Memory corruption in RealMedia parsing

Bug #690173 reported by Dan Rosenberg
Affects            Status        Importance  Assigned to          Milestone
VLC media player   Fix Released  Critical    Rémi Denis-Courmont
vlc (Ubuntu)       Fix Released  Undecided   Unassigned
Lucid              Fix Released  Undecided   Unassigned
Maverick           Fix Released  Undecided   Unassigned

Bug Description

Binary package hint: vlc

I've attached a fuzzed RealMedia file that crashes VLC. The crash appears to be caused by invoking a function pointer from an uninitialized object. By pre-initializing the heap memory corresponding to this object, it may be possible to control program flow and subsequently execute arbitrary code. The program crashes on line 551 of modules/demux/real.c:

            if( tk->p_frame )
                block_Release( tk->p_frame );

where block_Release invokes a function pointer of the uninitialized p_frame. I've confirmed this issue in Lucid (VLC 1.0.6) and upstream (1.1.5).

Tags: patch
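The crash mechanism described in the report, as an added example that is not VLC's code: a reduced model in which a track object's p_frame pointer is left uninitialised by malloc() and then reaches a block_Release()-style indirect call during cleanup, beside the zero-initialised allocation that makes the existing NULL check sufficient. The block_t and track_t layouts, the g_released counter and the track_new_* helpers are assumptions for illustration, not VLC's definitions.

```c
#include <stdlib.h>

/* Reduced model of VLC's block_t: a buffer plus the release callback that
 * block_Release() invokes indirectly (simplified layout, an assumption). */
typedef struct block_t block_t;
struct block_t { unsigned char *p_buffer; void (*pf_release)(block_t *); };

static int g_released;   /* counts releases so the cleanup path is observable */
static void block_FreeDefault(block_t *b) { g_released++; free(b->p_buffer); free(b); }

static block_t *block_Alloc(size_t n)
{
    block_t *b = calloc(1, sizeof *b);
    if (b) { b->p_buffer = malloc(n ? n : 1); b->pf_release = block_FreeDefault; }
    return b;
}

/* block_Release(): a call through a function pointer stored in the object. */
static void block_Release(block_t *b) { b->pf_release(b); }

/* Per-track demuxer state; p_frame is the field the report says was never set. */
typedef struct { int i_id; block_t *p_frame; } track_t;

/* Vulnerable pattern: malloc() leaves p_frame holding whatever the recycled
 * chunk contained, so a cleanup that tests and releases it calls through a
 * stale pointer. Shown for comparison; track_release() is never run on it here. */
static track_t *track_new_unsafe(int id)
{
    track_t *tk = malloc(sizeof *tk);
    if (tk) tk->i_id = id;          /* p_frame deliberately left uninitialised */
    return tk;
}

/* Hardened pattern: zero the whole object at allocation, so "no frame yet" is
 * an explicit NULL that the existing check in the cleanup path handles. */
static track_t *track_new_safe(int id)
{
    track_t *tk = calloc(1, sizeof *tk);
    if (tk) tk->i_id = id;
    return tk;
}

/* Cleanup shaped like the lines quoted from real.c; returns frames released. */
static int track_release(track_t *tk)
{
    int before = g_released;
    if (tk->p_frame)
        block_Release(tk->p_frame);
    free(tk);
    return g_released - before;
}
```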
Dan Rosenberg (dan-j-rosenberg) wrote :
Kees Cook (kees) wrote :

Please use CVE-2010-3907 for this issue.

Changed in vlc (Ubuntu):
status: New → Confirmed
Changed in vlc:
milestone: none → 1.1.6
status: New → In Progress
importance: Undecided → Critical
assignee: nobody → Rémi Denis-Courmont (rdenis)
Rémi Denis-Courmont (rdenis) wrote :
Benjamin Drung (bdrung) wrote :

Here are the debdiffs for maverick-security (vlc_1.1.4-1ubuntu1.2) and lucid-security (vlc_1.0.6-1ubuntu1.3). Both build on amd64. The security issue will be closed in natty with the next upstream release (1.1.6).

Benjamin Drung (bdrung) wrote :
Artur Rona (ari-tczew) wrote :

MOTU-SWAT ACK for both debdiffs.
Thank you for your contribution in security areas!

Changed in vlc (Ubuntu Maverick):
status: New → Confirmed
Changed in vlc (Ubuntu Lucid):
status: New → Confirmed
visibility: private → public
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package vlc - 1.1.4-1ubuntu1.2

---------------
vlc (1.1.4-1ubuntu1.2) maverick-security; urgency=low

  * SECURITY UPDATE: Buffer overflow in Real demuxer (LP: #690173)
    - modules/demux/real.c: Fix heap buffer overflow, thanks to Rémi
      Denis-Courmont
    - CVE-2010-3907
    - VideoLAN-SA-1007
 -- Benjamin Drung <email address hidden> Thu, 30 Dec 2010 00:46:50 +0100

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package vlc - 1.0.6-1ubuntu1.3

---------------
vlc (1.0.6-1ubuntu1.3) lucid-security; urgency=low

  * SECURITY UPDATE: Buffer overflow in Real demuxer (LP: #690173)
    - modules/demux/real.c: Fix heap buffer overflow, thanks to Rémi
      Denis-Courmont
    - CVE-2010-3907
    - VideoLAN-SA-1007
 -- Benjamin Drung <email address hidden> Thu, 30 Dec 2010 01:14:56 +0100

Changed in vlc (Ubuntu Lucid):
status: Confirmed → Fix Released
Changed in vlc (Ubuntu Maverick):
status: Confirmed → Fix Released
tags: added: patch
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package vlc - 1.1.6-1ubuntu1

---------------
vlc (1.1.6-1ubuntu1) natty; urgency=low

  * Merge from Debian experimental, remaining changes:
    - build and install the libx264 plugin

vlc (1.1.6-1) experimental; urgency=low

  [ Reinhard Tartler ]
  * Tighten some build dependencies (Closes: #605638)

  [ Benjamin Drung ]
  * New upstream release.
    - Fix heap buffer overflow in Real demuxer (CVE-2010-3907) (LP: #690173)
    - Fix blue face issue with X11 output (LP: #665298)
    - Fix crash with SIGSEGV in QMetaObject::activate() (LP: #448082)
    - Fix heap overflow in CDG decoder and XML heap corruption (LP: #707154)
  * Drop backported patches.
  * Tighten more build dependencies after reviewing configure.ac.
  * Update my email address.
  * Add lirc build failure fix patch.
  * Build depends on libgtk2.0-dev for notify module.
 -- Benjamin Drung <email address hidden> Tue, 25 Jan 2011 01:22:56 +0100

Changed in vlc (Ubuntu):
status: Confirmed → Fix Released
Changed in vlc:
status: In Progress → Fix Released