List: oss-security
Subject: [oss-security] CVE Request -- (sort of urgent)
From: Jan Lieskovsky <jlieskov () redhat ! com>
Date: 2009-01-29 11:15:22
Message-ID: 1233227722.4126.29.camel () dhcp-lab-164 ! englab ! brq ! redhat ! com
Hello Steve,
By mistake I sent my previous post too early :(, so I am fixing it.
I wanted to provide more details about the affected versions
for the gstreamer-plugins-good issues:
Original advisory:
http://trapkit.de/advisories/TKADV2009-003.txt
The patch:
http://cgit.freedesktop.org/gstreamer/gst-plugins-good/commit/?id=bdc20b9baf13564d9a061343416395f8f9a92b53
References:
http://trapkit.de/advisories/TKADV2009-003.txt
http://cgit.freedesktop.org/gstreamer/gst-plugins-good/commit/?id=bdc20b9baf13564d9a061343416395f8f9a92b53
https://bugzilla.redhat.com/show_bug.cgi?id=481267
Three problems:
[A] heap buffer overflow vulnerability in QuickTime 'ctts' Atom parsing (vuln #1)
[B] array index out of bounds vulnerability in QuickTime 'stss' Atom parsing (vuln #2)
[C] heap buffer overflow vulnerability in QuickTime 'stts' Atom parsing (vuln #3)
---------------------------------------------------------------------------------
i, Vulnerabilities [A] and [B] affect gstreamer-plugins-good versions (CVE id#1):
gst-plugins-good-0.10.9 <= x < gst-plugins-good-0.10.12 (latest upstream)
CVE desc proposal: "A heap based buffer overflow in QuickTime 'ctts' Atom
parsing and an array index out of bounds vulnerability in QuickTime Sync
Sample Atom parsing were found in gstreamer-plugins-good versions from 0.10.9
through to 0.10.11..."
---------------------------------------------------------------------------------
ii, Vulnerability [C] affects gstreamer-plugins and gstreamer-plugins-good versions (CVE id#2)
gst-plugins-good-0.10.9 <= x < gst-plugins-good-0.10.12 (latest upstream)
gstreamer-plugins-0.8.5
CVE desc proposal: "A heap based buffer overflow in QuickTime Sync Sample
Atom parsing has been found in gstreamer-plugins-good versions from 0.10.9
through to 0.10.11 and in gstreamer-plugins version 0.8.5..."
----------------------------------------------------------------------------------
iii, Tomas Hoger discovered that a vulnerability similar to [B] is also present
in the upstream code of gstreamer-plugins in version (CVE id#3)
gstreamer-plugins-0.6.0
CVE desc proposal: "An array index out of bounds vulnerability has been found
in gstreamer-plugins version 0.6.0 ..."
To be more exact, on lines 537 to 565 in gst-plugins-0.6.0/gst/qtdemux/qtdemux.c
(the relevant function is "gst_qtp_trak_handler"):
556 for(i=0;i<GUINT32_FROM_BE(stsc[stsc_idx].samples_per_chunk);i++,sample++) {
557   guint32 size = GUINT32_FROM_BE(stsz[sample]);
558   track_to_be->samples[sample].offset = offset;
559   track_to_be->samples[sample].size = size;
560   track_to_be->samples[sample].timestamp = sample*((1000000*track_to_be->sample_duration)/track_to_be->time_scale);
561   track_to_be->samples[sample].track = track_to_be;
562   g_tree_insert(qtdemux->samples,&(track_to_be->samples[sample].offset),&(track_to_be->samples[sample]));
563   offset += size;
564 }
565 }
There is also a missing check whether "sample" is still lower than "nsamples",
i.e. whether a write such as track_to_be->samples[sample].size = size;
would not overflow.
-----------------------------------------------------------------------------------------
More explanation about all the mystical QuickTime Atom names ('stts') can
be found for example here:
http://developer.apple.com/DOCUMENTATION/QuickTime/QTFF/qtff.pdf (part Sample Table Atoms on page# 74).
Could you please allocate the 3 CVE ids for the above three cases?
Let me know if I could be of any other help.
Thanks && regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team
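The missing "sample < nsamples" check from the 0.6.0 loop above, modelled as an added C example; this is not code from the advisory, the mail or the gst-plugins sources, and the types, function names and the constructed 'stsc'/'stsz' tables are hypothetical:

```c
/* Added example, not from gst-plugins: a simplified model of the qtdemux
 * sample-table loop with the bounds check the 0.6.0 code lacked. */
#include <stdint.h>
#include <stddef.h>

/* Hypothetical, cut-down forms of the 'stsc' entry and the per-sample record. */
typedef struct { uint32_t first_chunk, samples_per_chunk, desc_id; } StscEntry;
typedef struct { uint64_t offset; uint32_t size; } SampleInfo;

/* Fills samples[] from the file-controlled 'stsc' and 'stsz' tables.
 * Returns the number of samples written, or -1 if the 'stsc' entries
 * would address more samples than nsamples (the size of both stsz[] and
 * samples[]). Without the check, samples_per_chunk from the file drives
 * "sample" past the end of the heap array, which is the defect reported. */
int fill_samples(const StscEntry *stsc, size_t n_stsc,
                 const uint32_t *stsz, uint32_t nsamples,
                 SampleInfo *samples, uint64_t offset)
{
    uint32_t sample = 0;
    for (size_t c = 0; c < n_stsc; c++) {
        for (uint32_t i = 0; i < stsc[c].samples_per_chunk; i++) {
            if (sample >= nsamples)     /* the check that was missing */
                return -1;
            samples[sample].offset = offset;
            samples[sample].size = stsz[sample];
            offset += stsz[sample];
            sample++;
        }
    }
    return (int)sample;
}

/* Constructed table whose chunk counts match nsamples: 2 + 1 == 3 samples. */
int demo_consistent_tables(void)
{
    StscEntry stsc[] = { {1, 2, 1}, {2, 1, 1} };
    uint32_t stsz[] = { 10, 20, 30 };
    SampleInfo samples[3];
    int n = fill_samples(stsc, 2, stsz, 3, samples, 100);
    return (n == 3 && samples[2].offset == 130) ? n : -2;
}

/* Constructed table claiming 5 samples in one chunk while only 3 exist. */
int demo_oversized_chunk(void)
{
    StscEntry stsc[] = { {1, 5, 1} };
    uint32_t stsz[] = { 10, 20, 30 };
    SampleInfo samples[3];
    return fill_samples(stsc, 1, stsz, 3, samples, 100);
}
```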