ports/130573: [patch] [vuxml] multimedia/mplayer: fix and document CVE-2008-3162
Eygene Ryabinkin
rea-fbsd at codelabs.ru
Thu Jan 15 08:20:03 UTC 2009
>Number: 130573
>Category: ports
>Synopsis: [patch] [vuxml] multimedia/mplayer: fix and document CVE-2008-3162
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Thu Jan 15 08:20:01 UTC 2009
>Closed-Date:
>Last-Modified:
>Originator: Eygene Ryabinkin
>Release: FreeBSD 7.1-STABLE amd64
>Organization:
Code Labs
>Environment:
System: FreeBSD void.codelabs.ru 7.1-STABLE FreeBSD 7.1-STABLE #1: Tue Jan 13 18:06:32 MSK 2009 root at void.codelabs.ru:/usr/src/sys/amd64/compile/VOID amd64
>Description:
There is CVE-2008-3162 [1] and FreeBSD port is still based on the
1.0rc2 sources that aren't received this fix. The fix is in the
Subversion repository for MPlayer, [2].
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3162
[2] http://svn.mplayerhq.hu/ffmpeg?view=rev&revision=13993
>How-To-Repeat:
Look at above URLs and to the current MPlayer port sources after 'make
patch'.
>Fix:
The following patch fixes the issue. It uses plain upstream patch: I
had verified that the port builds and works for mpeg/avi files. I don't
have any STR files at hand, so I am not able to test them, sorry.
--- fix-CVE-2008-3162.diff begins here ---
>From 33b39401242cd68fed36fcf3a88b8d41f42fb4cd Mon Sep 17 00:00:00 2001
From: Eygene Ryabinkin <rea-fbsd at codelabs.ru>
Date: Thu, 15 Jan 2009 11:02:47 +0300
See also: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3162
See also: https://roundup.mplayerhq.hu/roundup/ffmpeg/issue311
See also: http://secunia.com/advisories/30994
Signed-off-by: Eygene Ryabinkin <rea-fbsd at codelabs.ru>
---
multimedia/mplayer/Makefile | 2 +-
multimedia/mplayer/files/patch-CVE-2008-3162 | 56 ++++++++++++++++++++++++++
2 files changed, 57 insertions(+), 1 deletions(-)
create mode 100644 multimedia/mplayer/files/patch-CVE-2008-3162
diff --git a/multimedia/mplayer/Makefile b/multimedia/mplayer/Makefile
index 0f79b24..5d153ba 100644
--- a/multimedia/mplayer/Makefile
+++ b/multimedia/mplayer/Makefile
@@ -7,7 +7,7 @@
PORTNAME= mplayer
PORTVERSION= ${MPLAYER_PORT_VERSION}
-PORTREVISION= 9
+PORTREVISION= 10
COMMENT= High performance media player supporting many formats
diff --git a/multimedia/mplayer/files/patch-CVE-2008-3162 b/multimedia/mplayer/files/patch-CVE-2008-3162
new file mode 100644
index 0000000..bc66a3a
--- /dev/null
+++ b/multimedia/mplayer/files/patch-CVE-2008-3162
@@ -0,0 +1,56 @@
+Obtained from upstream: http://svn.mplayerhq.hu/ffmpeg/trunk/libavformat/psxstr.c?view=patch&r1=13993&r2=13992&pathrev=13993
+See also: http://svn.mplayerhq.hu/ffmpeg?diff_format=h&view=rev&revision=13993
+See also: https://roundup.mplayerhq.hu/roundup/ffmpeg/issue311
+
+--- libavformat/psxstr.c 2008/06/26 20:50:15 13992
++++ libavformat/psxstr.c 2008/06/26 22:22:10 13993
+@@ -274,12 +274,23 @@
+ int current_sector = AV_RL16(§or[0x1C]);
+ int sector_count = AV_RL16(§or[0x1E]);
+ int frame_size = AV_RL32(§or[0x24]);
+- int bytes_to_copy;
++
++ if(!( frame_size>=0
++ && current_sector < sector_count
++ && sector_count*VIDEO_DATA_CHUNK_SIZE >=frame_size)){
++ av_log(s, AV_LOG_ERROR, "Invalid parameters %d %d %d\n", current_sector, sector_count, frame_size);
++ return AVERROR_INVALIDDATA;
++ }
++
+ // printf("%d %d %d\n",current_sector,sector_count,frame_size);
+ /* if this is the first sector of the frame, allocate a pkt */
+ pkt = &str->tmp_pkt;
+- if (current_sector == 0) {
+- if (av_new_packet(pkt, frame_size))
++
++ if(pkt->size != sector_count*VIDEO_DATA_CHUNK_SIZE){
++ if(pkt->data)
++ av_log(s, AV_LOG_ERROR, "missmatching sector_count\n");
++ av_free_packet(pkt);
++ if (av_new_packet(pkt, sector_count*VIDEO_DATA_CHUNK_SIZE))
+ return AVERROR(EIO);
+
+ pkt->pos= url_ftell(pb) - RAW_CD_SECTOR_SIZE;
+@@ -293,15 +304,15 @@
+ str->pts += (90000 / 15);
+ }
+
+- /* load all the constituent chunks in the video packet */
+- bytes_to_copy = frame_size - current_sector*VIDEO_DATA_CHUNK_SIZE;
+- if (bytes_to_copy>0) {
+- if (bytes_to_copy>VIDEO_DATA_CHUNK_SIZE) bytes_to_copy=VIDEO_DATA_CHUNK_SIZE;
+- memcpy(pkt->data + current_sector*VIDEO_DATA_CHUNK_SIZE,
+- sector + VIDEO_DATA_HEADER_SIZE, bytes_to_copy);
+- }
++ memcpy(pkt->data + current_sector*VIDEO_DATA_CHUNK_SIZE,
++ sector + VIDEO_DATA_HEADER_SIZE,
++ VIDEO_DATA_CHUNK_SIZE);
++
+ if (current_sector == sector_count-1) {
++ pkt->size= frame_size;
+ *ret_pkt = *pkt;
++ pkt->data= NULL;
++ pkt->size= -1;
+ return 0;
+ }
+
--
1.6.0.6
--- fix-CVE-2008-3162.diff ends here ---
The following VuXML entry should be evaluated and added:
--- vuln.xml begins here ---
<vuln vid="f4ac906b-e2d8-11dd-8bb6-0022156e8794">
<topic>mplayer -- vulnerability in STR files processor</topic>
<affects>
<package>
<name>mplayer</name>
<range><lt>0.99.11_10</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Secunia reports:</p>
<blockquote
cite="http://secunia.com/advisories/30994">
<p>A vulnerability has been reported in FFmpeg, which
potentially can be exploited by malicious people to compromise
a user's system.</p>
<p>The vulnerability is caused due to a boundary error within
the "str_read_packet()" function in libavformat/psxstr.c. This
can be exploited to cause a heap-based buffer overflow via a
specially crafted STR file.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2008-3162</cvename>
<bid>30157</bid>
<url>http://secunia.com/advisories/30994</url>
</references>
<dates>
<discovery>2008-07-14</discovery>
<entry>TODAY</entry>
</dates>
</vuln>
--- vuln.xml ends here ---
>Release-Note:
>Audit-Trail:
>Unformatted:
More information about the freebsd-ports-bugs
mailing list