Ubuntu

VLC media player RealText Processing Stack Overflow

Reported by Nicola Ferralis on 2008-11-08
268
Affects Status Importance Assigned to Milestone
vlc (Ubuntu)
Undecided
Unassigned
Hardy
Undecided
Unassigned

Bug Description

Binary package hint: vlc

http://www.trapkit.de/advisories/TKADV2008-011.txt

Includes: hardy, Intrepid, jaunty

Advisory: VLC media player RealText Processing Stack Overflow Vulnerability
Advisory ID: TKADV2008-011
Revision: 1.0
Release Date: 2008/11/05
Last Modified: 2008/11/05
Date Reported: 2008/11/03
Author: Tobias Klein (tk at trapkit.de)
Affected Software: VLC media player < 0.9.6
Remotely Exploitable: Yes
Locally Exploitable: No
Vendor URL: http://www.videolan.org/
Vendor Status: Vendor has released an updated version
Patch development time: 2 days

======================
Vulnerability details:
======================

The VLC media player contains a stack overflow vulnerability while parsing
malformed RealText (rt) subtitle files. The vulnerability can be trivially
exploited by a (remote) attacker to execute arbitrary code in the context
of VLC media player.

VLC handles subtitles automatically. It just checks the presence of a
subtitle file with the same name of the loaded video. If such a subtitle
file is found, VLC loads and parses the file.

==================
Technical Details:
==================

Source code file: modules\demux\subtitle.c

[...]
1843 static int ParseRealText( demux_t *p_demux, subtitle_t *p_subtitle,
                                int i_idx )
1844 {
1845 VLC_UNUSED( i_idx );
1846 demux_sys_t *p_sys = p_demux->p_sys;
1847 text_t *txt = &p_sys->txt;
1848 char *psz_text = NULL;
1849 [1] char psz_end[12]= "", psz_begin[12] = "";
1850
1851 for( ;; )
1852 {
1853 int h1 = 0, m1 = 0, s1 = 0, f1 = 0;
1854 int h2 = 0, m2 = 0, s2 = 0, f2 = 0;
1855 const char *s = TextGetLine( txt );
1856 free( psz_text );
1857
1858 if( !s )
1859 return VLC_EGENERIC;
1860
1861 psz_text = malloc( strlen( s ) + 1 );
1862 if( !psz_text )
1863 return VLC_ENOMEM;
1864
1865 /* Find the good begining. This removes extra spaces at the
1866 beginning of the line.*/
1867 char *psz_temp = strcasestr( s, "<time");
1868 if( psz_temp != NULL )
1869 {
1870 /* Line has begin and end */
1871 [2] if( ( sscanf( psz_temp,
1872 "<%*[t|T]ime %*[b|B]egin=\"%[^\"]\"
                        %*[e|E]nd=\"%[^\"]%*[^>]%[^\n\r]",
1873 psz_begin, psz_end, psz_text) != 3 ) &&
1874 /* Line has begin and no end */
1875 [3] ( sscanf( psz_temp,
1876 "<%*[t|T]ime
                                    %*[b|B]egin=\"%[^\"]\"%*[^>]%[^\n\r]",
1877 psz_begin, psz_text ) != 2) )
1878 /* Line is not recognized */
1879 {
1880 continue;
1881 }
[...]

[1] The stack buffers "psz_end" and "psz_begin" can be overflowed
[2] The sscanf() function reads its input from a user controlled character
    string pointed to by "psz_temp". The user controlled data gets stored
    in the stack buffers "psz_end" and "psz_begin" without any bounds
    checking. This leads to a straight stack overflow that can be trivially
    exploited by a (remote) attacker to execute arbitrary code in the
    context of VLC.
[3] see [2]

=========
Solution:
=========

  See "Workarounds" and "Solution" sections of the VideoLAN-SA-0810 [1].

========
History:
========

  2008/11/03 - Vendor notified
  2008/11/04 - Patch developed by VideoLAN team
  2008/11/05 - Public disclosure of vulnerability details by the vendor
  2008/11/05 - Release date of this security advisory

========
Credits:
========

  Vulnerability found and advisory written by Tobias Klein.

===========
References:
===========

 [1] http://www.videolan.org/security/sa0810.html
 [2] http://git.videolan.org/?p=vlc.git;a=commitdiff;h=e3cef65
     1125701a2e33a8d75b815b3e39681a447
 [3] http://www.trapkit.de/advisories/TKADV2008-011.txt

CVE References

Kees Cook (kees) wrote :
Changed in vlc (Ubuntu):
status: New → Confirmed
Nicola Ferralis (feranick) wrote :

This bug only affects intrepid and hardy, since Jaunty and karmic have vlc in version 0.9.9a. This bug should then be easily fixed (at least in intrepid) with a backport to Intrepid.

Thank you for reporting this bug.

When you updated to Lucid, does this still happen?

Changed in vlc (Ubuntu):
status: Confirmed → Incomplete
Nicola Ferralis (feranick) wrote :

No, it was fixed. It still needs the patch in Lucid, though...

Benjamin Drung (bdrung) wrote :

Only hardy is still affected (intrepid EOL).

Changed in vlc (Ubuntu Hardy):
status: New → Triaged
Changed in vlc (Ubuntu):
status: Incomplete → Fix Released
Jamie Strandboge (jdstrand) wrote :

Thank you for reporting this bug and helping to make Ubuntu better. The package referred to in this bug is in universe or multiverse and reported against a release of Ubuntu (hardy) which no longer receives updates outside of the explicitly supported LTS packages. While the bug against hardy is being marked "Won't Fix" for now, if you are interested feel free to post a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures'

Please feel free to report any other bugs you may find.

Changed in vlc (Ubuntu Hardy):
status: Triaged → Won't Fix
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Duplicates of this bug

Other bug subscribers