GStreamer plugin QuickTime media file parsing multiple buffer overflow vulnerabilities
Release date: 2009-01-22
Updated: 2009-02-09
Affected systems:
GStreamer gst-plugins-good < 0.10.12
Unaffected systems:
GStreamer gst-plugins-good 0.10.12
Description:
BUGTRAQ ID: 33405
CVE(CAN) ID: CVE-2009-0397, CVE-2009-0386, CVE-2009-0387, CVE-2009-0398
GStreamer is the multimedia framework used to build streaming-media applications under the GNOME desktop environment.
When parsing malformed QuickTime media files, GStreamer's QuickTime demuxer (qtdemux) contains several heap overflow and array-index out-of-bounds vulnerabilities. A remote attacker who gets a crafted media file opened can exploit them to execute arbitrary code with the privileges of the application using the GStreamer multimedia framework. All three issues are in qtdemux_parse_samples(): sample-table counts and indexes read straight from the file are used as loop bounds and array indexes into the heap-allocated samples[] array without being checked against the array's size or against the length of the atom they came from.
QuickTime ctts atom parsing heap overflow vulnerability
[..]
static gboolean
qtdemux_parse_samples (GstQTDemux * qtdemux, QtDemuxStream * stream,
    GNode * stbl)
{
..
  /* composition time to sample */
  if ((ctts = qtdemux_tree_get_child_by_type (stbl, FOURCC_ctts))) {
    const guint8 *ctts_data = (const guint8 *) ctts->data;
    guint32 n_entries = QT_UINT32 (ctts_data + 12);
    guint32 count;
    gint32 soffset;

    /* Fill in the pts_offsets */
    for (i = 0, j = 0; (j < stream->n_samples) && (i < n_entries); i++) {
[1]   count = QT_UINT32 (ctts_data + 16 + i * 8);
[2]   soffset = QT_UINT32 (ctts_data + 20 + i * 8);
[3]   for (k = 0; k < count; k++, j++) {
        /* we operate with very small soffset values here, it shouldn't overflow */
[4]     samples[j].pts_offset = soffset * GST_SECOND / stream->timescale;
      }
    }
  }
[..]
[1] User-supplied data from the media file fills the unsigned int variable count.
[2] User-supplied data also fills the int variable soffset.
[3] The user therefore controls the loop counter k, count and j.
[4] With j as the array index, user-controlled data (soffset * GST_SECOND / stream->timescale) is written into the samples[] heap buffer. The only bound on j, j < stream->n_samples, is tested in the outer for statement once per ctts entry; the inner loop then advances j count times without re-testing it, so a single entry with a large count writes past the end of samples[]. n_entries is likewise never checked against the size of the ctts atom that was actually read.
QuickTime stss atom parsing array index out-of-bounds vulnerability
[..]
  if (stss) {
    /* mark keyframes */
    guint32 n_sample_syncs;

[1] n_sample_syncs = QT_UINT32 ((guint8 *) stss->data + 12);
    if (n_sample_syncs == 0) {
      stream->all_keyframe = TRUE;
    } else {
      offset = 16;
[2]   for (i = 0; i < n_sample_syncs; i++) {
        /* note that the first sample is index 1, not 0 */
[3]     index = QT_UINT32 ((guint8 *) stss->data + offset);
        if (index > 0) {
[4]       samples[index - 1].keyframe = TRUE;
          offset += 4;
        }
      }
    }
  } else {
[..]
[1] User-supplied data from the media file fills the unsigned int variable n_sample_syncs.
[2] n_sample_syncs is used as the loop bound.
[3] User-supplied data fills the int variable index.
[4] Because the user-controlled index is used as the array index into samples[], the int value 0x00000001 (TRUE) can be written to an almost arbitrary memory location: the code only checks index > 0, never index <= n_samples, so samples[index - 1] can lie up to 2^32 - 2 entries (each sizeof(QtDemuxSample) bytes) beyond the start of the heap buffer. Note also that n_sample_syncs is not checked against the length of the stss atom, so the loop can read past the end of stss->data as well.
QuickTime stts atom parsing heap overflow vulnerability
[..]
[1] n_sample_times = QT_UINT32 ((guint8 *) stts->data + 12);
    timestamp = 0;
    stream->min_duration = 0;
    time = 0;
    index = 0;
[2] for (i = 0; i < n_sample_times; i++) {
      guint32 n;
      guint32 duration;

[3]   n = QT_UINT32 ((guint8 *) stts->data + 16 + 8 * i);
[8]   duration = QT_UINT32 ((guint8 *) stts->data + 16 + 8 * i + 4);
[4]   for (j = 0; j < n; j++) {
        GST_DEBUG_OBJECT (qtdemux, "sample %d: timestamp %" GST_TIME_FORMAT,
            index, GST_TIME_ARGS (timestamp));

[5]     samples[index].timestamp = timestamp;
        /* take first duration for fps */
        if (stream->min_duration == 0)
          stream->min_duration = duration;
        /* add non-scaled values to avoid rounding errors */
[9]     time += duration;
[10]    timestamp = gst_util_uint64_scale (time, GST_SECOND, stream->timescale);
[6]     samples[index].duration = timestamp - samples[index].timestamp;

[7]     index++;
      }
    }
[..]
[1] User-supplied data from the media file fills the variable n_sample_times.
[2] n_sample_times is used as the loop bound.
[3] User-supplied data fills the unsigned int variable n.
[4] n is used as the inner loop bound.
[5] + [6] With index as the array index, partially user-controlled data (see [8], [9] and [10]) is written into the samples[] buffer. Because index is incremented on every inner iteration (see [7]) and the loop bound n is user-controlled (see [3] and [4]), the writes run past the end of the samples[] buffer: nothing compares index against the number of samples the buffer was allocated for. As with the other two tables, n_sample_times is not checked against the length of the stts atom either.
<*Source: Tobias Klein
Links: http://secunia.com/advisories/33650/
http://marc.info/?l=bugtraq&m=123266069904452&w=2
https://www.redhat.com/support/errata/RHSA-2009-0271.html
https://www.redhat.com/support/errata/RHSA-2009-0270.html
https://www.redhat.com/support/errata/RHSA-2009-0269.html
http://www.debian.org/security/2009/dsa-1729
*>
Recommendations:
Vendor patches:
Debian
------
Debian has released a security advisory (DSA-1729-1) and corresponding patches (on Debian etch the QuickTime demuxer ships in the gst-plugins-bad0.10 package, which is why the fix lands there):
DSA-1729-1: New gst-plugins-bad0.10 packages fix multiple vulnerabilities
Link: http://www.debian.org/security/2009/dsa-1729
Patch download:
Source archives:
http://security.debian.org/pool/updates/main/g/gst-plugins-bad0.10/gst-plugins-bad0.10_0.10.3-3.1+etch1.dsc
Size/MD5 checksum: 819 3a44313023fb5a930247b5b981e700ae
http://security.debian.org/pool/updates/main/g/gst-plugins-bad0.10/gst-plugins-bad0.10_0.10.3.orig.tar.gz
Size/MD5 checksum: 1377759 6d09962ac9ae6218932578ccc623407f
http://security.debian.org/pool/updates/main/g/gst-plugins-bad0.10/gst-plugins-bad0.10_0.10.3-3.1+etch1.diff.gz
Size/MD5 checksum: 9477 74cfd15f0e32f3b56509e648953fdec8
alpha architecture (DEC Alpha)
http://security.debian.org/pool/updates/main/g/gst-plugins-bad0.10/gstreamer0.10-plugins-bad_0.10.3-3.1+etch1_alpha.deb
Size/MD5 checksum: 733630 5a57a10505b41e4c28bc4e0642f8650a
amd64 architecture (AMD x86_64 (AMD64))
http://security.debian.org/pool/updates/main/g/gst-plugins-bad0.10/gstreamer0.10-plugins-bad_0.10.3-3.1+etch1_amd64.deb
Size/MD5 checksum: 549878 cd0413ebf02e178ea27c5c8d16ad95fa
arm architecture (ARM)
http://security.debian.org/pool/updates/main/g/gst-plugins-bad0.10/gstreamer0.10-plugins-bad_0.10.3-3.1+etch1_arm.deb
Size/MD5 checksum: 561194 a0724a6cab918a8da823d7bf46443ef1
i386 architecture (Intel ia32)
http://security.debian.org/pool/updates/main/g/gst-plugins-bad0.10/gstreamer0.10-plugins-bad_0.10.3-3.1+etch1_i386.deb
Size/MD5 checksum: 552386 5925c3bdbbb3d1f498653ca201112ca0
ia64 architecture (Intel ia64)
http://security.debian.org/pool/updates/main/g/gst-plugins-bad0.10/gstreamer0.10-plugins-bad_0.10.3-3.1+etch1_ia64.deb
Size/MD5 checksum: 832140 365297044bf80b32378e97fa3657f201
mips architecture (MIPS (Big Endian))
http://security.debian.org/pool/updates/main/g/gst-plugins-bad0.10/gstreamer0.10-plugins-bad_0.10.3-3.1+etch1_mips.deb
Size/MD5 checksum: 619356 053cceaa42b6c38dc1cc1d64a8d3e7bd
mipsel architecture (MIPS (Little Endian))
http://security.debian.org/pool/updates/main/g/gst-plugins-bad0.10/gstreamer0.10-plugins-bad_0.10.3-3.1+etch1_mipsel.deb
Size/MD5 checksum: 600068 09cf53d117f6c449664d96bba3e3fc9a
powerpc architecture (PowerPC)
http://security.debian.org/pool/updates/main/g/gst-plugins-bad0.10/gstreamer0.10-plugins-bad_0.10.3-3.1+etch1_powerpc.deb
Size/MD5 checksum: 600966 6a0e5ed57d4da5875040be8cc96345f5
s390 architecture (IBM S/390)
http://security.debian.org/pool/updates/main/g/gst-plugins-bad0.10/gstreamer0.10-plugins-bad_0.10.3-3.1+etch1_s390.deb
Size/MD5 checksum: 580644 1bdfe57a99a1b2398fe163421d97cc9d
sparc architecture (Sun SPARC/UltraSPARC)
http://security.debian.org/pool/updates/main/g/gst-plugins-bad0.10/gstreamer0.10-plugins-bad_0.10.3-3.1+etch1_sparc.deb
Size/MD5 checksum: 576270 cbe44fa23352da55f24506ee60262bfd
Patch installation:
1. Install the patch packages manually:
First, download the patch with the following command:
# wget url (url is the patch download link)
Compare the MD5 of the downloaded file with the checksum listed above before installing, then install it with:
# dpkg -i file.deb (file is the name of the corresponding patch package)
2. Install the patch packages automatically with apt-get:
First, refresh the package database:
# apt-get update
Then install the updated packages:
# apt-get upgrade
RedHat
------
Red Hat has released a security advisory (RHSA-2009:0269-01) and corresponding patches:
RHSA-2009:0269-01: Important: gstreamer-plugins security update
Link: https://www.redhat.com/support/errata/RHSA-2009-0269.html
GStreamer
---------
The vendor has released an upgrade (gst-plugins-good 0.10.12) that fixes these issues; download it from the vendor's site:
http://gstreamer.freedesktop.org/src/gst-plugins-good/gst-plugins-good_-0.10.12.tar.bz2
