| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 08 Dec 2016 19:22:33 -0500 From: Joshua <joshua2014@...tonmail.ch> To: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org> Subject: [FD] Gstreamer ID3v2 v1.0 - Out of Bounds Read Gstreamer ID3v2 v1.0 - Out of Bounds Read A maliciously crafted ID3v2-tagged file enables an out-of-bounds memory read against Gstreamer 1.0. The Gstreamer ID3v2 implementation uses arbitrarily supplied data to generate buffers for the ID3v2 object and frames. By providing a maliciously crafted file with a null length in the ID3v2 header and an arbitrarily set length in the succeeding frame it is possible to generate an out of bounds read. An attacker may leverage this vulnerability to cause at minimum a denial of service attack. This vulnerability previously affects GNU/Linux-based Firefox versions 43 and below. Since Firefox is no longer built against Gstreamer the vulnerability is no longer relevant. Relevant Data Structure: ID3v2 Header Size (Offset 0x6): 4 bytes ID3v2 Frame Size (Offset 0xE): 4 bytes Reproduction: Command Impact GST_DEBUG="*:6" totem crash.mp3 crashes GST_DEBUG="*:6" totem no-crash.mp3 this file overflows but does not cause a crash in non-ASAN builds More info and sample files: https://github.com/joshuayabut/gstreamerID3v2/tree/master - MOVRCX X64 EDITION Sent from [ProtonMail](https://protonmail.ch), encrypted email based in Switzerland. _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists