--- libmms-0.1.orig/src/mms.c
+++ libmms-0.1/src/mms.c
@@ -144,7 +144,7 @@
 int num_stream_ids;
 int stream_ids[ASF_MAX_NUM_STREAMS];
 int stream_types[ASF_MAX_NUM_STREAMS];
- int asf_packet_len;
+ uint32_t asf_packet_len;
 uint32_t file_len;
 char guid[37];
 uint32_t bitrates[ASF_MAX_NUM_STREAMS];
@@ -472,7 +472,7 @@
 }
 static void string_utf16(iconv_t url_conv, char *dest, char *src, int len) {
- memset(dest, 0, 1000);
+ memset(dest, 0, 2 * len);
 if (url_conv == (iconv_t)-1) {
 int i;
@@ -498,7 +498,7 @@
 static void string_utf16(int unused, char *dest, char *src, int len) {
 int i;
- memset (dest, 0, 1000);
+ memset (dest, 0, 2 * len);
 for (i = 0; i < len; i++) {
 dest[i * 2] = src[i];
@@ -534,13 +534,17 @@
 goto error;
 header->packet_len = LE_32(this->buf + 8) + 4;
+ if (header->packet_len > BUF_SIZE - 12) {
+ header->packet_len = 0;
+ goto error;
+ }
 lprintf("mms command\n");
 packet_type = MMS_PACKET_COMMAND;
 } else {
 header->packet_seq = LE_32(this->buf);
 header->packet_id_type = this->buf[4];
 header->flags = this->buf[5];
- header->packet_len = LE_16(this->buf + 6) - 8;
+ header->packet_len = (LE_16(this->buf + 6) - 8) & 0xffff;
 if (header->packet_id_type == ASF_HEADER_PACKET_ID_TYPE) {
 lprintf("asf header\n");
 packet_type = MMS_PACKET_ASF_HEADER;
@@ -669,6 +673,11 @@
 break;
 case MMS_PACKET_ASF_HEADER:
 case MMS_PACKET_ASF_PACKET:
+ if (header.packet_len + this->asf_header_len > ASF_HEADER_LEN) {
+ lprintf( "***LOG:*** -- " "libmms: asf packet too large\n");
+ return 0;
+ }
 len = io_read(io, this->s, this->asf_header + this->asf_header_len, header.packet_len);
 if (len != header.packet_len) {
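Review bot: `memset(dest, 0, 2 * len)` now derives the clear size from `len`, but nothing in the function checks that `len` is non-negative or that `dest` really provides `2 * len` bytes; a negative `int` is converted to a huge `size_t`, and `2 * len` can overflow for large values. The same applies to the second `string_utf16` at `@@ -498`. Since the signature carries no capacity for `dest`, at minimum document the contract, `/* dest must provide at least 2 * len bytes; len is the wide-char length of the string */`, and reject bad input with `if (len < 0) return;` before the memset. Both function bodies continue outside the hunk.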
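Review bot: In the else branch, `(LE_16(this->buf + 6) - 8) & 0xffff` turns a length field smaller than 8 into a value of up to 65535 instead of rejecting it, so the underflow is hidden rather than handled; mirror the command branch and fail early with `if (LE_16(this->buf + 6) < 8) goto error;` before the assignment. In the command branch, assuming `LE_32` yields a 32-bit unsigned value, `LE_32(this->buf + 8) + 4` can wrap for the top four values and pass the new `BUF_SIZE - 12` check with a near-zero length; comparing the raw field first, `uint32_t raw = LE_32(this->buf + 8); if (raw > BUF_SIZE - 16) goto error; header->packet_len = raw + 4;`, avoids that. The 12 in `BUF_SIZE - 12` is unexplained and deserves a comment naming what it accounts for. The enclosing function starts and ends outside the hunk.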
@@ -715,6 +724,12 @@
 case GUID_ASF_FILE_PROPERTIES:
 this->asf_packet_len = LE_32(this->asf_header + i + 92 - 24);
+ if (this->asf_packet_len > BUF_SIZE) {
+ this->asf_packet_len = 0;
+ lprintf( "***LOG:*** -- " "libmms: asf packet len too large\n");
+ break;
+ }
 this->file_len = LE_32(this->asf_header + i + 40 - 24);
 lprintf ("file object, packet length = %d (%d)\n", this->asf_packet_len, LE_32(this->asf_header + i + 96 - 24));
@@ -1391,8 +1406,20 @@
 /* explicit padding with 0 */
 lprintf("padding: %d bytes\n", this->asf_packet_len - header.packet_len);
- memset(this->buf + header.packet_len, 0, this->asf_packet_len - header.packet_len);
- this->buf_size = this->asf_packet_len;
+ {
+ char *base = (char *)(this->buf);
+ char *start = base + header.packet_len;
+ char *end = start + this->asf_packet_len - header.packet_len;
+ if ((start > base) && (start < (base+BUF_SIZE-1)) &&
+ (start < end) && (end < (base+BUF_SIZE-1))) {
+ memset(this->buf + header.packet_len, 0, this->asf_packet_len - header.packet_len);
+ }
+ if (this->asf_packet_len > BUF_SIZE) {
+ this->buf_size = BUF_SIZE;
+ } else {
+ this->buf_size = this->asf_packet_len;
+ }
+ }
 }
 break;
 }
--- libmms-0.1.orig/config.guess
+++ libmms-0.1/config.guess
@@ -1,9 +1,9 @@
 #! /bin/sh
 # Attempt to guess a canonical system name.
 # Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999,
-# 2000, 2001, 2002, 2003, 2004 Free Software Foundation, Inc.
+# 2000, 2001, 2002, 2003, 2004, 2005 Free Software Foundation, Inc.
-timestamp='2004-08-13'
+timestamp='2005-04-22'
 # This file is free software; you can redistribute it and/or modify it
 # under the terms of the GNU General Public License as published by
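Review bot: After the new length check the rejected value is left as `this->asf_packet_len = 0` and only the `switch` is exited with `break`, so whether the stream is then refused depends on code outside the hunk; if parsing continues, the zero flows into later `asf_packet_len - header.packet_len` arithmetic, which wraps now that the field is `uint32_t` (see `@@ -144`). A comment at the assignment, `/* 0 marks a rejected packet length; callers must check before use */`, or an explicit error return would make the intent clear. The following `lprintf ("file object, packet length = %d (%d)\n", ...)` also still uses `%d` for the now-unsigned field; `%u` matches. The enclosing function starts outside the hunk.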
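Review bot: The pointer-based guard is both undefined and off by one: `start` and `end` are formed from untrusted lengths before the comparison, so they may already point outside `this->buf` (pointer arithmetic beyond one-past-the-end is undefined in C), and `end < (base+BUF_SIZE-1)` rejects the legitimate case where the padding reaches exactly the end of the buffer. When the guard fails the memset is skipped but `buf_size` is still set, so whatever the buffer previously held is delivered as packet payload instead of zeros. Comparing the lengths as integers and treating an inconsistent pair as an error avoids both problems; the enclosing function starts outside the hunk, so the error return below has to be matched to its convention. The preceding `lprintf("padding: %d bytes\n", ...)` computes the same unsigned difference, which wraps when `header.packet_len` exceeds `asf_packet_len`; placing the check before it keeps the log value meaningful.
```c
        /* explicit padding with 0 */
        if (header.packet_len > this->asf_packet_len ||
            this->asf_packet_len > BUF_SIZE) {
          lprintf("***LOG:*** -- libmms: inconsistent padding lengths\n");
          return 0; /* match the enclosing function's error convention */
        }
        lprintf("padding: %d bytes\n", this->asf_packet_len - header.packet_len);
        memset(this->buf + header.packet_len, 0,
               this->asf_packet_len - header.packet_len);
        this->buf_size = this->asf_packet_len;
```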
@@ -53,7 +53,7 @@ GNU config.guess ($timestamp) Originally written by Per Bothner. -Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004 +Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004, 2005 Free Software Foundation, Inc. This is free software; see the source for copying conditions. There is NO @@ -319,6 +319,9 @@ *:OS/390:*:*) echo i370-ibm-openedition exit 0 ;; + *:z/VM:*:*) + echo s390-ibm-zvmoe + exit 0 ;; *:OS400:*:*) echo powerpc-ibm-os400 exit 0 ;; @@ -342,7 +345,7 @@ DRS?6000:unix:4.0:6*) echo sparc-icl-nx6 exit 0 ;; - DRS?6000:UNIX_SV:4.2*:7*) + DRS?6000:UNIX_SV:4.2*:7* | DRS?6000:isis:4.2*:7*) case `/usr/bin/uname -p` in sparc) echo sparc-icl-nx7 && exit 0 ;; esac ;; @@ -801,6 +804,9 @@ i*:UWIN*:*) echo ${UNAME_MACHINE}-pc-uwin exit 0 ;; + amd64:CYGWIN*:*:*) + echo x86_64-unknown-cygwin + exit 0 ;; p*:CYGWIN*:*) echo powerpcle-unknown-cygwin exit 0 ;; @@ -824,6 +830,12 @@ cris:Linux:*:*) echo cris-axis-linux-gnu exit 0 ;; + crisv32:Linux:*:*) + echo crisv32-axis-linux-gnu + exit 0 ;; + frv:Linux:*:*) + echo frv-unknown-linux-gnu + exit 0 ;; ia64:Linux:*:*) echo ${UNAME_MACHINE}-unknown-linux-gnu exit 0 ;; @@ -1128,6 +1140,10 @@ # From seanf@swdc.stratus.com. echo i860-stratus-sysv4 exit 0 ;; + i*86:VOS:*:*) + # From Paul.Green@stratus.com. + echo ${UNAME_MACHINE}-stratus-vos + exit 0 ;; *:VOS:*:*) # From Paul.Green@stratus.com. echo hppa1.1-stratus-vos @@ -1188,6 +1204,9 @@ *:QNX:*:4*) echo i386-pc-qnx exit 0 ;; + NSE-?:NONSTOP_KERNEL:*:*) + echo nse-tandem-nsk${UNAME_RELEASE} + exit 0 ;; NSR-?:NONSTOP_KERNEL:*:*) echo nsr-tandem-nsk${UNAME_RELEASE} exit 0 ;; @@ -1241,7 +1260,10 @@ A*) echo alpha-dec-vms && exit 0 ;; I*) echo ia64-dec-vms && exit 0 ;; V*) echo vax-dec-vms && exit 0 ;; - esac + esac ;; + *:XENIX:*:SysV) + echo i386-pc-xenix + exit 0 ;; esac #echo '(No uname command or uname output not recognized.)' 1>&2 
@@ -1401,7 +1423,9 @@ the operating system you are using. It is advised that you download the most up to date version of the config scripts from - ftp://ftp.gnu.org/pub/gnu/config/ + http://savannah.gnu.org/cgi-bin/viewcvs/*checkout*/config/config/config.guess +and + http://savannah.gnu.org/cgi-bin/viewcvs/*checkout*/config/config/config.sub If the version you run ($0) is already up to date, please send the following data and any information you think might be --- libmms-0.1.orig/config.sub +++ libmms-0.1/config.sub @@ -1,9 +1,9 @@ #! /bin/sh # Configuration validation subroutine script. # Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, -# 2000, 2001, 2002, 2003, 2004 Free Software Foundation, Inc. +# 2000, 2001, 2002, 2003, 2004, 2005 Free Software Foundation, Inc. -timestamp='2004-06-24' +timestamp='2005-04-22' # This file is (in principle) common to ALL GNU software. # The presence of a machine in this file suggests that SOME GNU software @@ -70,7 +70,7 @@ version="\ GNU config.sub ($timestamp) -Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004 +Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004, 2005 Free Software Foundation, Inc. This is free software; see the source for copying conditions. There is NO @@ -231,13 +231,14 @@ | alpha64 | alpha64ev[4-8] | alpha64ev56 | alpha64ev6[78] | alpha64pca5[67] \ | am33_2.0 \ | arc | arm | arm[bl]e | arme[lb] | armv[2345] | armv[345][lb] | avr \ + | bfin \ | c4x | clipper \ | d10v | d30v | dlx | dsp16xx \ | fr30 | frv \ | h8300 | h8500 | hppa | hppa1.[01] | hppa2.0 | hppa2.0[nw] | hppa64 \ | i370 | i860 | i960 | ia64 \ | ip2k | iq2000 \ - | m32r | m32rle | m68000 | m68k | m88k | mcore \ + | m32r | m32rle | m68000 | m68k | m88k | maxq | mcore \ | mips | mipsbe | mipseb | mipsel | mipsle \ | mips16 \ | mips64 | mips64el \ 
@@ -262,12 +263,13 @@ | pyramid \ | sh | sh[1234] | sh[23]e | sh[34]eb | shbe | shle | sh[1234]le | sh3ele \ | sh64 | sh64le \ - | sparc | sparc64 | sparc86x | sparclet | sparclite | sparcv8 | sparcv9 | sparcv9b \ + | sparc | sparc64 | sparc64b | sparc86x | sparclet | sparclite \ + | sparcv8 | sparcv9 | sparcv9b \ | strongarm \ | tahoe | thumb | tic4x | tic80 | tron \ | v850 | v850e \ | we32k \ - | x86 | xscale | xstormy16 | xtensa \ + | x86 | xscale | xscalee[bl] | xstormy16 | xtensa \ | z8k) basic_machine=$basic_machine-unknown ;; @@ -298,7 +300,7 @@ | alphapca5[67]-* | alpha64pca5[67]-* | arc-* \ | arm-* | armbe-* | armle-* | armeb-* | armv*-* \ | avr-* \ - | bs2000-* \ + | bfin-* | bs2000-* \ | c[123]* | c30-* | [cjt]90-* | c4x-* | c54x-* | c55x-* | c6x-* \ | clipper-* | craynv-* | cydra-* \ | d10v-* | d30v-* | dlx-* \ @@ -310,7 +312,7 @@ | ip2k-* | iq2000-* \ | m32r-* | m32rle-* \ | m68000-* | m680[012346]0-* | m68360-* | m683?2-* | m68k-* \ - | m88110-* | m88k-* | mcore-* \ + | m88110-* | m88k-* | maxq-* | mcore-* \ | mips-* | mipsbe-* | mipseb-* | mipsel-* | mipsle-* \ | mips16-* \ | mips64-* | mips64el-* \ @@ -336,15 +338,16 @@ | romp-* | rs6000-* \ | sh-* | sh[1234]-* | sh[23]e-* | sh[34]eb-* | shbe-* \ | shle-* | sh[1234]le-* | sh3ele-* | sh64-* | sh64le-* \ - | sparc-* | sparc64-* | sparc86x-* | sparclet-* | sparclite-* \ + | sparc-* | sparc64-* | sparc64b-* | sparc86x-* | sparclet-* \ + | sparclite-* \ | sparcv8-* | sparcv9-* | sparcv9b-* | strongarm-* | sv1-* | sx?-* \ | tahoe-* | thumb-* \ | tic30-* | tic4x-* | tic54x-* | tic55x-* | tic6x-* | tic80-* \ | tron-* \ | v850-* | v850e-* | vax-* \ | we32k-* \ - | x86-* | x86_64-* | xps100-* | xscale-* | xstormy16-* \ - | xtensa-* \ + | x86-* | x86_64-* | xps100-* | xscale-* | xscalee[bl]-* \ + | xstormy16-* | xtensa-* \ | ymp-* \ | z8k-*) ;; 
@@ -457,6 +460,9 @@ crds | unos) basic_machine=m68k-crds ;; + crisv32 | crisv32-* | etraxfs*) + basic_machine=crisv32-axis + ;; cris | cris-* | etrax*) basic_machine=cris-axis ;; @@ -486,6 +492,10 @@ basic_machine=m88k-motorola os=-sysv3 ;; + djgpp) + basic_machine=i586-pc + os=-msdosdjgpp + ;; dpx20 | dpx20-*) basic_machine=rs6000-bull os=-bosx @@ -1026,6 +1036,10 @@ basic_machine=hppa1.1-winbond os=-proelf ;; + xbox) + basic_machine=i686-pc + os=-mingw32 + ;; xps | xps100) basic_machine=xps100-honeywell ;; @@ -1294,6 +1308,9 @@ -kaos*) os=-kaos ;; + -zvmoe) + os=-zvmoe + ;; -none) ;; *) --- libmms-0.1.orig/debian/dirs +++ libmms-0.1/debian/dirs @@ -0,0 +1,2 @@ +usr/bin +usr/sbin --- libmms-0.1.orig/debian/docs +++ libmms-0.1/debian/docs @@ -0,0 +1,2 @@ +README +TODO --- libmms-0.1.orig/debian/control +++ libmms-0.1/debian/control @@ -0,0 +1,22 @@ +Source: libmms +Priority: optional +Maintainer: Søren Hansen +Build-Depends: debhelper (>= 4.0.0), autotools-dev, libglib2.0-dev +Standards-Version: 3.6.2 +Section: libs + +Package: libmms-dev +Section: libdevel +Architecture: any +Depends: libmms0 (= ${Source-Version}) +Description: MMS stream protocol library - development files + libmms is a library implementing the mms streaming protocol + . + These are the development files + +Package: libmms0 +Section: libs +Architecture: any +Depends: ${shlibs:Depends}, ${misc:Depends} +Description: MMS stream protocol library - development files + libmms is a library implementing the mms streaming protocol --- libmms-0.1.orig/debian/libmms0.dirs +++ libmms-0.1/debian/libmms0.dirs @@ -0,0 +1 @@ +usr/lib --- libmms-0.1.orig/debian/libmms0.install +++ libmms-0.1/debian/libmms0.install @@ -0,0 +1 @@ +usr/lib/lib*.so.* --- libmms-0.1.orig/debian/rules +++ libmms-0.1/debian/rules 
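Review bot: In the new debian/control, the `libmms0` stanza reuses the `libmms-dev` short description `MMS stream protocol library - development files`, although that package ships only the runtime shared library (`usr/lib/lib*.so.*` per libmms0.install). A description such as `Description: MMS stream protocol library - shared library` avoids misleading users about what the binary package installs.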
@@ -0,0 +1,79 @@ +#!/usr/bin/make -f + +# Uncomment this to turn on verbose mode. +#export DH_VERBOSE=1 + + +# These are used for cross-compiling and for saving the configure script +# from having to guess our platform (since we know it already) +DEB_HOST_GNU_TYPE ?= $(shell dpkg-architecture -qDEB_HOST_GNU_TYPE) +DEB_BUILD_GNU_TYPE ?= $(shell dpkg-architecture -qDEB_BUILD_GNU_TYPE) + + +CFLAGS = -Wall -g + +ifneq (,$(findstring noopt,$(DEB_BUILD_OPTIONS))) + CFLAGS += -O0 +else + CFLAGS += -O2 +endif + +config.status: configure + dh_testdir + CFLAGS="$(CFLAGS)" ./configure --host=$(DEB_HOST_GNU_TYPE) --build=$(DEB_BUILD_GNU_TYPE) --prefix=/usr --mandir=\$${prefix}/share/man --infodir=\$${prefix}/share/info + + +build: build-stamp +build-stamp: config.status + dh_testdir + $(MAKE) + + touch build-stamp + +clean: + dh_testdir + dh_testroot + rm -f build-stamp + + -$(MAKE) distclean +ifneq "$(wildcard /usr/share/misc/config.sub)" "" + cp -f /usr/share/misc/config.sub config.sub +endif +ifneq "$(wildcard /usr/share/misc/config.guess)" "" + cp -f /usr/share/misc/config.guess config.guess +endif + + + dh_clean + +install: build + dh_testdir + dh_testroot + dh_clean -k + dh_installdirs + $(MAKE) install DESTDIR=$(CURDIR)/debian/tmp + + +binary-indep: build install + +binary-arch: build install + dh_testdir + dh_testroot + dh_installchangelogs ChangeLog + dh_installdocs + dh_installexamples + dh_install --sourcedir=debian/tmp + dh_installman + dh_link + dh_strip + dh_compress + dh_fixperms + dh_makeshlibs + dh_installdeb + dh_shlibdeps + dh_gencontrol + dh_md5sums + dh_builddeb + +binary: binary-indep binary-arch +.PHONY: build clean binary-indep binary-arch binary install --- libmms-0.1.orig/debian/changelog +++ libmms-0.1/debian/changelog 
@@ -0,0 +1,28 @@ +libmms (0.1-0ubuntu1.2) breezy-security; urgency=low + + * SECURITY UPDATE: More buffer overflows. + * Additional fixes thanks to Matthias Hopf: + - even more checks on "packet_length" / "packet_len" in src/mms.c. + - fix memset() calls in the two string_utf16() implementations in + src/mms.c to clear all bytes in dest, "len" is the UTF-16 length of the + string in wide chars, so the memset should use "2 * len". + * Thanks to Loic Minier for preparing the patch for + this package. + + -- Martin Pitt Tue, 11 Jul 2006 19:23:54 +0200 + +libmms (0.1-0ubuntu1.1) breezy-security; urgency=low + + * SECURITY UPDATE: Remote DoS. + * Port Loic Minier's patch from 0.2-5 to fix memset() buffer overflows in + the MMS parser. This allowed a crafted file to write arbitrarily many + zeros into arbitrary memory. + * CVE-2006-2200 + + -- Martin Pitt Wed, 5 Jul 2006 14:10:09 +0000 + +libmms (0.1-0ubuntu1) breezy; urgency=low + + * Initial release + + -- Søren Hansen Thu, 15 Sep 2005 16:56:05 +0200 --- libmms-0.1.orig/debian/libmms-dev.dirs +++ libmms-0.1/debian/libmms-dev.dirs @@ -0,0 +1,2 @@ +usr/lib +usr/include --- libmms-0.1.orig/debian/compat +++ libmms-0.1/debian/compat @@ -0,0 +1 @@ +4 --- libmms-0.1.orig/debian/libmms-dev.install +++ libmms-0.1/debian/libmms-dev.install @@ -0,0 +1,6 @@ +usr/include/* +usr/lib/lib*.a +usr/lib/lib*.so +usr/lib/pkgconfig/* +usr/lib/*.la +usr/share/pkgconfig/* --- libmms-0.1.orig/debian/copyright +++ libmms-0.1/debian/copyright 
@@ -0,0 +1,28 @@ +This package was debianized by Søren Hansen on +Wed, 14 Sep 2005 19:44:38 +0200. + +It was downloaded from SourceForge (http://sourceforge.net/projects/libmms/ + +Copyright Holder: the xine project + +License: +Copyright (C) 2002-2004 the xine project + +This file is part of LibMMS, an MMS protocol handling library. + +xine is free software; you can redistribute it and/or modify +it under the terms of the GNU General Public License as published by +the ree Software Foundation; either version 2 of the License, or +(at your option) any later version. + +xine is distributed in the hope that it will be useful, +but WITHOUT ANY WARRANTY; without even the implied warranty of +MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +GNU General Public License for more details. + +You should have received a copy of the GNU General Public License +along with this program; if not, write to the Free Software +Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA + + +The full license can be found at /usr/share/common-licenses/LGPL-2