Bug 1397993

Summary: vmnc decoder overflow exploitable
Product: [Fedora] Fedora Reporter: Alick Zhao <alick9188>
Component: gstreamer-plugins-bad-freeAssignee: Benjamin Otte <otte>
Status: CLOSED CURRENTRELEASE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high Docs Contact:
Priority: unspecified    
Version: 24CC: bnocera, fabian.deutsch, otte, wtaymans
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-02-08 11:22:21 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Alick Zhao 2016-11-23 18:32:32 UTC 
Description of problem:

The vmnc decoder does not check for heap overflow for input video size,
which is vulnerable to attacks [1].

Upstream has a fix [2], which is available in release 1.10.1 .

Version-Release number of selected component (if applicable):

gstreamer1-plugins-bad-free

How reproducible:

Reliably.

Steps to Reproduce:

Refer to [1].

Actual results:

Tracker/Nautilus crashes.

Expected results:

No crash.

Additional info:

[1] https://scarybeastsecurity.blogspot.com/2016/11/0day-poc-risky-design-decisions-in.html
[2] https://cgit.freedesktop.org/gstreamer/gst-plugins-bad/commit/gst/vmnc/vmncdec.c?id=4cb1bcf1422bbcd79c0f683edb7ee85e3f7a31fe
[3] https://bugzilla.gnome.org/show_bug.cgi?id=774533