Closed
Bug 529197
Opened 16 years ago
Closed 16 years ago
Update libtheora to SVN r16702 to fix a possibly exploitable bug
Categories
(Core :: Audio/Video, defect)
RESOLVED
FIXED
| Tracking | Status | |
|---|---|---|
| status1.9.2 | --- | beta4-fixed |
People
(Reporter: kinetik, Assigned: kinetik)
Details
Attachments
(1 file)
patch, 6.54 KB (cajbir: review+)
From #theora:
15:48 < kinetik> 1.1 will be in 3.6
15:48 < derf> kinetik: I highly recommend you apply the patch in r16702, then.
15:50 < derf> I didn't actually do the analysis to see if that bug led to an exploitable vulnerability.
15:50 < derf> But I figure better safe than sorry.
15:53 < kinetik> does a similar problem exist on the 1.0 code?
15:53 < derf> kinetik: No. That code was all-new in 1.1.
15:54 < derf> It was part of the changes needed to actually check malloc() returns.
Comment 1 (Assignee) • 16 years ago
This should probably block 1.9.2. 1.9.1 is not affected as we've still got Theora 1.0 there. I'll get a patch up ASAP.
Assignee: nobody → kinetik
Flags: blocking1.9.2?
Flags: blocking1.9.2? → blocking1.9.2+
Comment 2 (Assignee) • 16 years ago
Attachment #412758 - Flags: review?(chris.double)
Comment 3 • 16 years ago
Comment on attachment 412758
patch v0
Does README_MOZILLA need to be updated to state the svn revision?
Attachment #412758 - Flags: review?(chris.double) → review+
Comment 4 (Assignee) • 16 years ago
Comment 5 • 16 years ago
Doh, so it was!
Comment 6 • 16 years ago
I've done the analysis now, and I don't believe the bug is exploitable with the code as shipped (i.e., with OC_HUFF_SLUSH #define'd to 1). But again, better safe than sorry.
Comment 7 • 16 years ago
(In reply to comment #6)
> I've done the analysis now, and I don't believe the bug is exploitable with the
> code as shipped (i.e., with OC_HUFF_SLUSH #define'd to 1). But again, better
> safe than sorry.
Do you know of anybody or any distro that has changes that would make this exploitable (I assume OC_HUFF_SLUSH == 0 would be bad)? I can bring this up on vendor-sec if you think it's possible that some distro would actually be vulnerable to this.
Comment 8 • 16 years ago
Setting OC_HUFF_SLUSH to 0 should have caused a segfault on almost every Theora file in existence. I'm pretty sure if a distro had done that, they would have noticed.
Whiteboard: [needs landing]
Comment 9 (Assignee) • 16 years ago
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
Whiteboard: [needs landing] → [needs 192 landing]
Comment 10 (Assignee) • 16 years ago
status1.9.2: --- → final-fixed
Whiteboard: [needs 192 landing]
Updated • 14 years ago
Group: core-security