OpenCORE insufficient bounds checking during MP3 decoding

2009.02.12
Credit: Will Drewry
Risk: Medium
Local: Yes
Remote: No
CWE: CWE-189


CVSS Base Score: 6.8/10
Impact Subscore: 6.4/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: Not required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

#2009-002 OpenCORE insufficient bounds checking during MP3 decoding

Description:

OpenCORE, an open source multimedia decoding subsystem, suffers from an integer underflow during Huffman decoding resulting in improper bounds checking when writing to a heap allocated buffer. Decoding a specially crafted mp3 file will result in unexpected process termination or, potentially, arbitrary code execution due to heap corruption.

Patches have been made available by PacketVideo:

http://ocert.org/patches/2009-002/opencore_mp3_dec.patch
http://review.source.android.com/Gerrit#change,8815

Affected version:

OpenCore <= 2.0 (secondary affected versions)
Android without change 8815

Fixed version:

OpenCore >= 2.0 with change 8815
Android with change 8815

Credit: Initial vulnerability report and sample crasher provided by Owen Arden <owen (at) securityevaluators (dot) com> and Charlie Miller <cmiller (at) securityevaluators (dot) com>. Thanks to PacketVideo for the comprehensive analysis and patching.
CVE: CVE-2009-0475

Timeline:

2009-01-21: Android Security Team informed of issue
2009-01-23: Android Security Team requested coordination aid from oCERT
2009-01-24: oCERT investigated for other potential affected projects
2009-02-05: vendor supplied patch
2009-02-05: vendor indicated that no other open source projects affected
2009-02-05: did not discover other open source projects affected
2009-02-05: emailed vendor-sec (at) lst (dot) de as a cross-check
2009-02-06: supplied vulnerability analysis to upstream vendor
2009-02-06: walked through affected code with upstream vendor
2009-02-06: CVE assignment requested and received
2009-02-07: advisory published

References:

http://review.source.android.com/Gerrit#change,8815
http://review.source.android.com/Gerrit#change,8604
http://android.git.kernel.org/?p=platform/external/opencore.git;a=summary
http://android.git.kernel.org/?p=platform/external/opencore.git;a=blob;f=codecs_v2/audio/mp3/dec/src/pvmp3_huffman_parsing.cpp;h=491c0cc1b05adecb4ed2d53489c82e7fb4f46108;hb=d8b443ddaa386ed85ba31fbd663c40423a8d4ded
http://android.git.kernel.org/?p=platform/external/opencore.git;a=blob;f=codecs_v2/audio/mp3/dec/src/pvmp3_mpeg2_stereo_proc.cpp;h=bc4c227fbd60f3f0a90355d7d52c71d46cd4a87c;hb=d8b443ddaa386ed85ba31fbd663c40423a8d4ded

Links:

http://www.packetvideo.com/products/core/index.html
http://android.git.kernel.org
http://android.com

Permalink: http://www.ocert.org/advisories/ocert-2009-002.html

--
Will Drewry <redpig (at) ocert (dot) org>
oCERT Team :: http://ocert.org
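
Added example, not OpenCORE or PacketVideo code: the bug class named in the Description (an integer underflow that defeats a bounds check before a buffer write) shown in one common form, with the flawed check beside a hardened one. The function names, the 576-sample buffer size and the inputs are constructed for illustration; the flawed variant only returns its decision and never writes.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define OUT_LEN 576u /* constructed size of the decoded-sample buffer */

/* Flawed check: `OUT_LEN - pos` is unsigned, so when a stream-controlled
 * `pos` exceeds OUT_LEN the subtraction wraps to a huge value and any
 * `count` is accepted. Only the decision is returned; nothing is written. */
bool accept_write_flawed(uint32_t pos, uint32_t count)
{
    uint32_t remaining = OUT_LEN - pos; /* underflows if pos > OUT_LEN */
    return count <= remaining;
}

/* Hardened check: validate `pos` first, so the subtraction cannot wrap. */
bool accept_write_checked(uint32_t pos, uint32_t count)
{
    if (pos > OUT_LEN)
        return false;
    return count <= OUT_LEN - pos; /* safe: pos <= OUT_LEN here */
}

/* Bounded write built on the hardened check; returns samples stored. */
size_t store_samples(int32_t *out, uint32_t pos,
                     const int32_t *src, uint32_t count)
{
    if (!accept_write_checked(pos, count))
        return 0; /* reject the frame instead of writing out of bounds */
    for (uint32_t i = 0; i < count; i++)
        out[pos + i] = src[i];
    return count;
}

int main(void)
{
    static int32_t out[OUT_LEN];
    const int32_t src[4] = {1, 2, 3, 4};
    /* constructed inputs: past the end, at the edge, straddling the end */
    printf("flawed  pos=580 count=4 -> %d\n", accept_write_flawed(580, 4));
    printf("checked pos=580 count=4 -> %d\n", accept_write_checked(580, 4));
    printf("stored at 572: %zu\n", store_samples(out, 572, src, 4));
    printf("stored at 574: %zu\n", store_samples(out, 574, src, 4));
    return 0;
}
```

A decoder that rejects the frame on a failed check, as `store_samples` does, turns a crafted file into a decode error rather than heap corruption.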

References:

http://www.securityfocus.com/bid/33673
http://www.securityfocus.com/archive/1/archive/1/500750/100/0/threaded
http://www.ocert.org/advisories/ocert-2009-002.html
http://review.source.android.com/Gerrit#change,8815
http://android.git.kernel.org/?p=platform/external/opencore.git;a=commit;h=7b466cd0ecfdba72c4cbd0f3a8c2001141376b0f

