Bug 1112440 (CVE-2014-4610) - CVE-2014-4610 ffmpeg: av_lzo1x_decode() integer overflow
Summary: CVE-2014-4610 ffmpeg: av_lzo1x_decode() integer overflow
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2014-4610
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1113866
Blocks: 1112414
Reported: 2014-06-24 00:56 UTC by Kurt Seifried
Modified: 2021-02-17 06:27 UTC (History)
CC List: 11 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-06-30 05:16:57 UTC
Embargoed:


Description Kurt Seifried 2014-06-24 00:56:28 UTC
Don A. Bailey of securitymouse.com reports:

Vulnerability Description
-------------------------
An integer overflow can occur when processing any variant of a "literal run" in the av_lzo1x_decode function. Each of these three locations is subject to an integer overflow when processing zero bytes.

Due to flaws in multiple functions within the libav code base, various checks can be bypassed that allow for corruption of precise locations in memory.

This issue is LAZARUS.4

Comment 1 Kurt Seifried 2014-06-24 01:32:48 UTC
Please note that gstreamer-plugins-good contains an embedded copy of lzo.c from ffmpeg:

commit c4912dac78c8d47e9c980ff74ceea667434ff764
Author: Sebastian Dröge <slomo>
Date:   Sat Aug 2 18:18:05 2008 +0000

    Decode the codec private data and following ContentEncoding if
    necessary.

    Original commit message from CVS:
    * configure.ac:
    * gst/matroska/Makefile.am:
    * gst/matroska/lzo.c: (get_byte), (get_len), (copy),
    (copy_backptr), (lzo1x_decode), (main):
    * gst/matroska/lzo.h:
    * gst/matroska/matroska-demux.c:
    (gst_matroska_demux_read_track_encoding),
    (gst_matroska_decompress_data), (gst_matroska_decode_data),
    (gst_matroska_decode_buffer),
    (gst_matroska_decode_content_encodings),
    (gst_matroska_demux_read_track_encodings),
    (gst_matroska_demux_add_stream),
    (gst_matroska_demux_parse_blockgroup_or_simpleblock):
    * gst/matroska/matroska-ids.h:
    Decode the codec private data and following ContentEncoding if
    necessary.
    Support bzip2, lzo and header stripped compression. For lzo use the
    ffmpeg lzo implementation as liblzo is GPL licensed.
    Fix zlib decompression.

Comment 2 Murray McAllister 2014-06-27 05:58:12 UTC
This issue is public:

http://seclists.org/oss-sec/2014/q2/668

Comment 3 Murray McAllister 2014-06-27 05:59:14 UTC
Created gstreamer-plugins-good tracking bugs for this issue:

Affects: fedora-all [bug 1113866]

Comment 4 Huzaifa S. Sidhpurwala 2014-06-30 05:13:10 UTC
This issue only affects 32-bit systems and also can only happen if you use uncommonly huge buffer sizes where you have to decompress more than 16 MiB (> 2^24 bytes) untrusted compressed bytes within a single function call.

The following packages in Red Hat Enterprise Linux embed lzo, but none of them use such large buffer sizes and therefore are not affected by this flaw:

rhel-5/qffmpeg
rhel-5/gstreamer-plugins-good
rhel-6/gstreamer-plugins-good
rhel-7/gstreamer-plugins-good
rhel-7/gstreamer1-plugins-good
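
The description above says the overflow happens while counting zero bytes in a literal run and that it lets a bounds check be bypassed, and comment 4 ties the trigger to more than 2^24 bytes of compressed input on a 32-bit int. The following added example (editor's code, not ffmpeg's, libav's or gstreamer's lzo.c) models that arithmetic: in the LZO1X long-length encoding every 0x00 extension byte adds 255 to the run length and the first non-zero byte ends the field, so 2^24 zero bytes add 2^24 * 255 = 2^32 - 2^24 and a 32-bit counter comes back negative, which a "does the run fit in the remaining output" comparison then accepts. The hardened variant bounds every step by the output space still available instead. The names ZeroRun, get_byte, get_len_unchecked, get_len_checked, run_fits and the demo_* wrappers are this example's own, and the input is generated on demand rather than read from a real compressed stream.

```c
#include <stdint.h>
#include <stdio.h>

/*
 * Constructed input model: a run of `zeros` 0x00 bytes followed by one
 * non-zero terminating byte `tail`. It stands in for the LZO1X "long length"
 * field, where each 0x00 extension byte adds 255 to the run length and the
 * first non-zero byte ends the field. Producing the bytes on demand avoids
 * allocating a 16 MiB buffer just to count it.
 */
typedef struct {
    uint64_t zeros;  /* zero bytes still to deliver */
    uint8_t  tail;   /* terminator, must be non-zero */
} ZeroRun;

static int get_byte(ZeroRun *r)
{
    if (r->zeros > 0) {
        r->zeros--;
        return 0;
    }
    return r->tail;
}

/*
 * Unchecked accumulation of the run length in a 32-bit counter, the shape of
 * the flaw the report describes. 2^24 zero bytes contribute 2^24 * 255 =
 * 2^32 - 2^24, so the counter wraps and is negative when reinterpreted as a
 * signed value. The arithmetic is done in uint32_t so the wrap is well
 * defined; the bit pattern matches a wrapped int on a two's-complement CPU.
 */
static int32_t get_len_unchecked(ZeroRun *r, int x, int mask)
{
    uint32_t cnt = (uint32_t)(x & mask);
    if (cnt == 0) {
        while ((x = get_byte(r)) == 0)
            cnt += 255u;                     /* wraps modulo 2^32 */
        cnt += (uint32_t)(mask + x);
    }
    return (int32_t)cnt;
}

/*
 * The kind of bounds check a decoder applies before copying a run: the run
 * must fit in the remaining output. A negative count passes it, which is how
 * a wrapped length bypasses the check instead of being rejected.
 */
static int run_fits(int32_t cnt, int32_t out_remaining)
{
    return cnt <= out_remaining;
}

/*
 * Hardened accumulation. Each step is bounded by the space still available in
 * the output, which is both the tightest bound a decoder can justify and far
 * below the point where a 32-bit int overflows. Returns -1 for a rejected run.
 */
static int32_t get_len_checked(ZeroRun *r, int x, int mask, int32_t out_remaining)
{
    int32_t cnt = x & mask;
    if (out_remaining < 0)
        return -1;
    if (cnt == 0) {
        while ((x = get_byte(r)) == 0) {
            if (cnt > out_remaining - 255)   /* the next +255 would not fit */
                return -1;
            cnt += 255;
        }
        if (mask + x > out_remaining - cnt)  /* the final partial byte must fit too */
            return -1;
        cnt += mask + x;
    }
    return cnt <= out_remaining ? cnt : -1;
}

/* Wrappers that build the constructed input and return the decoded length. */
static int32_t demo_unchecked(uint64_t zeros, uint8_t tail, int mask)
{
    ZeroRun r = { zeros, tail };
    return get_len_unchecked(&r, 0, mask);
}

static int32_t demo_checked(uint64_t zeros, uint8_t tail, int mask, int32_t out_remaining)
{
    ZeroRun r = { zeros, tail };
    return get_len_checked(&r, 0, mask, out_remaining);
}

int main(void)
{
    const uint64_t sixteen_mib = (uint64_t)1 << 24;   /* constructed: 2^24 zero bytes */
    int32_t n = demo_unchecked(sixteen_mib, 1, 7);
    printf("unchecked length after 2^24 zero bytes: %d, passes 1000-byte check: %s\n",
           n, run_fits(n, 1000) ? "yes" : "no");
    printf("checked length for the same input: %d\n",
           demo_checked(sixteen_mib, 1, 7, 1000));
    printf("checked length for 2 zero bytes then 0x03: %d\n",
           demo_checked(2, 3, 7, 1000));
    return 0;
}
```

Bounding each step by the output still available rejects the run after a few extension bytes rather than after reading 16 MiB, so the size of the compressed input stops mattering; a decoder that only guards against INT_MAX still has to trust that the caller's output buffer is large enough for whatever count survives.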

Comment 5 Huzaifa S. Sidhpurwala 2014-06-30 05:15:14 UTC
Statement:

Not vulnerable. This issue does not affect the version of qffmpeg as shipped with Red Hat Enterprise Linux 5. This issue does not affect the version of gstreamer-plugins-good as shipped with Red Hat Enterprise Linux 5, 6 and 7. This issue does not affect the version of gstreamer1-plugins-good as shipped with Red Hat Enterprise Linux 7.

Comment 6 Huzaifa S. Sidhpurwala 2014-06-30 05:16:57 UTC
This issue does not affect the version of gstreamer-plugins-good, gstreamer1-plugins-good and mingw-gstreamer-plugins-good as shipped with Fedora 19 and 20.

Comment 8 Tomas Hoger 2014-06-30 14:53:33 UTC
Blog post and security report from the original reporter:

http://blog.securitymouse.com/2014/06/raising-lazarus-20-year-old-bug-that.html
https://www.securitymouse.com/lms-2014-06-16-4

