*** This bug is a security vulnerability *** You have been subscribed to a public security bug by Jamie Strandboge (jdstrand):
Binary package hint: vlc

http://www.trapkit.de/advisories/TKADV2008-011.txt

Includes: hardy, intrepid, jaunty

Advisory:               VLC media player RealText Processing Stack Overflow Vulnerability
Advisory ID:            TKADV2008-011
Revision:               1.0
Release Date:           2008/11/05
Last Modified:          2008/11/05
Date Reported:          2008/11/03
Author:                 Tobias Klein (tk at trapkit.de)
Affected Software:      VLC media player < 0.9.6
Remotely Exploitable:   Yes
Locally Exploitable:    No
Vendor URL:             http://www.videolan.org/
Vendor Status:          Vendor has released an updated version
Patch development time: 2 days

======================
Vulnerability details:
======================

The VLC media player contains a stack overflow vulnerability while parsing
malformed RealText (rt) subtitle files. The vulnerability can be trivially
exploited by a (remote) attacker to execute arbitrary code in the context of
VLC media player.

VLC handles subtitles automatically. It just checks for the presence of a
subtitle file with the same name as the loaded video. If such a subtitle file
is found, VLC loads and parses the file.

==================
Technical Details:
==================

Source code file: modules\demux\subtitle.c

[...]
    static int ParseRealText( demux_t *p_demux, subtitle_t *p_subtitle, int i_idx )
    {
        VLC_UNUSED( i_idx );
        demux_sys_t *p_sys = p_demux->p_sys;
        text_t *txt = &p_sys->txt;
        char *psz_text = NULL;
        char psz_end[12]= "", psz_begin[12] = "";                        /* [1] */

        for( ;; )
        {
            int h1 = 0, m1 = 0, s1 = 0, f1 = 0;
            int h2 = 0, m2 = 0, s2 = 0, f2 = 0;
            const char *s = TextGetLine( txt );
            free( psz_text );

            if( !s )
                return VLC_EGENERIC;

            psz_text = malloc( strlen( s ) + 1 );
            if( !psz_text )
                return VLC_ENOMEM;

            /* Find the good beginning. This removes extra spaces at the
               beginning of the line. */
            char *psz_temp = strcasestr( s, "<time" );
            if( psz_temp != NULL )
            {
                /* Line has begin and end */
                if( ( sscanf( psz_temp,                                   /* [2] */
                              "<%*[t|T]ime %*[b|B]egin=\"%[^\"]\" %*[e|E]nd=\"%[^\"]%*[^>]%[^\n\r]",
                              psz_begin, psz_end, psz_text ) != 3 ) &&
                    /* Line has begin and no end */
                    ( sscanf( psz_temp,                                   /* [3] */
                              "<%*[t|T]ime %*[b|B]egin=\"%[^\"]\"%*[^>]%[^\n\r]",
                              psz_begin, psz_text ) != 2 ) )
                    /* Line is not recognized */
                {
                    continue;
                }
[...]

[1] The stack buffers "psz_end" and "psz_begin" can be overflowed.

[2] The sscanf() function reads its input from a user controlled character
    string pointed to by "psz_temp". The user controlled data gets stored in
    the stack buffers "psz_end" and "psz_begin" without any bounds checking.
    This leads to a straight stack overflow that can be trivially exploited
    by a (remote) attacker to execute arbitrary code in the context of VLC.

[3] See [2].

=========
Solution:
=========

See the "Workarounds" and "Solution" sections of VideoLAN-SA-0810 [1].

========
History:
========

2008/11/03 - Vendor notified
2008/11/04 - Patch developed by VideoLAN team
2008/11/05 - Public disclosure of vulnerability details by the vendor
2008/11/05 - Release date of this security advisory

========
Credits:
========

Vulnerability found and advisory written by Tobias Klein.

===========
References:
===========

[1] http://www.videolan.org/security/sa0810.html
[2] http://git.videolan.org/?p=vlc.git;a=commitdiff;h=e3cef651125701a2e33a8d75b815b3e39681a447
[3] http://www.trapkit.de/advisories/TKADV2008-011.txt

** Affects: vlc (Ubuntu)
     Importance: Undecided
         Status: New

-- 
VLC media player RealText Processing Stack Overflow
https://bugs.launchpad.net/bugs/295464
You received this bug notification because you are a member of Ubuntu Bugs,
which is a direct subscriber.
-- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
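As an added example, not code from the advisory, from VLC or from the vendor's fix: a bounded rewrite of the two sscanf() calls marked [2] and [3], showing how a maximum field width keeps the 12-byte begin/end buffers from being overrun and how an over-long attribute is then rejected rather than silently truncated. The helper names, the cue-text bound and the sample lines are assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

#define TIME_LEN 12   /* same size as the advisory's psz_begin / psz_end */
#define TEXT_LEN 256  /* assumed bound for the cue text */
/* Stand-in for strcasestr(), which needs _GNU_SOURCE on glibc. */
static const char *find_time_tag(const char *s)
{
    for (; *s; s++)
        if (strncasecmp(s, "<time", 5) == 0)
            return s;
    return NULL;
}

/* Bounded rewrite of the sscanf() calls marked [2] and [3]. Returns 1 when
 * line is a <time begin="..."> tag (optionally with end="...") whose values
 * fit in TIME_LEN - 1 characters, 0 otherwise; end[0] == '\0' means no end. */
int parse_realtext_time(const char *line, char begin[TIME_LEN],
                        char end[TIME_LEN], char text[TEXT_LEN])
{
    int n = 0;                        /* bytes consumed by sscanf(), via %n */
    const char *tag = find_time_tag(line);
    begin[0] = end[0] = text[0] = '\0';
    if (tag == NULL)
        return 0;
    /* The fix is the maximum field width 11 on each %[...] conversion: sscanf()
     * stops after 11 characters, so the 12-byte buffer cannot be overrun. A longer
     * value leaves the closing quote unmatched, %n is never reached (n stays 0),
     * and the line is rejected instead of being parsed with a truncated value. */
    if (sscanf(tag, "<%*[tT]ime %*[bB]egin=\"%11[^\"]\"%n", begin, &n) != 1 || n == 0) {
        begin[0] = '\0';
        return 0;
    }
    tag += n;
    n = 0;
    if (sscanf(tag, " %*[eE]nd=\"%11[^\"]\"%n", end, &n) == 1 && n > 0)
        tag += n;
    else
        end[0] = '\0';                /* no end attribute, or one that did not fit */
    /* Only whitespace may remain before '>'; an unparsed end="..." lands here. */
    while (*tag == ' ' || *tag == '\t')
        tag++;
    if (*tag != '>') { begin[0] = end[0] = '\0'; return 0; }
    snprintf(text, TEXT_LEN, "%s", tag + 1);   /* cue text, explicitly bounded */
    text[strcspn(text, "\r\n")] = '\0';
    return 1;
}
```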