Vulnerability details
VLC media player multiple stack overflow vulnerabilities
- CNNVD ID: CNNVD-200811-143
- Severity: Medium
- CVE ID: CVE-2008-5032
- Vulnerability type: buffer overflow
- Published: 2008-11-10
- Threat type: remote
- Updated: 2009-03-18
- Vendor: videolan
- Source: Tobias Klein
Summary
VideoLAN VLC media player is a free, open-source, cross-platform multimedia player (and multimedia framework) developed by the French VideoLAN organization. It plays a range of media sources (files, optical discs, etc.) and audio/video formats (WMV, MP3, etc.).
VLC media player contains a stack overflow when parsing a malformed cue file. The vulnerable code is in modules\access\vcd\cdrom.c:
[...]
    /* Try to parse the i_tracks and p_sectors info so we can just forget
     * about the cuefile */
    if( i_ret == 0 )
    {
[1]     int p_sectors[100];
        int i_tracks = 0;
        int i_num;
        char psz_dummy[10];

[2]     while( fgets( line, 1024, cuefile ) )
        {
            /* look for a TRACK line */
            if( !sscanf( line, "%9s", psz_dummy ) ||
                strcmp(psz_dummy, "TRACK") )
                continue;

            /* look for an INDEX line */
[3]         while( fgets( line, 1024, cuefile ) )
            {
                int i_min, i_sec, i_frame;

[4]             if( (sscanf( line, "%9s %2u %2u:%2u:%2u", psz_dummy, &i_num,
                             &i_min, &i_sec, &i_frame ) != 5) || (i_num != 1) )
                    continue;

[5]             i_tracks++;
[6]             p_sectors[i_tracks - 1] = MSF_TO_LBA(i_min, i_sec, i_frame);
                msg_Dbg( p_this, "vcd track %i begins at sector:%i",
                         i_tracks - 1, p_sectors[i_tracks - 1] );
                break;
            }
        }
[...]
[1] This stack buffer can be overflowed.
[2] + [3] User-controlled data from the cue file is stored in line.
[4] The user-controlled data is parsed and copied into i_min, i_sec and i_frame.
[5] The i_tracks counter is incremented.
[6] User-controlled data derived from i_min, i_sec and i_frame is written into the stack buffer p_sectors, with i_tracks used as the array index. Because i_tracks has no upper bound, a cue file that declares a large number of tracks overflows the p_sectors stack buffer.
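The following is an added example, not code from the advisory or from VLC: a bounded version of the TRACK/INDEX loop that refuses a cue sheet declaring more tracks than p_sectors can hold, instead of indexing past the array at [6]. The MSF_TO_LBA definition, the in-memory next_line() reader that stands in for fgets(), and the sample cue sheet are assumptions made for this example; the 100-entry cap mirrors the array size at [1].

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Capacity of the fixed stack array in the original code ([1]). */
#define MAX_TRACKS 100

/* Assumed MSF -> LBA conversion (75 frames per second, 60 seconds per
 * minute). VLC's own MSF_TO_LBA macro is not shown on the page; this
 * definition exists only so the example is self-contained. */
#define MSF_TO_LBA(min, sec, frame) \
    ((int)(frame) + 75 * ((int)(sec) + 60 * (int)(min)))

/* Stand-in for fgets() on an in-memory cue sheet: copies the next line
 * (without its newline, truncated to max-1 bytes) into line and returns
 * the position of the following line, or NULL at end of input. */
static const char *next_line(const char *pos, char *line, size_t max)
{
    if (pos == NULL || *pos == '\0')
        return NULL;
    const char *nl = strchr(pos, '\n');
    size_t full = nl ? (size_t)(nl - pos) : strlen(pos);
    size_t len = full < max ? full : max - 1;   /* truncate, never overflow */
    memcpy(line, pos, len);
    line[len] = '\0';
    return nl ? nl + 1 : pos + full;
}

/* Hardened version of the TRACK/INDEX loop from cdrom.c. Returns the
 * number of tracks stored in p_sectors (capacity max_tracks), or -1 if the
 * cue sheet declares more tracks than the array can hold. */
int parse_cue_tracks(const char *cue, int *p_sectors, int max_tracks)
{
    char line[1024];
    char psz_dummy[10];
    int i_tracks = 0;
    const char *pos = cue;

    while ((pos = next_line(pos, line, sizeof line)) != NULL)
    {
        /* look for a TRACK line */
        if (sscanf(line, "%9s", psz_dummy) != 1 ||
            strcmp(psz_dummy, "TRACK") != 0)
            continue;

        /* look for its INDEX 01 line */
        while ((pos = next_line(pos, line, sizeof line)) != NULL)
        {
            unsigned i_num, i_min, i_sec, i_frame;

            if (sscanf(line, "%9s %2u %2u:%2u:%2u", psz_dummy, &i_num,
                       &i_min, &i_sec, &i_frame) != 5 ||
                strcmp(psz_dummy, "INDEX") != 0 || i_num != 1)
                continue;

            /* The check the original lacks: never index past the array. */
            if (i_tracks >= max_tracks)
                return -1;

            p_sectors[i_tracks] = MSF_TO_LBA(i_min, i_sec, i_frame);
            i_tracks++;
            break;
        }
    }
    return i_tracks;
}

/* Constructed sample cue sheet (not from the advisory). */
static const char SAMPLE_CUE[] =
    "FILE \"disc.bin\" BINARY\n"
    "  TRACK 01 MODE2/2352\n"
    "    INDEX 01 00:00:00\n"
    "  TRACK 02 MODE2/2352\n"
    "    INDEX 00 00:01:74\n"
    "    INDEX 01 00:02:00\n";

/* Parses the sample and returns the start LBA of track idx, or -1. */
int sample_track_lba(int idx)
{
    int sectors[MAX_TRACKS];
    int n = parse_cue_tracks(SAMPLE_CUE, sectors, MAX_TRACKS);
    if (n < 0 || idx < 0 || idx >= n)
        return -1;
    return sectors[idx];
}

/* Builds a cue sheet declaring n tracks and parses it, so the bound check
 * can be exercised at and just beyond the array capacity. */
int parse_generated_cue(int n)
{
    size_t cap = (size_t)n * 64 + 1;
    char *buf = malloc(cap);
    if (buf == NULL)
        return -1;
    size_t used = 0;
    for (int i = 0; i < n; i++)
        used += (size_t)snprintf(buf + used, cap - used,
                                 "TRACK %02d AUDIO\n  INDEX 01 %02d:%02d:00\n",
                                 (i % 99) + 1, i / 60, i % 60);
    int sectors[MAX_TRACKS];
    int result = parse_cue_tracks(buf, sectors, MAX_TRACKS);
    free(buf);
    return result;
}

int main(void)
{
    printf("sample: track 0 at LBA %d, track 1 at LBA %d\n",
           sample_track_lba(0), sample_track_lba(1));
    printf("100-track sheet -> %d, 101-track sheet -> %d (rejected)\n",
           parse_generated_cue(100), parse_generated_cue(101));
    return 0;
}
```

The bound is checked before the store rather than after the increment, so the function fails closed on the 101st INDEX line instead of writing one element past the array; the rest of the loop keeps the shape of the original so the two can be compared line by line.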
VLC media player also contains a second stack overflow when parsing a malformed rt subtitle file. The vulnerable code is in modules\demux\subtitle.c:
[...]
static int ParseRealText( demux_t *p_demux, subtitle_t *p_subtitle,
                          int i_idx )
{
    VLC_UNUSED( i_idx );
    demux_sys_t *p_sys = p_demux->p_sys;
    text_t *txt = &p_sys->txt;
    char *psz_text = NULL;
[1] char psz_end[12]= "", psz_begin[12] = "";

    for( ;; )
    {
        int h1 = 0, m1 = 0, s1 = 0, f1 = 0;
        int h2 = 0, m2 = 0, s2 = 0, f2 = 0;
        const char *s = TextGetLine( txt );
        free( psz_text );

        if( !s )
            return VLC_EGENERIC;

        psz_text = malloc( strlen( s ) + 1 );
        if( !psz_text )
            return VLC_ENOMEM;

        /* Find the good begining. This removes extra spaces at the
           beginning of the line.*/
        char *psz_temp = strcasestr( s, "<time");
        if( psz_temp != NULL )
        {
            /* Line has begin and end */
[2]         if( ( sscanf( psz_temp,
                  "<%*[t|T]ime %*[b|B]egin=\"%[^\"]\" %*[e|E]nd=\"%[^\"]%*[^>]%[^\n\r]",
                  psz_begin, psz_end, psz_text) != 3 ) &&
                /* Line has begin and no end */
[3]             ( sscanf( psz_temp,
                  "<%*[t|T]ime %*[b|B]egin=\"%[^\"]\"%*[^>]%[^\n\r]",
                  psz_begin, psz_text ) != 2) )
                /* Line is not recognized */
            {
                continue;
            }
[...]
[1] The stack buffers psz_end and psz_begin can be overflowed.
[2] sscanf() reads input from the user-controlled string pointed to by psz_temp and stores user-controlled data into psz_end and psz_begin without any bounds check (the %[^"] conversions carry no field width).
[3] Same as [2].
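The following is an added example, not code from the advisory or from VLC: a bounded replacement for the two sscanf() calls at [2] and [3] that extracts the begin and end attributes into 12-byte buffers (the size at [1]) and rejects a line whose value would not fit, instead of writing past the buffer. The get_quoted_attr() helper, the lowercase-only tag matching and the sample subtitle lines are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>

/* Size of the psz_begin / psz_end stack buffers in the original code ([1]). */
#define RT_TIME_LEN 12

/* Copies the double-quoted value that follows attr (e.g. " begin=") into
 * out. Returns 1 on success, 0 if the attribute is absent or unquoted, and
 * -1 if the value would not fit in cap bytes: the line is rejected rather
 * than truncated or, as in the original, written past the buffer. */
static int get_quoted_attr(const char *tag, const char *attr,
                           char *out, size_t cap)
{
    const char *p = strstr(tag, attr);
    if (p == NULL)
        return 0;
    p += strlen(attr);
    if (*p != '"')
        return 0;
    p++;
    const char *q = strchr(p, '"');
    if (q == NULL)
        return 0;
    size_t len = (size_t)(q - p);
    if (len >= cap)
        return -1;
    memcpy(out, p, len);
    out[len] = '\0';
    return 1;
}

/* Bounded counterpart of the sscanf() calls at [2] and [3]. Returns 2 when
 * begin and end were extracted, 1 when only begin was, 0 when the line has
 * no recognisable <time> tag, and -1 when a value is too long for cap.
 * Lowercase tag and attribute names are assumed for the example. */
int parse_rt_time_tag(const char *line, char *begin, char *end, size_t cap)
{
    begin[0] = '\0';
    end[0] = '\0';
    const char *tag = strstr(line, "<time");
    if (tag == NULL)
        return 0;
    int rb = get_quoted_attr(tag, " begin=", begin, cap);
    if (rb != 1)
        return rb;              /* 0: no begin attribute, -1: too long */
    int re = get_quoted_attr(tag, " end=", end, cap);
    if (re == -1)
        return -1;
    return re == 1 ? 2 : 1;
}

/* Constructed sample subtitle lines (not from the advisory). */
static const char RT_GOOD[]       = "<time begin=\"0:00:01.0\" end=\"0:00:04.5\">Hello</time>";
static const char RT_BEGIN_ONLY[] = "<time begin=\"0:00:05.0\">World";
static const char RT_OVERLONG[]   = "<time begin=\"0:00:00.000000000000000\" end=\"0:00:09.0\">x";

/* Runs the parser on one line with buffers sized like VLC's. */
int rt_demo(const char *line)
{
    char psz_begin[RT_TIME_LEN], psz_end[RT_TIME_LEN];
    return parse_rt_time_tag(line, psz_begin, psz_end, sizeof psz_begin);
}

/* Returns 1 if the begin value parsed from line equals expected. */
int rt_begin_equals(const char *line, const char *expected)
{
    char psz_begin[RT_TIME_LEN], psz_end[RT_TIME_LEN];
    if (parse_rt_time_tag(line, psz_begin, psz_end, sizeof psz_begin) < 1)
        return 0;
    return strcmp(psz_begin, expected) == 0;
}

int main(void)
{
    printf("begin+end line -> %d\n", rt_demo(RT_GOOD));
    printf("begin-only line -> %d\n", rt_demo(RT_BEGIN_ONLY));
    printf("over-long begin -> %d (rejected)\n", rt_demo(RT_OVERLONG));
    return 0;
}
```

A field width such as %11[^"] would stop sscanf() from overflowing, but on an over-long value the following literal quote then fails to match and the call returns a partial count, so the caller still has to treat that count as a rejected line; the helper above makes the length decision explicit instead.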
char *s,*mailbox,tmp[MAILTMPLEN],path[MAILTMPLEN];
STRING st;
struct stat sbuf;
/* have a mailbox specifier? */
if (mailbox = strchr (user,'+')) {
  *mailbox++ = '\0'; /* yes, tie off user name */
  if (!*mailbox || !strcmp ("INBOX",ucase (strcpy (tmp,mailbox))))
    mailbox = NIL; /* user+ and user+INBOX same as user */
}
(..)
The user+folder command-line argument reaches deliver() and getusername() through the character pointers s and user respectively. The folder part is split off from the user part and copied into the tmp buffer. Because that buffer lives on the stack, an over-long folder name overwrites data on the stack.
Advisory
The vendor has released an upgrade patch that fixes this issue; download link:
VideoLAN
--------
http://www.videolan.org/
Temporary workaround:
* Manually delete the VCD and Subtitles plugins (libvcd_plugin.* and libsubtitle_plugin.*) from the VLC plugin installation directory.
References
Source: XF
Name: vlcmediaplayer-cue-bo(46375)
Link: http://xforce.iss.net/xforce/xfdb/46375
Source: www.videolan.org
Link: http://www.videolan.org/security/sa0810.HTML
Source: MISC
Link: http://www.trapkit.de/advisories/TKADV2008-012.txt
Source: BID
Name: 32125
Link: http://www.securityfocus.com/bid/32125
Source: BUGTRAQ
Name: 20081106 [TKADV2008-012] VLC media player cue Processing Stack Overflow Vulnerability
Link: http://www.securityfocus.com/archive/1/archive/1/498112/100/0/threaded
Source: MLIST
Name: [oss-security] 20081110 Re: CVE id request: vlc
Link: http://www.openwall.com/lists/oss-security/2008/11/10/13
Source: MLIST
Name: [oss-security] 20081105 CVE id request: vlc
Link: http://www.openwall.com/lists/oss-security/2008/11/05/5
Source: MLIST
Name: [oss-security] 20081105 VideoLAN security advisory 0810
Link: http://www.openwall.com/lists/oss-security/2008/11/05/4
Source: GENTOO
Name: GLSA-200812-24
Link: http://security.gentoo.org/glsa/glsa-200812-24.xml
Source: SECUNIA
Name: 33315
Link: http://secunia.com/advisories/33315
Source: SECUNIA
Name: 32569
Link: http://secunia.com/advisories/32569
Source: git.videolan.org
Link: http://git.videolan.org/?p=vlc.git;a=commitdiff;h=5f63f1562d43f32331006c2c1a61742de031b84d
Affected entities
- Videolan Vlc_media_player:0.9.1
- Videolan Vlc_media_player:0.9.5
- Videolan Vlc_media_player:0.9.4
- Videolan Vlc_media_player:0.9.3
- Videolan Vlc_media_player:0.5.0
Patch
None available