Bug#924655: liblivemedia: CVE-2019-9215: invalid memory access in parseAuthorizationHeader

classic Classic list List threaded Threaded
5 messages Options
Reply | Threaded
Open this post in threaded view
|

Bug#924655: liblivemedia: CVE-2019-9215: invalid memory access in parseAuthorizationHeader

Hugo Lefeuvre-3
Source: liblivemedia
Version: 2018.11.26-1
Severity: normal
Tags: security upstream

Hi,

The following vulnerability was published for liblivemedia.

CVE-2019-9215[0]: malformed headers lead to invalid memory access in
the parseAuthorizationHeader function.

I see this vulnerability was fixed in experimental via new upstream
release 2019.02.27-1. This is a fairly severe issue so we should
probably backport the patch to Buster as well.

regards,
Hugo

[0] https://security-tracker.debian.org/tracker/CVE-2019-9215

--
                Hugo Lefeuvre (hle)    |    www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C

signature.asc (499 bytes) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Bug#924655: liblivemedia: CVE-2019-9215: invalid memory access in parseAuthorizationHeader

Hugo Lefeuvre-3
Hi,

> Unless a CVE affects the client part of the library, I don't think it's
> worth it. The client part is the only part used by reverse dependencies.

What do you mean exactly with client part? The affected code is located
in liveMedia/RTSPServer.cpp.

regards,
Hugo

--
                Hugo Lefeuvre (hle)    |    www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C

signature.asc (499 bytes) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Bug#924655: liblivemedia: CVE-2019-9215: invalid memory access in parseAuthorizationHeader

Sebastian Ramacher-3
Hi

On 2019-03-15 15:43:15, Hugo Lefeuvre wrote:
> Hi,
>
> > Unless a CVE affects the client part of the library, I don't think it's
> > worth it. The client part is the only part used by reverse dependencies.
>
> What do you mean exactly with client part? The affected code is located
> in liveMedia/RTSPServer.cpp.

liblivemedia provides an implementation of the server and client side of
RTSP. So, unless a CVE affects the code path used by the RTSP client (as
for example used by vlc), I won't spend any time on it.

Before you start cherry-picking the patches from experimental, I'd
suggest to get in contact with the release team to do a proper
transition to the new upstream version (maybe even to the 2019.03.xx
release that's not yet packaged). Those new release effectively only
consists of the fixes for the recent CVEs. (Yes, I know that the freeze
already started.)

Cheers
--
Sebastian Ramacher

signature.asc (849 bytes) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Bug#924655: liblivemedia: CVE-2019-9215: invalid memory access in parseAuthorizationHeader

Hugo Lefeuvre-3
> liblivemedia provides an implementation of the server and client side of
> RTSP. So, unless a CVE affects the code path used by the RTSP client (as
> for example used by vlc), I won't spend any time on it.

Ok, I thought live555 was also known as one of the main free rtsp
server implementations. Is this actually wrong ?

> Before you start cherry-picking the patches from experimental, I'd
> suggest to get in contact with the release team to do a proper
> transition to the new upstream version (maybe even to the 2019.03.xx
> release that's not yet packaged). Those new release effectively only
> consists of the fixes for the recent CVEs. (Yes, I know that the freeze
> already started.)

Agree. I will look into it if I manage to find time for this.

thanks

regards,
Hugo

--
                Hugo Lefeuvre (hle)    |    www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C

signature.asc (499 bytes) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Bug#924655: liblivemedia: CVE-2019-9215: invalid memory access in parseAuthorizationHeader

Sebastian Ramacher-3
On 2019-03-15 16:26:25, Hugo Lefeuvre wrote:
> > liblivemedia provides an implementation of the server and client side of
> > RTSP. So, unless a CVE affects the code path used by the RTSP client (as
> > for example used by vlc), I won't spend any time on it.
>
> Ok, I thought live555 was also known as one of the main free rtsp
> server implementations. Is this actually wrong ?

I don't know, but at least ffmpeg and vlc use alternative RTSP server
implementations.

Cheers

>
> > Before you start cherry-picking the patches from experimental, I'd
> > suggest to get in contact with the release team to do a proper
> > transition to the new upstream version (maybe even to the 2019.03.xx
> > release that's not yet packaged). Those new release effectively only
> > consists of the fixes for the recent CVEs. (Yes, I know that the freeze
> > already started.)
>
> Agree. I will look into it if I manage to find time for this.
>
> thanks
>
> regards,
> Hugo
>
> --
>                 Hugo Lefeuvre (hle)    |    www.owl.eu.com
> RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
> ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C


--
Sebastian Ramacher

signature.asc (849 bytes) Download Attachment