Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Fri, 18 Nov 2016 17:59:40 -0500
From: <cve-assign@...re.org>
To: <meissner@...e.de>
CC: <cve-assign@...re.org>, <oss-security@...ts.openwall.com>
Subject: Re: CVE Request: gstreamer plugins

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

> Bufferoverflow in VMNC decoder in gstreamer plugins
> https://scarybeastsecurity.blogspot.de/2016/11/0day-poc-risky-design-decisions-in.html
> https://cgit.freedesktop.org/gstreamer/gst-plugins-bad/commit/gst/vmnc/vmncdec.c?id=4cb1bcf1422bbcd79c0f683edb7ee85e3f7a31fe
> https://bugzilla.gnome.org/show_bug.cgi?id=774533

>> The vmnc decoder in the gstreamer code base contains a fairly obvious
>> and simple width * height * depth integer overflow in the allocation
>> of the render buffer. From gst-plugins-bad1.0/gst/vmnc/vmncdec.c
>> 
>> vmnc_handle_wmvi_rectangle

Use CVE-2016-9445 for the integer overflow.


>> The render canvas, as allocated in the code snippet quoted way above,
>> is not black filled or otherwise initialized. The call to g_malloc()
>> is just a thin wrapper around malloc(), which does not initialize any
>> returned heap area. Therefore, there's an easy information leak in
>> thumbnailing a simple 1 frame vmnc movie that does not draw to the
>> allocated render canvas at all. This could be a problem for anyone
>> using gstreamer in a server environment to provide thumbnailing
>> services.

Use CVE-2016-9446 for the lack of initialization.


> Missing bounds check in NSF decoder in gstreamer plugins
> http://scarybeastsecurity.blogspot.de/2016/11/0day-exploit-compromising-linux-desktop.html

>> The vulnerability is in libgstnsf.so, an audio decoder present in the gstreamer-0.10 distribution.

>> 1: Lack of checking ROM size when mapping into 6502 memory and bank switching

>> an out of bounds read

>> [or] read and write control over the host emulator heap [when combined with]
>> 2: Ability to load or bank switch ROM to writable memory locations

Use CVE-2016-9447 for the entire libgstnsf.so report. The "2" issue is
not independently relevant.

- -- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
  http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJYL4d2AAoJEHb/MwWLVhi2MSsP/0H0am8yTwfPZ5wbztUSwgjZ
vyCTMEZaqx1s4sOKn5JJt5XNb4YEjVNCU7W5yrSGsdeO4kxxIerCvPTVQd6Y252Q
GLD9v6EPFT7CxK7fTTLjzBs6y30iEdbsZyPzHAqWqLma2epM4k9ubrMRuipUnPEW
TlEh7Qo0NigqWJSYdtBOLpBCAWfbDjxLVz8qbPs1C5aQ0tqJ/ZG8ArzVs3X1lVZg
BqdXGNcLk7kaJRRGXDDBL8uoFViR+QXidfJIJMHALc7sPu1TJ9mSPuxIQZ0OEODj
5Vygr5i1QA8RkWq67oI8JXVxPHDeBJVfC/p9p6Edg1bB7GH4kQDwwsneXA1kl0pu
f350Ukjkihqg22S+mMSVwKljlthX5bCjLs1kIwzO956KMGdxUb28PeRJQrrkkxmV
4aNYm0+VYM3Z6OVQOL5KWoftg+d/ivdIlQUrZbbnXrHYgH7nZQZABOx+K16rABui
fBr+3FSCs0l21NndFfWLAijCtaNO/AAzuXlVandCnI6tsY1Zlgt+YvqIr242aoQx
ogmK8/Tmtv3eO4YN7LoMTm7QHTP8C+23EA07bblDelaodk1UNY8dPMDoRcBnh3Pp
PwD55mZnyR/wpdclfc+iQWvOiMWhSbvuifxrpQF6BmjgExeQQX0dPsfloLXSLgy9
C4I8UNpl/tvSEY8uszPu
=fjKF
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.