Diffstat (limited to 'zarb-ml/mageia-dev/2012-May/015653.html')
-rw-r--r-- | zarb-ml/mageia-dev/2012-May/015653.html | 153 |
1 files changed, 153 insertions, 0 deletions
diff --git a/zarb-ml/mageia-dev/2012-May/015653.html b/zarb-ml/mageia-dev/2012-May/015653.html new file mode 100644 index 000000000..4b9db945a --- /dev/null +++ b/zarb-ml/mageia-dev/2012-May/015653.html @@ -0,0 +1,153 @@ +<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN"> +<HTML> + <HEAD> + <TITLE> [Mageia-dev] taglib CVE for MP4 files + </TITLE> + <LINK REL="Index" HREF="index.html" > + <LINK REL="made" HREF="mailto:mageia-dev%40mageia.org?Subject=Re%3A%20%5BMageia-dev%5D%20taglib%20CVE%20for%20MP4%20files&In-Reply-To=%3C20120514234019.5b051281%40lap.shlomifish.org%3E"> + <META NAME="robots" CONTENT="index,nofollow"> + <META http-equiv="Content-Type" content="text/html; charset=us-ascii"> + <LINK REL="Previous" HREF="015650.html"> + <LINK REL="Next" HREF="015652.html"> + </HEAD> + <BODY BGCOLOR="#ffffff"> + <H1>[Mageia-dev] taglib CVE for MP4 files</H1> + <B>Shlomi Fish</B> + <A HREF="mailto:mageia-dev%40mageia.org?Subject=Re%3A%20%5BMageia-dev%5D%20taglib%20CVE%20for%20MP4%20files&In-Reply-To=%3C20120514234019.5b051281%40lap.shlomifish.org%3E" + TITLE="[Mageia-dev] taglib CVE for MP4 files">shlomif at shlomifish.org + </A><BR> + <I>Mon May 14 22:40:19 CEST 2012</I> + <P><UL> + <LI>Previous message: <A HREF="015650.html">[Mageia-dev] taglib CVE for MP4 files +</A></li> + <LI>Next message: <A HREF="015652.html">[Mageia-dev] taglib CVE for MP4 files (please push to updates) +</A></li> + <LI> <B>Messages sorted by:</B> + <a href="date.html#15653">[ date ]</a> + <a href="thread.html#15653">[ thread ]</a> + <a href="subject.html#15653">[ subject ]</a> + <a href="author.html#15653">[ author ]</a> + </LI> + </UL> + <HR> +<!--beginarticle--> +<PRE>Hi David, + +On Mon, 14 May 2012 12:50:38 -0700 (PDT) +David Walser <<A HREF="https://www.mageia.org/mailman/listinfo/mageia-dev">luigiwalser at yahoo.com</A>> wrote: + +><i> --- On Mon, 5/14/12, Shlomi Fish <<A HREF="https://www.mageia.org/mailman/listinfo/mageia-dev">shlomif at shlomifish.org</A>> wrote: +</I>><i> 
> From: Shlomi Fish <<A HREF="https://www.mageia.org/mailman/listinfo/mageia-dev">shlomif at shlomifish.org</A>> +</I>><i> > Subject: Re: [Mageia-dev] taglib CVE for MP4 files +</I>><i> > To: "Mageia development mailing-list" <<A HREF="https://www.mageia.org/mailman/listinfo/mageia-dev">mageia-dev at mageia.org</A>> +</I>><i> > Cc: <A HREF="https://www.mageia.org/mailman/listinfo/mageia-dev">luigiwalser at yahoo.com</A> +</I>><i> > Date: Monday, May 14, 2012, 3:21 PM +</I>><i> > Hi David, +</I>><i> > +</I>><i> > On Mon, 14 May 2012 11:43:46 -0700 (PDT) +</I>><i> > David Walser <<A HREF="https://www.mageia.org/mailman/listinfo/mageia-dev">luigiwalser at yahoo.com</A>> +</I>><i> > wrote: +</I>><i> > +</I>><i> > > taglib 1.7.2 was issued to fix a minor security DoS +</I>><i> > issue due to a divide by zero error in the MP4 file +</I>><i> > decoder. +</I>><i> > > +</I>><i> > > I built it in updates_testing but I don't have an MP4 +</I>><i> > file to test it with. +</I>><i> > > +</I>><i> > > If interested people could test it, it could be pushed +</I>><i> > to updates.  Thanks. +</I>><i> > > +</I>><i> > +</I>><i> > Thanks for your work. I have some .mp4s files (mostly +</I>><i> > videos) around, which I +</I>><i> > have downloaded from YouTube using youtube-dl (and you can +</I>><i> > too). But what +</I>><i> > should I do to test that the bug was fixed? Can you provide +</I>><i> > instructions? +</I>><i> +</I>><i> Thanks for your interest. +</I>><i> +</I>><i> Basically all you need to do is use an application that uses taglib and make sure it can read the metadata (mainly the length) from mp4 files without regressions from the previous version. You can find such applications with the command: +</I>><i> urpmq --whatrequires libtaglib1 (or lib64taglib1 on x86_64). +</I>><i> +</I>><i> Examples include amarok, clementine, juk, and vlc. +</I>><i> +</I>><i> If you really want to do a deep investigation you can see if there are any Proof of Concept files out there. 
The CVE affects the reading of the media header (mdhd) portion of the MP4 file. You don't really need to worry about this though. +</I> +Using VLC and the lib64taglib1 from x86_64 I was able to save the tags header on +an .mp4 file and load it again correctly. The length of the track also seemed +fine. + +Is that OK? + +Regards, + + Shlomi Fish + +-- +----------------------------------------------------------------- +Shlomi Fish <A HREF="http://www.shlomifish.org/">http://www.shlomifish.org/</A> +What Makes Software Apps High Quality - <A HREF="http://shlom.in/sw-quality">http://shlom.in/sw-quality</A> + +The bad thing about hardware is that it sometimes works and it sometimes +doesn’t. The good thing about software is that it’s consistent: it always +does not work, and it always does not work in exactly the same way. + +Please reply to list if it's a mailing list post - <A HREF="http://shlom.in/reply">http://shlom.in/reply</A> . +</PRE> + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +<!--endarticle--> + <HR> + <P><UL> + <!--threads--> + <LI>Previous message: <A HREF="015650.html">[Mageia-dev] taglib CVE for MP4 files +</A></li> + <LI>Next message: <A HREF="015652.html">[Mageia-dev] taglib CVE for MP4 files (please push to updates) +</A></li> + <LI> <B>Messages sorted by:</B> + <a href="date.html#15653">[ date ]</a> + <a href="thread.html#15653">[ thread ]</a> + <a href="subject.html#15653">[ subject ]</a> + <a href="author.html#15653">[ author ]</a> + </LI> + </UL> + +<hr> +<a href="https://www.mageia.org/mailman/listinfo/mageia-dev">More information about the Mageia-dev +mailing list</a><br> +</body></html> |
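Review bot: the new file's META tag declares `charset=us-ascii`, but the signature block inside the PRE section contains non-ASCII bytes that show up here as `doesn’t` and `it’s`, and the quoted "to updates.Â  Thanks." line has the same problem. Either declare the encoding the archived message actually uses, or convert those characters to HTML entities when the page is generated, so that the text renders as the sender wrote it. Separately, the two `mailto:` HREF values carry a raw `&In-Reply-To=`; inside an attribute value the ampersand should be written as `&amp;`. The run of about thirty empty `+` lines before `<!--endarticle-->` adds nothing to the archived message and could be dropped by the archive generator.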