Date: Thu, 29 Jan 2009 12:15:22 +0100
From: Jan Lieskovsky <>
To: "Steven M. Christey" <>
Subject: CVE Request -- (sort of urgent) gstreamer-plugins-good (repost) (more details about affected versions -- final version)

Hello Steve,

  By mistake I sent my previous post too early :(, so I am fixing it.

  I wanted to provide more details about the affected versions
for the gstreamer-plugins-good issues:

Original advisory:

The patch:


Three problems:
[A] heap buffer overflow vulnerability in QuickTime 'ctts' Atom parsing (vuln #1)
[B] array index out of bounds vulnerability in QuickTime 'stss' Atom parsing (vuln #2)
[C] heap buffer overflow vulnerability in QuickTime 'stts' Atom parsing (vuln #3)


i, Vulnerabilities [A] and [B] affect gstreamer-plugins-good versions (CVE id#1):
  gst-plugins-good-0.10.9 <= x < gst-plugins-good-0.10.12 (latest upstream)

CVE desc proposal: "A heap-based buffer overflow in QuickTime 'ctts' Atom
parsing and an array index out of bounds vulnerability in QuickTime Sync
Sample Atom parsing were found in gstreamer-plugins-good versions from 0.10.9
through 0.10.11..."


ii, Vulnerability [C] affects gstreamer-plugins and gstreamer-plugins-good versions (CVE id#2):
  gst-plugins-good-0.10.9 <= x < gst-plugins-good-0.10.12 (latest upstream)

CVE desc proposal: "A heap-based buffer overflow in QuickTime Sync Sample
Atom parsing has been found in gstreamer-plugins-good versions from 0.10.9
through 0.10.11 and in gstreamer-plugins version 0.8.5..."


iii, Tomas Hoger discovered that a vulnerability similar to [B] is also present
in the upstream code of gstreamer-plugins in version (CVE id#3)

CVE desc proposal: "An array index out of bounds vulnerability has been found
in gstreamer-plugins version 0.6.0 ..."

To be more exact, on lines 537 to 565 in gst-plugins-0.6.0/gst/qtdemux/qtdemux.c
(the relevant function is "gst_qtp_trak_handler"):

    556         for(i=0;i<GUINT32_FROM_BE(stsc[stsc_idx].samples_per_chunk);i++,sample++) {
    557           guint32 size = GUINT32_FROM_BE(stsz[sample]);
    558           track_to_be->samples[sample].offset = offset;
    559           track_to_be->samples[sample].size = size;
    560           track_to_be->samples[sample].timestamp =
    561           track_to_be->samples[sample].track = track_to_be;
    563           offset += size;
    564         }
    565       }

There is also a missing check whether "sample" is still lower than "nsamples",
i.e. whether a write such as track_to_be->samples[sample].size = size;
would overflow.


More explanation of all the mystical QuickTime Atom names ('stts') can
be found for example here: (section Sample Table Atoms, page 74).

Could you please allocate the 3 CVE ids for the above three cases?

Let me know if I could be of any other help.

Thanks && regards, Jan.
Jan iankko Lieskovsky / Red Hat Security Response Team
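Added illustration (not code from this mail, from gst-plugins, or from the linked patch): a simplified model of the sample-to-chunk walk quoted above, written from the defender's side to show the "sample < nsamples" guard the quoted loop lacks. Every identifier here (qt_track_t, stsc_entry_t, fill_sample_table, demo_*) is hypothetical, and the stsc/stsz/chunk-offset tables are constructed sample data, not taken from any real file. The parser refuses a file whose sample-to-chunk table claims more samples than the stsz count allocated, instead of writing past the samples array.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical, simplified counterparts of the structures in the quoted loop. */
typedef struct {
    uint32_t first_chunk;       /* 1-based chunk index where this run begins */
    uint32_t samples_per_chunk; /* value read straight from the file */
} stsc_entry_t;

typedef struct {
    uint64_t offset;
    uint32_t size;
} qt_sample_t;

typedef struct {
    qt_sample_t *samples;
    uint32_t nsamples;          /* capacity, derived from the stsz entry count */
} qt_track_t;

/* Fills track->samples from the stsc run table, stsz sizes and chunk offsets.
 * Returns the number of samples filled, or -1 when the tables are inconsistent
 * (malformed chunk run, or more samples claimed than the track has room for).
 * Every write to samples[sample] is preceded by the sample < nsamples check. */
int fill_sample_table(qt_track_t *track,
                      const stsc_entry_t *stsc, size_t n_stsc,
                      const uint32_t *stsz, size_t n_stsz,
                      const uint64_t *chunk_offsets, size_t n_chunks)
{
    uint32_t sample = 0;

    /* stsz must carry exactly one size per allocated sample */
    if (n_stsz != track->nsamples)
        return -1;

    for (size_t i = 0; i < n_stsc; i++) {
        uint32_t first = stsc[i].first_chunk;
        /* a run extends up to the next run's first chunk, or past the last chunk */
        uint32_t last = (i + 1 < n_stsc) ? stsc[i + 1].first_chunk
                                         : (uint32_t)n_chunks + 1;
        if (first == 0 || first > last || last > n_chunks + 1)
            return -1;          /* malformed chunk run */

        for (uint32_t chunk = first; chunk < last; chunk++) {
            uint64_t offset = chunk_offsets[chunk - 1];
            for (uint32_t j = 0; j < stsc[i].samples_per_chunk; j++, sample++) {
                if (sample >= track->nsamples)
                    return -1;  /* the bounds check missing in the quoted loop */
                uint32_t size = stsz[sample];
                track->samples[sample].offset = offset;
                track->samples[sample].size = size;
                offset += size;
            }
        }
    }
    return (int)sample;
}

/* Constructed demo input: two chunks at offsets 1000 and 2000, an stsz table
 * with four sizes (10, 20, 30, 40), and one stsc run claiming `spc` samples
 * per chunk. spc == 2 is consistent (4 samples); spc == 3 claims 6 samples
 * for a 4-entry track and must be rejected. */
static int run_demo(uint32_t spc, uint64_t *last_offset)
{
    qt_sample_t buf[4];
    qt_track_t track = { buf, 4 };
    stsc_entry_t stsc[] = { { 1, spc } };
    uint32_t stsz[] = { 10, 20, 30, 40 };
    uint64_t chunk_offsets[] = { 1000, 2000 };

    int n = fill_sample_table(&track, stsc, 1, stsz, 4, chunk_offsets, 2);
    if (n > 0 && last_offset)
        *last_offset = buf[n - 1].offset;
    return n;
}

/* Number of samples parsed for the demo input, or -1 if rejected. */
int demo_sample_count(uint32_t spc)
{
    return run_demo(spc, NULL);
}

/* Offset of the last parsed sample for the demo input, or -1 if rejected. */
long long demo_last_offset(uint32_t spc)
{
    uint64_t off = 0;
    return run_demo(spc, &off) > 0 ? (long long)off : -1;
}

int main(void)
{
    printf("consistent file:   %d samples, last offset %lld\n",
           demo_sample_count(2), demo_last_offset(2));
    printf("inconsistent file: result %d (rejected)\n", demo_sample_count(3));
    return 0;
}
```

The constructed consistent file yields four samples with the last one at offset 2030 (chunk 2 at 2000 plus the 30-byte third sample); the inconsistent file is rejected before any out-of-bounds write. The same guard applies to each of the other per-sample tables named in the mail (stts, ctts, stss), since each of them indexes the sample array with a count read from the file.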
