liblivemedia: CVE-2019-9215: invalid memory access in parseAuthorizationHeader

Related Vulnerabilities: CVE-2019-9215  

Debian Bug report logs - #924655

Reported by: Hugo Lefeuvre <hle@debian.org>

Date: Fri, 15 Mar 2019 14:27:02 UTC

Severity: serious

Tags: security, upstream

Found in versions liblivemedia/2016.11.28-1, liblivemedia/2018.11.26-1

Fixed in versions liblivemedia/2016.11.28-1+deb9u2, liblivemedia/2018.11.26-1.1, 2019.02.27-1

Done: Sebastian Ramacher <sramacher@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>:
Bug#924655; Package src:liblivemedia. (Fri, 15 Mar 2019 14:27:04 GMT) (full text, mbox, link).


Acknowledgement sent to Hugo Lefeuvre <hle@debian.org>:
New Bug report received and forwarded. Copy sent to Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>. (Fri, 15 Mar 2019 14:27:05 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Hugo Lefeuvre <hle@debian.org>
To: submit@bugs.debian.org
Subject: liblivemedia: CVE-2019-9215: invalid memory access in parseAuthorizationHeader
Date: Fri, 15 Mar 2019 15:05:21 +0100
[Message part 1 (text/plain, inline)]
Source: liblivemedia
Version: 2018.11.26-1
Severity: normal
Tags: security upstream

Hi,

The following vulnerability was published for liblivemedia.

CVE-2019-9215[0]: malformed headers lead to invalid memory access in
the parseAuthorizationHeader function.

I see this vulnerability was fixed in experimental via new upstream
release 2019.02.27-1. This is a fairly severe issue so we should
probably backport the patch to Buster as well.

regards,
Hugo

[0] https://security-tracker.debian.org/tracker/CVE-2019-9215

-- 
                Hugo Lefeuvre (hle)    |    www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C
[signature.asc (application/pgp-signature, inline)]
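The report above names the failure class (a malformed Authorization header driving parseAuthorizationHeader past the end of its input). As an added illustration, not live555's code, the following C parser handles an RTSP Digest header as a buffer of explicit length and rejects truncated or unterminated input instead of scanning past it; the struct, field sizes and sample headers are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical, length-bounded parser for an RTSP "Authorization: Digest"
 * header (illustration only; not live555's parseAuthorizationHeader).
 * Every scan is bounded by the buffer length, so a header cut off inside a
 * quoted value is rejected rather than read past its end. */
typedef struct {
    char username[64], realm[64], nonce[64], uri[128], response[64];
} digest_auth;

/* Copy the quoted value following `key` (e.g. realm=) into out.
 * Returns 1 on success, 0 if the field is absent, unterminated or too long. */
static int get_field(const char *hdr, size_t len, const char *key,
                     char *out, size_t outsz) {
    size_t klen = strlen(key);
    for (size_t i = 0; i + klen + 1 <= len; i++) {   /* room for key + '"' */
        if (memcmp(hdr + i, key, klen) != 0 || hdr[i + klen] != '"') continue;
        size_t start = i + klen + 1, end = start;
        while (end < len && hdr[end] != '"') end++;  /* bounded quote scan */
        if (end == len || end - start >= outsz) return 0;
        memcpy(out, hdr + start, end - start);
        out[end - start] = '\0';
        return 1;
    }
    return 0;
}

/* Returns 1 if all required Digest fields were parsed, 0 on any defect. */
int parse_digest_header(const char *hdr, size_t len, digest_auth *a) {
    static const char prefix[] = "Digest ";
    if (len < sizeof prefix - 1 || memcmp(hdr, prefix, sizeof prefix - 1)) return 0;
    return get_field(hdr, len, "username=", a->username, sizeof a->username)
        && get_field(hdr, len, "realm=", a->realm, sizeof a->realm)
        && get_field(hdr, len, "nonce=", a->nonce, sizeof a->nonce)
        && get_field(hdr, len, "uri=", a->uri, sizeof a->uri)
        && get_field(hdr, len, "response=", a->response, sizeof a->response);
}

int main(void) {
    /* Constructed sample headers: a complete one and one cut off mid-value. */
    const char good[] = "Digest username=\"alice\", realm=\"cam\", nonce=\"n1\", "
                        "uri=\"rtsp://cam/stream\", response=\"0123456789abcdef\"";
    const char bad[] = "Digest username=\"alice\", realm=\"cam";
    digest_auth a;
    printf("complete header parsed: %d\n", parse_digest_header(good, strlen(good), &a));
    printf("truncated header parsed: %d\n", parse_digest_header(bad, strlen(bad), &a));
    return 0;
}
```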

Reply sent to Sebastian Ramacher <sramacher@debian.org>:
You have taken responsibility. (Fri, 15 Mar 2019 14:39:03 GMT) (full text, mbox, link).


Notification sent to Hugo Lefeuvre <hle@debian.org>:
Bug acknowledged by developer. (Fri, 15 Mar 2019 14:39:03 GMT) (full text, mbox, link).


Message #10 received at 924655-done@bugs.debian.org (full text, mbox, reply):

From: Sebastian Ramacher <sramacher@debian.org>
To: Hugo Lefeuvre <hle@debian.org>, 924655-done@bugs.debian.org
Subject: Re: Bug#924655: liblivemedia: CVE-2019-9215: invalid memory access in parseAuthorizationHeader
Date: Fri, 15 Mar 2019 15:35:51 +0100
[Message part 1 (text/plain, inline)]
Version: 2019.02.27-1

On 2019-03-15 15:05:21, Hugo Lefeuvre wrote:
> Source: liblivemedia
> Version: 2018.11.26-1
> Severity: normal
> Tags: security upstream
> 
> Hi,
> 
> The following vulnerability was published for liblivemedia.
> 
> CVE-2019-9215[0]: malformed headers lead to invalid memory access in
> the parseAuthorizationHeader function.
> 
> I see this vulnerability was fixed in experimental via new upstream
> release 2019.02.27-1. This is a fairly severe issue so we should
> probably backport the patch to Buster as well.

Unless a CVE affects the client part of the library, I don't think it's
worth it. The client part is the only part used by reverse dependencies.

Cheers
-- 
Sebastian Ramacher
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>:
Bug#924655; Package src:liblivemedia. (Fri, 15 Mar 2019 15:00:03 GMT) (full text, mbox, link).


Acknowledgement sent to Hugo Lefeuvre <hle@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>. (Fri, 15 Mar 2019 15:00:04 GMT) (full text, mbox, link).


Message #15 received at 924655@bugs.debian.org (full text, mbox, reply):

From: Hugo Lefeuvre <hle@debian.org>
To: Sebastian Ramacher <sramacher@debian.org>
Cc: 924655@bugs.debian.org
Subject: Re: Bug#924655: liblivemedia: CVE-2019-9215: invalid memory access in parseAuthorizationHeader
Date: Fri, 15 Mar 2019 15:43:15 +0100
[Message part 1 (text/plain, inline)]
Hi,

> Unless a CVE affects the client part of the library, I don't think it's
> worth it. The client part is the only part used by reverse dependencies.

What do you mean exactly by client part? The affected code is located
in liveMedia/RTSPServer.cpp.

regards,
Hugo

-- 
                Hugo Lefeuvre (hle)    |    www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>:
Bug#924655; Package src:liblivemedia. (Fri, 15 Mar 2019 15:09:04 GMT) (full text, mbox, link).


Acknowledgement sent to Sebastian Ramacher <sramacher@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>. (Fri, 15 Mar 2019 15:09:04 GMT) (full text, mbox, link).


Message #20 received at 924655@bugs.debian.org (full text, mbox, reply):

From: Sebastian Ramacher <sramacher@debian.org>
To: Hugo Lefeuvre <hle@debian.org>
Cc: 924655@bugs.debian.org
Subject: Re: Bug#924655: liblivemedia: CVE-2019-9215: invalid memory access in parseAuthorizationHeader
Date: Fri, 15 Mar 2019 16:06:50 +0100
[Message part 1 (text/plain, inline)]
Hi

On 2019-03-15 15:43:15, Hugo Lefeuvre wrote:
> Hi,
> 
> > Unless a CVE affects the client part of the library, I don't think it's
> > worth it. The client part is the only part used by reverse dependencies.
> 
> What do you mean exactly by client part? The affected code is located
> in liveMedia/RTSPServer.cpp.

liblivemedia provides an implementation of the server and client side of
RTSP. So, unless a CVE affects the code path used by the RTSP client (as
for example used by vlc), I won't spend any time on it.

Before you start cherry-picking the patches from experimental, I'd
suggest getting in contact with the release team to do a proper
transition to the new upstream version (maybe even to the 2019.03.xx
release that's not yet packaged). Those new releases effectively only
consist of the fixes for the recent CVEs. (Yes, I know that the freeze
already started.)

Cheers
-- 
Sebastian Ramacher
[signature.asc (application/pgp-signature, inline)]

Severity set to 'serious' from 'normal' Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 15 Mar 2019 15:21:11 GMT) (full text, mbox, link).


Marked as found in versions liblivemedia/2016.11.28-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 15 Mar 2019 15:21:12 GMT) (full text, mbox, link).


Marked as fixed in versions liblivemedia/2016.11.28-1+deb9u2. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 15 Mar 2019 15:21:12 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>:
Bug#924655; Package src:liblivemedia. (Fri, 15 Mar 2019 15:30:04 GMT) (full text, mbox, link).


Acknowledgement sent to Hugo Lefeuvre <hle@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>. (Fri, 15 Mar 2019 15:30:04 GMT) (full text, mbox, link).


Message #31 received at 924655@bugs.debian.org (full text, mbox, reply):

From: Hugo Lefeuvre <hle@debian.org>
To: Sebastian Ramacher <sramacher@debian.org>
Cc: 924655@bugs.debian.org
Subject: Re: Bug#924655: liblivemedia: CVE-2019-9215: invalid memory access in parseAuthorizationHeader
Date: Fri, 15 Mar 2019 16:26:25 +0100
[Message part 1 (text/plain, inline)]
> liblivemedia provides an implementation of the server and client side of
> RTSP. So, unless a CVE affects the code path used by the RTSP client (as
> for example used by vlc), I won't spend any time on it.

Ok, I thought live555 was also known as one of the main free RTSP
server implementations. Is this actually wrong?

> Before you start cherry-picking the patches from experimental, I'd
> suggest getting in contact with the release team to do a proper
> transition to the new upstream version (maybe even to the 2019.03.xx
> release that's not yet packaged). Those new releases effectively only
> consist of the fixes for the recent CVEs. (Yes, I know that the freeze
> already started.)

Agree. I will look into it if I manage to find time for this.

thanks

regards,
Hugo

-- 
                Hugo Lefeuvre (hle)    |    www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>:
Bug#924655; Package src:liblivemedia. (Fri, 15 Mar 2019 17:24:03 GMT) (full text, mbox, link).


Acknowledgement sent to Sebastian Ramacher <sramacher@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>. (Fri, 15 Mar 2019 17:24:03 GMT) (full text, mbox, link).


Message #36 received at 924655@bugs.debian.org (full text, mbox, reply):

From: Sebastian Ramacher <sramacher@debian.org>
To: Hugo Lefeuvre <hle@debian.org>
Cc: 924655@bugs.debian.org
Subject: Re: Bug#924655: liblivemedia: CVE-2019-9215: invalid memory access in parseAuthorizationHeader
Date: Fri, 15 Mar 2019 18:21:18 +0100
[Message part 1 (text/plain, inline)]
On 2019-03-15 16:26:25, Hugo Lefeuvre wrote:
> > liblivemedia provides an implementation of the server and client side of
> > RTSP. So, unless a CVE affects the code path used by the RTSP client (as
> > for example used by vlc), I won't spend any time on it.
> 
> Ok, I thought live555 was also known as one of the main free RTSP
> server implementations. Is this actually wrong?

I don't know, but at least ffmpeg and vlc use alternative RTSP server
implementations.

Cheers

> 
> > Before you start cherry-picking the patches from experimental, I'd
> > suggest getting in contact with the release team to do a proper
> > transition to the new upstream version (maybe even to the 2019.03.xx
> > release that's not yet packaged). Those new releases effectively only
> > consist of the fixes for the recent CVEs. (Yes, I know that the freeze
> > already started.)
> 
> Agree. I will look into it if I manage to find time for this.
> 
> thanks
> 
> regards,
> Hugo
> 
> -- 
>                 Hugo Lefeuvre (hle)    |    www.owl.eu.com
> RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
> ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C



-- 
Sebastian Ramacher
[signature.asc (application/pgp-signature, inline)]

Marked as fixed in versions liblivemedia/2018.11.26-1.1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 06 May 2019 19:24:02 GMT) (full text, mbox, link).


Message sent on to Hugo Lefeuvre <hle@debian.org>:
Bug#924655. (Mon, 06 May 2019 19:24:04 GMT) (full text, mbox, link).


Message #41 received at 924655-submitter@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: control@bugs.debian.org
Cc: 924655-submitter@bugs.debian.org, 924656-submitter@bugs.debian.org
Subject: closing 924656, closing 924655
Date: Mon, 06 May 2019 21:15:18 +0200
close 924656 2018.11.26-1.1
close 924655 2018.11.26-1.1
thanks




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 04 Jun 2019 07:28:04 GMT) (full text, mbox, link).



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:11:22 2019; Machine Name: beach
