oss-sec mailing list archives
Re: xine-lib and ocert-2008-008
From: Andrea Barisani <lcars () ocert org>
Date: Wed, 26 Nov 2008 09:51:35 +0000
On Tue, Nov 25, 2008 at 07:46:19PM -0500, Steven M. Christey wrote:
> On Sat, 22 Nov 2008, Thomas Viehmann wrote:
>
> > I am not quite sure whether I can agree with Will Drewry's analysis[1]
> > accompanying ocert advisory 2008-008[1]. Looking at item 1A, which Will
> > says is fixed in 1.1.5, attached .mov seems to fit the case description
> > and will still corrupt the memory when viewed e.g. in gxine.
>
> This has finally prompted me to process CVEs for the issues originally
> disclosed by Will back in August. Our analysts didn't have a very pleasant
> time with the volume and complexity, I'm sure. Sorry it took so long.

Steve, thanks for this assignment, I updated our advisory with the
references. We'll try to take a look at the new test case sometime next
week.

Cheers

> CVE-2008-5234 includes two separate bugs, one of which is the item 1A you
> mention (parse_moov_atom in demux_qt.c). If CVE-2008-5234 actually wasn't
> fixed in 1.1.15, we might need a new CVE to handle the variant.
>
> There are also some cases where an xine bug announcement includes some
> bugs that weren't covered by Will's analysis; those won't have an OCERT
> reference.
>
> CVE-2008-5236 and CVE-2008-5237, and possibly others, don't have a
> "CONFIRM" reference in them - which implies that, based on CVE analysis,
> the upstream vendor didn't provide enough clear evidence of a fix.
>
> My brain is too fried to process the followup comment that listed
> individual patches.
>
> - Steve
-- 
Andrea Barisani | Founder & Project Coordinator
oCERT | Open Source Computer Emergency Response Team
<lcars () ocert org>
http://www.ocert.org
0x864C9B9E 0A76 074A 02CD E989 CE7F AC3F DA47 578E 864C 9B9E
"Pluralitas non est ponenda sine necessitate"
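The report quoted above concerns a crafted .mov that corrupts memory in the moov-atom parser of xine-lib's QuickTime demuxer. The thread gives no details of the bug itself and the following is not an attempt to reproduce it, nor is it xine-lib code; it is an added example showing the check a QuickTime/MP4 atom walker needs before it trusts an atom's declared size. An atom header is a 4-byte big-endian size followed by a 4-byte type; a size of 1 means a 64-bit size follows the type, and a size of 0 means the atom runs to the end of the data. Every size below is validated against the bytes actually remaining before the cursor moves, so a hostile size cannot push the offset outside the buffer. The sample buffers are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Outcome of walking the top-level atoms of one buffer. */
typedef struct {
    int ok;        /* 1 if every atom header was consistent with the buffer */
    int atoms;     /* number of atoms accepted */
    int saw_moov;  /* 1 if a 'moov' atom was among them */
} walk_result;

static uint32_t rd32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

static uint64_t rd64(const uint8_t *p) {
    return ((uint64_t)rd32(p) << 32) | (uint64_t)rd32(p + 4);
}

/* Walk atoms in buf[0..len). Rejects a truncated header, a size smaller
   than the header that carries it, and a size that overruns the buffer.
   Only after those checks pass is the offset advanced. */
walk_result walk_atoms(const uint8_t *buf, size_t len) {
    walk_result r = {1, 0, 0};
    size_t off = 0;

    while (off < len) {
        size_t remaining = len - off;
        if (remaining < 8) { r.ok = 0; break; }        /* truncated header */

        uint64_t size = rd32(buf + off);
        size_t hdr = 8;
        if (size == 1) {                                /* 64-bit extended size */
            if (remaining < 16) { r.ok = 0; break; }
            size = rd64(buf + off + 8);
            hdr = 16;
        } else if (size == 0) {                         /* atom runs to end of data */
            size = remaining;
        }

        /* The header must fit inside the atom, and the atom inside the buffer. */
        if (size < hdr || size > remaining) { r.ok = 0; break; }

        if (memcmp(buf + off + 4, "moov", 4) == 0) r.saw_moov = 1;
        r.atoms++;
        off += (size_t)size;
    }
    return r;
}

/* Constructed sample inputs (not real files). */
const uint8_t sample_good[24] = {                       /* ftyp(16) + empty moov(8) */
    0x00,0x00,0x00,0x10, 'f','t','y','p', 'q','t',' ',' ', 0x00,0x00,0x00,0x00,
    0x00,0x00,0x00,0x08, 'm','o','o','v' };
const uint8_t sample_oversize[16] = {                   /* claims 2 GiB in 16 bytes */
    0x7f,0xff,0xff,0xff, 'm','o','o','v', 0,0,0,0, 0,0,0,0 };
const uint8_t sample_undersize[16] = {                  /* size 4 < 8-byte header */
    0x00,0x00,0x00,0x04, 'f','r','e','e', 0,0,0,0, 0,0,0,0 };
const uint8_t sample_extended[20] = {                   /* size 1 -> 64-bit size 20 */
    0x00,0x00,0x00,0x01, 'm','d','a','t',
    0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x14,
    0xde,0xad,0xbe,0xef };

static void report(const char *name, const uint8_t *b, size_t n) {
    walk_result r = walk_atoms(b, n);
    printf("%-10s ok=%d atoms=%d moov=%d\n", name, r.ok, r.atoms, r.saw_moov);
}

int main(void) {
    report("good",      sample_good,      sizeof sample_good);
    report("oversize",  sample_oversize,  sizeof sample_oversize);
    report("undersize", sample_undersize, sizeof sample_undersize);
    report("extended",  sample_extended,  sizeof sample_extended);
    return 0;
}
```

The two hostile samples are the shapes a fuzzer finds first: a size far larger than the input, and a size smaller than the header itself (which, if subtracted from a length without a check, wraps to a huge value). Both are rejected before any pointer is moved.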
Current thread:
- xine-lib and ocert-2008-008 Thomas Viehmann (Nov 22)
- Re: xine-lib and ocert-2008-008 Matthias Hopf (Nov 24)
- Re: Bug#498243: xine-lib and ocert-2008-008 Darren Salt (Nov 26)
- Re: xine-lib and ocert-2008-008 Steven M. Christey (Nov 25)
- Re: xine-lib and ocert-2008-008 Andrea Barisani (Nov 26)
- Re: xine-lib and ocert-2008-008 Nico Golde (Nov 28)
- Re: xine-lib and ocert-2008-008 Nico Golde (Nov 28)
- Re: xine-lib and ocert-2008-008 Nico Golde (Dec 03)
- Re: xine-lib and ocert-2008-008 Nico Golde (Dec 03)
- Re: xine-lib and ocert-2008-008 Nico Golde (Dec 03)
- Re: xine-lib and ocert-2008-008 Matthias Hopf (Nov 24)