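Vulnerability Details
VLC Media Player heap overflow vulnerability in modules/access/rtsp/real_sdpplin.c
Vulnerability Summary
VideoLAN VLC media player is a free, open-source, cross-platform multimedia player (and multimedia framework) developed by the VideoLAN organization in France. It supports playback from many kinds of media (files, discs, etc.) and many audio and video formats (WMV, MP3, etc.).
VLC has a buffer overflow vulnerability when processing malformed data; a remote attacker may exploit it to take control of the user's system.
The old version of the Xine library used by VLC contains a heap overflow in modules/access/rtsp/real_sdpplin.c: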
sdpplin_t *sdpplin_parse(char *data) {
    sdpplin_t *desc = malloc(sizeof(sdpplin_t));
    sdpplin_stream_t *stream;
    char *buf=malloc(3200);        /* fixed-size heap buffers */
    char *decoded=malloc(3200);
    ...
    while (data && *data) {
        handled=0;
        if (filter(data, "m=", &buf)) {
    ...
static int filter(const char *in, const char *filter, char **out) {
    int flen=strlen(filter);
    int len;
    if (!in) return 0;
    /* len is the length of the current line, taken from the received data */
    len = (strchr(in,'\n')) ? strchr(in,'\n')-in : strlen(in);
    if (!strncmp(in,filter,flen)) {
        if(in[flen]=='"') flen++;
        if(in[len-1]==13) len--;
        if(in[len-1]=='"') len--;
        /* copy length is never compared with the 3200 bytes behind *out */
        memcpy(*out, in+flen, len-flen+1);
        (*out)[len-flen]=0;
        return len-flen;
    }
    return 0;
}
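The buf and decoded buffers are overflowed when the SDP parameters of an RTSP session are read.
In addition, the libaccess_realrtsp plugin of the Windows version of the player also has a heap overflow when processing RTSP data. Sending a large number of bytes at connection time triggers this overflow.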
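The filter() excerpt above copies len-flen+1 bytes into *out without knowing that the destination holds 3200 bytes. The following is an added example, not code from this page and not the actual VLC or Xine fix: a hypothetical filter_bounded() that takes the destination capacity and rejects oversized lines, with a hypothetical helper try_value_len() that feeds it constructed input.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SDP_BUF_SIZE 3200   /* size sdpplin_parse() mallocs for buf/decoded */

/* Hypothetical bounded variant of filter(): the caller passes the capacity of
 * out. Returns the value length, 0 on no match, -1 if the value cannot fit. */
static int filter_bounded(const char *in, const char *prefix,
                          char *out, size_t out_size) {
    size_t flen, len;
    const char *eol;

    if (!in || !prefix || !out || out_size == 0) return 0;
    flen = strlen(prefix);
    eol = strchr(in, '\n');
    len = eol ? (size_t)(eol - in) : strlen(in);
    if (len < flen || strncmp(in, prefix, flen) != 0) return 0;

    if (len > flen && in[flen] == '"') flen++;      /* opening quote */
    if (len > flen && in[len - 1] == '\r') len--;   /* trailing CR */
    if (len > flen && in[len - 1] == '"') len--;    /* closing quote */

    if (len - flen >= out_size) return -1;  /* reject, never copy past out */
    memcpy(out, in + flen, len - flen);
    out[len - flen] = '\0';
    return (int)(len - flen);
}

/* Constructed input: one "a=" line carrying n filler bytes, parsed into a
 * heap buffer of the same 3200 bytes the original code uses. */
static int try_value_len(size_t n) {
    char *line = malloc(n + 5), *out = malloc(SDP_BUF_SIZE);
    int r = 0;
    if (line && out) {
        memcpy(line, "a=", 2);
        memset(line + 2, 'A', n);
        memcpy(line + 2 + n, "\r\n", 3);    /* CR LF NUL */
        r = filter_bounded(line, "a=", out, SDP_BUF_SIZE);
    }
    free(line); free(out);
    return r;
}

int main(void) {
    printf("3199 bytes -> %d\n", try_value_len(3199));
    printf("3200 bytes -> %d\n", try_value_len(3200));
    return 0;
}
```

A caller has to treat -1 as a parse failure and stop processing the description rather than continue with a stale buffer.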
Vulnerability Advisory
The vendor has released upgrade patches to fix this security issue. Patch download links:
VideoLAN VLC media player 0.8.6
Debian libvlc0-dev_0.8.6-svn20061012.debian-5.1+etch2_alpha.deb
alpha architecture (DEC Alpha)
http://security.debian.org/pool/updates/main/v/vlc/libvlc0-dev_0.8.6-svn20061012.debian-5.1+etch2_alpha.deb
Debian libvlc0-dev_0.8.6-svn20061012.debian-5.1+etch2_amd64.deb
amd64 architecture (AMD x86_64 (AMD64))
http://security.debian.org/pool/updates/main/v/vlc/libvlc0-dev_0.8.6-svn20061012.debian-5.1+etch2_amd64.deb
Debian libvlc0-dev_0.8.6-svn20061012.debian-5.1+etch2_arm.deb
arm architecture (ARM)
http://security.debian.org/pool/updates/main/v/vlc/libvlc0-dev_0.8.6-svn20061012.debian-5.1+etch2_arm.deb
Debian libvlc0-dev_0.8.6-svn20061012.debian-5.1+etch2_hppa.deb
hppa architecture (HP PA RISC)
http://security.debian.org/pool/updates/main/v/vlc/libvlc0-dev_0.8.6-svn20061012.debian-5.1+etch2_hppa.deb
Debian libvlc0-dev_0.8.6-svn20061012.debian-5.1+etch2_i386.deb
i386 architecture (Intel ia32)
http://security.debian.org/pool/updates/main/v/vlc/libvlc0-dev_0.8.6-svn20061012.debian-5.1+etch2_i386.deb
Debian libvlc0-dev_0.8.6-svn20061012.debian-5.1+etch2_ia64.deb
ia64 architecture (Intel ia64)
http://security.debian.org/pool/updates/main/v/vlc/libvlc0-dev_0.8.6-svn20061012.debian-5.1+etch2_ia64.deb
Debian libvlc0-dev_0.8.6-svn20061012.debian-5.1+etch2_mips.deb
mips architecture (MIPS (Big Endian))
http://security.debian.org/pool/updates/main/v/vlc/libvlc0-dev_0.8.6-svn20061012.debian-5.1+etch2_mips.deb
Debian libvlc0-dev_0.8.6-svn20061012.debian-5.1+etch2_mipsel.deb
mipsel architecture (MIPS (Little Endian))
http://security.debian.org/pool/updates/main/v/vlc/libvlc0-dev_0.8.6-svn20061012.debian-5.1+etch2_mipsel.deb
Debian libvlc0-dev_0.8.6-svn20061012.debian-5.1+etch2_powerpc.deb
powerpc architecture (PowerPC)
http://security.debian.org/pool/updates/main/v/vlc/libvlc0-dev_0.8.6-svn20061012.debian-5.1+etch2_powerpc.deb
Debian libvlc0-dev_0.8.6-svn20061012.debian-5.1+etch2_s390.deb
s390 architecture (IBM S/390)
http://security.debian.org/pool/updates/main/v/vlc/libvlc0-dev_0.8.6-svn20061012.debian-5.1+etch2_s390.deb
Debian libvlc0-dev_0.8.6-svn20061012.debian-5.1+etch2_sparc.deb
sparc architecture (Sun SPARC/UltraSPARC)
http://security.debian.org/pool/updates/main/v/vlc/libvlc0-dev_0.8.6-svn20061012.debian-5.1+etch2_sparc.deb
Debian libvlc0_0.8.6-svn20061012.debian-5.1+etch2_alpha.deb
alpha architecture (DEC Alpha)
http://security.debian.org/pool/updates/main/v/vlc/libvlc0_0.8.6-svn20061012.debian-5.1+etch2_alpha.deb
Debian libvlc0_0.8.6-svn20061012.debian-5.1+etch2_amd64.deb
amd64 architecture (AMD x86_64 (AMD64))
http://security.debian.org/pool/updates/main/v/vlc/libvlc0_0.8.6-svn20061012.debian-5.1+etch2_amd64.deb
Debian libvlc0_0.8.6-svn20061012.debian-5.1+etch2_arm.deb
arm architecture (ARM)
http://security.debian.org/pool/updates/main/v/vlc/libvlc0_0.8.6-svn20061012.debian-5.1+etch2_arm.deb
Debian libvlc0_0.8.6-svn20061012.debian-5.1+etch2_hppa.deb
hppa architecture (HP PA RISC)
http://security.debian.org/pool/updates/main/v/vlc/libvlc0_0.8.6-svn20061012.debian-5.1+etch2_hppa.deb
Debian libvlc0_0.8.6-svn20061012.debian-5.1+etch2_i386.deb
i386 architecture (Intel ia32)
http://security.debian.org/pool/updates/main/v/vlc/libvlc0_0.8.6-svn20061012.debian-5.1+etch2_i386.deb
Debian libvlc0_0.8.6-svn20061012.debian-5.1+etch2_ia64.deb
ia64 architecture (Intel ia64)
http://security.debian.org/pool/updates/main/v/vlc/libvlc0_0.8.6-svn20061012.debian-5.1+etch2_ia64.deb
Debian libvlc0_0.8.6-svn20061012.debian-5.1+etch2_mips.deb
mips architecture (MIPS (Big Endian))
http://security.debian.org/pool/updates/main/v/vlc/libvlc0_0.8.6-svn20061012.debian-5.1+etch2_mips.deb
Debian libvlc0_0.8.6-svn20061012.debian-5.1+etch2_mipsel.deb
mipsel architecture (MIPS (Little Endian))
http://security.debian.org/pool/updates/main/v/vlc/libvlc0_0.8.6-svn20061012.debian-5.1+etch2_mipsel.deb
Debian libvlc0_0.8.6-svn20061012.debian-5.1+etch2_powerpc.deb
powerpc architecture (PowerPC)
http://security.debian.org/pool/up
References
Source: BID
Name: 27221
Link: http://www.securityfocus.com/bid/27221
Source: VUPEN
Name: ADV-2008-0105
Link: http://www.frsirt.com/english/advisories/2008/0105
Source: SECUNIA
Name: 28383
Link: http://secunia.com/advisories/28383
Source: MISC
Link: http://aluigi.altervista.org/adv/vlcxhof-adv.txt
Source: GENTOO
Name: GLSA-200803-13
Link: http://www.gentoo.org/security/en/glsa/glsa-200803-13.xml
Source: DEBIAN
Name: DSA-1543
Link: http://www.debian.org/security/2008/dsa-1543
Source: SECUNIA
Name: 29766
Link: http://secunia.com/advisories/29766
Source: SECUNIA
Name: 29284
Link: http://secunia.com/advisories/29284
Affected Entities
- Videolan Vlc_media_player:0.8.6d
Patch
None available