Hi David,

On Mon, 14 May 2012 12:50:38 -0700 (PDT)
David Walser <[email protected]> wrote:
> --- On Mon, 5/14/12, Shlomi Fish <[email protected]> wrote:
> > From: Shlomi Fish <[email protected]>
> > Subject: Re: [Mageia-dev] taglib CVE for MP4 files
> > To: "Mageia development mailing-list" <[email protected]>
> > Cc: [email protected]
> > Date: Monday, May 14, 2012, 3:21 PM
> > Hi David,
> >
> > On Mon, 14 May 2012 11:43:46 -0700 (PDT)
> > David Walser <[email protected]> wrote:
> >
> > > taglib 1.7.2 was issued to fix a minor security DoS issue due to a
> > > divide by zero error in the MP4 file decoder.
> > >
> > > I built it in updates_testing but I don't have an MP4 file to test
> > > it with.
> > >
> > > If interested people could test it, it could be pushed to updates.
> > > Thanks.
> >
> > Thanks for your work. I have some .mp4 files (mostly videos) around,
> > which I have downloaded from YouTube using youtube-dl (and you can
> > too). But what should I do to test that the bug was fixed? Can you
> > provide instructions?
>
> Thanks for your interest.
>
> Basically all you need to do is use an application that uses taglib and
> make sure it can read the metadata (mainly the length) from mp4 files
> without regressions from the previous version. You can find such
> applications with the command:
>
> urpmq --whatrequires libtaglib1 (or lib64taglib1 on x86_64).
>
> Examples include amarok, clementine, juk, and vlc.
>
> If you really want to do a deep investigation you can see if there are
> any Proof of Concept files out there. The CVE affects the reading of the
> media header (mdhd) portion of the MP4 file. You don't really need to
> worry about this though.

Using VLC and the lib64taglib1 from x86_64 I was able to save the tags header
on an .mp4 file and load it again correctly. The length of the track also
seemed fine. Is that OK?
Regards,

Shlomi Fish

--
-----------------------------------------------------------------
Shlomi Fish       http://www.shlomifish.org/
What Makes Software Apps High Quality - http://shlom.in/sw-quality

The bad thing about hardware is that it sometimes works and it sometimes
doesn’t. The good thing about software is that it’s consistent: it always
does not work, and it always does not work in exactly the same way.

Please reply to list if it's a mailing list post - http://shlom.in/reply .
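As an added example (not taglib's code and not from this thread), here is a small Python reader that walks the MP4 atom tree to the mdhd media header and derives the track length the way a tag reader does, returning no length when the timescale is zero instead of dividing by it. That the divide by zero in taglib involved the mdhd timescale is my assumption; the thread only says that mdhd reading is affected. The sample file is constructed inline, so the reader can be compared against what amarok or vlc report for a real file.

```python
# Find the mdhd media header in an MP4 atom tree and derive the track length safely.
import struct

CONTAINERS = {b"moov", b"trak", b"mdia"}  # atoms whose payload is more atoms

def iter_atoms(data, start=0, end=None):
    """Yield (type, payload_start, atom_end) for each atom in data[start:end]."""
    end = len(data) if end is None else end
    pos = start
    while pos + 8 <= end:
        size, kind = struct.unpack_from(">I4s", data, pos)
        hdr = 8
        if size == 1:  # 64-bit "largesize" follows the 8-byte header
            size, hdr = struct.unpack_from(">Q", data, pos + 8)[0], 16
        if size < hdr or pos + size > end:  # also rejects size 0 (extends to EOF)
            raise ValueError("malformed atom %r at offset %d" % (kind, pos))
        yield kind, pos + hdr, pos + size
        pos += size

def find_mdhd(data, start=0, end=None):
    """Depth-first search for the first mdhd atom; returns its payload or None."""
    for kind, body, stop in iter_atoms(data, start, end):
        if kind == b"mdhd":
            return data[body:stop]
        if kind in CONTAINERS:
            found = find_mdhd(data, body, stop)
            if found is not None:
                return found
    return None

def track_length_seconds(data):
    """Length in seconds, or None if mdhd is absent or its timescale is zero."""
    mdhd = find_mdhd(data)
    if not mdhd:
        return None
    fmt, off = (">IQ", 20) if mdhd[0] == 1 else (">II", 12)  # v1 has 64-bit times
    timescale, duration = struct.unpack_from(fmt, mdhd, off)  # raises if truncated
    if timescale == 0:  # the divide-by-zero case: report "unknown" instead of crashing
        return None
    return duration / timescale

def atom(kind, payload):
    return struct.pack(">I4s", 8 + len(payload), kind) + payload

def sample_mp4(timescale, duration):
    """Constructed minimal file: ftyp + moov/trak/mdia/mdhd (version 0) only."""
    mdhd = struct.pack(">BBBBIIII", 0, 0, 0, 0, 0, 0, timescale, duration)
    mdhd += b"\x55\xc4\x00\x00"  # language "und" + pre_defined
    moov = atom(b"moov", atom(b"trak", atom(b"mdia", atom(b"mdhd", mdhd))))
    return atom(b"ftyp", b"isom\x00\x00\x02\x00isom") + moov
```

Running `track_length_seconds(open(path, "rb").read())` on a downloaded .mp4 gives the value a taglib-based player should show as the track length.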
