Re: xine-lib and ocert-2008-008

[Andrea Barisani <lcars () ocert org>]

On Tue, Nov 25, 2008 at 07:46:19PM -0500, Steven M. Christey wrote:
> On Sat, 22 Nov 2008, Thomas Viehmann wrote:
>
> > I am not quite sure whether I can agree with Will Drewry's analysis[1]
> > accompanying ocert advisory 2008-008[1]. Looking at item 1A, which Will
> > says is fixed in 1.1.5, attached .mov seems to fit the case description
> > and will still corrupt the memory when viewed e.g. in gxine.
>
> This has finally prompted me to process CVE's for the issues originally
> disclosed by Will back in August.  Our analysts didn't have a very
> pleasant time with the volume and complexity, I'm sure.  Sorry it took so
> long.

Steve, thanks for this assignment, I updated our advisory with the
references.  We'll try to take a look at the new test case sometimes next
week.

Cheers

> CVE-2008-5234 includes two separate bugs, one of which is the item 1A you
> mention (parse_moov_atom in demux_qt.c). If CVE-2008-5234 actually wasn't
> fixed in 1.1.15, we might need a new CVE to handle the variant.
>
> There are also some cases where an xine bug announcement includes some
> bugs that weren't covered by Will's analysis; those won't have an OCERT
> reference.
>
> CVE-2008-5236 and CVE-2008-5237, and possibly others, don't have a
> "CONFIRM" reference in them - which implies that, based on CVE analysis,
> the upstream vendor didn't provide enough clear evidence of a fix.
>
> My brain is too fried to process the followup comment that listed
> individual patches.
>
> - Steve

-- 
Andrea Barisani |                Founder & Project Coordinator
          oCERT | Open Source Computer Emergency Response Team

<lcars () ocert org>                         http://www.ocert.org
 0x864C9B9E 0A76 074A 02CD E989 CE7F AC3F DA47 578E 864C 9B9E
        "Pluralitas non est ponenda sine necessitate"