Message-ID: <20081126095135.GD14536@fuse.inversepath.com>
Date: Wed, 26 Nov 2008 09:51:35 +0000
From: Andrea Barisani <lcars@...rt.org>
To: oss-security@...ts.openwall.com
Cc: 498243@...s.debian.org, xine-user@...ts.sourceforge.net, redpig@...rt.org
Subject: Re: xine-lib and ocert-2008-008

On Tue, Nov 25, 2008 at 07:46:19PM -0500, Steven M. Christey wrote:
> 
> On Sat, 22 Nov 2008, Thomas Viehmann wrote:
> 
> > I am not quite sure whether I can agree with Will Drewry's analysis[1]
> > accompanying ocert advisory 2008-008[1]. Looking at item 1A, which Will
> > says is fixed in 1.1.5, attached .mov seems to fit the case description
> > and will still corrupt the memory when viewed e.g. in gxine.
> 
> This has finally prompted me to process CVEs for the issues originally
> disclosed by Will back in August.  Our analysts didn't have a very
> pleasant time with the volume and complexity, I'm sure.  Sorry it took so
> long.
>

Steve, thanks for this assignment, I updated our advisory with the
references.  We'll try to take a look at the new test case sometime next
week.

Cheers

> CVE-2008-5234 includes two separate bugs, one of which is the item 1A you
> mention (parse_moov_atom in demux_qt.c). If CVE-2008-5234 actually wasn't
> fixed in 1.1.15, we might need a new CVE to handle the variant.
> 
> There are also some cases where an xine bug announcement includes some
> bugs that weren't covered by Will's analysis; those won't have an OCERT
> reference.
> 
> CVE-2008-5236 and CVE-2008-5237, and possibly others, don't have a
> "CONFIRM" reference in them - which implies that, based on CVE analysis,
> the upstream vendor didn't provide enough clear evidence of a fix.
> 
> My brain is too fried to process the followup comment that listed
> individual patches.
> 
> - Steve
> 

-- 
Andrea Barisani |                Founder & Project Coordinator
          oCERT | Open Source Computer Emergency Response Team

<lcars@...rt.org>                         http://www.ocert.org
 0x864C9B9E 0A76 074A 02CD E989 CE7F AC3F DA47 578E 864C 9B9E
        "Pluralitas non est ponenda sine necessitate"
