len  + 1);
  1966          for( i = 0; i < i_len; i++ )
  1967          {
  1968              MP4_GET1BYTE( p_box->data.p_rdrf->psz_ref[i] );
  1969          }
  1970          p_box->data.p_rdrf->psz_ref[i_len] = '\0';
  1971      }
  1972      else

In line 1961 MP4_GET4BYTES reads the atom length of the mov file, as specified
in the Apple QuickTime standard, and stores the value in the i_len variable.
On positive values it then allocates memory to store that atom data in a buffer.
There is a problem with this code here:
1965          p_box->data.p_rdrf->psz_ref = malloc( i_len  + 1);

When 0xFFFFFFFF is supplied as the atom length, i_len + 1 will overflow, resulting
in malloc allocating the smallest possible chunk because malloc is called with a length
argument of 0. It will not fail, but it won't allocate the needed memory.
The for-loop in line 1966 will then happily copy a lot more data into the buffer.
When exploited this could possibly lead to code execution.

Btw, since i_len is of type uint32_t, the else branch will never be used.

A check for malloc returning NULL doesn't hurt either.

A proof of concept mov file can be found on:
http://nion.modprobe.de/la.mov

If you fix this vulnerability please also include the CVE id
in your changelog entry.

For further information:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1489

Kind regards
Nico

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
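The arithmetic behind the report above, worked through in code. This is an added example, not code from VLC, from the upstream changeset or from the bug report: the reader type, the rd_get* helpers, the function names and the two sample payloads are my own stand-ins for the MP4_GETx macros and the MP4_Box_data_rdrf_t structure, and the hardened variant is my fix rather than the one that shipped. The vulnerable function keeps the shape of the 0.8.6e code (malloc(i_len + 1) followed by a byte-by-byte loop); the hardened one bounds i_len by the bytes actually left in the box, which rejects the 0xFFFFFFFF case and truncated files with the same comparison and makes the +1 safe.

```c
/* Added example (not VLC code): the integer wrap in MP4_ReadBox_rdrf and a
 * bounds-checked reader.  Names and types below are my own stand-ins. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Read cursor over the box payload.  Assumption: like VLC's MP4_GETx macros
 * it yields 0 once the payload is exhausted rather than reading past it. */
typedef struct {
    const uint8_t *p_peek;
    size_t         i_read;   /* bytes still available */
} rdrf_reader_t;

static uint32_t rd_get4(rdrf_reader_t *r)
{
    uint32_t v = 0;
    if (r->i_read >= 4) {
        v = ((uint32_t)r->p_peek[0] << 24) | ((uint32_t)r->p_peek[1] << 16)
          | ((uint32_t)r->p_peek[2] << 8)  |  (uint32_t)r->p_peek[3];
        r->p_peek += 4;
        r->i_read -= 4;
    } else {
        r->i_read = 0;
    }
    return v;
}

static uint8_t rd_get1(rdrf_reader_t *r)
{
    uint8_t v = 0;
    if (r->i_read >= 1) {
        v = *r->p_peek++;
        r->i_read--;
    }
    return v;
}

/* What malloc( i_len + 1 ) really receives: i_len is uint32_t, so on the
 * usual 32-bit-int targets the sum is computed in 32 bits and 0xFFFFFFFF + 1
 * wraps to 0 before it is widened to size_t. */
uint32_t rdrf_alloc_size(uint32_t i_len)
{
    return i_len + 1;
}

/* Same shape as the 0.8.6e code.  payload = 4-byte big-endian length followed
 * by the reference string (the fields after version/flags and ref_type).
 * Never feed this attacker input: for 0xFFFFFFFF it allocates 0 bytes and
 * then writes 4 GiB (payload bytes first, then zeros from rd_get1). */
int rdrf_read_vulnerable(const uint8_t *payload, size_t payload_len, char **out)
{
    rdrf_reader_t r = { payload, payload_len };
    uint32_t i_len = rd_get4(&r);
    *out = NULL;
    if (i_len > 0) {
        char *psz_ref = malloc(i_len + 1);     /* wraps to malloc(0) */
        if (psz_ref == NULL)
            return -1;
        for (uint32_t i = 0; i < i_len; i++)   /* writes i_len bytes anyway */
            psz_ref[i] = (char)rd_get1(&r);
        psz_ref[i_len] = '\0';
        *out = psz_ref;
    }
    return 0;
}

/* Hardened form (my fix, not the upstream one): i_len may not exceed the
 * bytes left in the box, so the +1 can no longer wrap and a short file is
 * rejected instead of being zero-filled. */
int rdrf_read_hardened(const uint8_t *payload, size_t payload_len, char **out)
{
    rdrf_reader_t r = { payload, payload_len };
    *out = NULL;
    if (payload_len < 4)
        return -1;
    uint32_t i_len = rd_get4(&r);
    if (i_len > r.i_read)
        return -1;
    char *psz_ref = malloc((size_t)i_len + 1);
    if (psz_ref == NULL)
        return -1;
    memcpy(psz_ref, r.p_peek, i_len);
    psz_ref[i_len] = '\0';
    *out = psz_ref;
    return 0;
}

/* Constructed sample payloads, not taken from the PoC file in the report. */
static const uint8_t benign_rdrf[]  = { 0x00, 0x00, 0x00, 0x05, 'h', 't', 't', 'p', ':' };
static const uint8_t crafted_rdrf[] = { 0xFF, 0xFF, 0xFF, 0xFF, 'A', 'A', 'A', 'A' };

/* Returns how many of the four checks passed (expected: 4). */
int rdrf_selfcheck(void)
{
    int passed = 0;
    char *s = NULL;
    if (rdrf_alloc_size(0xFFFFFFFFu) == 0)
        passed++;
    if (rdrf_read_vulnerable(benign_rdrf, sizeof benign_rdrf, &s) == 0
        && s != NULL && strcmp(s, "http:") == 0)
        passed++;
    free(s); s = NULL;
    if (rdrf_read_hardened(benign_rdrf, sizeof benign_rdrf, &s) == 0
        && s != NULL && strcmp(s, "http:") == 0)
        passed++;
    free(s); s = NULL;
    if (rdrf_read_hardened(crafted_rdrf, sizeof crafted_rdrf, &s) == -1 && s == NULL)
        passed++;
    return passed;
}

int main(void)
{
    printf("malloc size for i_len=0xFFFFFFFF: %u\n", rdrf_alloc_size(0xFFFFFFFFu));
    printf("checks passed: %d of 4\n", rdrf_selfcheck());
    return 0;
}
```

The check against the remaining box length is the one to prefer over a special case for UINT32_MAX: any i_len larger than the payload is already malformed, and catching it there also covers a file that declares a large but non-wrapping length and then ends early.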

Information forwarded to debian-bugs-dist@lists.debian.org, Debian multimedia packages maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>:
Bug#472635; Package vlc.


Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian multimedia packages maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>.


Message #10 received at 472635@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: 472635@bugs.debian.org
Subject: intent to NMU
Date: Wed, 26 Mar 2008 13:38:12 +0100
Hi,
debdiff attached and archived on:
http://people.debian.org/~nion/nmu-diff/vlc-0.8.6_0.8.6.c-6.1.patch

Kind regards
Nico

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[vlc-0.8.6.e-1_0.8.6.e-1.1.patch (text/x-diff, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian multimedia packages maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>:
Bug#472635; Package vlc.


Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian multimedia packages maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>.


Message #15 received at 472635@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: 472635@bugs.debian.org
Subject: Re: intent to NMU
Date: Wed, 26 Mar 2008 17:38:49 +0100
Hi,
copied the wrong URL, it's:
http://people.debian.org/~nion/nmu-diff/vlc-0.8.6.e-1_0.8.6.e-1.1.patch

Uploading now after talking with lool.
Kind regards
Nico

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

Reply sent to Nico Golde <nion@debian.org>:
You have taken responsibility.


Notification sent to Nico Golde <nion@debian.org>:
Bug acknowledged by developer.


Message #20 received at 472635-close@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: 472635-close@bugs.debian.org
Subject: Bug#472635: fixed in vlc 0.8.6.e-1.1
Date: Wed, 26 Mar 2008 17:17:06 +0000
Source: vlc
Source-Version: 0.8.6.e-1.1

We believe that the bug you reported is fixed in the latest version of
vlc, which is due to be installed in the Debian FTP archive:

libvlc0-dev_0.8.6.e-1.1_amd64.deb
  to pool/main/v/vlc/libvlc0-dev_0.8.6.e-1.1_amd64.deb
libvlc0_0.8.6.e-1.1_amd64.deb
  to pool/main/v/vlc/libvlc0_0.8.6.e-1.1_amd64.deb
mozilla-plugin-vlc_0.8.6.e-1.1_amd64.deb
  to pool/main/v/vlc/mozilla-plugin-vlc_0.8.6.e-1.1_amd64.deb
vlc-nox_0.8.6.e-1.1_amd64.deb
  to pool/main/v/vlc/vlc-nox_0.8.6.e-1.1_amd64.deb
vlc-plugin-alsa_0.8.6.e-1.1_all.deb
  to pool/main/v/vlc/vlc-plugin-alsa_0.8.6.e-1.1_all.deb
vlc-plugin-arts_0.8.6.e-1.1_amd64.deb
  to pool/main/v/vlc/vlc-plugin-arts_0.8.6.e-1.1_amd64.deb
vlc-plugin-esd_0.8.6.e-1.1_amd64.deb
  to pool/main/v/vlc/vlc-plugin-esd_0.8.6.e-1.1_amd64.deb
vlc-plugin-ggi_0.8.6.e-1.1_amd64.deb
  to pool/main/v/vlc/vlc-plugin-ggi_0.8.6.e-1.1_amd64.deb
vlc-plugin-jack_0.8.6.e-1.1_amd64.deb
  to pool/main/v/vlc/vlc-plugin-jack_0.8.6.e-1.1_amd64.deb
vlc-plugin-sdl_0.8.6.e-1.1_amd64.deb
  to pool/main/v/vlc/vlc-plugin-sdl_0.8.6.e-1.1_amd64.deb
vlc-plugin-svgalib_0.8.6.e-1.1_amd64.deb
  to pool/main/v/vlc/vlc-plugin-svgalib_0.8.6.e-1.1_amd64.deb
vlc_0.8.6.e-1.1.diff.gz
  to pool/main/v/vlc/vlc_0.8.6.e-1.1.diff.gz
vlc_0.8.6.e-1.1.dsc
  to pool/main/v/vlc/vlc_0.8.6.e-1.1.dsc
vlc_0.8.6.e-1.1_amd64.deb
  to pool/main/v/vlc/vlc_0.8.6.e-1.1_amd64.deb
wxvlc_0.8.6.e-1.1_all.deb
  to pool/main/v/vlc/wxvlc_0.8.6.e-1.1_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 472635@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Nico Golde <nion@debian.org> (supplier of updated vlc package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Wed, 26 Mar 2008 13:21:44 +0100
Source: vlc
Binary: vlc vlc-nox libvlc0 libvlc0-dev vlc-plugin-esd vlc-plugin-alsa vlc-plugin-sdl vlc-plugin-ggi vlc-plugin-glide vlc-plugin-arts mozilla-plugin-vlc vlc-plugin-svgalib wxvlc vlc-plugin-jack
Architecture: source all amd64
Version: 0.8.6.e-1.1
Distribution: unstable
Urgency: high
Maintainer: Debian multimedia packages maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>
Changed-By: Nico Golde <nion@debian.org>
Description: 
 libvlc0    - multimedia player and streamer library
 libvlc0-dev - development files for VLC
 mozilla-plugin-vlc - multimedia plugin for web browsers based on VLC
 vlc        - multimedia player and streamer
 vlc-nox    - multimedia player and streamer (without X support)
 vlc-plugin-alsa - dummy transitional package
 vlc-plugin-arts - aRts audio output plugin for VLC
 vlc-plugin-esd - Esound audio output plugin for VLC
 vlc-plugin-ggi - GGI video output plugin for VLC
 vlc-plugin-jack - Jack audio plugins for VLC
 vlc-plugin-sdl - SDL video and audio output plugin for VLC
 vlc-plugin-svgalib - SVGAlib video output plugin for VLC
 wxvlc      - dummy transitional package
Closes: 472635
Changes: 
 vlc (0.8.6.e-1.1) unstable; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Fix Integer overflow in MP4_ReadBox_rdrf function
     that triggers a heap-based buffer overflow via a
     large atom length value (Closes: #472635).
Files: 
 bdcaa9730d2cd021e86db87e65708fb0 2703 graphics optional vlc_0.8.6.e-1.1.dsc
 fbb40c6aaade38e0cbf43e8749d9b191 35720 graphics optional vlc_0.8.6.e-1.1.diff.gz
 5719e622c7a71e80b36c2795e6dda29c 798 graphics optional vlc-plugin-alsa_0.8.6.e-1.1_all.deb
 a081b1f5aeffd3c603bba5c526649af0 792 graphics optional wxvlc_0.8.6.e-1.1_all.deb
 9d5a3083e149d120d9b2291732e7e0c6 1165900 graphics optional vlc_0.8.6.e-1.1_amd64.deb
 85942e15502272c737ee68c2bbefa4cb 4860156 net optional vlc-nox_0.8.6.e-1.1_amd64.deb
 72b499d123450b0415f46aec9b028386 485084 libs optional libvlc0_0.8.6.e-1.1_amd64.deb
 39f4e601e8971eb667a10c8e1fb35369 539958 libdevel optional libvlc0-dev_0.8.6.e-1.1_amd64.deb
 db99f1622b7779d89ad13c9461714550 4530 graphics optional vlc-plugin-esd_0.8.6.e-1.1_amd64.deb
 778cacd6f649ec3d0ca2122ccfc710de 11654 graphics optional vlc-plugin-sdl_0.8.6.e-1.1_amd64.deb
 87b41ecc0fcff93ce2362a81f740a4d0 6216 graphics optional vlc-plugin-ggi_0.8.6.e-1.1_amd64.deb
 a7285a54fe267cd5b0d7ef1e2b815d0e 4176 graphics optional vlc-plugin-arts_0.8.6.e-1.1_amd64.deb
 79fc47583effd10c6627af2c76515b79 38280 graphics optional mozilla-plugin-vlc_0.8.6.e-1.1_amd64.deb
 d9718dab24afec2ffafc48ebad82f79d 4802 graphics optional vlc-plugin-svgalib_0.8.6.e-1.1_amd64.deb
 a287f25350170a4abfdec86249efab3c 4872 graphics optional vlc-plugin-jack_0.8.6.e-1.1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFH6oD2HYflSXNkfP8RAtCIAJ9W46rIeQRKhPwHzQ0AABFZnc77agCfZ/fw
QNAOa/K2FhO9tqKC2HduvVA=
=5ONb
-----END PGP SIGNATURE-----

Reply sent to Nico Golde <nion@debian.org>:
You have taken responsibility.


Notification sent to Nico Golde <nion@debian.org>:
Bug acknowledged by developer.


Message #25 received at 472635-close@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: 472635-close@bugs.debian.org
Subject: Bug#472635: fixed in vlc 0.8.6.c-6+lenny3
Date: Mon, 31 Mar 2008 09:03:25 +0000
Source: vlc
Source-Version: 0.8.6.c-6+lenny3

We believe that the bug you reported is fixed in the latest version of
vlc, which is due to be installed in the Debian FTP archive:

libvlc0-dev_0.8.6.c-6+lenny3_amd64.deb
  to pool/main/v/vlc/libvlc0-dev_0.8.6.c-6+lenny3_amd64.deb
libvlc0_0.8.6.c-6+lenny3_amd64.deb
  to pool/main/v/vlc/libvlc0_0.8.6.c-6+lenny3_amd64.deb
mozilla-plugin-vlc_0.8.6.c-6+lenny3_amd64.deb
  to pool/main/v/vlc/mozilla-plugin-vlc_0.8.6.c-6+lenny3_amd64.deb
vlc-nox_0.8.6.c-6+lenny3_amd64.deb
  to pool/main/v/vlc/vlc-nox_0.8.6.c-6+lenny3_amd64.deb
vlc-plugin-alsa_0.8.6.c-6+lenny3_all.deb
  to pool/main/v/vlc/vlc-plugin-alsa_0.8.6.c-6+lenny3_all.deb
vlc-plugin-arts_0.8.6.c-6+lenny3_amd64.deb
  to pool/main/v/vlc/vlc-plugin-arts_0.8.6.c-6+lenny3_amd64.deb
vlc-plugin-esd_0.8.6.c-6+lenny3_amd64.deb
  to pool/main/v/vlc/vlc-plugin-esd_0.8.6.c-6+lenny3_amd64.deb
vlc-plugin-ggi_0.8.6.c-6+lenny3_amd64.deb
  to pool/main/v/vlc/vlc-plugin-ggi_0.8.6.c-6+lenny3_amd64.deb
vlc-plugin-jack_0.8.6.c-6+lenny3_amd64.deb
  to pool/main/v/vlc/vlc-plugin-jack_0.8.6.c-6+lenny3_amd64.deb
vlc-plugin-sdl_0.8.6.c-6+lenny3_amd64.deb
  to pool/main/v/vlc/vlc-plugin-sdl_0.8.6.c-6+lenny3_amd64.deb
vlc-plugin-svgalib_0.8.6.c-6+lenny3_amd64.deb
  to pool/main/v/vlc/vlc-plugin-svgalib_0.8.6.c-6+lenny3_amd64.deb
vlc_0.8.6.c-6+lenny3.diff.gz
  to pool/main/v/vlc/vlc_0.8.6.c-6+lenny3.diff.gz
vlc_0.8.6.c-6+lenny3.dsc
  to pool/main/v/vlc/vlc_0.8.6.c-6+lenny3.dsc
vlc_0.8.6.c-6+lenny3_amd64.deb
  to pool/main/v/vlc/vlc_0.8.6.c-6+lenny3_amd64.deb
wxvlc_0.8.6.c-6+lenny3_all.deb
  to pool/main/v/vlc/wxvlc_0.8.6.c-6+lenny3_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 472635@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Nico Golde <nion@debian.org> (supplier of updated vlc package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Fri, 28 Mar 2008 13:51:48 +0100
Source: vlc
Binary: vlc vlc-nox libvlc0 libvlc0-dev vlc-plugin-esd vlc-plugin-alsa vlc-plugin-sdl vlc-plugin-ggi vlc-plugin-glide vlc-plugin-arts mozilla-plugin-vlc vlc-plugin-svgalib wxvlc vlc-plugin-jack
Architecture: source all amd64
Version: 0.8.6.c-6+lenny3
Distribution: testing-security
Urgency: high
Maintainer: Debian multimedia packages maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>
Changed-By: Nico Golde <nion@debian.org>
Description: 
 libvlc0    - multimedia player and streamer library
 libvlc0-dev - development files for VLC
 mozilla-plugin-vlc - multimedia plugin for web browsers based on VLC
 vlc        - multimedia player and streamer
 vlc-nox    - multimedia player and streamer (without X support)
 vlc-plugin-alsa - dummy transitional package
 vlc-plugin-arts - aRts audio output plugin for VLC
 vlc-plugin-esd - Esound audio output plugin for VLC
 vlc-plugin-ggi - GGI video output plugin for VLC
 vlc-plugin-jack - Jack audio plugins for VLC
 vlc-plugin-sdl - SDL video and audio output plugin for VLC
 vlc-plugin-svgalib - SVGAlib video output plugin for VLC
 wxvlc      - dummy transitional package
Closes: 472635 473057
Changes: 
 vlc (0.8.6.c-6+lenny3) testing-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * This update addresses the following security issues:
     - CVE-2008-1489: an integer overflow in the MP4_ReadBox_rdrf function that
       can be triggered via crafted atom size values could possibly lead to
       arbitrary code execution (Closes: #472635).
     - CVE-2008-0073: possible code execution via a crafted rtsp stream with
       a large streamid SDP parameter (Closes: #473057).
Files: 
 a154adf5e340c056d48f690aea8d2aac 2713 graphics optional vlc_0.8.6.c-6+lenny3.dsc
 80193f533ef47d30463d3dfb2f79d491 39426 graphics optional vlc_0.8.6.c-6+lenny3.diff.gz
 68f059b691db7422cd3b0aef65594b9d 804 graphics optional vlc-plugin-alsa_0.8.6.c-6+lenny3_all.deb
 237c2429244caeff612ed430d9977ba3 798 graphics optional wxvlc_0.8.6.c-6+lenny3_all.deb
 31aa2f01b3d7702476b432a5c33775bf 1159496 graphics optional vlc_0.8.6.c-6+lenny3_amd64.deb
 01b7c4316e0c923e4ff0c0764efa0e48 4719008 net optional vlc-nox_0.8.6.c-6+lenny3_amd64.deb
 b633eb8ee19a3aefb4b7efa577de87ed 473634 libs optional libvlc0_0.8.6.c-6+lenny3_amd64.deb
 c7555dec2c1d9f32789a11622a367a8e 539922 libdevel optional libvlc0-dev_0.8.6.c-6+lenny3_amd64.deb
 8e5eca4e237d7489976784d791c8edc5 4544 graphics optional vlc-plugin-esd_0.8.6.c-6+lenny3_amd64.deb
 8c68f3ad13e185f37d6a5fafbadac038 11656 graphics optional vlc-plugin-sdl_0.8.6.c-6+lenny3_amd64.deb
 9f2cc3af1b9a375bbaa615ead68b568d 6222 graphics optional vlc-plugin-ggi_0.8.6.c-6+lenny3_amd64.deb
 a10c33e116f82037b4b9a4d577fdac51 4192 graphics optional vlc-plugin-arts_0.8.6.c-6+lenny3_amd64.deb
 81a6fe49b87cf4934e84d4365813bb70 38152 graphics optional mozilla-plugin-vlc_0.8.6.c-6+lenny3_amd64.deb
 5d9f64f2d20bee2eadb9f492e34c2469 4812 graphics optional vlc-plugin-svgalib_0.8.6.c-6+lenny3_amd64.deb
 60926a4e3dc3c4b0878396df1923bfa2 4882 graphics optional vlc-plugin-jack_0.8.6.c-6+lenny3_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFH74mSHYflSXNkfP8RAiYqAJ9aluODB9pwQ+jsGpMit2a6javNQgCgtioc
YB4CoZ1NOadL79cYo79d+oY=
=HB2M
-----END PGP SIGNATURE-----

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 20 Jun 2008 07:31:49 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:04:26 2019; Machine Name: buxtehude