Debian Bug report logs - #369876
CVE-2006-2802: buffer overflow in the HTTP input


Package: libxine1; Maintainer for libxine1 is Darren Salt <devspam@moreofthesa.me.uk>; Source for libxine1 is src:xine-lib.

Reported by: Darren Salt <linux@youmustbejoking.demon.co.uk>

Date: Thu, 1 Jun 2006 22:18:13 UTC

Severity: grave

Tags: patch, security

Found in version xine-lib/1.0.1-1

Fixed in version xine-lib/1.1.1-2

Done: Reinhard Tartler <siretart@tauware.de>

Bug is archived. No further changes may be made.

Report forwarded to debian-bugs-dist@lists.debian.org, Siggi Langauf <siggi@debian.org>:
Bug#369876; Package libxine1. Full text and rfc822 format available.

Acknowledgement sent to Darren Salt <linux@youmustbejoking.demon.co.uk>:
New Bug report received and forwarded. Copy sent to Siggi Langauf <siggi@debian.org>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Darren Salt <linux@youmustbejoking.demon.co.uk>
To: submit@bugs.debian.org
Subject: libxine1: buffer overflows
Date: Thu, 01 Jun 2006 22:58:56 +0100
[Message part 1 (text/plain, inline)]
Package: libxine1
Version: 1.0.1-1
Severity: serious
Tags: security, patch

Two potential buffer overflows in xine-lib, both fixed in CVS HEAD. These
definitely affect 1.1.1, and look as if they affect 1.0.1 too. (These are
reported against 1.0.1-1 for that reason.)

1. Possible overflow via a specially-crafted AVI file

Local, remote via streamed content; possibly exploitable.

An AVI superindex chunk specifies both the number of entries and the size of
each entry. xine-lib uses both values when allocating memory, but then
assumes that the entry size is at least 16 bytes when writing to the
newly-allocated buffer. Too low an entry size given in the chunk and xine-lib
will (a) read past the end of the chunk and (b) write past the end of the
buffer.

This bug is related to <URL:http://www.xfocus.org/advisories/200603/11.html>.

I sent a patch (attached) to xine-devel for review on 2 April; it was
committed to CVS by Matthias Hopf on 22 May.
<URL:http://sourceforge.net/mailarchive/forum.php?thread_id=10088861&forum_id=7131>

2. Possible overflow in the HTTP header parser

Remote; possibly exploitable.

This is an unchecked write past the end of a buffer which is used for
receiving HTTP data from a remote server.

Reported by Diego Pettenò to xine-devel; committed to CVS by me yesterday.
Patch (with spelling fix) attached.
<URL:http://sourceforge.net/mailarchive/forum.php?thread_id=11076540&forum_id=7131>

-- 
| Darren Salt    | linux or ds at              | nr. Ashington, | Toon
| RISC OS, Linux | youmustbejoking,demon,co,uk | Northumberland | Army
| + Use more efficient products. Use less.          BE MORE ENERGY EFFICIENT.

Your enemies are closing in.
[demux_avi_indx_buffer.patch (text/plain, attachment)]
[280_all_http-buffer-overflow.patch (text/plain, attachment)]
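The first issue above is a classic length-field mismatch: the allocation is sized from the chunk's declared entry size, but the copy loop assumes each entry is at least 16 bytes. The following is an added example, not code from xine-lib or from the attached patch, showing a superindex parser that validates both declared values before touching the buffer. The chunk layout, the names (`parse_superindex`, `superindex_entry_t`, `IDX_*`) and the sample chunks are all this example's own, loosely modelled on an OpenDML superindex.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Hypothetical superindex layout used by this example (the example's own,
 * loosely modelled on an OpenDML "indx" chunk):
 *   bytes 0..1 : entry size, in 32-bit words (little-endian)
 *   bytes 2..5 : number of entries (little-endian)
 *   bytes 6..  : the entries, entry_size bytes each
 * The reader consumes the first 16 bytes of every entry:
 *   8-byte offset, 4-byte size, 4-byte duration.
 */
#define IDX_HDR_BYTES     6u
#define IDX_NEEDED_BYTES 16u

typedef struct {
    uint64_t offset;
    uint32_t size;
    uint32_t duration;
} superindex_entry_t;

enum {
    IDX_OK               =  0,
    IDX_ERR_SHORT_HEADER = -1,  /* chunk smaller than the fixed header */
    IDX_ERR_ENTRY_SIZE   = -2,  /* entry size below the 16 bytes the reader consumes */
    IDX_ERR_TRUNCATED    = -3,  /* count * entry size does not fit in the chunk */
    IDX_ERR_NOMEM        = -4
};

static uint32_t rd_le16(const uint8_t *p) { return (uint32_t)p[0] | ((uint32_t)p[1] << 8); }
static uint32_t rd_le32(const uint8_t *p) { return rd_le16(p) | (rd_le16(p + 2) << 16); }
static uint64_t rd_le64(const uint8_t *p) { return (uint64_t)rd_le32(p) | ((uint64_t)rd_le32(p + 4) << 32); }

/* Parse a superindex chunk of chunk_len bytes. On success *out receives a
 * malloc'd array of *out_count entries that the caller frees. */
int parse_superindex(const uint8_t *chunk, size_t chunk_len,
                     superindex_entry_t **out, uint32_t *out_count)
{
    *out = NULL;
    *out_count = 0;
    if (chunk_len < IDX_HDR_BYTES)
        return IDX_ERR_SHORT_HEADER;

    uint32_t entry_bytes = rd_le16(chunk) * 4u;   /* at most 262140, cannot overflow */
    uint32_t count       = rd_le32(chunk + 2);

    /* The check the report describes as missing: the loop below copies 16 bytes
     * per entry, so a smaller declared entry size would make it read past one
     * entry into the next (and past the chunk on the last) while writing more
     * than was allocated per entry. Reject instead of assuming. */
    if (entry_bytes < IDX_NEEDED_BYTES)
        return IDX_ERR_ENTRY_SIZE;

    /* Bound the entry count by what the chunk actually carries. Dividing, rather
     * than computing count * entry_bytes, avoids integer overflow for a large
     * declared count. */
    if (count > (chunk_len - IDX_HDR_BYTES) / entry_bytes)
        return IDX_ERR_TRUNCATED;
    if (count == 0)
        return IDX_OK;

    superindex_entry_t *entries = calloc(count, sizeof *entries);
    if (!entries)
        return IDX_ERR_NOMEM;

    const uint8_t *p = chunk + IDX_HDR_BYTES;
    for (uint32_t i = 0; i < count; i++, p += entry_bytes) {
        entries[i].offset   = rd_le64(p);
        entries[i].size     = rd_le32(p + 8);
        entries[i].duration = rd_le32(p + 12);
        /* any bytes beyond the first 16 of a larger entry are skipped */
    }
    *out = entries;
    *out_count = count;
    return IDX_OK;
}

/* Convenience wrapper: entry count on success, negative error code otherwise. */
int superindex_entry_count(const uint8_t *chunk, size_t chunk_len)
{
    superindex_entry_t *e;
    uint32_t n;
    int rc = parse_superindex(chunk, chunk_len, &e, &n);
    free(e);
    return rc == IDX_OK ? (int)n : rc;
}

/* Constructed sample chunks (not taken from any real file). */
static const uint8_t sample_good[] = {
    0x04, 0x00,                 /* 4 words = 16 bytes per entry */
    0x02, 0x00, 0x00, 0x00,     /* 2 entries */
    0x00,0x01,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x02,0x00,0x00, 0x10,0x00,0x00,0x00,
    0x00,0x10,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x03,0x00,0x00, 0x20,0x00,0x00,0x00,
};
static const uint8_t sample_small_entry[] = {
    0x02, 0x00,                 /* 2 words = 8 bytes per entry: too small */
    0x02, 0x00, 0x00, 0x00,
    0x00,0x01,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x10,0x00,0x00,0x00,0x00,0x00,0x00,
};
static const uint8_t sample_truncated[] = {
    0x04, 0x00,
    0x05, 0x00, 0x00, 0x00,     /* claims 5 entries, carries room for 1 */
    0x00,0x01,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x02,0x00,0x00, 0x10,0x00,0x00,0x00,
};

int main(void)
{
    printf("good: %d\nsmall entry: %d\ntruncated: %d\n",
           superindex_entry_count(sample_good, sizeof sample_good),
           superindex_entry_count(sample_small_entry, sizeof sample_small_entry),
           superindex_entry_count(sample_truncated, sizeof sample_truncated));
    return 0;
}
```

The two checks are independent on purpose: the entry-size check protects the per-entry copy, and the division-based count check protects both the allocation size arithmetic and the read past the chunk's end. Tolerating entry sizes larger than 16 (by stepping `entry_bytes` per entry) keeps the parser usable for files with extended entries.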

Severity set to `grave' from `serious'. Request was from Darren Salt <linux@youmustbejoking.demon.co.uk> to control@bugs.debian.org. Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Siggi Langauf <siggi@debian.org>:
Bug#369876; Package libxine1. Full text and rfc822 format available.

Acknowledgement sent to Darren Salt <linux@youmustbejoking.demon.co.uk>:
Extra info received and forwarded to list. Copy sent to Siggi Langauf <siggi@debian.org>. Full text and rfc822 format available.

Message #12 received at 369876@bugs.debian.org (full text, mbox):

From: Darren Salt <linux@youmustbejoking.demon.co.uk>
To: 369876@bugs.debian.org
Subject: Re: libxine1: buffer overflows
Date: Wed, 07 Jun 2006 21:58:04 +0100
[Message part 1 (text/plain, inline)]
[snip]
> 2. Possible overflow in the HTTP header parser

> Remote; possibly exploitable.

> This is an unchecked write past the end of a buffer which is used for
> receiving HTTP data from a remote server.
[snip]

Buggy patch, noticed and fixed in CVS HEAD by Matthias Hopf. Fixed patch
attached (basically, s/buflen/BUFSIZE/).

-- 
| Darren Salt    | linux or ds at              | nr. Ashington, | Toon
| RISC OS, Linux | youmustbejoking,demon,co,uk | Northumberland | Army
| + Use more efficient products. Use less.          BE MORE ENERGY EFFICIENT.

The decision doesn't have to be logical; it was unanimous.
[http_buffer_overflow.patch (text/plain, attachment)]
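The follow-up notes that the corrected HTTP patch compares against BUFSIZE rather than buflen, i.e. against the buffer's capacity rather than its current fill count. As an added illustration (this example's own code, not xine-lib's or the attached patch; `read_header_line`, `HDR_BUFSIZE`, `mem_source_t` and the sample responses are the example's own), here is a header-line reader whose every store is bounded by the capacity it was given:

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Capacity of the fixed header-line buffer. Kept small here so the
 * constructed samples below exercise the limit; the point is that the
 * write is bounded by this capacity, not by how much is already stored. */
#define HDR_BUFSIZE 64u

/* In-memory stand-in for a socket: the bytes a server "sent". */
typedef struct {
    const char *data;
    size_t len;
    size_t pos;
} mem_source_t;

static size_t source_read(mem_source_t *src, char *dst, size_t n)
{
    size_t left = src->len - src->pos;
    if (n > left)
        n = left;
    memcpy(dst, src->data + src->pos, n);
    src->pos += n;
    return n;
}

enum {
    HDR_ERR_TOO_LONG = -1,   /* line would not fit in the buffer */
    HDR_ERR_EOF      = -2    /* stream ended before a line terminator */
};

/* Read one LF-terminated header line (a trailing CR is dropped) into buf,
 * NUL-terminated. Returns the line length, or a negative error code.
 * Byte-at-a-time reading keeps the bound explicit; a real client would
 * buffer larger reads but must apply the same capacity check per store. */
int read_header_line(mem_source_t *src, char *buf, size_t bufsize)
{
    size_t buflen = 0;            /* bytes currently stored in buf */
    char c;

    if (bufsize == 0)
        return HDR_ERR_TOO_LONG;
    for (;;) {
        if (source_read(src, &c, 1) != 1)
            return HDR_ERR_EOF;
        if (c == '\n')
            break;
        /* The limit is the buffer's capacity (bufsize), with one byte kept for
         * the NUL. A comparison against buflen, the fill count, bounds nothing,
         * because it grows with every store; the capacity is the only constant
         * that can stop the write. */
        if (buflen + 1 >= bufsize)
            return HDR_ERR_TOO_LONG;
        buf[buflen++] = c;
    }
    if (buflen > 0 && buf[buflen - 1] == '\r')
        buflen--;
    buf[buflen] = '\0';
    return (int)buflen;
}

/* Walk a response's header block; returns the number of non-empty lines before
 * the blank line that ends it, or a negative error code. */
int count_header_lines(const char *response, size_t len)
{
    mem_source_t src = { response, len, 0 };
    char line[HDR_BUFSIZE];
    int n = 0;
    for (;;) {
        int r = read_header_line(&src, line, sizeof line);
        if (r < 0)
            return r;
        if (r == 0)
            return n;
        n++;
    }
}

/* Constructed sample responses (not captured from any server). */
static const char sample_ok[] =
    "HTTP/1.0 200 OK\r\n"
    "Content-Type: video/x-msvideo\r\n"
    "\r\n";
static const char sample_long[] =
    "HTTP/1.0 200 OK\r\n"
    "X-Long: " "AAAAAAAAAAAAAAAA" "AAAAAAAAAAAAAAAA" "AAAAAAAAAAAAAAAA" "AAAAAAAAAAAAAAAA" "\r\n"
    "\r\n";
static const char sample_cut[] = "HTTP/1.0 200 OK\r\nContent-Ty";

int main(void)
{
    printf("ok: %d\nlong: %d\ncut: %d\n",
           count_header_lines(sample_ok, sizeof sample_ok - 1),
           count_header_lines(sample_long, sizeof sample_long - 1),
           count_header_lines(sample_cut, sizeof sample_cut - 1));
    return 0;
}
```

Passing `sizeof line` at the call site ties the bound to the array's real capacity, so the check cannot drift from the declaration the way a separately maintained constant or counter can. An over-long line is a protocol error to report upward, not something to truncate silently.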

Changed Bug title. Request was from Reinhard Tartler <siretart@tauware.de> to control@bugs.debian.org. Full text and rfc822 format available.

Reply sent to Reinhard Tartler <siretart@tauware.de>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Darren Salt <linux@youmustbejoking.demon.co.uk>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #19 received at 369876-close@bugs.debian.org (full text, mbox):

From: Reinhard Tartler <siretart@tauware.de>
To: 369876-close@bugs.debian.org
Subject: Bug#369876: fixed in xine-lib 1.1.1-2
Date: Mon, 12 Jun 2006 10:17:24 -0700
Source: xine-lib
Source-Version: 1.1.1-2

We believe that the bug you reported is fixed in the latest version of
xine-lib, which is due to be installed in the Debian FTP archive:

libxine-dev_1.1.1-2_i386.deb
  to pool/main/x/xine-lib/libxine-dev_1.1.1-2_i386.deb
libxine1_1.1.1-2_i386.deb
  to pool/main/x/xine-lib/libxine1_1.1.1-2_i386.deb
xine-lib_1.1.1-2.diff.gz
  to pool/main/x/xine-lib/xine-lib_1.1.1-2.diff.gz
xine-lib_1.1.1-2.dsc
  to pool/main/x/xine-lib/xine-lib_1.1.1-2.dsc
A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 369876@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Reinhard Tartler <siretart@tauware.de> (supplier of updated xine-lib package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Mon, 12 Jun 2006 18:16:30 +0200
Source: xine-lib
Binary: libxine-dev libxine1
Architecture: source i386
Version: 1.1.1-2
Distribution: unstable
Urgency: medium
Maintainer: Siggi Langauf <siggi@debian.org>
Changed-By: Reinhard Tartler <siretart@tauware.de>
Description: 
 libxine-dev - the xine video player library, development packages
 libxine1   - the xine video/media player library, binary files
Closes: 281572 300852 320164 336437 354436 358429 368247 369658 369876 369974
Changes: 
 xine-lib (1.1.1-2) unstable; urgency=medium
 .
   [ Reinhard Tartler ]
 .
   * Use external libmad, acknowledging NMU (Closes: #336437)
   * enable support for libxvmc1, now that we have xorg in debian
     (Closes: #281572)
   * Conflict/Replaces obsolete package 'xine' (Closes: #300852)
   * Incorporated Darren's changes into a new maintainer upload
   * medium urgency, although security fixes a lot of other functionality
     changes
   * Some more fixages to inline usage in internal copy of ffmpeg, continuing
     the patch from Darren Salt.
   * Verified that this upload fixes build on mips, and other build failures
     look pretty similar. Therefore (Closes: #354436)
   * Verified that /usr/share/doc/libxine1/faq/faq.{html,txt} is now installed
     correctly (Closes: #369658)
   * fix gnome-vfs plugin to allow play back of http URLs again. Patch from
     upstream CVS, thank you for pointing this out, Sam Morris (Closes: #369974)
 .
   [ Darren Salt ]
 .
   * SECURITY FIXES (closes: #369876):
     - Possible buffer overflow in the AVI demuxer, caused by
       specially-crafted files or streams;
     - Possible buffer overflow in the HTTP header-fetching code.
       (CVE-2006-2802)
 .
   * Tidy up the FAQ list and README installation to quieten dh_install.
   * Re-update the FSF address in debian/copyright. It got lost in 1.1.1-1.
   * Add build-dep alternatives for those of us who do backports to sarge.
   * Tidy up the package descriptions a little.
   * Bump shlibs to >= 1.1.0 due to new functions. (Closes: #358429, #368247)
   * Empty config file no longer prevents the config from being saved.
     (Fixed in upstream 1.1.1) (Closes: #320164)
   * Pulled in some patches from CVS:
     - the above security fixes;
     - fix ALSA resume-from-suspend;
     - fix incorrect size calculation in interlaced Matroska demuxing;
     - various uninitialised variables, some of which should be non-zero;
     - HTTP MRLs requiring authentication would only work when using a proxy;
     - fix possibly-broken locale handling in the SMB input plugin;
     - avoid problems where the ffmpeg audio decoder can't find a codec;
     - avoid a couple of compiler warnings (libavutil);
     - fix up some typecasting in the win32 codec interface;
     - avoid problems with negative sizes (general demuxing);
     - some plugin cache reading code should also be used on ia64;
     - fix a couple of printf warnings on 64-bit;
     - add some locking around playback speed change code;
     - incorrect default CPU acceleration setting on powerpc;
     - fix crash at startup if VO deinterlacing is enabled, onefield_xv is
       selected and the image format is YV12;
     - avoid possible segfault with 1x1 PNGs when handled by the ffmpeg plugin;
     - wrong names used for libX11 and libXv in the health check code (we now
       detect the correct names at build time);
     - add a missing -I to src/libffmpeg/libavcodec/sparc/Makefile.am (should
       fix an FTBFS on sparc);
     - alter configure.ac to avoid FTBFS when configure is regenerated with
       autoconf 2.59c or later.
   * Add AM_MAINTAINER_MODE.
   * Fix usage of inlined functions in libffmpeg before they're defined. This is
     not implemented for all architectures in gcc 4.0.x and was causing FTBFS.
   * Kill some pointer<->int casting warnings on 64-bit architectures. (Taken
     from CVS HEAD)
Files: 
 d981b0c9679ae5fa96871fbd7c007439 1220 libs optional xine-lib_1.1.1-2.dsc
 f845b93ffa046be7fa3b8449786e6b40 224268 libs optional xine-lib_1.1.1-2.diff.gz
 2d9aa9fdf67398438f035bff9d96bd54 111078 libdevel optional libxine-dev_1.1.1-2_i386.deb
 11a1cff18dcdb6ae2bb4c417a35c1c12 9389866 libs optional libxine1_1.1.1-2_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)

iD8DBQFEjZ6jXKRQ3lK3SH4RArsBAKCsBNdmk8oV+IR/V/+8WOU5RlatbgCdFKG/
E/y6EGfeipC/wIxo9ELnMFE=
=9wI5
-----END PGP SIGNATURE-----
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 26 Jun 2007 14:49:56 GMT) Full text and rfc822 format available.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Apr 18 20:43:22 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.