Vulnerabilities > CVE-2009-0385
Attack vector: UNKNOWN
Attack complexity: UNKNOWN
Privileges required: UNKNOWN
Confidentiality impact: UNKNOWN
Integrity impact: UNKNOWN
Availability impact: UNKNOWN
Summary
Integer signedness error in the fourxm_read_header function in libavformat/4xm.c in FFmpeg before revision 16846 allows remote attackers to execute arbitrary code via a malformed 4X movie file with a large current_track value, which triggers a NULL pointer dereference.
Vulnerable Configurations
Nessus
NASL family Fedora Local Security Checks NASL id FEDORA_2009-3428.NASL description Maintenance release. Fixes two security problems (CVE-2009-0385, CVE-2009-1274) and a few miscellaneous bugs. See the upstream changelog for details: http://sourceforge.net/project/shownotes.php?group_id=9655&release_id= 673233 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 36124 published 2009-04-10 reporter This script is Copyright (C) 2009-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/36124 title Fedora 9 : xine-lib-1.1.16.3-1.fc9 (2009-3428) code 
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Fedora Security Advisory 2009-3428.
#

include("compat.inc");

# Description block: plugin identifiers, CVE/BID/FEDORA references,
# the advisory text, CVSS vectors, CPEs and the KB keys this plugin needs.
if (description)
{
  script_id(36124);
  script_version ("1.15");
  script_cvs_date("Date: 2019/08/02 13:32:29");

  script_cve_id("CVE-2009-0385", "CVE-2009-1274");
  script_bugtraq_id(33502, 34384);
  script_xref(name:"FEDORA", value:"2009-3428");

  script_name(english:"Fedora 9 : xine-lib-1.1.16.3-1.fc9 (2009-3428)");
  script_summary(english:"Checks rpm output for the updated package.");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote Fedora host is missing a security update."
  );
  script_set_attribute(
    attribute:"description",
    value:
"Maintenance release. Fixes two security problems (CVE-2009-0385, CVE-2009-1274) and a few miscellaneous bugs. See the upstream changelog for details: http://sourceforge.net/project/shownotes.php?group_id=9655&release_id= 673233 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. 
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues."
  );
  # http://sourceforge.net/project/shownotes.php?group_id=9655&release_id=673233
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?6bea3c3c"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.redhat.com/show_bug.cgi?id=495031"
  );
  # https://lists.fedoraproject.org/pipermail/package-announce/2009-April/022156.html
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?f0bd2185"
  );
  script_set_attribute(
    attribute:"solution",
    value:"Update the affected xine-lib package."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:ND/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_cwe_id(119, 189);

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:xine-lib");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:9");

  script_set_attribute(attribute:"patch_publication_date", value:"2009/04/09");
  script_set_attribute(attribute:"plugin_publication_date", value:"2009/04/10");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2009-2019 Tenable Network Security, Inc.");
  script_family(english:"Fedora Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

# Preconditions read from the KB: local checks must be enabled, the release
# string must name Fedora with major version 9, an rpm list must be present,
# and the CPU must be x86_64 or i[3-6]86. Any other case is handed to audit().
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/RedHat/release");
if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
os_ver = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
os_ver = os_ver[1];
if (! ereg(pattern:"^9([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 9.x", "Fedora " + os_ver);

if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);

# Single package test: compare the installed xine-lib against the advisory's
# reference build for FC9; rpm_check() returning true marks the host affected.
flag = 0;
if (rpm_check(release:"FC9", reference:"xine-lib-1.1.16.3-1.fc9")) flag++;

# Report: attach the rpm comparison details when verbosity allows; otherwise
# record which package was tested (or that it is not installed at all).
if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
  else security_hole(0);
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "xine-lib");
}
NASL family Mandriva Local Security Checks NASL id MANDRIVA_MDVSA-2009-319.NASL description Vulnerabilities have been discovered and corrected in xine-lib : Failure on Ogg files manipulation can lead remote attackers to cause a denial of service by using crafted files (CVE-2008-3231). Failure on manipulation of either MNG or Real or MOD files can lead remote attackers to cause a denial of service by using crafted files (CVE: CVE-2008-5233). Heap-based overflow allows remote attackers to execute arbitrary code by using Quicktime media files holding crafted metadata (CVE-2008-5234). Heap-based overflow allows remote attackers to execute arbitrary code by using either crafted Matroska or Real media files (CVE-2008-5236). Failure on manipulation of either MNG or Quicktime files can lead remote attackers to cause a denial of service by using crafted files (CVE-2008-5237). Multiple heap-based overflow on input plugins (http, net, smb, dvd, dvb, rtsp, rtp, pvr, pnm, file, gnome_vfs, mms) allow attackers to execute arbitrary code by handling that input channels. Further this problem can even lead attackers to cause denial of service (CVE-2008-5239). Heap-based overflow allows attackers to execute arbitrary code by using crafted Matroska media files (MATROSKA_ID_TR_CODECPRIVATE track entry element). Further a failure on handling of Real media files (CONT_TAG header) can lead to a denial of service attack (CVE-2008-5240). Integer underflow allows remote attackers to cause denial of service by using Quicktime media files (CVE-2008-5241). Failure on manipulation of Real media files can lead remote attackers to cause a denial of service by indexing an allocated buffer with a certain input value in a crafted file (CVE-2008-5243). Vulnerabilities of unknown impact - possibly buffer overflow - caused by a condition of video frame preallocation before ascertaining the required length in V4L video input plugin (CVE-2008-5245). 
Heap-based overflow allows remote attackers to execute arbitrary code by using crafted media files. This vulnerability is in the manipulation of ID3 audio file data tagging mainly used in MP3 file formats (CVE-2008-5246). Integer overflow in the qt_error parse_trak_atom function in demuxers/demux_qt.c in xine-lib 1.1.16.2 and earlier allows remote attackers to execute arbitrary code via a Quicktime movie file with a large count value in an STTS atom, which triggers a heap-based buffer overflow (CVE-2009-1274) Integer overflow in the 4xm demuxer (demuxers/demux_4xm.c) in xine-lib 1.1.16.1 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a 4X movie file with a large current_track value, a similar issue to CVE-2009-0385 (CVE-2009-0698) Packages for 2008.0 are provided for Corporate Desktop 2008.0 customers This update fixes these issues. last seen 2020-06-01 modified 2020-06-02 plugin id 43022 published 2009-12-07 reporter This script is Copyright (C) 2009-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/43022 title Mandriva Linux Security Advisory : xine-lib (MDVSA-2009:319) NASL family Mandriva Local Security Checks NASL id MANDRIVA_MDVSA-2009-297.NASL description Vulnerabilities have been discovered and corrected in ffmpeg : - The ffmpeg lavf demuxer allows user-assisted attackers to cause a denial of service (application crash) via a crafted GIF file (CVE-2008-3230) - FFmpeg 0.4.9, as used by MPlayer, allows context-dependent attackers to cause a denial of service (memory consumption) via unknown vectors, aka a Tcp/udp memory leak. (CVE-2008-4869) - Integer signedness error in the fourxm_read_header function in libavformat/4xm.c in FFmpeg before revision 16846 allows remote attackers to execute arbitrary code via a malformed 4X movie file with a large current_track value, which triggers a NULL pointer dereference (CVE-2009-0385) The updated packages fix this issue. 
Update : Packages for 2008.0 are provided for Corporate Desktop 2008.0 customers last seen 2020-06-01 modified 2020-06-02 plugin id 42809 published 2009-11-16 reporter This script is Copyright (C) 2009-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/42809 title Mandriva Linux Security Advisory : ffmpeg (MDVSA-2009:297-1) NASL family Debian Local Security Checks NASL id DEBIAN_DSA-1782.NASL description Several vulnerabilities have been discovered in mplayer, a movie player for Unix-like systems. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2009-0385 It was discovered that watching a malformed 4X movie file could lead to the execution of arbitrary code. - CVE-2008-4866 It was discovered that multiple buffer overflows could lead to the execution of arbitrary code. - CVE-2008-5616 It was discovered that watching a malformed TwinVQ file could lead to the execution of arbitrary code. last seen 2020-06-01 modified 2020-06-02 plugin id 38641 published 2009-04-30 reporter This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/38641 title Debian DSA-1782-1 : mplayer - several vulnerabilities NASL family Fedora Local Security Checks NASL id FEDORA_2009-3433.NASL description Maintenance release. Fixes two security problems (CVE-2009-0385, CVE-2009-1274) and a few miscellaneous bugs. See the upstream changelog for details: http://sourceforge.net/project/shownotes.php?group_id=9655&release_id= 673233 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 37865 published 2009-04-23 reporter This script is Copyright (C) 2009-2019 Tenable Network Security, Inc. 
source https://www.tenable.com/plugins/nessus/37865 title Fedora 10 : xine-lib-1.1.16.3-1.fc10 (2009-3433) NASL family FreeBSD Local Security Checks NASL id FREEBSD_PKG_48E14D8642F111DEAD22000E35248AD7.NASL description xine developers report : - Fix another possible int overflow in the 4XM demuxer. (ref. TKADV2009-004, CVE-2009-0385) - Fix an integer overflow in the Quicktime demuxer. last seen 2020-06-01 modified 2020-06-02 plugin id 38801 published 2009-05-18 reporter This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/38801 title FreeBSD : libxine -- multiple vulnerabilities (48e14d86-42f1-11de-ad22-000e35248ad7) NASL family Slackware Local Security Checks NASL id SLACKWARE_SSA_2009-098-03.NASL description New xine-lib packages are available for Slackware 12.0, 12.1, 12.2, and -current to fix security issues. last seen 2020-06-01 modified 2020-06-02 plugin id 36106 published 2009-04-08 reporter This script is Copyright (C) 2009-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/36106 title Slackware 12.0 / 12.1 / 12.2 / current : xine-lib (SSA:2009-098-03) NASL family Mandriva Local Security Checks NASL id MANDRIVA_MDVSA-2009-299.NASL description Vulnerabilities have been discovered and corrected in xine-lib : - Integer overflow in the qt_error parse_trak_atom function in demuxers/demux_qt.c in xine-lib 1.1.16.2 and earlier allows remote attackers to execute arbitrary code via a Quicktime movie file with a large count value in an STTS atom, which triggers a heap-based buffer overflow (CVE-2009-1274) - Integer overflow in the 4xm demuxer (demuxers/demux_4xm.c) in xine-lib 1.1.16.1 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a 4X movie file with a large current_track value, a similar issue to CVE-2009-0385 (CVE-2009-0698) This update fixes these issues. 
last seen 2020-06-01 modified 2020-06-02 plugin id 42810 published 2009-11-16 reporter This script is Copyright (C) 2009-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/42810 title Mandriva Linux Security Advisory : xine-lib (MDVSA-2009:299) NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-200903-33.NASL description The remote host is affected by the vulnerability described in GLSA-200903-33 (FFmpeg: Multiple vulnerabilities) Multiple vulnerabilities were found in FFmpeg: astrange reported a stack-based buffer overflow in the str_read_packet() in libavformat/psxstr.c when processing .str files (CVE-2008-3162). Multiple buffer overflows in libavformat/utils.c (CVE-2008-4866). A buffer overflow in libavcodec/dca.c (CVE-2008-4867). An unspecified vulnerability in the avcodec_close() function in libavcodec/utils.c (CVE-2008-4868). Unspecified memory leaks (CVE-2008-4869). Tobias Klein reported a NULL pointer dereference due to an integer signedness error in the fourxm_read_header() function in libavformat/4xm.c (CVE-2009-0385). Impact : A remote attacker could entice a user to open a specially crafted media file, possibly leading to the execution of arbitrary code with the privileges of the user running the application, or a Denial of Service. Workaround : There is no known workaround at this time. last seen 2020-06-01 modified 2020-06-02 plugin id 35969 published 2009-03-20 reporter This script is Copyright (C) 2009-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/35969 title GLSA-200903-33 : FFmpeg: Multiple vulnerabilities NASL family FreeBSD Local Security Checks NASL id FREEBSD_PKG_6733E1BF125F11DEA9640030843D3802.NASL description Secunia reports : Tobias Klein has reported a vulnerability in FFmpeg, which potentially can be exploited by malicious people to compromise an application using the library. 
The vulnerability is caused due to a signedness error within the last seen 2020-06-01 modified 2020-06-02 plugin id 35938 published 2009-03-17 reporter This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/35938 title FreeBSD : ffmpeg -- 4xm processing memory corruption vulnerability (6733e1bf-125f-11de-a964-0030843d3802) NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-734-1.NASL description It was discovered that FFmpeg did not correctly handle certain malformed Ogg Media (OGM) files. If a user were tricked into opening a crafted Ogg Media file, an attacker could cause the application using FFmpeg to crash, leading to a denial of service. (CVE-2008-4610) It was discovered that FFmpeg did not correctly handle certain parameters when creating DTS streams. If a user were tricked into processing certain commands, an attacker could cause a denial of service via application crash, or possibly execute arbitrary code with the privileges of the user invoking the program. This issue only affected Ubuntu 8.10. (CVE-2008-4866) It was discovered that FFmpeg did not correctly handle certain malformed DTS Coherent Acoustics (DCA) files. If a user were tricked into opening a crafted DCA file, an attacker could cause a denial of service via application crash, or possibly execute arbitrary code with the privileges of the user invoking the program. (CVE-2008-4867) It was discovered that FFmpeg did not correctly handle certain malformed 4X movie (4xm) files. If a user were tricked into opening a crafted 4xm file, an attacker could execute arbitrary code with the privileges of the user invoking the program. (CVE-2009-0385). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. 
last seen 2020-06-01 modified 2020-06-02 plugin id 38037 published 2009-04-23 reporter Ubuntu Security Notice (C) 2009-2019 Canonical, Inc. / NASL script (C) 2009-2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/38037 title Ubuntu 7.10 / 8.04 LTS / 8.10 : ffmpeg, ffmpeg-debian vulnerabilities (USN-734-1) NASL family Debian Local Security Checks NASL id DEBIAN_DSA-1781.NASL description Several vulnerabilities have been discovered in ffmpeg, a multimedia player, server and encoder. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2009-0385 It was discovered that watching a malformed 4X movie file could lead to the execution of arbitrary code. - CVE-2008-3162 It was discovered that using a crafted STR file can lead to the execution of arbitrary code. last seen 2020-06-01 modified 2020-06-02 plugin id 38640 published 2009-04-30 reporter This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/38640 title Debian DSA-1781-1 : ffmpeg-debian - several vulnerabilities
Seebug
bulletinFamily | exploit |
description | BUGTRAQ ID: 33502 CVE(CAN) ID: CVE-2009-0385 FFmpeg是一套对音频和视频进行解码录制转换的完整方案。 FFmpeg在解析畸形的4X电影文件时存在类型转换漏洞,以下是libavformat/4xm.c文件中的有漏洞代码段: [..] 93 static int fourxm_read_header(AVFormatContext *s, 94 AVFormatParameters *ap) 95 { .. 103 [8] int current_track = -1; .. 106 [9] fourxm->track_count = 0; 107 [10] fourxm->tracks = NULL; .. 160 } else if (fourcc_tag == strk_TAG) { 161 /* check that there is enough data */ 162 if (size != strk_SIZE) { 163 av_free(header); 164 return AVERROR_INVALIDDATA; 165 } 166 [1] current_track = AV_RL32(&header[i + 8]); 167 [2] if (current_track + 1 > fourxm->track_count) { 168 fourxm->track_count = current_track + 1; 169 if((unsigned)fourxm->track_count >= UINT_MAX / sizeof(AudioTrack)) 170 return -1; 171 [3] fourxm->tracks = av_realloc(fourxm->tracks, 172 fourxm->track_count * sizeof(AudioTrack)); 173 if (!fourxm->tracks) { 174 av_free(header); 175 return AVERROR(ENOMEM); 176 } 177 } 178 [4] fourxm->tracks[current_track].adpcm = AV_RL32(&header[i + 12]); 179 [5] fourxm->tracks[current_track].channels = AV_RL32(&header[i + 36]); 180 [6] fourxm->tracks[current_track].sample_rate = AV_RL32(&header[i+40]); 181 [7] fourxm->tracks[current_track].bits = AV_RL32(&header[i + 44]); [..] [1] 使用来自媒体文件的用户提供数据填充有符号型int变量current_track(见[8]) [2] 这个语句检查current_track值是否大于fourxm->track_count。用0初始化了fourxm->track_count变量(见[9]),对current_track提供大于等于0x80000000的值就会导致current_track为负数。如果current_track为负数,if语句总会返回false,无法到达[3]处的缓冲区分配。 [4] 由于用NULL初始化了fourxm->tracks(见[10])且无法到达171行,这导致可利用的空指针引用。可以向NULL + current_track内存位置写入4个字节的用户控制数据。由于current_track值也是用户可控的,还可以向很大的内存地址范围写入4字节的任意数据。 [5] 同[4] [6] 同[4] [7] 同[4] FFmpeg < revision 16846 FFmpeg ------ 目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载: <a href=http://svn.ffmpeg.org/ffmpeg?view=rev&revision=16846 target=_blank rel=external nofollow>http://svn.ffmpeg.org/ffmpeg?view=rev&revision=16846</a> |
id | SSV:4791 |
last seen | 2017-11-19 |
modified | 2009-02-19 |
published | 2009-02-19 |
reporter | Root |
title | FFmpeg 4xm文件解析内存破坏漏洞 |
References
- http://svn.mplayerhq.hu/ffmpeg/trunk/libavformat/4xm.c?r1=16838&r2=16846&pathrev=16846
- http://www.securityfocus.com/bid/33502
- http://svn.mplayerhq.hu/ffmpeg?view=rev&revision=16846
- http://www.trapkit.de/advisories/TKADV2009-004.txt
- http://secunia.com/advisories/33711
- http://osvdb.org/51643
- http://www.ubuntu.com/usn/USN-734-1
- http://secunia.com/advisories/34296
- http://security.gentoo.org/glsa/glsa-200903-33.xml
- http://secunia.com/advisories/34385
- https://www.redhat.com/archives/fedora-package-announce/2009-April/msg00215.html
- http://secunia.com/advisories/34712
- https://www.redhat.com/archives/fedora-package-announce/2009-April/msg00210.html
- http://www.debian.org/security/2009/dsa-1781
- http://secunia.com/advisories/34905
- http://secunia.com/advisories/34845
- http://www.debian.org/security/2009/dsa-1782
- http://www.mandriva.com/security/advisories?name=MDVSA-2009:297
- http://www.vupen.com/english/advisories/2009/0277
- https://exchange.xforce.ibmcloud.com/vulnerabilities/48330
- http://www.securityfocus.com/archive/1/500514/100/0/threaded
- http://git.ffmpeg.org/?p=ffmpeg%3Ba=commitdiff%3Bh=72e715fb798f2cb79fd24a6d2eaeafb7c6eeda17