Subject: Re: kdemultimedia pkg and xine-lib security problems
To: Nuno Teixeira <nu@nunotex.freeshell.org>
From: Lubomir Sedlacik <salo@Xtrmntr.org>
List: netbsd-users
Date: 02/27/2005 21:42:40
--ahWNmK+0tXt5sn0+
Content-Type: multipart/mixed; boundary="qM0hR3HHz0xGm96J"
Content-Disposition: inline
--qM0hR3HHz0xGm96J
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
On Sun, Feb 27, 2005 at 06:30:35PM +0000, Nuno Teixeira wrote:
> I've updated my 2004Q4 via cvs today and when I tried to make a package
> from multimedia/xine-lib I get the error:
>=20
> =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
> =3D=3D=3D> Checking for vulnerabilities in xine-lib-1rc6anb2
> *** WARNING - remote-code-execution vulnerability in xine-lib-1rc6anb2 - =
see http://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCAN-2004-1187 for more =
information ***
> *** WARNING - remote-code-execution vulnerability in xine-lib-1rc6anb2 - =
see http://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCAN-2004-1188 for more =
information ***
> or define ALLOW_VULNERABLE_PACKAGES if this package is absolutely essenti=
al
> *** Error code 1
>=20
> Stop.
> make: stopped in /usr/pkgsrc/multimedia/xine-lib
> *** Error code 1
>=20
> Stop.
> make: stopped in /usr/pkgsrc/multimedia/xine-lib
> =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
>=20
> I have audit-packages installed with pkg-vulnerabilities updated today.
>=20
> What I should do?
Update your pkg-vulnerabilities again and apply the attached patch, or
wait for ticket #317 to be pulled up to the 2004Q4 branch later
today: http://releng.netbsd.org/cgi-bin/req-pkgsrc.cgi?show=317
regards,
--=20
-- Lubomir Sedlacik <salo@{NetBSD,Xtrmntr,silcnet}.org> --
--qM0hR3HHz0xGm96J
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename="xine-lib.diff"
Content-Transfer-Encoding: quoted-printable
Index: Makefile
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
RCS file: /cvsroot/pkgsrc/multimedia/xine-lib/Makefile,v
retrieving revision 1.14.2.1
diff -u -r1.14.2.1 Makefile
--- Makefile 7 Jan 2005 01:22:20 -0000 1.14.2.1
+++ Makefile 27 Feb 2005 20:20:43 -0000
@@ -3,7 +3,7 @@
=20
.include "Makefile.common"
=20
-PKGREVISION=3D 2
+PKGREVISION=3D 3
=20
.if ${MACHINE_ARCH} =3D=3D "i386"
DEPENDS+=3D win32-codecs>=3D011227:../../multimedia/win32-codecs
Index: distinfo
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
RCS file: /cvsroot/pkgsrc/multimedia/xine-lib/distinfo,v
retrieving revision 1.9.2.1
diff -u -r1.9.2.1 distinfo
--- distinfo 7 Jan 2005 01:22:20 -0000 1.9.2.1
+++ distinfo 27 Feb 2005 20:20:43 -0000
@@ -22,3 +22,5 @@
SHA1 (patch-av) =3D 56f462e6091a72e87544ece689557d60fbb749aa
SHA1 (patch-ba) =3D a527975fe9675358090bddc1361b707aa122f89b
SHA1 (patch-bb) =3D fcfdf5dae066837cb35e51a5d114c366a5b3a7b2
+SHA1 (patch-bc) =3D c07129e89ed5b958c9361b864e227cc7569e4a33
+SHA1 (patch-bd) =3D 2af09a00178b2cc499f98a454667e9dbfcc8e072
Index: patches/patch-bc
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
RCS file: patches/patch-bc
diff -N patches/patch-bc
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-bc 27 Feb 2005 20:20:43 -0000
@@ -0,0 +1,102 @@
+$NetBSD$
+
+--- src/input/pnm.c 2003/12/12 22:53:15 1.20
++++ src/input/pnm.c 2004/12/15 12:53:36 1.21
+@@ -205,16 +205,21 @@
+ char *data, int *need_response) {
+=20
+ unsigned int chunk_size;
+- int n;
++ unsigned int n;
+ char *ptr;
+-=20
++
++ if( max < PREAMBLE_SIZE )
++ return -1;
++ =20
+ /* get first PREAMBLE_SIZE bytes and ignore checksum */
+ _x_io_tcp_read (p->stream, p->s, data, CHECKSUM_SIZE);
+ if (data[0] =3D=3D 0x72)
+ _x_io_tcp_read (p->stream, p->s, data, PREAMBLE_SIZE);
+ else
+ _x_io_tcp_read (p->stream, p->s, data+CHECKSUM_SIZE, PREAMBLE_SIZE-CH=
ECKSUM_SIZE);
+- =20
++
++ max -=3D PREAMBLE_SIZE;
++ =20
+ *chunk_type =3D be2me_32(*((uint32_t *)data));
+ chunk_size =3D be2me_32(*((uint32_t *)(data+4)));
+=20
+@@ -222,7 +227,11 @@
+ case PNA_TAG:
+ *need_response=3D0;
+ ptr=3Ddata+PREAMBLE_SIZE;
++
++ if( max < 1 )
++ return -1;
+ _x_io_tcp_read (p->stream, p->s, ptr++, 1);
++ max -=3D 1;
+=20
+ while(1) {
+ /* The pna chunk is devided into subchunks.
+@@ -235,17 +244,29 @@
+ * if first byte is 'F', we got an error
+ */
+=20
++ if( max < 2 )
++ return -1;
+ _x_io_tcp_read (p->stream, p->s, ptr, 2);
++ max -=3D 2;
++ =20
+ if (*ptr =3D=3D 'X') /* checking for server message */
+ {
+ xprintf(p->stream->xine, XINE_VERBOSITY_DEBUG, "input_pnm: got a messa=
ge from server:\n");
++ if( max < 1 )
++ return -1;
+ _x_io_tcp_read (p->stream, p->s, ptr+2, 1);
++ max -=3D 1;
+=20
+ /* two bytes of message length*/
+ n=3Dbe2me_16(*(uint16_t*)(ptr+1));
+=20
+ /* message itself */
++ if( max < n )
++ return -1;
+ _x_io_tcp_read (p->stream, p->s, ptr+3, n);
++ max -=3D n;
++ if( max < 1 )
++ return -1;
+ ptr[3+n]=3D0;
+ xprintf(p->stream->xine, XINE_VERBOSITY_DEBUG, "%s\n", ptr+3);
+ return -1;
+@@ -265,10 +286,15 @@
+ }
+ if (*ptr !=3D 0x4f) break;
+ n=3Dptr[1];
+- _x_io_tcp_read (p->stream, p->s, ptr+2, n);
++ if( max < n )
++ return -1;
++ _x_io_tcp_read (p->stream, p->s, ptr+2, n);
+ ptr+=3D(n+2);
++ max-=3Dn;
+ }
+ /* the checksum of the next chunk is ignored here */
++ if( max < 1 )
++ return -1;
+ _x_io_tcp_read (p->stream, p->s, ptr+2, 1);
+ ptr+=3D3;
+ chunk_size=3Dptr-data;
+@@ -278,11 +304,11 @@
+ case PROP_TAG:
+ case MDPR_TAG:
+ case CONT_TAG:
+- if (chunk_size > max) {
++ if (chunk_size > max || chunk_size < PREAMBLE_SIZE) {
+ xprintf(p->stream->xine, XINE_VERBOSITY_DEBUG, "error: max chunk =
size exeeded (max was 0x%04x)\n", max);
++#ifdef LOG
+ /* reading some bytes for debugging */
+ n=3D_x_io_tcp_read (p->stream, p->s, &data[PREAMBLE_SIZE], 0x100 =
- PREAMBLE_SIZE);
+-#ifdef LOG
+ xine_hexdump(data,n+PREAMBLE_SIZE);
+ #endif
+ return -1;
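Review bot: In the sub-chunk loop of the pnm.c change, `n=ptr[1];` now assigns a plain `char` (`char *ptr`) to the newly unsigned `n`, so where `char` is signed a length byte of 0x80 or above sign-extends to a huge value and the added `if( max < n )` rejects the chunk. That fails closed, but it makes parsing platform-dependent; `n=(unsigned char)ptr[1];` keeps the 0–255 range the protocol byte can carry. Separately, none of the `_x_io_tcp_read` calls has its return value checked, so after a short read or an error the length fields are taken from whatever `data` already held; the new `max` accounting should keep the writes in bounds, yet parsing still continues on stale bytes. The read kept under `#ifdef LOG` (`0x100 - PREAMBLE_SIZE` bytes into `&data[PREAMBLE_SIZE]`) is also not compared against `max`, which matters if a caller passes a buffer smaller than 0x100. The function starts and ends outside the quoted hunks, so the callers' buffer sizes are not visible here.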
Index: patches/patch-bd
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
RCS file: patches/patch-bd
diff -N patches/patch-bd
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-bd 27 Feb 2005 20:20:43 -0000
@@ -0,0 +1,27 @@
+$NetBSD$
+
+--- src/input/libreal/real.c 2004/09/08 15:09:30 1.19
++++ src/input/libreal/real.c 2004/12/15 12:53:46 1.20
+@@ -604,6 +604,8 @@
+ return (n <=3D 0) ? 0 : n+12;
+ }
+=20
++//! maximum size of the rtsp description, must be < INT_MAX
++#define MAX_DESC_BUF (20 * 1024 * 1024)
+ rmff_header_t *real_setup_and_get_header(rtsp_t *rtsp_session, uint32_t =
bandwidth) {
+=20
+ char *description=3DNULL;
+@@ -652,6 +654,13 @@
+ else
+ size=3Datoi(rtsp_search_answers(rtsp_session,"Content-length"));
+=20
++ if (size > MAX_DESC_BUF) {
++ printf("real: Content-length for description too big (> %uMB)!\n",
++ MAX_DESC_BUF/(1024*1024) );
++ xine_buffer_free(buf);
++ return NULL;
++ }
++
+ if (!rtsp_search_answers(rtsp_session,"ETag"))
+ lprintf("real: got no ETag!\n");
+ else
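Review bot: The new `size > MAX_DESC_BUF` test only rejects a negative Content-length if `size` is an unsigned type, and its declaration is outside this hunk; `atoi` returns a negative int for input such as "-1" and gives no error indication for non-numeric text. If `size` turns out to be signed, the guard should read `if (size < 0 || size > MAX_DESC_BUF) {`, and parsing with `strtoul` plus an end-pointer check would reject malformed values outright. The message also pairs `%u` with the int expression `MAX_DESC_BUF/(1024*1024)` and uses `printf` where the neighbouring code logs through `lprintf`; `%d` and `lprintf` would match.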
--qM0hR3HHz0xGm96J--
--ahWNmK+0tXt5sn0+
Content-Type: application/pgp-signature
Content-Disposition: inline
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (NetBSD)
iD8DBQFCIjDAiwjDDlS8cmMRAn/vAKCArWWhNDGVYSOAKUttdCKTZZ3fWACgjIJr
PYIMLvNEzqADXSoXQFn5Vm8=
=6tjB
-----END PGP SIGNATURE-----
--ahWNmK+0tXt5sn0+--