VLC media player multiple stack overflow vulnerabilities

admin 2022-07-23 10:51:01 CNNVD vulnerability Source: ZONE.CI 全球网

Vulnerability details

VLC media player multiple stack overflow vulnerabilities

  • CNNVD ID: CNNVD-200811-143
  • Severity: Medium
  • CVE ID: CVE-2008-5032
  • Vulnerability type: Buffer overflow
  • Published: 2008-11-10
  • Threat type: Remote
  • Updated: 2009-03-18
  • Vendor: videolan
  • Reported by: Tobias Klein

Vulnerability summary

VideoLAN VLC media player is a free, open-source, cross-platform multimedia player (and multimedia framework) developed by the French VideoLAN organization. It plays many kinds of media (files, discs, etc.) and many audio and video formats (WMV, MP3, etc.).

VLC media player has a stack overflow when parsing a malformed cue file. The vulnerable code is in modules\access\vcd\cdrom.c (lines 913 to 944):

[...]

        /* Try to parse the i_tracks and p_sectors info so we can just forget
         * about the cuefile */
        if( i_ret == 0 )
        {
    [1]     int p_sectors[100];
            int i_tracks = 0;
            int i_num;
            char psz_dummy[10];

    [2]     while( fgets( line, 1024, cuefile ) )
            {
                /* look for a TRACK line */
                if( !sscanf( line, "%9s", psz_dummy ) ||
                    strcmp(psz_dummy, "TRACK") )
                    continue;

                /* look for an INDEX line */
    [3]         while( fgets( line, 1024, cuefile ) )
                {
                    int i_min, i_sec, i_frame;

    [4]             if( (sscanf( line, "%9s %2u %2u:%2u:%2u", psz_dummy, &i_num,
                                 &i_min, &i_sec, &i_frame ) != 5) || (i_num != 1) )
                        continue;

    [5]             i_tracks++;
    [6]             p_sectors[i_tracks - 1] = MSF_TO_LBA(i_min, i_sec, i_frame);
                    msg_Dbg( p_this, "vcd track %i begins at sector:%i",
                             i_tracks - 1, p_sectors[i_tracks - 1] );
                    break;
                }
            }

[...]

[1] This stack buffer can be overflowed.

[2] + [3] User-controlled data from the cue file is stored in line.

[4] The user-controlled data is parsed and copied into i_min, i_sec and i_frame.

[5] The i_tracks counter is incremented.

[6] User-controlled data derived from i_min, i_sec and i_frame is copied into the stack buffer p_sectors, with i_tracks used as the array index. Since i_tracks has no upper bound, specifying a large number of tracks in the cue file overflows the p_sectors stack buffer.

VLC media player also has a second stack overflow when parsing a malformed rt subtitle file. The vulnerable code is in modules\demux\subtitle.c (lines 1843 to 1881):

[...]

    static int ParseRealText( demux_t *p_demux, subtitle_t *p_subtitle,
                              int i_idx )
    {
        VLC_UNUSED( i_idx );
        demux_sys_t *p_sys = p_demux->p_sys;
        text_t *txt = &p_sys->txt;
        char *psz_text = NULL;
    [1] char psz_end[12]= "", psz_begin[12] = "";

        for( ;; )
        {
            int h1 = 0, m1 = 0, s1 = 0, f1 = 0;
            int h2 = 0, m2 = 0, s2 = 0, f2 = 0;
            const char *s = TextGetLine( txt );
            free( psz_text );

            if( !s )
                return VLC_EGENERIC;

            psz_text = malloc( strlen( s ) + 1 );
            if( !psz_text )
                return VLC_ENOMEM;

            /* Find the good beginning. This removes extra spaces at the
             * beginning of the line.*/
            char *psz_temp = strcasestr( s, "<time");
            if( psz_temp != NULL )
            {
                /* Line has begin and end */
    [2]         if( ( sscanf( psz_temp,
                      "<%*[t|T]ime %*[b|B]egin=\"%[^\"]\" %*[e|E]nd=\"%[^\"]%*[^>]%[^\n\r]",
                      psz_begin, psz_end, psz_text) != 3 ) &&
                    /* Line has begin and no end */
    [3]             ( sscanf( psz_temp,
                      "<%*[t|T]ime %*[b|B]egin=\"%[^\"]\"%*[^>]%[^\n\r]",
                      psz_begin, psz_text ) != 2) )
                    /* Line is not recognized */
                {
                    continue;
                }

[...]

[1] The stack buffers psz_end and psz_begin can be overflowed.

[2] sscanf() reads its input from the user-controlled string pointed to by psz_temp and stores user-controlled data in psz_end and psz_begin without any bounds check.

[3] Same as [2].
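As an added example (not VLC's code and not the vendor's fix), the two parsing steps annotated above and in the cue-file section are re-implemented in C with the bounds the advisory says were missing: the track counter is compared against the array size before every store, and the sscanf conversions into the 12-byte begin/end buffers carry a width, so an over-long attribute makes the tag fail instead of being written past the buffer. The function names, the simplified cue walk (every "INDEX 01" line is taken as a track), the MAX_TRACKS limit and the sample inputs are constructed for this example.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not VLC code: hardened versions of the two parsing steps
 * the advisory describes. Names, limits and inputs are constructed. */

#define MAX_TRACKS 100
#define MSF_TO_LBA(min, sec, frame) ((int)(((min) * 60 + (sec)) * 75 + (frame)))

/* Cue sheet: store the start sector of each "INDEX 01 mm:ss:ff" line found
 * in an in-memory cue sheet. The advisory's loop never bounded i_tracks;
 * here the store is refused once the array is full.
 * Returns the number of tracks stored, or -1 if more tracks than max_tracks
 * are declared. */
int parse_cue_indexes(const char *cue, int *p_sectors, int max_tracks)
{
    int i_tracks = 0;
    char line[1024];

    while (*cue) {
        /* bounded copy of one line, equivalent to fgets(line, 1024, f) */
        size_t n = strcspn(cue, "\n");
        size_t len = n < sizeof line - 1 ? n : sizeof line - 1;
        memcpy(line, cue, len);
        line[len] = '\0';
        cue += n + (cue[n] == '\n');

        char psz_dummy[10];
        unsigned i_num, i_min, i_sec, i_frame;
        if (sscanf(line, "%9s %2u %2u:%2u:%2u",
                   psz_dummy, &i_num, &i_min, &i_sec, &i_frame) != 5
            || strcmp(psz_dummy, "INDEX") != 0 || i_num != 1)
            continue;

        /* the bound the original code lacked */
        if (i_tracks >= max_tracks)
            return -1;
        p_sectors[i_tracks++] = MSF_TO_LBA(i_min, i_sec, i_frame);
    }
    return i_tracks;
}

/* RealText: read the begin= and end= attributes of a <time> tag into
 * 12-byte buffers (the size VLC used). The %11[...] width keeps each
 * conversion inside the buffer, and %n is only stored if the closing
 * quote after the field matched, so an attribute longer than 11 bytes
 * makes the tag fail instead of being silently truncated.
 * Returns 2 (begin and end), 1 (begin only) or 0 (not recognised). */
int parse_rt_time(const char *s, char psz_begin[12], char psz_end[12])
{
    int consumed = -1;
    psz_begin[0] = psz_end[0] = '\0';

    if (sscanf(s, "<%*[tT]ime %*[bB]egin=\"%11[^\"]\" %*[eE]nd=\"%11[^\"]\"%n",
               psz_begin, psz_end, &consumed) == 2 && consumed > 0)
        return 2;

    /* mirrors the original "begin and no end" case */
    consumed = -1;
    psz_begin[0] = psz_end[0] = '\0';
    if (sscanf(s, "<%*[tT]ime %*[bB]egin=\"%11[^\"]\"%n",
               psz_begin, &consumed) == 1 && consumed > 0)
        return 1;

    psz_begin[0] = '\0';
    return 0;
}

/* Constructed input: a cue sheet with n_tracks TRACK/INDEX 01 pairs. */
int build_cue(int n_tracks, char *buf, size_t cap)
{
    size_t used = 0;
    for (int t = 1; t <= n_tracks; t++) {
        int w = snprintf(buf + used, cap - used,
                         "  TRACK %02d AUDIO\n    INDEX 01 %02d:%02d:%02d\n",
                         t, t / 60, t % 60, 0);
        if (w < 0 || (size_t)w >= cap - used)
            return -1;
        used += (size_t)w;
    }
    return 0;
}

int main(void)
{
    static char cue[16384];
    int p_sectors[MAX_TRACKS];
    char b[12], e[12];

    build_cue(3, cue, sizeof cue);
    printf("3 tracks: %d stored\n", parse_cue_indexes(cue, p_sectors, MAX_TRACKS));
    build_cue(MAX_TRACKS + 1, cue, sizeof cue);
    printf("%d tracks: %d (rejected)\n", MAX_TRACKS + 1,
           parse_cue_indexes(cue, p_sectors, MAX_TRACKS));
    printf("%d\n", parse_rt_time("<time begin=\"00:00:01\" end=\"00:00:05\">hi", b, e));
    printf("%d\n", parse_rt_time("<time begin=\"AAAAAAAAAAAAAAAAAAAA\">hi", b, e));
    return 0;
}
```

Rejecting an over-long attribute rather than truncating it is the deliberate choice here: with a plain width limit, `%11[^"]` would stop after 11 bytes and leave the rest of the attribute to be read as subtitle text, so the `%n` check is what turns the width into a real validation step.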

    char *s,*mailbox,tmp[MAILTMPLEN],path[MAILTMPLEN];
    STRING st;
    struct stat sbuf;
    /* have a mailbox specifier? */
    if (mailbox = strchr (user,'+')) {
      *mailbox++ = '\0'; /* yes, tie off user name */
      if (!*mailbox || !strcmp ("INBOX",ucase (strcpy (tmp,mailbox))))
        mailbox = NIL; /* user+ and user+INBOX same as user */
    }

(..)

The user+folder command-line argument reaches deliver() and getusername() through the character pointers s and user respectively. The folder part is split off from the user part and copied into the tmp buffer. Since that buffer lives on the stack, an over-long folder name can overwrite data on the stack.

Vendor advisory

The vendor has released an upgrade patch that fixes this security issue; download link:

VideoLAN

--------

http://www.videolan.org/

Temporary workaround:

* Manually remove the VCD and Subtitles plugins (libvcd_plugin.* and libsubtitle_plugin.*) from the VLC plugin installation directory.

References

Source: XF
Name: vlcmediaplayer-cue-bo(46375)
Link: http://xforce.iss.net/xforce/xfdb/46375

Source: www.videolan.org
Link: http://www.videolan.org/security/sa0810.HTML

Source: MISC
Link: http://www.trapkit.de/advisories/TKADV2008-012.txt

Source: BID
Name: 32125
Link: http://www.securityfocus.com/bid/32125

Source: BUGTRAQ
Name: 20081106 [TKADV2008-012] VLC media player cue Processing Stack Overflow Vulnerability
Link: http://www.securityfocus.com/archive/1/archive/1/498112/100/0/threaded

Source: MLIST
Name: [oss-security] 20081110 Re: CVE id request: vlc
Link: http://www.openwall.com/lists/oss-security/2008/11/10/13

Source: MLIST
Name: [oss-security] 20081105 CVE id request: vlc
Link: http://www.openwall.com/lists/oss-security/2008/11/05/5

Source: MLIST
Name: [oss-security] 20081105 VideoLAN security advisory 0810
Link: http://www.openwall.com/lists/oss-security/2008/11/05/4

Source: GENTOO
Name: GLSA-200812-24
Link: http://security.gentoo.org/glsa/glsa-200812-24.xml

Source: SECUNIA
Name: 33315
Link: http://secunia.com/advisories/33315

Source: SECUNIA
Name: 32569
Link: http://secunia.com/advisories/32569

Source: git.videolan.org
Link: http://git.videolan.org/?p=vlc.git;a=commitdiff;h=5f63f1562d43f32331006c2c1a61742de031b84d

Affected entities

  • Videolan Vlc_media_player:0.9.1
  • Videolan Vlc_media_player:0.9.5
  • Videolan Vlc_media_player:0.9.4
  • Videolan Vlc_media_player:0.9.3
  • Videolan Vlc_media_player:0.5.0

Patch

    None available
