Subject: Re: kdemultimedia pkg and xine-lib security problems
To: Lubomir Sedlacik <salo@Xtrmntr.org>
From: Nuno Teixeira <nu@nunotex.freeshell.org>
List: netbsd-users
Date: 02/27/2005 20:50:37
Hello,

OK, thanks. I will wait for the pull up in 2004Q4.

Just one more question: does this mean that the xine-lib package will appear in
the 2004Q4 packages again?

Yours,

	Nuno Teixeira

On Sun, Feb 27, 2005 at 09:42:40PM +0100, Lubomir Sedlacik wrote:
> On Sun, Feb 27, 2005 at 06:30:35PM +0000, Nuno Teixeira wrote:
> > I've updated my 2004Q4 via cvs today and when I tried to make a package
> > from multimedia/xine-lib I get the error:
> > 
> > =================
> > ===> Checking for vulnerabilities in xine-lib-1rc6anb2
> > *** WARNING - remote-code-execution vulnerability in xine-lib-1rc6anb2 - see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1187 for more information ***
> > *** WARNING - remote-code-execution vulnerability in xine-lib-1rc6anb2 - see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1188 for more information ***
> > or define ALLOW_VULNERABLE_PACKAGES if this package is absolutely essential
> > *** Error code 1
> > 
> > Stop.
> > make: stopped in /usr/pkgsrc/multimedia/xine-lib
> > *** Error code 1
> > 
> > Stop.
> > make: stopped in /usr/pkgsrc/multimedia/xine-lib
> > =================
> > 
> > I have audit-packages installed with pkg-vulnerabilities updated today.
> > 
> > What I should do?
> 
> update your pkg-vulnerabilities again and apply the attached patch or
> wait for the ticket #317 to be pulled up to the 2004Q4 branch later
> today.  http://releng.netbsd.org/cgi-bin/req-pkgsrc.cgi?show=317
> 
> regards,
> 
> -- 
> -- Lubomir Sedlacik <salo@{NetBSD,Xtrmntr,silcnet}.org>   --

> Index: Makefile
> ===================================================================
> RCS file: /cvsroot/pkgsrc/multimedia/xine-lib/Makefile,v
> retrieving revision 1.14.2.1
> diff -u -r1.14.2.1 Makefile
> --- Makefile	7 Jan 2005 01:22:20 -0000	1.14.2.1
> +++ Makefile	27 Feb 2005 20:20:43 -0000
> @@ -3,7 +3,7 @@
>  
>  .include "Makefile.common"
>  
> -PKGREVISION=		2
> +PKGREVISION=		3
>  
>  .if ${MACHINE_ARCH} == "i386"
>  DEPENDS+=       	win32-codecs>=011227:../../multimedia/win32-codecs
> Index: distinfo
> ===================================================================
> RCS file: /cvsroot/pkgsrc/multimedia/xine-lib/distinfo,v
> retrieving revision 1.9.2.1
> diff -u -r1.9.2.1 distinfo
> --- distinfo	7 Jan 2005 01:22:20 -0000	1.9.2.1
> +++ distinfo	27 Feb 2005 20:20:43 -0000
> @@ -22,3 +22,5 @@
>  SHA1 (patch-av) = 56f462e6091a72e87544ece689557d60fbb749aa
>  SHA1 (patch-ba) = a527975fe9675358090bddc1361b707aa122f89b
>  SHA1 (patch-bb) = fcfdf5dae066837cb35e51a5d114c366a5b3a7b2
> +SHA1 (patch-bc) = c07129e89ed5b958c9361b864e227cc7569e4a33
> +SHA1 (patch-bd) = 2af09a00178b2cc499f98a454667e9dbfcc8e072
> Index: patches/patch-bc
> ===================================================================
> RCS file: patches/patch-bc
> diff -N patches/patch-bc
> --- /dev/null	1 Jan 1970 00:00:00 -0000
> +++ patches/patch-bc	27 Feb 2005 20:20:43 -0000
> @@ -0,0 +1,102 @@
> +$NetBSD$
> +
> +--- src/input/pnm.c	2003/12/12 22:53:15	1.20
> ++++ src/input/pnm.c	2004/12/15 12:53:36	1.21
> +@@ -205,16 +205,21 @@
> +                          char *data, int *need_response) {
> + 
> +   unsigned int chunk_size;
> +-  int n;
> ++  unsigned int n;
> +   char *ptr;
> +- 
> ++
> ++  if( max < PREAMBLE_SIZE )
> ++    return -1;
> ++    
> +   /* get first PREAMBLE_SIZE bytes and ignore checksum */
> +   _x_io_tcp_read (p->stream, p->s, data, CHECKSUM_SIZE);
> +   if (data[0] == 0x72)
> +     _x_io_tcp_read (p->stream, p->s, data, PREAMBLE_SIZE);
> +   else
> +     _x_io_tcp_read (p->stream, p->s, data+CHECKSUM_SIZE, PREAMBLE_SIZE-CHECKSUM_SIZE);
> +-  
> ++
> ++  max -= PREAMBLE_SIZE;
> ++    
> +   *chunk_type = be2me_32(*((uint32_t *)data));
> +   chunk_size = be2me_32(*((uint32_t *)(data+4)));
> + 
> +@@ -222,7 +227,11 @@
> +     case PNA_TAG:
> +       *need_response=0;
> +       ptr=data+PREAMBLE_SIZE;
> ++
> ++      if( max < 1 )
> ++        return -1;
> +       _x_io_tcp_read (p->stream, p->s, ptr++, 1);
> ++      max -= 1;
> + 
> +       while(1) {
> + 	/* The pna chunk is devided into subchunks.
> +@@ -235,17 +244,29 @@
> + 	 * if first byte is 'F', we got an error
> + 	 */
> + 
> ++        if( max < 2 )
> ++          return -1;
> +         _x_io_tcp_read (p->stream, p->s, ptr, 2);
> ++        max -= 2;
> ++        
> + 	if (*ptr == 'X') /* checking for server message */
> + 	{
> + 	  xprintf(p->stream->xine, XINE_VERBOSITY_DEBUG, "input_pnm: got a message from server:\n");
> ++          if( max < 1 )
> ++            return -1;
> + 	  _x_io_tcp_read (p->stream, p->s, ptr+2, 1);
> ++          max -= 1;
> + 
> + 	  /* two bytes of message length*/
> + 	  n=be2me_16(*(uint16_t*)(ptr+1));
> + 
> + 	  /* message itself */
> ++          if( max < n )
> ++            return -1;
> + 	  _x_io_tcp_read (p->stream, p->s, ptr+3, n);
> ++          max -= n;
> ++          if( max < 1 )
> ++            return -1;
> + 	  ptr[3+n]=0;
> + 	  xprintf(p->stream->xine, XINE_VERBOSITY_DEBUG, "%s\n", ptr+3);
> + 	  return -1;
> +@@ -265,10 +286,15 @@
> + 	}
> + 	if (*ptr != 0x4f) break;
> + 	n=ptr[1];
> +-	_x_io_tcp_read (p->stream, p->s, ptr+2, n);
> ++        if( max < n )
> ++          return -1;
> ++        _x_io_tcp_read (p->stream, p->s, ptr+2, n);
> + 	ptr+=(n+2);
> ++        max-=n;
> +       }
> +       /* the checksum of the next chunk is ignored here */
> ++      if( max < 1 )
> ++        return -1;
> +       _x_io_tcp_read (p->stream, p->s, ptr+2, 1);
> +       ptr+=3;
> +       chunk_size=ptr-data;
> +@@ -278,11 +304,11 @@
> +     case PROP_TAG:
> +     case MDPR_TAG:
> +     case CONT_TAG:
> +-      if (chunk_size > max) {
> ++      if (chunk_size > max || chunk_size < PREAMBLE_SIZE) {
> +         xprintf(p->stream->xine, XINE_VERBOSITY_DEBUG, "error: max chunk size exeeded (max was 0x%04x)\n", max);
> ++#ifdef LOG
> + 	/* reading some bytes for debugging */
> +         n=_x_io_tcp_read (p->stream, p->s, &data[PREAMBLE_SIZE], 0x100 - PREAMBLE_SIZE);
> +-#ifdef LOG
> +         xine_hexdump(data,n+PREAMBLE_SIZE);
> + #endif
> +         return -1;
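Review bot: The debug read kept under `#ifdef LOG`, `n=_x_io_tcp_read (p->stream, p->s, &data[PREAMBLE_SIZE], 0x100 - PREAMBLE_SIZE);`, is the one read in this function that is not bounded by `max`, so with logging enabled an oversized chunk still writes up to 248 bytes past the preamble regardless of the caller's buffer size; cap it as `n=_x_io_tcp_read (p->stream, p->s, &data[PREAMBLE_SIZE], max < 0x100 - PREAMBLE_SIZE ? max : 0x100 - PREAMBLE_SIZE);` (max has already been reduced by PREAMBLE_SIZE at that point). None of the other `_x_io_tcp_read` results are checked, so a socket error or short read leaves `data`, and hence `chunk_size`, undefined; the new `max` checks keep that memory-safe, but the function then appears to return a chunk built from stale bytes rather than -1. `n=ptr[1]` assigns a plain `char` to the now-unsigned `n`, so where char is signed a subchunk length of 0x80 or more sign-extends to a huge value and is rejected by the `max < n` check — fail-closed, but probably not intended; `n=(unsigned char)ptr[1];` would accept the full 0..255 range. pnm_get_chunk's signature, the PNA 'F' branch and the PROP/MDPR/CONT body read lie outside the hunk.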
> Index: patches/patch-bd
> ===================================================================
> RCS file: patches/patch-bd
> diff -N patches/patch-bd
> --- /dev/null	1 Jan 1970 00:00:00 -0000
> +++ patches/patch-bd	27 Feb 2005 20:20:43 -0000
> @@ -0,0 +1,27 @@
> +$NetBSD$
> +
> +--- src/input/libreal/real.c	2004/09/08 15:09:30	1.19
> ++++ src/input/libreal/real.c	2004/12/15 12:53:46	1.20
> +@@ -604,6 +604,8 @@
> +   return (n <= 0) ? 0 : n+12;
> + }
> + 
> ++//! maximum size of the rtsp description, must be < INT_MAX
> ++#define MAX_DESC_BUF (20 * 1024 * 1024)
> + rmff_header_t  *real_setup_and_get_header(rtsp_t *rtsp_session, uint32_t bandwidth) {
> + 
> +   char *description=NULL;
> +@@ -652,6 +654,13 @@
> +   else
> +     size=atoi(rtsp_search_answers(rtsp_session,"Content-length"));
> + 
> ++  if (size > MAX_DESC_BUF) {
> ++    printf("real: Content-length for description too big (> %uMB)!\n",
> ++           MAX_DESC_BUF/(1024*1024) );
> ++    xine_buffer_free(buf);
> ++    return NULL;
> ++  }
> ++
> +   if (!rtsp_search_answers(rtsp_session,"ETag"))
> +     lprintf("real: got no ETag!\n");
> +   else
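Review bot: The new guard `if (size > MAX_DESC_BUF)` only bounds the Content-length from above; `atoi` on a header such as `Content-length: -1` yields a negative `size` that passes the check and flows into whatever allocation and read follow the hunk, where a signed-to-unsigned conversion would turn it into a huge length. Reject both ends: `if (size < 0 || size > MAX_DESC_BUF) {`. `size`'s declaration is outside the hunk; this assumes it is a signed int, which the `atoi` assignment suggests. `atoi` also gives no error indication, so a non-numeric header silently becomes 0; `strtol` with an end-pointer check would let a malformed header be distinguished from a zero-length one. The body of real_setup_and_get_header continues past the hunk.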




-- 
SDF Public Access UNIX System - http://sdf.lonestar.org