|
 |
| SecurityReason | ||
| WLB | ||
| Services | ||
| RSS | ||
| Corporate | ||
| Note | ||
If you have found a vulnerability, please send to our SecurityAlert Database : |
||
Home  SecurityAlert Database |
||||
SecurityAlert : 647 CVE : CVE-2006-1502 SecurityRisk : High  (About) Remote Exploit : Yes Local Exploit : Yes Exploit Available : No Credit : XFOCUS Security Team Published : 29.03.2006
Advisory Content : -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 [xfocus-SD-060329]MPlayer: Multiple integer overflows MPlayer is a media player capable of handling multiple multimedia file formats. XFOCUS team (http://www.xfocus.org/) had discovered Multiple integer overflows .Those can lead to a heap-based buffer overflow. This could result in the execution of arbitrary code with the permissions of the user running MPlayer. Affected packages ================= ------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- media-video/mplayer <= 1.0.20060329 Description =========== [1]in libmpdemux/asfheader.c - ----------------------------------- 218 asf_scrambling_h=buffer[0]; 219 asf_scrambling_w=(buffer[2]<<8)|buffer[1]; 220 asf_scrambling_b=(buffer[4]<<8)|buffer[3]; 221 asf_scrambling_w/=asf_scrambling_b; char convert to int ,int value would be negative number. this lead to asf_descrambling() heap-based buffer overflow. [2]in libmpdemux/aviheader.c - ----------------------------------- 218 s->wLongsPerEntry = stream_read_word_le(demuxer->stream); 219 s->bIndexSubType = stream_read_char(demuxer->stream); 220 s->bIndexType = stream_read_char(demuxer->stream); 221 s->nEntriesInUse = stream_read_dword_le(demuxer->stream); 222 *(uint32_t *)s->dwChunkId = stream_read_dword_le(demuxer->stream); 223 stream_read(demuxer->stream, (char *)s->dwReserved, 3*4); 224 memset(s->dwReserved, 0, 3*4); 225 226 print_avisuperindex_chunk(s,MSGL_V); 227 228 msize = sizeof (uint32_t) * s->wLongsPerEntry * s->nEntriesInUse;[ERROR] 229 s->aIndex = malloc(msize); 230 memset (s->aIndex, 0, msize); 231 s->stdidx = malloc (s->nEntriesInUse * sizeof (avistdindex_chunk));[ERROR] 232 memset (s->stdidx, 0, s->nEntriesInUse * sizeof (avistdindex_chunk)); 233 234 // now the real index of indices 235 for (i=0; i<s->nEntriesInUse; i++) { 236 chunksize-=16; 237 s->aIndex[i].qwOffset = stream_read_dword_le(demuxer->stream) & 0xffffffff; 238 s->aIndex[i].qwOffset |= ((uint64_t)stream_read_dword_le(demuxer->stream) & 0xffffffff)<<32; 239 s->aIndex[i].dwSize = stream_read_dword_le(demuxer->stream); 240 s->aIndex[i].dwDuration = stream_read_dword_le(demuxer->stream); 241 mp_msg (MSGT_HEADER, MSGL_V, "ODML (%.4s): [%d] 0x%016"PRIx64" 0x%04x %un", 242 (s->dwChunkId), i, 243 (uint64_t)s->aIndex[i].qwOffset, s->aIndex[i].dwSize, s->aIndex[i].dwDuration); 244 } [ERROR] two integer overflows lead to a heap-based buffer overflow. NOTE: aviheader.c have another potential integer overflows. ABOUT XCON (Ad Time ;) ) ======================== XCon2006 the Fifth Information Security Conference will be held in Beijing, China, during August 18-20, 2006. ... more at xcon2006 call for paper http://www.xfocus.org/documents/200603/14.html Welcome ;) - -- Kind Regards, - --- XFOCUS Security Team http://www.xfocus.org -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.1 (GNU/Linux) iD8DBQFEKiVkwhDwaF6cSWIRAppzAJ9cCFzXSN9yuU6gNqecBlGV1IaBOgCeJfGM Vck95rxGIr86/9BZ3csUl0w= =NdG5 -----END PGP SIGNATURE-----  Feedback : If you have additional information or notice any errors regarding this security advisory, please use contact form or email us at info()securityreason()com. |
||||
| Alert | ||
libc:fts_*() Multiple Denial of Service
The fts functions are provided for traversing UNIX file hierarchies... |
||
| Apache |  |
|
» Apache Tomcat 6.0.20 and |
||
» Apache Tomcat 6.0.20 and |
||
» Apache Tomcat 6.0.20 and |
||
| PHP | |
|
- 2009-10-02| Copyright © SecurityReason.com. All Rights Reserved. |