From: Matthias H. <ma...@ms...> - 2006-07-11 09:55:04
Attachments: xine-lib-mms-fixes.diff
Hi all,

unfortunately this only made it through after the xine-lib 1.1.2 release: There has been a vulnerability report about libmms on [vendor-sec]. (CVE-2006-2200)

Please note that the original patch from the Debian maintainer is partially incorrect (it should read memset(dest,0,2*len)), but the memset isn't really necessary and could be nuked anyway. The use of memset in the patch certainly doesn't do any harm, though, and it fixes the potential overflow.

Luckily, xine uses libmms in a way that these vulnerabilities cannot be exploited (buffers are large enough), and the xine module even seems to rely on the side effects of the memset of the 'broken' library. Note that the library sources are included (not an externally linked library).

While analyzing the source I found a couple of potential heap overflows, though, which I'm pretty sure can be exploited with some effort. They are fixed in CVS. I also attached the according patch. But I'm pretty sure that I overlooked some additional ones. This source is a wormhole. Sorry, Thibaut, but then you maybe coded the glue layer only :-]

Matthias

--
Matthias Hopf <mh...@su...>       __      __  __
Maxfeldstr. 5 / 90409 Nuernberg  (_   | |  (_  |__         ma...@ms...
Phone +49-911-74053-715          __)  |_|  __) |__  labs   www.mshopf.de
From: M. <lo...@vi...> - 2006-07-11 11:53:23
Attachments: libmms_0.2-7.diff, libmms_0.2-7-cumulative.diff
Hi,

On Tue, Jul 11, 2006, Matthias Hopf wrote:
> Please note that the original patch from the Debian maintainer is
> partially incorrect (it should read memset(dest,0,2*len)), but the memset
> isn't really necessary and could be nuked anyway. The use of memset in
> the patch certainly doesn't do any harm, though, and it fixes the
> potential overflow.
[...]
> While analyzing the source I found a couple of potential heap overflows,
> though, which I'm pretty sure can be exploited with some
> effort. They are fixed in CVS. I also attached the according patch. But
> I'm pretty sure that I overlooked some additional ones.

Thanks for your review and for the additional fixes. I've adapted the patch and added the memset() fixes you mention for the libmms source package in Debian; I attach the incremental patch, "libmms_0.2-7.diff".

I also attach the cumulative patch of all successive patches I have applied for CVE-2006-2200 to the libmms tree, "libmms_0.2-7-cumulative.diff".

Bye,
--
Loïc Minier <lo...@do...>