oss-sec mailing list archives

Re: xine-lib and ocert-2008-008

From: Nico Golde <oss-security+ml () ngolde de>
Date: Wed, 3 Dec 2008 20:03:07 +0100

Hi,
* Steven M. Christey <coley () linus mitre org> [2008-11-26 09:27]:
[...]

======================================================
Name: CVE-2008-5248
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5248
Reference: CONFIRM:http://sourceforge.net/project/shownotes.php?release_id=619869

xine-lib before 1.1.15 allows remote attackers to cause a denial of
service (crash) via "MP3 files with metadata consisting only of
separators."


http://hg.debian.org/hg/xine-lib/xine-lib?cmd=changeset;node=60ab5d2bdd82

This is the corresponding upstream patch.
139   i = len - 1;
140
141   while ((i >= 0) && ((unsigned char)str[i] <= 32)) {
142     str[i] = 0;
143     i--;
144   }

If len is size_t this is the problematic code if i len is 0 this will result in
a 0 bytes written all over the memory because of integer promotion.

Cheers
Nico

-- 
Nico Golde - http://www.ngolde.de - nion () jabber ccc de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

Attachment: _bin
Description:

Current thread:

xine-lib and ocert-2008-008 Thomas Viehmann (Nov 22)
- Re: xine-lib and ocert-2008-008 Matthias Hopf (Nov 24)
  - Re: Bug#498243: xine-lib and ocert-2008-008 Darren Salt (Nov 26)
- Re: xine-lib and ocert-2008-008 Steven M. Christey (Nov 25)
  - Re: xine-lib and ocert-2008-008 Andrea Barisani (Nov 26)
  - Re: xine-lib and ocert-2008-008 Nico Golde (Nov 28)
  - Re: xine-lib and ocert-2008-008 Nico Golde (Nov 28)
  - Re: xine-lib and ocert-2008-008 Nico Golde (Dec 03)
  - Re: xine-lib and ocert-2008-008 Nico Golde (Dec 03)
  - Re: xine-lib and ocert-2008-008 Nico Golde (Dec 03)