Message-ID: <2359eed20902070845u22d09e7dq793ccef181b3b5d3@mail.gmail.com>
Date: Sat, 7 Feb 2009 10:45:11 -0600
From: Will Drewry <redpig@...rt.org>
To: oss-security@...ts.openwall.com, ocert-announce@...ts.ocert.org, 
	bugtraq@...urityfocus.com
Subject: [oCERT-2009-002] OpenCORE insufficient bounds checking during MP3 
	decoding

#2009-002 OpenCORE insufficient bounds checking during MP3 decoding

Description:

OpenCORE, an open source multimedia decoding subsystem, suffers from an
integer underflow during Huffman decoding resulting in improper bounds
checking when writing to a heap allocated buffer.  Decoding a specially
crafted mp3 file will result in unexpected process termination or,
potentially, arbitrary code execution due to heap corruption.

Patches have been made available by PacketVideo:

   http://ocert.org/patches/2009-002/opencore_mp3_dec.patch
   http://review.source.android.com/Gerrit#change,8815


Affected version:

OpenCore <= 2.0

(secondary affected versions)

Android without change 8815


Fixed version:

OpenCore >= 2.0 with change 8815

Android with change 8815


Credit: Initial vulnerability report and sample crasher provided by
        Owen Arden <owen@...urityevaluators.com> and
        Charlie Miller <cmiller@...urityevaluators.com>.
        Thanks to PacketVideo for the comprehensive analysis and
        patching.


CVE: CVE-2009-0475


Timeline:
2009-01-21: Android Security Team informed of issue
2009-01-23: Android Security Team requested coordination aid from oCERT
2009-01-24: oCERT investigated for other potential affected projects
2009-02-05: vendor supplied patch
2009-02-05: vendor indicated that no other open source projects affected
2009-02-05: did not discover other open source projects affected
2009-02-05: emailed vendor-sec@....de as a cross-check
2009-02-06: supplied vulnerability analysis to upstream vendor
2009-02-06: walked through affected code with upstream vendor
2009-02-06: CVE assignment requested and received
2009-02-07: advisory published


References:
http://review.source.android.com/Gerrit#change,8815
http://review.source.android.com/Gerrit#change,8604
http://android.git.kernel.org/?p=platform/external/opencore.git;a=summary
http://android.git.kernel.org/?p=platform/external/opencore.git;a=blob;f=codecs_v2/audio/mp3/dec/src/pvmp3_huffman_parsing.cpp;h=491c0cc1b05adecb4ed2d53489c82e7fb4f46108;hb=d8b443ddaa386ed85ba31fbd663c40423a8d4ded
http://android.git.kernel.org/?p=platform/external/opencore.git;a=blob;f=codecs_v2/audio/mp3/dec/src/pvmp3_mpeg2_stereo_proc.cpp;h=bc4c227fbd60f3f0a90355d7d52c71d46cd4a87c;hb=d8b443ddaa386ed85ba31fbd663c40423a8d4ded


Links:
http://www.packetvideo.com/products/core/index.html
http://android.git.kernel.org
http://android.com


Permalink:
http://www.ocert.org/advisories/ocert-2009-002.html


--
Will Drewry <redpig@...rt.org>
oCERT Team :: http://ocert.org
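
The bug class named in the advisory (an integer underflow that defeats a bounds check before a buffer write), shown as an added illustration. This is not OpenCORE code and is not taken from the PacketVideo patch; the function names, the 576-sample capacity and the sample values are all constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define OUT_CAP 576u /* constructed capacity of the output buffer, in samples */

/* Flawed pattern: remaining room comes from an unsigned subtraction. When a
 * stream-derived position exceeds the capacity, the result wraps to a huge
 * value and every count passes the check. */
static int room_ok_flawed(uint32_t used, uint32_t count)
{
    uint32_t room = OUT_CAP - used; /* underflows when used > OUT_CAP */
    return count <= room;
}

/* Hardened pattern: reject an inconsistent position before subtracting. */
static int room_ok_hardened(uint32_t used, uint32_t count)
{
    if (used > OUT_CAP)
        return 0;
    return count <= OUT_CAP - used;
}

/* Store decoded values only if the hardened check passes; returns the number
 * of values written (0 means the input was rejected). */
static size_t store_values(int32_t *out, uint32_t *used,
                           const int32_t *vals, uint32_t count)
{
    if (!room_ok_hardened(*used, count))
        return 0;
    for (uint32_t i = 0; i < count; i++)
        out[*used + i] = vals[i];
    *used += count;
    return count;
}

int main(void)
{
    int32_t out[OUT_CAP] = {0};
    const int32_t vals[4] = {1, 2, 3, 4};
    uint32_t used = 580; /* constructed: position already past the end */

    printf("flawed check admits write:   %d\n", room_ok_flawed(used, 4));
    printf("hardened check admits write: %d\n", room_ok_hardened(used, 4));
    printf("values stored: %zu\n", store_values(out, &used, vals, 4));
    return 0;
}
```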
