Bug#745301: libmms: CVE-2014-2892: heap-based buffer overflow
Sebastian Ramacher
sramacher at debian.org
Fri Apr 25 14:41:36 UTC 2014
On 2014-04-25 16:40:28, Sebastian Ramacher wrote:
> Hi Security Team,
>
> On 2014-04-20 11:59:23, Salvatore Bonaccorso wrote:
> > Source: libmms
> > Version: 0.6-1
> > Severity: grave
> > Tags: security upstream fixed-upstream
> >
> > Hi,
> >
> > the following vulnerability was published for libmms.
> >
> > CVE-2014-2892[0]:
> > heap-based buffer overflow
>
> Please find attached the debdiffs for squeeze and wheezy. Please let me know if
> it's okay to upload them to the squeeze-security and wheezy-security.
And here are the patches.
Cheers
--
Sebastian Ramacher
-------------- next part --------------
diff -u libmms-0.6/debian/changelog libmms-0.6/debian/changelog
--- libmms-0.6/debian/changelog
+++ libmms-0.6/debian/changelog
@@ -1,3 +1,11 @@
+libmms (0.6-1+squeeze2) squeeze-security; urgency=high
+
+ * Team upload.
+ * debian/patches/0002-CVE-2014-2892.patch: Apply upstream patch for
+ CVE-2014-2892. (Closes: #745301)
+
+ -- Sebastian Ramacher <sramacher at debian.org> Fri, 25 Apr 2014 16:14:59 +0200
+
libmms (0.6-1+squeeze1) stable; urgency=low
* Apply patch by Paul Burton cherry-picked from upstream git to fix
diff -u libmms-0.6/debian/patches/series libmms-0.6/debian/patches/series
--- libmms-0.6/debian/patches/series
+++ libmms-0.6/debian/patches/series
@@ -4,0 +5 @@
+0002-CVE-2014-2892.patch
only in patch2:
unchanged:
--- libmms-0.6.orig/debian/patches/0002-CVE-2014-2892.patch
+++ libmms-0.6/debian/patches/0002-CVE-2014-2892.patch
@@ -0,0 +1,22 @@
+Description: Fix heap based buffer overrun
+Bug-Debian: https://bugs.debian.org/745301
+Origin: upstream,
+ http://sourceforge.net/p/libmms/code/ci/03bcfccc22919c72742b7338d02859962861e0e8
+Last-Update: 2014-04-25
+
+diff --git a/src/mmsh.c b/src/mmsh.c
+index f7cee4a..bca7fb8 100644
+--- a/src/mmsh.c
++++ b/src/mmsh.c
+@@ -307,7 +307,10 @@ static int get_answer (mms_io_t *io, mmsh_t *this) {
+ len = 0;
+ }
+ } else {
+- len ++;
++ if (++len >= sizeof(this->buf)) {
++ lprintf("answer too large\n");
++ return 0;
++ }
+ }
+ }
+ if (this->stream_type == MMSH_UNKNOWN) {
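Review bot: The new early "return 0" in the else branch of get_answer() (taken when "++len >= sizeof(this->buf)") has no visible cleanup, and the callers are outside this hunk. Please confirm that every caller treats 0 as a hard failure and stops using the connection, since the function now exits before the "this->stream_type == MMSH_UNKNOWN" check that follows the loop. It is also worth checking how len is declared: the comparison is against a size_t, so a signed len is converted to unsigned here. That is harmless while len only counts up from 0, but it should be stated rather than assumed.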
-------------- next part --------------
diff -Nru libmms-0.6.2/debian/changelog libmms-0.6.2/debian/changelog
--- libmms-0.6.2/debian/changelog 2012-02-14 11:17:26.000000000 +0100
+++ libmms-0.6.2/debian/changelog 2014-04-25 16:15:06.000000000 +0200
@@ -1,3 +1,11 @@
+libmms (0.6.2-3+deb7u1) wheezy-security; urgency=high
+
+ * Team upload.
+ * debian/patches/0002-CVE-2014-2892.patch: Apply upstream patch for
+ CVE-2014-2892. (Closes: #745301)
+
+ -- Sebastian Ramacher <sramacher at debian.org> Fri, 25 Apr 2014 16:14:59 +0200
+
libmms (0.6.2-3) unstable; urgency=low
* Team upload.
diff -Nru libmms-0.6.2/debian/gbp.conf libmms-0.6.2/debian/gbp.conf
--- libmms-0.6.2/debian/gbp.conf 2011-01-21 11:13:39.000000000 +0100
+++ libmms-0.6.2/debian/gbp.conf 2014-04-25 16:09:10.000000000 +0200
@@ -1,6 +1,6 @@
[DEFAULT]
upstream-branch = upstream
-debian-branch = master
+debian-branch = wheezy
upstream-tag = upstream/%(version)s
debian-tag = debian/%(version)s
pristine-tar = True
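Review bot: The debian-branch switch from master to wheezy in debian/gbp.conf is not mentioned in the 0.6.2-3+deb7u1 changelog entry, which lists only 0002-CVE-2014-2892.patch. For a wheezy-security upload the debdiff should carry the fix and nothing else that is undocumented, so either add a changelog line for this packaging change or leave it out of the upload.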
diff -Nru libmms-0.6.2/debian/patches/0002-CVE-2014-2892.patch libmms-0.6.2/debian/patches/0002-CVE-2014-2892.patch
--- libmms-0.6.2/debian/patches/0002-CVE-2014-2892.patch 1970-01-01 01:00:00.000000000 +0100
+++ libmms-0.6.2/debian/patches/0002-CVE-2014-2892.patch 2014-04-25 16:10:12.000000000 +0200
@@ -0,0 +1,22 @@
+Description: Fix heap based buffer overrun
+Bug-Debian: https://bugs.debian.org/745301
+Origin: upstream,
+ http://sourceforge.net/p/libmms/code/ci/03bcfccc22919c72742b7338d02859962861e0e8
+Last-Update: 2014-04-25
+
+diff --git a/src/mmsh.c b/src/mmsh.c
+index f7cee4a..bca7fb8 100644
+--- a/src/mmsh.c
++++ b/src/mmsh.c
+@@ -307,7 +307,10 @@ static int get_answer (mms_io_t *io, mmsh_t *this) {
+ len = 0;
+ }
+ } else {
+- len ++;
++ if (++len >= sizeof(this->buf)) {
++ lprintf("answer too large\n");
++ return 0;
++ }
+ }
+ }
+ if (this->stream_type == MMSH_UNKNOWN) {
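Review bot: The embedded src/mmsh.c hunk is identical to the one in the squeeze debdiff, with the same "index f7cee4a..bca7fb8" line and the same "@@ -307,7 +307,10" header, although the two uploads are based on 0.6 and 0.6.2. Please confirm that it applies to each source tree without fuzz or offset and, if it does not, refresh the patch per release so the context matches. The DEP-3 Description ("Fix heap based buffer overrun") could also name CVE-2014-2892 and get_answer(), so the patch file is self-describing without the changelog.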
diff -Nru libmms-0.6.2/debian/patches/series libmms-0.6.2/debian/patches/series
--- libmms-0.6.2/debian/patches/series 2012-02-14 11:03:15.000000000 +0100
+++ libmms-0.6.2/debian/patches/series 2014-04-25 16:10:12.000000000 +0200
@@ -1 +1,2 @@
0001-Fixup-bswap.h-macros.patch
+0002-CVE-2014-2892.patch