1397993 – vmnc decoder overflow exploitable

Bug 1397993 - vmnc decoder overflow exploitable

Summary: vmnc decoder overflow exploitable

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	gstreamer-plugins-bad-free
Sub Component:
Version:	24
Hardware:	x86_64
OS:	Linux
Priority:	unspecified
Severity:	high
Target Milestone:	---
Assignee:	Benjamin Otte
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2016-11-23 18:32 UTC by Alick Zhao
Modified:	2017-02-08 11:22 UTC (History)
CC List:	4 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2017-02-08 11:22:21 UTC
Type:	Bug
Dependent Products:

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
GNOME Bugzilla	774533	0	None	None	None	2016-11-23 18:32:31 UTC

Description Alick Zhao 2016-11-23 18:32:32 UTC

Description of problem:

The vmnc decoder does not check for heap overflow for input video size,
which is vulnerable to attacks [1].

Upstream has a fix [2], which is available in release 1.10.1 .

Version-Release number of selected component (if applicable):

gstreamer1-plugins-bad-free

How reproducible:

Reliably.

Steps to Reproduce:

Refer to [1].

Actual results:

Tracker/Nautilus crashes.

Expected results:

No crash.

Additional info:

[1] https://scarybeastsecurity.blogspot.com/2016/11/0day-poc-risky-design-decisions-in.html
[2] https://cgit.freedesktop.org/gstreamer/gst-plugins-bad/commit/gst/vmnc/vmncdec.c?id=4cb1bcf1422bbcd79c0f683edb7ee85e3f7a31fe
[3] https://bugzilla.gnome.org/show_bug.cgi?id=774533

Note You need to log in before you can comment on or make changes to this bug.