*** This bug is a security vulnerability ***

You have been subscribed to a public security bug by Jamie Strandboge (jdstrand):

Binary package hint: vlc

http://www.trapkit.de/advisories/TKADV2008-012.txt

Distro affected: gutsy, hardy, intrepid, jaunty

Advisory:              VLC media player cue Processing Stack Overflow Vulnerability
Advisory ID:           TKADV2008-012
Revision:              1.0
Release Date:          2008/11/05
Last Modified:         2008/11/05
Date Reported:         2008/11/03
Author:                Tobias Klein (tk at trapkit.de)
Affected Software:     VLC media player < 0.9.6
Remotely Exploitable:  Yes
Locally Exploitable:   No
Vendor URL:            http://www.videolan.org/
Vendor Status:         Vendor has released an updated version
Patch development time: 2 days

======================
Vulnerability details:
======================

The VLC media player contains a stack overflow vulnerability while parsing malformed cue files. The vulnerability may be exploited by a (remote) attacker to execute arbitrary code in the context of VLC media player.

==================
Technical Details:
==================

Source code file: modules\access\vcd\cdrom.c

[...]
913     /* Try to parse the i_tracks and p_sectors info so we can just forget
914      * about the cuefile */
915     if( i_ret == 0 )
916     {
917 [1]     int p_sectors[100];
918         int i_tracks = 0;
919         int i_num;
920         char psz_dummy[10];
921
922 [2]     while( fgets( line, 1024, cuefile ) )
923         {
924             /* look for a TRACK line */
925             if( !sscanf( line, "%9s", psz_dummy ) ||
926                 strcmp(psz_dummy, "TRACK") )
927                 continue;
928
929             /* look for an INDEX line */
930 [3]         while( fgets( line, 1024, cuefile ) )
931             {
932                 int i_min, i_sec, i_frame;
933
934 [4]             if( (sscanf( line, "%9s %2u %2u:%2u:%2u", psz_dummy, &i_num,
935                     &i_min, &i_sec, &i_frame ) != 5) || (i_num != 1) )
936                     continue;
937
938 [5]             i_tracks++;
939 [6]             p_sectors[i_tracks - 1] = MSF_TO_LBA(i_min, i_sec, i_frame);
940                 msg_Dbg( p_this, "vcd track %i begins at sector:%i",
941                          i_tracks - 1, p_sectors[i_tracks - 1] );
942                 break;
943             }
944         }
[...]

[1] This stack buffer can be overflowed
[2] + [3] User controlled data from the cue file is stored in "line".
[4] The user controlled file data is parsed and copied into "i_min", "i_sec" and "i_frame"
[5] The "i_tracks" counter gets incremented
[6] The user controlled data from "i_min", "i_sec" and "i_frame" is copied into the stack buffer "p_sectors" while "i_tracks" is used as an array index.

As "i_tracks" has no upper limit it is possible to overflow the "p_sectors" stack buffer by specifying a large number of tracks in the cue file.

As the data that gets written beyond the stack buffer (a combination of "i_min", "i_sec" and "i_frame") can only be controlled to some extent (see the "MSF_TO_LBA" macro) exploitation of this vulnerability is not trivial and may even be impossible.

=========
Solution:
=========

See "Workarounds" and "Solution" sections of the VideoLAN-SA-0810 [1].

========
History:
========

2008/11/03 - Vendor notified
2008/11/04 - Patch developed by VideoLAN team
2008/11/05 - Public disclosure of vulnerability details by the vendor
2008/11/05 - Release date of this security advisory

========
Credits:
========

Vulnerability found and advisory written by Tobias Klein.

===========
References:
===========

[1] http://www.videolan.org/security/sa0810.html
[2] http://git.videolan.org/?p=vlc.git;a=commitdiff;h=5f63f1562d43f32331006c2c1a61742de031b84d
[3] http://www.trapkit.de/advisories/TKADV2008-012.txt

** Affects: vlc (Ubuntu)
     Importance: Undecided
         Status: New

--
VLC media player cue Processing Stack Overflow Vulnerability
https://bugs.launchpad.net/bugs/295465
You received this bug notification because you are a member of Ubuntu Bugs, which is a direct subscriber.

--
ubuntu-bugs mailing list
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
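The defect the advisory describes is a store into a fixed-size stack array indexed by a counter that grows with attacker-controlled input and is never compared against the array size. The following is an added example, written for this page and not taken from VLC, the VideoLAN fix or the advisory: it re-implements the TRACK/INDEX scanning loop from the excerpt above over an in-memory buffer and adds the bounds check that the original lacks, refusing the file instead of writing past p_sectors. The helper names (parse_cue_tracks, build_cue, next_line, msf_to_lba), the MAX_TRACKS constant and the simplified msf_to_lba arithmetic are assumptions of this example; VLC's real MSF_TO_LBA macro may differ, and the cue text used as input is constructed here.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not VLC code. MAX_TRACKS mirrors the p_sectors[100]
 * declaration in the advisory's excerpt. */
#define MAX_TRACKS 100
#define FRAMES_PER_SECOND 75

/* Simplified minute:second:frame -> logical block address conversion.
 * Assumption for this example; VLC's MSF_TO_LBA macro may differ. */
static int msf_to_lba(unsigned min, unsigned sec, unsigned frame)
{
    return (int)(frame + FRAMES_PER_SECOND * (sec + 60 * min));
}

/* Copy the next '\n'-terminated line from *cursor into line, like fgets()
 * on a file. Over-long lines are truncated and the remainder dropped.
 * Returns 0 when the buffer is exhausted. */
static int next_line(const char **cursor, char *line, size_t cap)
{
    const char *p = *cursor;
    if (*p == '\0')
        return 0;
    const char *nl = strchr(p, '\n');
    size_t len = nl ? (size_t)(nl - p) + 1 : strlen(p);
    if (len >= cap)
        len = cap - 1;
    memcpy(line, p, len);
    line[len] = '\0';
    *cursor = nl ? nl + 1 : p + strlen(p);
    return 1;
}

/* Same scanning logic as the advisory's loop, plus a bounds check before
 * the store. Returns the number of tracks parsed, or -1 when the cue text
 * declares more INDEX 01 entries than p_sectors can hold. */
int parse_cue_tracks(const char *cue, int p_sectors[MAX_TRACKS])
{
    const char *cursor = cue;
    char line[1024];
    char psz_dummy[10];
    int i_tracks = 0;

    while (next_line(&cursor, line, sizeof line)) {
        /* look for a TRACK line */
        if (sscanf(line, "%9s", psz_dummy) != 1 || strcmp(psz_dummy, "TRACK") != 0)
            continue;

        /* look for the INDEX 01 line that belongs to this track */
        while (next_line(&cursor, line, sizeof line)) {
            unsigned i_num, i_min, i_sec, i_frame;
            if (sscanf(line, "%9s %2u %2u:%2u:%2u", psz_dummy, &i_num,
                       &i_min, &i_sec, &i_frame) != 5 || i_num != 1)
                continue;

            /* The check the original code is missing: the index must be
             * validated against the array size before it is used. */
            if (i_tracks >= MAX_TRACKS)
                return -1;

            p_sectors[i_tracks] = msf_to_lba(i_min, i_sec, i_frame);
            i_tracks++;
            break;
        }
    }
    return i_tracks;
}

/* Build a constructed cue sheet with n_tracks tracks, one INDEX 01 each.
 * Track t starts at minute t (mod 100), second 2, frame 0. Returns 0 if
 * the buffer is too small. */
static int build_cue(char *buf, size_t cap, int n_tracks)
{
    size_t used = (size_t)snprintf(buf, cap, "FILE \"disc.bin\" BINARY\n");
    for (int t = 0; t < n_tracks; t++) {
        int n = snprintf(buf + used, cap - used,
                         "  TRACK %02d AUDIO\n    INDEX 01 %02d:02:00\n",
                         t + 1, t % 100);
        if (n < 0 || (size_t)n >= cap - used)
            return 0;
        used += (size_t)n;
    }
    return 1;
}

/* A well-formed 3-track sheet parses to 3 entries. */
int demo_wellformed(void)
{
    char buf[8192];
    int sectors[MAX_TRACKS];
    if (!build_cue(buf, sizeof buf, 3))
        return -2;
    return parse_cue_tracks(buf, sectors);
}

/* The LBA stored for track idx of the 3-track sheet (track 1: 75*(2+60)). */
int demo_sector(int idx)
{
    char buf[8192];
    int sectors[MAX_TRACKS] = {0};
    if (!build_cue(buf, sizeof buf, 3) || parse_cue_tracks(buf, sectors) < 0)
        return -2;
    return sectors[idx];
}

/* A sheet with more tracks than p_sectors holds is rejected, not stored. */
int demo_oversized(void)
{
    char buf[8192];
    int sectors[MAX_TRACKS];
    if (!build_cue(buf, sizeof buf, 150))
        return -2;
    return parse_cue_tracks(buf, sectors);
}

int main(void)
{
    printf("3-track sheet: %d tracks, track 1 at LBA %d\n",
           demo_wellformed(), demo_sector(1));
    printf("150-track sheet: %d (rejected)\n", demo_oversized());
    return 0;
}
```

The only behavioural change relative to the excerpt is the comparison of i_tracks against MAX_TRACKS before the array store; everything up to that point (the %9s/%2u scanning, the i_num == 1 requirement, the break after one INDEX per TRACK) follows the advisory's code so the two can be read side by side. Returning an error for an over-full sheet is one reasonable policy; clamping at MAX_TRACKS and ignoring further tracks is another, and either removes the out-of-bounds write.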
