Apple QuickTime MOV File JVTCompEncodeFrame Function Heap Overflow Vulnerability
Release date: 2007-04-25
Updated: 2007-07-17
Affected systems:
Apple QuickTime Player 7.1.5
Unaffected systems:
Apple QuickTime Player 7.2
Description:
BUGTRAQ ID: 23650
CVE(CAN) ID: CVE-2007-2295
Apple QuickTime is a popular multimedia player that supports many media formats.
QuickTime contains a buffer overflow vulnerability in its handling of malformed MOV files; a remote attacker could exploit it to take control of the user's machine.
When QuickTime loads a malformed .mov file, the JVTCompEncodeFrame() function may fail to parse the malformed data correctly and trigger a heap overflow. The player then stops responding with a segmentation fault, or arbitrary instructions are executed with the privileges of the logged-in user.
Debug information follows:
Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_PROTECTION_FAILURE at address: 0x00041656
0x90003646 in szone_malloc ()
(gdb) bt
#0 0x90003646 in szone_malloc ()
#1 0x90003527 in malloc_zone_malloc ()
#2 0x90325591 in mem_heap_malloc ()
#3 0x90325511 in shape_alloc_bounds ()
#4 0x9170d8ec in RectRgn ()
#5 0x91726437 in SetRectRgn ()
#6 0x9436d3b4 in ICMDeviceLoop ()
#7 0x9437728a in DecompressSequenceFrameWhen ()
#8 0x94376c3a in ICMDecompressionSessionDecodeFrame ()
#9 0x98b0c58c in v2m_rDecompressSequenceFrameWhen ()
#10 0x98b1333b in v2m_decompressVideoFrame ()
#11 0x98b13cd7 in QueueAFrame ()
#12 0x98b14d49 in v2m_doWhatTheMentorTellsUs ()
#13 0x98b166ac in Video2MoviesTask ()
#14 0x90cceccf in CallComponentFunctionCommon ()
#15 0x98b056c0 in Video2ComponentDispatch ()
#16 0x90cce7f8 in CallComponentDispatch ()
#17 0x94369f27 in MediaMoviesTask ()
#18 0x94368c04 in TaskMovie_priv ()
#19 0x98bb9b42 in doIdleMovie ()
#20 0x98bc8691 in internalDoAction ()
#21 0x98bb9a1a in _MCIdle ()
#22 0x90cceb13 in CallComponentFunctionCommon ()
#23 0x98bb4f19 in _MCComponentDispatch ()
#24 0x90cce7f8 in CallComponentDispatch ()
#25 0x943679fc in MCIdle ()
#26 0x9436664d in QTOMovieObject::SendCommand ()
#27 0x9433b1e2 in DispatchQTMsg ()
#28 0x9433af0f in QTObjectTokenPriv::SendMessageToObject ()
#29 0x9433a338 in QTObjectTokenPriv::DispatchMessage ()
#30 0x9436646a in QTSendToObject ()
#31 0x95a21142 in QTObjectTokenExecuteCommand ()
#32 0x95a32f85 in -[QTMovie idle] ()
#33 0x9082a6eb in CFSetApplyFunction ()
#34 0x95a2feab in +[QTMovie idleAllMovies:] ()
#35 0x9282c2de in __NSFireTimer ()
#36 0x9082c7e2 in CFRunLoopRunSpecific ()
#37 0x9082bace in CFRunLoopRunInMode ()
#38 0x92dd78d8 in RunCurrentEventLoopInMode ()
#39 0x92dd6fe2 in ReceiveNextEventCommon ()
#40 0x92dd6e39 in BlockUntilNextEventMatchingListInMode ()
#41 0x9327d465 in _DPSNextEvent ()
#42 0x9327d056 in -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] ()
#43 0x93276ddb in -[NSApplication run] ()
#44 0x9326ad2f in NSApplicationMain ()
#45 0x00040632 in _start ()
#46 0x0004054d in start ()
(gdb)
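The advisory does not say which field of the .mov file is malformed, and the trace above shows the corruption surfacing later inside the allocator (szone_malloc) rather than at the parse site. As an added illustration, not code from the advisory or from Apple, the following Python atom walker shows the bounds check a MOV parser needs: every declared atom size is validated against the enclosing container before it is trusted for an allocation or copy. The sample atom bytes (GOOD_MOV, BAD_MOV) are constructed here for the example.

```python
import struct

# Atom types that hold child atoms (a small subset of QuickTime's container types).
CONTAINER_ATOMS = {b"moov", b"trak", b"mdia", b"minf", b"stbl", b"edts", b"udta"}


def parse_atoms(data, offset=0, end=None, depth=0):
    """Walk a QuickTime/MOV atom tree and return [(depth, type, size), ...].
    A size field that does not fit its container raises ValueError instead of being trusted."""
    end = len(data) if end is None else end
    atoms = []
    while offset < end:
        if end - offset < 8:
            raise ValueError(f"truncated atom header at offset {offset}")
        size, atype = struct.unpack(">I4s", data[offset:offset + 8])
        header = 8
        if size == 1:  # 64-bit extended size follows the type field
            if end - offset < 16:
                raise ValueError(f"truncated extended size at offset {offset}")
            size = struct.unpack(">Q", data[offset + 8:offset + 16])[0]
            header = 16
        elif size == 0:  # atom runs to the end of its container
            size = end - offset
        if size < header or size > end - offset:
            raise ValueError(f"atom {atype!r} at offset {offset} declares size {size}, "
                             f"but only {end - offset} bytes remain in its container")
        atoms.append((depth, atype.decode("latin-1"), size))
        if atype in CONTAINER_ATOMS:
            atoms.extend(parse_atoms(data, offset + header, offset + size, depth + 1))
        offset += size
    return atoms


def is_well_formed(data):
    """True if every atom in data fits inside its container."""
    try:
        parse_atoms(data)
        return True
    except ValueError:
        return False


def build_atom(atype, payload):
    """Build one atom with a 32-bit size header (used only for the constructed samples)."""
    return struct.pack(">I4s", 8 + len(payload), atype) + payload


# Constructed sample files, not taken from the advisory.
GOOD_MOV = build_atom(b"moov", build_atom(b"trak", build_atom(b"tkhd", b"\x00" * 4))) + build_atom(b"mdat", b"\xaa" * 8)
# Same layout, but the 'trak' size field claims far more than its 'moov' parent holds.
BAD_MOV = build_atom(b"moov", struct.pack(">I4s", 0x7FFFFFF0, b"trak") + b"\x00" * 4) + build_atom(b"mdat", b"\xaa" * 8)
```

Running is_well_formed over a file before handing it to a decoder rejects the oversized or truncated atom up front, which is the check a parser must make before using a size field.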
Source: Tom Ferris (tommy@security-protocols.com)
Links:
http://security-protocols.com/sp-x45-advisory.php
http://docs.info.apple.com/article.html?artnum=305947
http://www.us-cert.gov/cas/techalerts/TA07-193A.html
Recommendations:
Vendor patches:
Apple
-----
The vendor has released an upgrade patch to fix this security issue; please download it from the vendor's home page:
http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty2.pl/product=14402&cat=59&platform=osx&method=sa/
http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty2.pl/product=14401&cat=59&platform=osx&method=sa/
