Your message dated Mon, 12 Jun 2006 10:17:24 -0700
with message-id <[EMAIL PROTECTED]>
and subject line Bug#369876: fixed in xine-lib 1.1.1-2
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--- Begin Message ---
Package: libxine1
Version: 1.0.1-1
Severity: serious
Tags: security, patch
Two potential buffer overflows in xine-lib, both fixed in CVS HEAD. These
definitely affect 1.1.1, and look as if they affect 1.0.1 too. (These are
reported against 1.0.1-1 for that reason.)
1. Possible overflow via a specially-crafted AVI file
Local, remote via streamed content; possibly exploitable.
An AVI superindex chunk specifies both the number of entries and the size of
each entry. xine-lib uses both values when allocating memory, but then
assumes that the entry size is at least 16 bytes when writing to the
newly-allocated buffer. Too low an entry size given in the chunk and xine-lib
will (a) read past the end of the chunk and (b) write past the end of the
buffer.
This bug is related to <URL:http://www.xfocus.org/advisories/200603/11.html>.
I sent a patch (attached) to xine-devel for review on 2 April; it was
committed to CVS by Matthias Hopf on 22 May.
<URL:http://sourceforge.net/mailarchive/forum.php?thread_id=10088861&forum_id=7131>
2. Possible overflow in the HTTP header parser
Remote; possibly exploitable.
This is an unchecked write past the end of a buffer which is used for
receiving HTTP data from a remote server.
Reported by Diego Pettenò to xine-devel; committed to CVS by me yesterday.
Patch (with spelling fix) attached.
<URL:http://sourceforge.net/mailarchive/forum.php?thread_id=11076540&forum_id=7131>
--
| Darren Salt | linux or ds at | nr. Ashington, | Toon
| RISC OS, Linux | youmustbejoking,demon,co,uk | Northumberland | Army
| + Use more efficient products. Use less. BE MORE ENERGY EFFICIENT.
Your enemies are closing in.
Index: src/demuxers/demux_avi.c
===================================================================
RCS file: /cvsroot/xine/xine-lib/src/demuxers/demux_avi.c,v
retrieving revision 1.223
diff -u -r1.223 demux_avi.c
--- src/demuxers/demux_avi.c 4 Mar 2006 12:04:42 -0000 1.223
+++ src/demuxers/demux_avi.c 1 Apr 2006 23:51:12 -0000
@@ -1029,7 +1029,14 @@
lprintf("Invalid Header, bIndexSubType != 0\n");
}
- superindex->aIndex = malloc (superindex->wLongsPerEntry *
superindex->nEntriesInUse * sizeof (uint32_t));
+ if (superindex->nEntriesInUse > n / sizeof (avisuperindex_entry))
+ {
+ lprintf("broken index !, dwSize=%d, entries=%d\n", n,
superindex->nEntriesInUse);
+ i += 8 + n;
+ continue;
+ }
+
+ superindex->aIndex = malloc (superindex->nEntriesInUse * sizeof
(avisuperindex_entry));
/* position of ix## chunks */
for (j = 0; j < superindex->nEntriesInUse; ++j) {
superindex->aIndex[j].qwOffset = LE_64 (a); a += 8;
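Review bot: the new bound `nEntriesInUse > n / sizeof (avisuperindex_entry)` is taken over the whole chunk body n, but the entries start after the fixed superindex header fields that were already read from the same chunk (wLongsPerEntry, bIndexSubType and nEntriesInUse are visible above), so a chunk whose count is exactly n / 16 passes the check and the loop below still reads past the end of the chunk data by up to one header's worth of bytes; only the write side is fully closed, since the buffer is now sized from nEntriesInUse and sizeof (avisuperindex_entry) rather than from the attacker-chosen wLongsPerEntry. Check `n >= header_len` first and then compare against `(n - header_len) / sizeof (avisuperindex_entry)`. The malloc result is also still unchecked before the loop stores into superindex->aIndex[j]; the count is now bounded, so a failure is unlikely, but the NULL dereference is a crash on the same untrusted input path.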
Index: xine-lib-1.1.2cvs20060328/src/input/input_http.c
===================================================================
--- xine-lib-1.1.2cvs20060328.orig/src/input/input_http.c
+++ xine-lib-1.1.2cvs20060328/src/input/input_http.c
@@ -895,6 +895,12 @@ static int http_plugin_open (input_plugi
len = 0;
} else
len ++;
+ if ( len >= buflen ) {
+ _x_message(this->stream, XINE_MSG_PERMISSION_ERROR, this->mrl, NULL);
+ xine_log (this->stream->xine, XINE_LOG_MSG,
+ _("input_http: buffer exhausted after %d bytes."), buflen);
+ return 0;
+ }
}
lprintf ("end of headers\n");
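Review bot: the `len >= buflen` test sits after `len ++`, so it fires only once a line has already consumed buflen bytes; that is correct only if the store into the receive buffer at index len is made later in the loop body than this test (the store is not in this hunk), so please confirm the ordering, or move the test to immediately before the store so the invariant is visible in one place. XINE_MSG_PERMISSION_ERROR is a misleading user-facing message for an over-long header line; the xine_log text ("buffer exhausted") is the accurate one, and the stream message should say something equivalent. Finally, `return 0` on this path should release whatever http_plugin_open has already set up (the connection) in the same way the function's other early failure returns do; worth a quick check that it does.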
--- End Message ---
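Added example, not code from the bug report or from xine-lib: a hardened parser for the body of an OpenDML AVI superindex chunk, the old allocation arithmetic beside it so the mismatch is visible, and a bounded header-line reader of the kind the input_http.c fix calls for. The superindex layout (a 24-byte fixed header with wLongsPerEntry, bIndexSubType, bIndexType, nEntriesInUse, dwChunkId and three reserved longs, followed by 16-byte entries of qwOffset, dwSize, dwDuration) is assumed from the OpenDML specification rather than taken from the patch, the entry count is bounded by the bytes actually present after that fixed header rather than by the whole chunk size, and the sample chunks and header bytes are constructed inline.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed OpenDML superindex layout: 24-byte fixed header, 16-byte entries. */
#define SUPERINDEX_HDR_LEN   24
#define SUPERINDEX_ENTRY_LEN 16

typedef struct {
    uint64_t qwOffset;
    uint32_t dwSize;
    uint32_t dwDuration;
} avisuperindex_entry;

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static uint64_t le64(const uint8_t *p) { return (uint64_t)le32(p) | ((uint64_t)le32(p + 4) << 32); }
static void put32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* The pre-fix sizing: bytes allocated per the file's own wLongsPerEntry, while
 * the parser then wrote a full 16-byte entry for each of nEntriesInUse. With
 * wLongsPerEntry = 1 the buffer is a quarter of what gets written into it. */
size_t old_alloc_size(uint16_t wLongsPerEntry, uint32_t nEntriesInUse) {
    return (size_t)wLongsPerEntry * nEntriesInUse * sizeof(uint32_t);
}

/* Parse a chunk body (the bytes after the 8-byte fourcc/size header).
 * Returns the entry count and a malloc'd array in *out, or -1 on rejection.
 * The count is bounded by the bytes present after the fixed header, so the
 * read stays inside the chunk and the write stays inside the buffer. */
int parse_superindex(const uint8_t *chunk, size_t n, avisuperindex_entry **out) {
    *out = NULL;
    if (n < SUPERINDEX_HDR_LEN) return -1;
    uint16_t wLongsPerEntry = le16(chunk);
    uint32_t nEntriesInUse = le32(chunk + 4);
    if (wLongsPerEntry != SUPERINDEX_ENTRY_LEN / 4) return -1;    /* spec mandates 4 longs */
    size_t avail = (n - SUPERINDEX_HDR_LEN) / SUPERINDEX_ENTRY_LEN;
    if (nEntriesInUse > avail || nEntriesInUse > (uint32_t)INT_MAX) return -1;
    if (nEntriesInUse == 0) return 0;
    avisuperindex_entry *idx = calloc(nEntriesInUse, sizeof *idx);
    if (!idx) return -1;                                           /* check malloc, too */
    const uint8_t *a = chunk + SUPERINDEX_HDR_LEN;
    for (uint32_t j = 0; j < nEntriesInUse; ++j, a += SUPERINDEX_ENTRY_LEN) {
        idx[j].qwOffset   = le64(a);
        idx[j].dwSize     = le32(a + 8);
        idx[j].dwDuration = le32(a + 12);
    }
    *out = idx;
    return (int)nEntriesInUse;
}

/* Constructed test input: a chunk body declaring `declared` entries but
 * carrying only `present` real ones, i.e. the crafted-file case. */
size_t build_superindex(uint8_t *buf, size_t cap, uint32_t declared, uint32_t present) {
    size_t n = SUPERINDEX_HDR_LEN + (size_t)present * SUPERINDEX_ENTRY_LEN;
    if (n > cap) return 0;
    memset(buf, 0, n);
    buf[0] = 4;                         /* wLongsPerEntry = 4, bIndexSubType = bIndexType = 0 */
    put32(buf + 4, declared);           /* nEntriesInUse, attacker controlled */
    memcpy(buf + 8, "ix00", 4);         /* dwChunkId */
    for (uint32_t j = 0; j < present; ++j) {
        uint8_t *e = buf + SUPERINDEX_HDR_LEN + j * SUPERINDEX_ENTRY_LEN;
        e[0] = (uint8_t)(0x10 * (j + 1)); /* qwOffset */
        e[8] = 0x40;                      /* dwSize = 64 */
        e[12] = 1;                        /* dwDuration = 1 */
    }
    return n;
}

/* Copy one header line from received bytes into buf, stopping at '\n' and
 * dropping a trailing '\r'. Returns the line length or -1 when the line does
 * not fit: the bound is tested before every store, so a peer that never sends
 * a terminator cannot push the index past the end of the receive buffer. */
int read_header_line(const uint8_t *in, size_t in_len, char *buf, size_t buflen) {
    size_t len = 0;
    for (size_t i = 0; i < in_len; ++i) {
        if (len >= buflen) return -1;                 /* room for the byte or the NUL */
        if (in[i] == '\n') {
            if (len > 0 && buf[len - 1] == '\r') len--;
            buf[len] = '\0';
            return (int)len;
        }
        buf[len++] = (char)in[i];
    }
    return -1;                                        /* no terminator in the data */
}

int main(void) {
    uint8_t chunk[256];
    avisuperindex_entry *idx = NULL;
    size_t n = build_superindex(chunk, sizeof chunk, 2, 2);
    printf("well-formed chunk: %d entries\n", parse_superindex(chunk, n, &idx));
    free(idx);
    n = build_superindex(chunk, sizeof chunk, 0x10000000u, 2);
    printf("crafted chunk: %d (old code would have allocated %zu bytes)\n",
           parse_superindex(chunk, n, &idx), old_alloc_size(1, 0x10000000u));
    char line[16];
    printf("header line: %d\n", read_header_line((const uint8_t *)"Host: a\r\nX: 1\n", 14, line, sizeof line));
    return 0;
}
```

The crafted chunk is rejected on the count alone, before any allocation, and a chunk that lies about wLongsPerEntry is rejected even earlier; a real demuxer would then skip the chunk (as the patch does with `i += 8 + n; continue;`) rather than abort the stream.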
--- Begin Message ---
Source: xine-lib
Source-Version: 1.1.1-2
We believe that the bug you reported is fixed in the latest version of
xine-lib, which is due to be installed in the Debian FTP archive:
libxine-dev_1.1.1-2_i386.deb
to pool/main/x/xine-lib/libxine-dev_1.1.1-2_i386.deb
libxine1_1.1.1-2_i386.deb
to pool/main/x/xine-lib/libxine1_1.1.1-2_i386.deb
xine-lib_1.1.1-2.diff.gz
to pool/main/x/xine-lib/xine-lib_1.1.1-2.diff.gz
xine-lib_1.1.1-2.dsc
to pool/main/x/xine-lib/xine-lib_1.1.1-2.dsc
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Reinhard Tartler <[EMAIL PROTECTED]> (supplier of updated xine-lib package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Mon, 12 Jun 2006 18:16:30 +0200
Source: xine-lib
Binary: libxine-dev libxine1
Architecture: source i386
Version: 1.1.1-2
Distribution: unstable
Urgency: medium
Maintainer: Siggi Langauf <[EMAIL PROTECTED]>
Changed-By: Reinhard Tartler <[EMAIL PROTECTED]>
Description:
libxine-dev - the xine video player library, development packages
libxine1 - the xine video/media player library, binary files
Closes: 281572 300852 320164 336437 354436 358429 368247 369658 369876 369974
Changes:
xine-lib (1.1.1-2) unstable; urgency=medium
.
[ Reinhard Tartler ]
.
* Use external libmad, acknowledging NMU (Closes: #336437)
* enable support for libxvmc1, now that we have xorg in debian
(Closes: #281572)
* Conflict/Replaces obsolete package 'xine' (Closes: #300852)
* Incorporated Darren's Changes into a new maintainer upload
* medium urgency, although security fixes a lot of other functionality
changes
* Some more fixages to inline usage in internal copy of ffmpeg, continuing
the patch from Darren Salt.
* Verified that this upload fixes build on mips, and other build failures
look pretty similar. Therefore (Closes: #354436)
* Verified that /usr/share/doc/libxine1/faq/faq.{html,txt} is now installed
correctly (Closes: #369658)
* fix gnome-vfs plugin to allow playback of http URLs again. Patch from
upstream CVS, thank you for pointing this out, Sam Morris (Closes: #369974)
.
[ Darren Salt ]
.
* SECURITY FIXES (closes: #369876):
- Possible buffer overflow in the AVI demuxer, caused by
specially-crafted files or streams;
- Possible buffer overflow in the HTTP header-fetching code.
(CVE-2006-2802)
.
* Tidy up the FAQ list and README installation to quieten dh_install.
* Re-update the FSF address in debian/copyright. It got lost in 1.1.1-1.
* Add build-dep alternatives for those of us who do backports to sarge.
* Tidy up the package descriptions a little.
* Bump shlibs to >= 1.1.0 due to new functions. (Closes: #358429, #368247)
* Empty config file no longer prevents the config from being saved.
(Fixed in upstream 1.1.1) (Closes: #320164)
* Pulled in some patches from CVS:
- the above security fixes;
- fix ALSA resume-from-suspend;
- fix incorrect size calculation in interlaced Matroska demuxing;
- various uninitialised variables, some of which should be non-zero;
- HTTP MRLs requiring authentication would only work when using a proxy;
- fix possibly-broken locale handling in the SMB input plugin;
- avoid problems where the ffmpeg audio decoder can't find a codec;
- avoid a couple of compiler warnings (libavutil);
- fix up some typecasting in the win32 codec interface;
- avoid problems with negative sizes (general demuxing);
- some plugin cache reading code should also be used on ia64;
- fix a couple of printf warnings on 64-bit;
- add some locking around playback speed change code;
- incorrect default CPU acceleration setting on powerpc;
- fix crash at startup if VO deinterlacing is enabled, onefield_xv is
selected and the image format is YV12;
- avoid possible segfault with 1x1 PNGs when handled by the ffmpeg plugin;
- wrong names used for libX11 and libXv in the health check code (we now
detect the correct names at build time);
- add a missing -I to src/libffmpeg/libavcodec/sparc/Makefile.am (should
fix an FTBFS on sparc);
- alter configure.ac to avoid FTBFS when configure is regenerated with
autoconf 2.59c or later.
* Add AM_MAINTAINER_MODE.
* Fix usage of inlined functions in libffmpeg before they're defined. This is
not implemented for all architectures in gcc 4.0.x and was causing FTBFS.
* Kill some pointer<->int casting warnings on 64-bit architectures. (Taken
from CVS HEAD)
Files:
d981b0c9679ae5fa96871fbd7c007439 1220 libs optional xine-lib_1.1.1-2.dsc
f845b93ffa046be7fa3b8449786e6b40 224268 libs optional xine-lib_1.1.1-2.diff.gz
2d9aa9fdf67398438f035bff9d96bd54 111078 libdevel optional libxine-dev_1.1.1-2_i386.deb
11a1cff18dcdb6ae2bb4c417a35c1c12 9389866 libs optional libxine1_1.1.1-2_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)
iD8DBQFEjZ6jXKRQ3lK3SH4RArsBAKCsBNdmk8oV+IR/V/+8WOU5RlatbgCdFKG/
E/y6EGfeipC/wIxo9ELnMFE=
=9wI5
-----END PGP SIGNATURE-----
--- End Message ---