<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
 <HEAD>
   <TITLE> [Mageia-dev] taglib CVE for MP4 files
   </TITLE>
   <LINK REL="Index" HREF="index.html" >
   <LINK REL="made" HREF="mailto:mageia-dev%40mageia.org?Subject=Re%3A%20%5BMageia-dev%5D%20taglib%20CVE%20for%20MP4%20files&In-Reply-To=%3C1337025038.2788.YahooMailClassic%40web160505.mail.bf1.yahoo.com%3E">
   <META NAME="robots" CONTENT="index,nofollow">
   <META http-equiv="Content-Type" content="text/html; charset=us-ascii">
   <LINK REL="Previous"  HREF="015706.html">
   <LINK REL="Next"  HREF="015653.html">
 </HEAD>
 <BODY BGCOLOR="#ffffff">
   <H1>[Mageia-dev] taglib CVE for MP4 files</H1>
    <B>David Walser</B> 
    <A HREF="mailto:mageia-dev%40mageia.org?Subject=Re%3A%20%5BMageia-dev%5D%20taglib%20CVE%20for%20MP4%20files&In-Reply-To=%3C1337025038.2788.YahooMailClassic%40web160505.mail.bf1.yahoo.com%3E"
       TITLE="[Mageia-dev] taglib CVE for MP4 files">luigiwalser at yahoo.com
       </A><BR>
    <I>Mon May 14 21:50:38 CEST 2012</I>
    <P><UL>
        <LI>Previous message: <A HREF="015706.html">[Mageia-dev] sysadmin please remove tuxguitar-1.2-7.1.mga1
</A></li>
        <LI>Next message: <A HREF="015653.html">[Mageia-dev] taglib CVE for MP4 files
</A></li>
         <LI> <B>Messages sorted by:</B> 
              <a href="date.html#15650">[ date ]</a>
              <a href="thread.html#15650">[ thread ]</a>
              <a href="subject.html#15650">[ subject ]</a>
              <a href="author.html#15650">[ author ]</a>
         </LI>
       </UL>
    <HR>  
<!--beginarticle-->
<PRE>--- On Mon, 5/14/12, Shlomi Fish &lt;<A HREF="https://www.mageia.org/mailman/listinfo/mageia-dev">shlomif at shlomifish.org</A>&gt; wrote:
&gt;<i> From: Shlomi Fish &lt;<A HREF="https://www.mageia.org/mailman/listinfo/mageia-dev">shlomif at shlomifish.org</A>&gt;
</I>&gt;<i> Subject: Re: [Mageia-dev] taglib CVE for MP4 files
</I>&gt;<i> To: &quot;Mageia development mailing-list&quot; &lt;<A HREF="https://www.mageia.org/mailman/listinfo/mageia-dev">mageia-dev at mageia.org</A>&gt;
</I>&gt;<i> Cc: <A HREF="https://www.mageia.org/mailman/listinfo/mageia-dev">luigiwalser at yahoo.com</A>
</I>&gt;<i> Date: Monday, May 14, 2012, 3:21 PM
</I>&gt;<i> Hi David,
</I>&gt;<i> 
</I>&gt;<i> On Mon, 14 May 2012 11:43:46 -0700 (PDT)
</I>&gt;<i> David Walser &lt;<A HREF="https://www.mageia.org/mailman/listinfo/mageia-dev">luigiwalser at yahoo.com</A>&gt;
</I>&gt;<i> wrote:
</I>&gt;<i> 
</I>&gt;<i> &gt; taglib 1.7.2 was issued to fix a minor security DoS
</I>&gt;<i> issue due to a divide by zero error in the MP4 file
</I>&gt;<i> decoder.
</I>&gt;<i> &gt; 
</I>&gt;<i> &gt; I built it in updates_testing but I don't have an MP4
</I>&gt;<i> file to test it with.
</I>&gt;<i> &gt; 
</I>&gt;<i> &gt; If interested people could test it, it could be pushed
</I>&gt;<i> to updates.&#160; Thanks.
</I>&gt;<i> &gt; 
</I>&gt;<i> 
</I>&gt;<i> Thanks for your work. I have some .mp4 files (mostly
</I>&gt;<i> videos) around, which I
</I>&gt;<i> have downloaded from YouTube using youtube-dl (and you can
</I>&gt;<i> too). But what
</I>&gt;<i> should I do to test that the bug was fixed? Can you provide
</I>&gt;<i> instructions?
</I>
Thanks for your interest.

Basically all you need to do is use an application that uses taglib and make sure it can read the metadata (mainly the length) from mp4 files without regressions from the previous version.  You can find such applications with the command:
urpmq --whatrequires libtaglib1 (or lib64taglib1 on x86_64).

Examples include amarok, clementine, juk, and vlc.

If you really want to do a deep investigation you can see if there are any Proof of Concept files out there.  The CVE affects the reading of the media header (mdhd) portion of the MP4 file.  You don't really need to worry about this though.
</PRE>
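An added example, not part of the original message and not taglib code: a Python check that walks an MP4 file's box tree to the media header (mdhd) and returns each track's length in seconds, giving None where the timescale field is zero instead of dividing by it. It assumes the standard ISO base media file format layout of mdhd and that the divisor in the length calculation is the timescale; the function names and the sample bytes are constructed for illustration.

```python
import struct

# Container boxes on the path to the media header (ISO base media file format).
CONTAINERS = {b"moov", b"trak", b"mdia"}

def iter_boxes(buf, start=0, end=None):
    """Yield (type, payload_start, payload_end) for each box in buf[start:end]."""
    end = len(buf) if end is None else end
    pos = start
    while pos + 8 <= end:
        size, kind = struct.unpack_from(">I4s", buf, pos)
        header = 8
        if size == 1:                       # 64-bit largesize follows the type
            if pos + 16 > end:
                return
            size = struct.unpack_from(">Q", buf, pos + 8)[0]
            header = 16
        elif size == 0:                     # box runs to the end of the enclosing space
            size = end - pos
        if size < header or pos + size > end:
            return                          # malformed size: stop rather than overrun
        yield kind, pos + header, pos + size
        pos += size

def find_mdhd(buf, start=0, end=None):
    """Yield (timescale, duration) for every mdhd box under moov/trak/mdia."""
    for kind, p0, p1 in iter_boxes(buf, start, end):
        if kind in CONTAINERS:
            yield from find_mdhd(buf, p0, p1)
        elif kind == b"mdhd":
            if p1 - p0 < 1:
                continue
            version = buf[p0]               # version 1 uses 64-bit times and duration
            fmt, off = (">IQ", 4 + 16) if version == 1 else (">II", 4 + 8)
            if p0 + off + struct.calcsize(fmt) <= p1:
                yield struct.unpack_from(fmt, buf, p0 + off)

def track_lengths(buf):
    """Length in seconds per track; None where timescale is 0 (no division done)."""
    return [None if ts == 0 else dur // ts for ts, dur in find_mdhd(buf)]

def box(kind, payload):
    return struct.pack(">I4s", 8 + len(payload), kind) + payload

def sample(timescale, duration):
    # Constructed input: a version-0 mdhd nested in moov/trak/mdia, nothing else.
    mdhd = box(b"mdhd", struct.pack(">IIIIIHH", 0, 0, 0, timescale, duration, 0, 0))
    return box(b"moov", box(b"trak", box(b"mdia", mdhd)))
```

For a real file, pass its bytes to `track_lengths`; a None entry marks a media header that a reader has to handle without dividing.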
<!--endarticle-->
    <HR>

<hr>
<a href="https://www.mageia.org/mailman/listinfo/mageia-dev">More information about the Mageia-dev
mailing list</a><br>
</body></html>