retitle 502726 vlc: CVE-2008-4654, CVE-2008-4686 buffer overflow in ty parsing and multiple integer overflows
thanks

Hi Rémi,
* Rémi Denis-Courmont <[EMAIL PROTECTED]> [2008-10-19 20:22]:
> On Sunday 19 October 2008 19:35:25 Nico Golde, you wrote:
> > > See also http://www.videolan.org/security/sa0809.html
> >
> > Are you sure that 0.8.6.h-4 in unstable is affected?
> > Looking at
> > http://git.videolan.org/?p=vlc.git;a=blob;f=modules/demux/ty.c;h=65a408f67a363747f7308a8a858a6dad50e54e67;hb=26d92b87bba99b5ea2e17b7eaa39c462d65e9133
> > the overflow happens because of the integer conversion in 8
> > + i_map_size or if i_map_size + 8 exceeds mst_buf.
> > I had a look at the code in 0.8.6.h-4 and didn't see
> > something similar. Only static size reads with correct
> > sizes.
> >
> > Can you confirm that this does not affect 0.8.6.h-4 and if
> > not, what do I miss?
>
> Probably so. Unfortunately, I have no samples.

Here are the CVE ids:

Name: CVE-2008-4654
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4654
Reference: BUGTRAQ:20081020 [TKADV2008-010] VLC media player TiVo ty Processing Stack Overflow Vulnerability
Reference: URL:http://www.securityfocus.com/archive/1/archive/1/497587/100/0/threaded
Reference: MLIST:[oss-security] 20081019 CVE id request: vlc
Reference: URL:http://www.openwall.com/lists/oss-security/2008/10/19/2
Reference: MISC:http://www.trapkit.de/advisories/TKADV2008-010.txt
Reference: CONFIRM:http://git.videolan.org/?p=vlc.git;a=commit;h=fde9e1cc1fe1ec9635169fa071e42b3aa6436033
Reference: CONFIRM:http://git.videolan.org/?p=vlc.git;a=commitdiff;h=26d92b87bba99b5ea2e17b7eaa39c462d65e9133
Reference: CONFIRM:http://www.videolan.org/security/sa0809.html
Reference: CONFIRM:http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=502726
Reference: BID:31813
Reference: URL:http://www.securityfocus.com/bid/31813
Reference: FRSIRT:ADV-2008-2856
Reference: URL:http://www.frsirt.com/english/advisories/2008/2856
Reference: SECUNIA:32339
Reference: URL:http://secunia.com/advisories/32339
Reference: XF:vlcmediaplayer-ty-bo(45960)
Reference: URL:http://xforce.iss.net/xforce/xfdb/45960

Stack-based buffer overflow in the parse_master function in the Ty
demux plugin (modules/demux/ty.c) in VLC Media Player 0.9.0 through
0.9.4 allows remote attackers to execute arbitrary code via a TiVo TY
media file with a header containing a crafted size value.

Name: CVE-2008-4686
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4686
Reference: MLIST:[oss-security] 20081019 CVE id request: vlc
Reference: URL:http://www.openwall.com/lists/oss-security/2008/10/19/2
Reference: CONFIRM:http://git.videolan.org/?p=vlc.git;a=commitdiff;h=d859e6b9537af2d7326276f70de25a840f554dc3

Multiple integer overflows in ty.c in the TY demux plugin (aka the
TiVo demuxer) in VideoLAN VLC media player, probably 0.9.4, allow
remote attackers to have an unknown impact via a crafted .ty file, a
different vulnerability than CVE-2008-4654.

The second one was not covered by your original bug report
but this is probably also security relevant.

Cheers
Nico
--
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
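
The size check that the quoted question turns on, as an added C example that is not part of this thread and is not VLC's code. Only `i_map_size`, `mst_buf` and the `8 +` prefix come from the mail; the buffer size, the big-endian size field and all function names are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MST_BUF_SIZE 32u /* assumed size of the fixed buffer, not VLC's value */
#define ENTRY_PREFIX 8u  /* the "8 +" from the thread */

/* Size field read as unsigned big-endian (byte order is an assumption). */
static uint32_t read_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Constructed weak check: in 32-bit arithmetic 8 + 0xFFFFFFF8 wraps to 0,
 * so an oversized value is accepted. */
int weak_size_ok(uint32_t i_map_size)
{
    uint32_t total = ENTRY_PREFIX + i_map_size;
    return total <= MST_BUF_SIZE;
}

/* Hardened check: compare against the room left after the prefix, so the
 * sum is never formed before the size is known to fit. */
int size_ok(uint32_t i_map_size)
{
    return i_map_size <= MST_BUF_SIZE - ENTRY_PREFIX;
}

/* Copy prefix + map into a fixed stack buffer and return a byte sum of
 * what was copied, or -1 if the size value or the input length is rejected. */
long copy_entry(const uint8_t *hdr, size_t hdr_len,
                const uint8_t *entry, size_t entry_len)
{
    uint8_t mst_buf[MST_BUF_SIZE];
    long sum = 0;
    if (hdr_len < 4)
        return -1;
    uint32_t i_map_size = read_be32(hdr);
    if (!size_ok(i_map_size))
        return -1;
    size_t need = (size_t)ENTRY_PREFIX + i_map_size;
    if (need > entry_len) /* truncated input */
        return -1;
    memcpy(mst_buf, entry, need);
    for (size_t i = 0; i < need; i++)
        sum += mst_buf[i];
    return sum;
}
```

The check covers both conditions named in the mail: a size whose sum with 8 wraps or changes sign, and a size that is simply larger than the room left in the buffer.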