Debian Bug report logs - #509616
libavcodec51: CVE-2008-4610 possible null ptr dereference in vp3.c

Package: libavcodec51; Maintainer for libavcodec51 is (unknown);

Reported by: Nico Golde <nion@debian.org>

Date: Tue, 23 Dec 2008 20:18:02 UTC

Severity: grave

Tags: patch, security

Done: Reinhard Tartler <siretart@tauware.de>

Bug is archived. No further changes may be made.

Forwarded to http://bugzilla.mplayerhq.hu/show_bug.cgi?id=1212




Report forwarded to debian-bugs-dist@lists.debian.org, Debian multimedia packages maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>:
Bug#509616; Package libavcodec51. (Tue, 23 Dec 2008 20:18:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Nico Golde <nion@debian.org>:
New Bug report received and forwarded. Copy sent to Debian multimedia packages maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>. (Tue, 23 Dec 2008 20:18:04 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Nico Golde <nion@debian.org>
To: submit@bugs.debian.org
Subject: libavcodec51: CVE-2008-4610 possible null ptr dereference in vp3.c
Date: Tue, 23 Dec 2008 21:13:40 +0100
[Message part 1 (text/plain, inline)]
Package: libavcodec51
Severity: grave
Tags: security patch

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for libavcodec51.

CVE-2008-4610[0]:
| MPlayer allows remote attackers to cause a denial of service
| (application crash) via (1) a malformed AAC file, as demonstrated by
| lol-vlc.aac; or (2) a malformed Ogg Media (OGM) file, as demonstrated
| by lol-ffplay.ogm, different vectors than CVE-2007-6718.

It turned out that the lol-ffplay.ogm crashing mplayer is 
not a bug in mplayer but a problem in ffmpeg itself. I 
tracked this down to libavcodec/vp3.c, table->table being 
NULL causes the GET_VLC macro in bitstream.h to dereference 
a NULL ptr which then causes mplayer to crash.

Attached is a patch to fix this, I am not sure if that is 
the correct way to fix this as I have no insight on the code 
functionality itself but at least it prevents mplayer from 
crashing. So you might want to check back with upstream.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4610
    http://security-tracker.debian.net/tracker/CVE-2008-4610

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[vp3.c.patch (text/x-diff, attachment)]
[Message part 3 (application/pgp-signature, inline)]

Noted your statement that Bug has been forwarded to http://bugzilla.mplayerhq.hu/show_bug.cgi?id=1212. Request was from A Mennucc1 <debdev@mennucci.sns.it> to control@bugs.debian.org. (Tue, 23 Dec 2008 21:00:02 GMT) Full text and rfc822 format available.

Reply sent to Reinhard Tartler <siretart@tauware.de>:
You have taken responsibility. (Sat, 27 Dec 2008 21:48:04 GMT) Full text and rfc822 format available.

Notification sent to Nico Golde <nion@debian.org>:
Bug acknowledged by developer. (Sat, 27 Dec 2008 21:48:04 GMT) Full text and rfc822 format available.

Message #12 received at 509616-done@bugs.debian.org (full text, mbox):

From: Reinhard Tartler <siretart@tauware.de>
To: 509616-done@bugs.debian.org
Cc: Nico Golde <nion@debian.org>
Subject: [gmane.comp.video.ffmpeg.devel] [PATCH] fix crash in vp3.c
Date: Sat, 27 Dec 2008 22:46:58 +0100
[Message part 1 (text/plain, inline)]
Hi Nico,

I'm sorry but I think I'll have to reject your bug report. Please see
the full thread at:
<http://permalink.gmane.org/gmane.comp.video.ffmpeg.devel/79298>

I have to admit that I don't really understand as well what the code
here does, but I agree with Michael that the approach to this patch is
wrong. FFmpeg cannot be made robust to all kind of wrong data. There
will always be some ways how to abuse a library.

In any case, I tried to reproduce the crash with the 'ffmpeg' command
but wasn't able to generate a segfault. I therefore conclude that the
demuxer in avformat does not exhibit the same bug as in mplayer.

If one could provide an example file that crashes the 'ffmpeg' command,
then we could reinvestigate this issue.

Anyway, thanks for your report!

[Message part 2 (message/rfc822, inline)]
From: Michael Niedermayer <michaelni@gmx.at>
To: FFmpeg development discussions and patches <ffmpeg-devel@mplayerhq.hu>
Subject: Re: [PATCH] fix crash in vp3.c
Date: Wed, 24 Dec 2008 18:23:03 +0100
[Message part 3 (text/plain, inline)]
On Wed, Dec 24, 2008 at 06:09:57PM +0100, Diego Biurrun wrote:
> Here is a patch from Nico Golde that I found in the Debian bug tracker.
> It fixes the crash I experience on my PPC box with
> 
> http://caca.zoy.org/attachment/wiki/zzuf/bugs/lol-ffplay.ogm

this patch is incorrect and insufficient

the first (though this might not be the only) bug is that
the return of read_huffman_tree() is ignored, that is errors are not
passed on to the caller

[...]
-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

Many things microsoft did are stupid, but not doing something just because
microsoft did it is even more stupid. If everything ms did were stupid they
would be bankrupt already.
[signature.asc (application/pgp-signature, inline)]
[Message part 5 (text/plain, inline)]
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@mplayerhq.hu
https://lists.mplayerhq.hu/mailman/listinfo/ffmpeg-devel
[Message part 6 (text/plain, inline)]
-- 
Gruesse/greetings,
Reinhard Tartler, KeyID 945348A4
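
The two messages above describe the same defect from opposite ends: Nico's observation that `table->table` is NULL by the time `GET_VLC` runs, and Michael's diagnosis that the return value of `read_huffman_tree()` is ignored, so the parse error never reaches the caller. The following C program is an added illustration written for this page, not FFmpeg or MPlayer code: the struct, the toy tree format, the error convention and every function name are invented and only mimic the shape of the problem. It contrasts an init routine that discards the builder's return value (and therefore reports success with a NULL table) with one that propagates the error, which is the fix shape Michael's review points at, as opposed to a NULL check inside the lookup path.

```c
/* Added example for this page (not FFmpeg/MPlayer code): the "ignored
 * return value" shape of the vp3.c bug and the fix shape Michael asks for.
 * All names, the toy tree format and the error convention are invented. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_CODES 32            /* capacity of the toy code table */

struct vlc_table {
    uint8_t  *table;            /* NULL until a table has been built */
    unsigned  nb_codes;
};

/* Toy stand-in for read_huffman_tree(): every header byte is a code
 * length 1..8. A zero or oversized length, an empty header, or too many
 * codes is a malformed tree and is rejected with -1 (think AVERROR).
 * On failure vlc->table is deliberately left NULL, as a real builder
 * that bails out early would leave it. */
static int read_huffman_tree(struct vlc_table *vlc,
                             const uint8_t *hdr, size_t len)
{
    if (len == 0 || len > MAX_CODES)
        return -1;
    for (size_t i = 0; i < len; i++)
        if (hdr[i] == 0 || hdr[i] > 8)
            return -1;
    vlc->table = malloc(len);
    if (!vlc->table)
        return -1;
    memcpy(vlc->table, hdr, len);
    vlc->nb_codes = (unsigned)len;
    return 0;
}

/* BUGGY shape: the builder's return value is discarded, so init reports
 * success while vlc->table is still NULL. The first table lookup in the
 * decode loop then dereferences NULL; that is the crash in the report. */
static int decode_init_unchecked(struct vlc_table *vlc,
                                 const uint8_t *hdr, size_t len)
{
    memset(vlc, 0, sizeof(*vlc));
    read_huffman_tree(vlc, hdr, len);      /* error silently dropped */
    return 0;
}

/* FIXED shape: propagate the builder's error to the caller, so a stream
 * with a malformed tree is rejected at init and the decode loop never
 * runs with an empty table. A NULL check inside the lookup (the rejected
 * patch) would instead hide the parse failure and keep decoding garbage. */
static int decode_init_checked(struct vlc_table *vlc,
                               const uint8_t *hdr, size_t len)
{
    memset(vlc, 0, sizeof(*vlc));
    int ret = read_huffman_tree(vlc, hdr, len);
    if (ret < 0)
        return ret;
    return 0;
}

/* Toy GET_VLC: precondition is that init returned 0, so table != NULL
 * and idx < nb_codes. Called after decode_init_unchecked() on a bad
 * header this is exactly the NULL dereference from the bug report. */
static int get_vlc(const struct vlc_table *vlc, unsigned idx)
{
    return vlc->table[idx];
}

static void vlc_free(struct vlc_table *vlc)
{
    free(vlc->table);
    vlc->table = NULL;
    vlc->nb_codes = 0;
}

int main(void)
{
    /* Constructed headers: the second contains a zero code length. */
    const uint8_t good[] = { 1, 2, 3, 3 };
    const uint8_t bad[]  = { 3, 0, 5 };
    struct vlc_table vlc;

    decode_init_unchecked(&vlc, bad, sizeof bad);
    printf("unchecked init on bad header: table=%p (would crash in get_vlc)\n",
           (void *)vlc.table);

    if (decode_init_checked(&vlc, bad, sizeof bad) < 0)
        printf("checked init on bad header: rejected, no decode attempted\n");

    if (decode_init_checked(&vlc, good, sizeof good) == 0) {
        printf("checked init on good header: code[3]=%d\n", get_vlc(&vlc, 3));
        vlc_free(&vlc);
    }
    return 0;
}
```

The point of the contrast is that the unchecked variant never fails: it hands the caller a "successfully" initialised decoder whose table pointer is NULL, and the crash only surfaces later in the lookup. Propagating the error at init is what keeps the malformed stream out of the decode loop entirely, which is why a NULL test in the hot path was rejected as the wrong layer for the fix.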

Message #13 received at 509616-done@bugs.debian.org (full text, mbox):

From: Nico Golde <nion@debian.org>
To: Reinhard Tartler <siretart@tauware.de>
Cc: 509616-done@bugs.debian.org
Subject: Re: [gmane.comp.video.ffmpeg.devel] [PATCH] fix crash in vp3.c
Date: Sun, 28 Dec 2008 00:37:20 +0100
[Message part 1 (text/plain, inline)]
Hi,
* Reinhard Tartler <siretart@tauware.de> [2008-12-28 00:27]:
> I'm sorry but I think I'll have to reject your bug report. Please see
> the full thread at:
> <http://permalink.gmane.org/gmane.comp.video.ffmpeg.devel/79298>

Yeah I was pretty sure it doesn't fix the root cause :/

> I have to admit that I don't really understand as well what the code
> here does, but I agree with Michael that the approach to this patch is
> wrong. FFmpeg cannot be made robust to all kind of wrong data. There
> will always be some ways how to abuse a library.

Why? I think that's wrong, it makes no sense to fix such 
things in vlc, xine and mplayer if it can be fixed in 
ffmpeg. I agree that it's bad that mplayer is passing faulty 
data to ffmpeg here but I fail to see a reason why avcodec 
shouldn't handle this. I don't want to play bug pingpong but 
please let's talk about that.

Cheers
Nico
-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[Message part 2 (application/pgp-signature, inline)]

Message #14 received at 509616-done@bugs.debian.org (full text, mbox):

From: Nico Golde <nion@debian.org>
To: Reinhard Tartler <siretart@tauware.de>
Cc: 509616-done@bugs.debian.org
Subject: Re: [gmane.comp.video.ffmpeg.devel] [PATCH] fix crash in vp3.c
Date: Sun, 28 Dec 2008 00:45:20 +0100
[Message part 1 (text/plain, inline)]
Hi,
* Reinhard Tartler <siretart@tauware.de> [2008-12-28 00:27]:
[...] 
> In any case, I tried to reproduce the crash with the 'ffmpeg' command
> but wasn't able to generate a segfault. I therefore conclude that the
> demuxer in avformat does not exhibit the same bug as in mplayer.

I just checked that, you are right, ffplay does not crash. 
But what about it getting into an endless loop (which it 
does on my system).

Cheers
Nico
-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[Message part 2 (application/pgp-signature, inline)]

Information stored :
Bug#509616; Package libavcodec51. (Sun, 28 Dec 2008 09:06:11 GMT) Full text and rfc822 format available.

Acknowledgement sent to Reinhard Tartler <siretart@tauware.de>:
Extra info received and filed, but not forwarded. (Sun, 28 Dec 2008 09:06:36 GMT) Full text and rfc822 format available.

Message #19 received at 509616-quiet@bugs.debian.org (full text, mbox):

From: Reinhard Tartler <siretart@tauware.de>
To: Nico Golde <nion@debian.org>
Cc: 509616-quiet@bugs.debian.org
Subject: Re: [gmane.comp.video.ffmpeg.devel] [PATCH] fix crash in vp3.c
Date: Sun, 28 Dec 2008 10:01:52 +0100
Nico Golde <nion@debian.org> writes:
>> I have to admit that I don't really understand as well what the code
>> here does, but I agree with Michael that the approach to this patch is
>> wrong. FFmpeg cannot be made robust to all kind of wrong data. There
>> will always be some ways how to abuse a library.
>
> Why? I think that's wrong, it makes no sense to fix such 
> things in vlc, xine and mplayer if it can be fixed in 
> ffmpeg. I agree that it's bad that mplayer is passing faulty 
> data to ffmpeg here but I fail to see a reason why avcodec 
> shouldn't handle this. I don't want to play bug pingpong but 
> please let's talk about that.

of course, if there is a bug in ffmpeg, it of course should be
fixed. AFAIU Michael's response he acknowledges that there is a bug in
the function. However ffmpeg (and debian as well, btw) has a history of
fixing the bugs only with sensible fixes, which involves understanding
the fix fully. Your patch however does not match that description.

Moreover, I cannot really comment on the correctness of your patch. The
code is sufficiently complicated that I'd rather only include them in
the package if upstream gives it blessing. Diego wasn't sure himself, so
he forwarded the patch to the ffmpeg mailing list for you. Michael then
in turn rejected your patch. If you really want to investigate further,
I'd suggest that you follow up on the mail I forwarded to you.

-- 
Gruesse/greetings,
Reinhard Tartler, KeyID 945348A4

Information stored :
Bug#509616; Package libavcodec51. (Sun, 28 Dec 2008 11:48:08 GMT) Full text and rfc822 format available.

Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and filed, but not forwarded. (Sun, 28 Dec 2008 11:48:08 GMT) Full text and rfc822 format available.

Message #24 received at 509616-quiet@bugs.debian.org (full text, mbox):

From: Nico Golde <nion@debian.org>
To: Reinhard Tartler <siretart@tauware.de>
Cc: 509616-quiet@bugs.debian.org
Subject: Re: [gmane.comp.video.ffmpeg.devel] [PATCH] fix crash in vp3.c
Date: Sun, 28 Dec 2008 12:42:16 +0100
Hi,
* Reinhard Tartler <siretart@tauware.de> [2008-12-28 12:37]:
> Nico Golde <nion@debian.org> writes:
> >> I have to admit that I don't really understand as well what the code
> >> here does, but I agree with Michael that the approach to this patch is
> >> wrong. FFmpeg cannot be made robust to all kind of wrong data. There
> >> will always be some ways how to abuse a library.
> >
> > Why? I think that's wrong, it makes no sense to fix such 
> > things in vlc, xine and mplayer if it can be fixed in 
> > ffmpeg. I agree that it's bad that mplayer is passing faulty 
> > data to ffmpeg here but I fail to see a reason why avcodec 
> > shouldn't handle this. I don't want to play bug pingpong but 
> > please let's talk about that.
> 
> of course, if there is a bug in ffmpeg, it of course should be
> fixed. AFAIU Michael's response he acknowledges that there is a bug in
> the function. However ffmpeg (and debian as well, btw) has a history of
> fixing the bugs only with sensible fixes, which involves understanding
> the fix fully. Your patch however does not match that description.

Yes, with that justification I understand why you refuse the 
patch but not why the bug report is closed.

Cheers
Nico
-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

Information stored :
Bug#509616; Package libavcodec51. (Sun, 28 Dec 2008 14:12:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Reinhard Tartler <siretart@tauware.de>:
Extra info received and filed, but not forwarded. (Sun, 28 Dec 2008 14:12:04 GMT) Full text and rfc822 format available.

Message #29 received at 509616-quiet@bugs.debian.org (full text, mbox):

From: Reinhard Tartler <siretart@tauware.de>
To: Nico Golde <nion@debian.org>
Cc: 509616-quiet@bugs.debian.org
Subject: Re: [gmane.comp.video.ffmpeg.devel] [PATCH] fix crash in vp3.c
Date: Sun, 28 Dec 2008 15:09:45 +0100
Nico Golde <nion@debian.org> writes:

>> of course, if there is a bug in ffmpeg, it of course should be
>> fixed. AFAIU Michael's response he acknowledges that there is a bug in
>> the function. However ffmpeg (and debian as well, btw) has a history of
>> fixing the bugs only with sensible fixes, which involves understanding
>> the fix fully. Your patch however does not match that description.
>
> Yes, with that justification I understand why you refuse the 
> patch but not why the bug report is closed.

If you intend to continue on this bug, feel free to reopen the
issue. For me, I don't see a strong need to investigate this further and
so I closed the issue for me.

-- 
Gruesse/greetings,
Reinhard Tartler, KeyID 945348A4

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 26 Jan 2009 07:27:06 GMT) Full text and rfc822 format available.



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Apr 20 07:03:06 2014; Machine Name: beach.debian.org
