Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact

liblivemedia: CVE-2019-7314: mishandling of RTSP stream termination causes use-after-free and crash

Related Vulnerabilities: CVE-2019-7314  

Source

Debian Bug report logs - #924656
liblivemedia: CVE-2019-7314: mishandling of RTSP stream termination causes use-after-free and crash

version graph

Package: src:liblivemedia; Maintainer for src:liblivemedia is Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>;

Reported by: Hugo Lefeuvre <hle@debian.org>

Date: Fri, 15 Mar 2019 14:45:02 UTC

Severity: serious

Tags: security, upstream

Found in versions liblivemedia/2016.11.28-1, liblivemedia/2018.11.26-1

Fixed in versions liblivemedia/2019.02.03-1, liblivemedia/2016.11.28-1+deb9u2, 2019.02.03-1, liblivemedia/2018.11.26-1.1

Done: Sebastian Ramacher <sramacher@debian.org>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox

Report forwarded to debian-bugs-dist@lists.debian.org, Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>:
Bug#924656; Package src:liblivemedia. (Fri, 15 Mar 2019 14:45:04 GMT) (full text, mbox, link).

Acknowledgement sent to Hugo Lefeuvre <hle@debian.org>:
New Bug report received and forwarded. Copy sent to Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>. (Fri, 15 Mar 2019 14:45:04 GMT) (full text, mbox, link).

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Hugo Lefeuvre <hle@debian.org>
To: submit@bugs.debian.org
Subject: liblivemedia: CVE-2019-7314: mishandling of RTSP stream termination causes use-after-free and crash
Date: Fri, 15 Mar 2019 15:21:29 +0100
[Message part 1 (text/plain, inline)]
Source: liblivemedia
Version: 2018.11.26-1
Severity: normal
Tags: security upstream

Hi,

The following vulnerability was published for liblivemedia.

CVE-2019-7314[0]: 
liblivemedia in Live555 before 2019.02.03 mishandles the termination of an
RTSP stream after RTP/RTCP-over-RTSP has been set up, which could lead to a
Use-After-Free error that causes the RTSP server to crash (Segmentation
fault) or possibly have unspecified other impact.

We might want to fix this in Buster, the patch is straightforward. I can
provide a debdiff if needed, already uploaded fixes for stretch and jessie.

regards,
Hugo

[0] https://security-tracker.debian.org/tracker/CVE-2019-7314

-- 
                Hugo Lefeuvre (hle)    |    www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C

[signature.asc (application/pgp-signature, inline)]

Severity set to 'serious' from 'normal' Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 15 Mar 2019 15:21:07 GMT) (full text, mbox, link).

Marked as found in versions liblivemedia/2016.11.28-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 15 Mar 2019 15:21:08 GMT) (full text, mbox, link).

Marked as fixed in versions liblivemedia/2016.11.28-1+deb9u2. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 15 Mar 2019 15:21:09 GMT) (full text, mbox, link).

Marked as fixed in versions liblivemedia/2019.02.03-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 15 Mar 2019 15:21:09 GMT) (full text, mbox, link).

Reply sent to Sebastian Ramacher <sramacher@debian.org>:
You have taken responsibility. (Fri, 15 Mar 2019 17:33:09 GMT) (full text, mbox, link).

Notification sent to Hugo Lefeuvre <hle@debian.org>:
Bug acknowledged by developer. (Fri, 15 Mar 2019 17:33:09 GMT) (full text, mbox, link).

Message #18 received at 924656-done@bugs.debian.org (full text, mbox, reply):

From: Sebastian Ramacher <sramacher@debian.org>
To: Hugo Lefeuvre <hle@debian.org>, 924656-doe@bugs.debian.org
Subject: Re: Bug#924656: liblivemedia: CVE-2019-7314: mishandling of RTSP stream termination causes use-after-free and crash
Date: Fri, 15 Mar 2019 18:23:01 +0100
[Message part 1 (text/plain, inline)]
Version: 2019.02.03-1

Marking as fixed with the upload of 2019.02.03-1.

On 2019-03-15 15:21:29, Hugo Lefeuvre wrote:
> Source: liblivemedia
> Version: 2018.11.26-1
> Severity: normal
> Tags: security upstream
> 
> Hi,
> 
> The following vulnerability was published for liblivemedia.
> 
> CVE-2019-7314[0]: 
> liblivemedia in Live555 before 2019.02.03 mishandles the termination of an
> RTSP stream after RTP/RTCP-over-RTSP has been set up, which could lead to a
> Use-After-Free error that causes the RTSP server to crash (Segmentation
> fault) or possibly have unspecified other impact.
> 
> We might want to fix this in Buster, the patch is straightforward. I can
> provide a debdiff if needed, already uploaded fixes for stretch and jessie.
> 
> regards,
> Hugo
> 
> [0] https://security-tracker.debian.org/tracker/CVE-2019-7314
> 
> -- 
>                 Hugo Lefeuvre (hle)    |    www.owl.eu.com
> RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
> ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C



-- 
Sebastian Ramacher

[signature.asc (application/pgp-signature, inline)]

Marked as fixed in versions liblivemedia/2018.11.26-1.1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 06 May 2019 19:24:02 GMT) (full text, mbox, link).

Message sent on to Hugo Lefeuvre <hle@debian.org>:
Bug#924656. (Mon, 06 May 2019 19:24:06 GMT) (full text, mbox, link).

Message #23 received at 924656-submitter@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: control@bugs.debian.org
Cc: 924655-submitter@bugs.debian.org, 924656-submitter@bugs.debian.org
Subject: closing 924656, closing 924655
Date: Mon, 06 May 2019 21:15:18 +0200
close 924656 2018.11.26-1.1
close 924655 2018.11.26-1.1
thanks

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 04 Jun 2019 07:28:15 GMT) (full text, mbox, link).

Send a report that this bug log contains spam.

Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:48:29 2019; Machine Name: buxtehude

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook

Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started