
Bug#928306: unblock: liblivemedia/2018.11.26-1.1



Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package liblivemedia

Dear Release team,

liblivemedia 2018.11.26-1 from Buster is affected by CVE-2019-9215[1] and
CVE-2019-7314[2], two security issues in the server part of the library.

The impact is at least DoS, which is trivial to manage using a publicly
available script. In fact, these issues might allow any script kiddie to
make any live555 server fully unusable.

These issues have been fixed in oldstable and stable. Not fixing them in
Buster would be a security regression.

Sebastian Ramacher (Debian maintainer) did not want to take time for this
NMU, but did not oppose it either[3]. He meant that these CVEs only
affect the server part of the library, which is not used by reverse
dependencies.

The debdiff with the targeted fixes is attached.

[1] https://security-tracker.debian.org/tracker/CVE-2019-9215
[2] https://security-tracker.debian.org/tracker/CVE-2019-7314
[3] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=924655

unblock liblivemedia/2018.11.26-1.1

-- 
                Hugo Lefeuvre (hle)    |    www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C
diff -Nru liblivemedia-2018.11.26/debian/changelog liblivemedia-2018.11.26/debian/changelog
--- liblivemedia-2018.11.26/debian/changelog	2018-11-28 21:08:09.000000000 +0100
+++ liblivemedia-2018.11.26/debian/changelog	2019-05-01 17:56:46.000000000 +0200
@@ -1,3 +1,12 @@
+liblivemedia (2018.11.26-1.1) unstable; urgency=high
+
+  * Non-maintainer upload.
+  * CVE-2019-7314: use-after-free during RTSP stream termination.
+  * CVE-2019-9215: malformed headers lead to invalid memory access
+    in the parseAuthorizationHeader function.
+
+ -- Hugo Lefeuvre <hle@debian.org>  Wed, 01 May 2019 17:54:20 +0100
+
 liblivemedia (2018.11.26-1) unstable; urgency=medium
 
   * New upstream release.
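Review bot: the timezone offset in the new changelog trailer looks wrong: "Wed, 01 May 2019 17:54:20 +0100" is stamped +0100 while the surrounding file timestamps from the same session are +0200 (CEST, which is what applies on 1 May). Regenerate the trailer with dch so the offset matches. If #924655 is the bug tracking these two CVEs in the BTS, also add "(Closes: #924655)" to the entry so the NMU closes it on upload.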
diff -Nru liblivemedia-2018.11.26/debian/patches/CVE-2019-7314.patch liblivemedia-2018.11.26/debian/patches/CVE-2019-7314.patch
--- liblivemedia-2018.11.26/debian/patches/CVE-2019-7314.patch	1970-01-01 01:00:00.000000000 +0100
+++ liblivemedia-2018.11.26/debian/patches/CVE-2019-7314.patch	2019-05-01 17:52:25.000000000 +0200
@@ -0,0 +1,17 @@
+Description: fix use-after-free in the RTSP server implementation
+ Whenever a stream ends (via StreamState::endPlaying), the stream socket
+ is removed but the request alternative byte handler of this same stream
+ socket is not updated to reflect the stream deletion. Remote attackers
+ might leverage this vulnerability to trigger a use-after-free and
+ subsequent server crash.
+Origin: upstream
+--- a/liveMedia/OnDemandServerMediaSubsession.cpp	2016-11-28 22:42:18.000000000 +0100
++++ b/liveMedia/OnDemandServerMediaSubsession.cpp	2019-03-12 16:37:46.040247175 +0100
+@@ -582,6 +582,7 @@
+ 
+   if (dests->isTCP) {
+     if (fRTPSink != NULL) {
++      RTPInterface::clearServerRequestAlternativeByteHandler(fRTPSink->envir(), dests->tcpSocketNum);
+       fRTPSink->removeStreamSocket(dests->tcpSocketNum, dests->rtpChannelId);
+     }
+     if (fRTCPInstance != NULL) {
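Review bot: the DEP-3 header gives "Origin: upstream" but no pointer to the upstream change, and carries no Bug-Debian or Last-Update fields. Since the description identifies which upstream release this comes from only implicitly, add a reference (upstream version or URL) on the Origin line plus "Bug-Debian: https://bugs.debian.org/924655" and a Last-Update date, so the provenance of a security patch in a non-maintainer upload is auditable. The one-line fix itself, clearing the server request alternative byte handler for dests->tcpSocketNum before removeStreamSocket() drops it, matches the description in the header (handler left dangling after the stream socket is removed on the TCP path).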
diff -Nru liblivemedia-2018.11.26/debian/patches/CVE-2019-9215.patch liblivemedia-2018.11.26/debian/patches/CVE-2019-9215.patch
--- liblivemedia-2018.11.26/debian/patches/CVE-2019-9215.patch	1970-01-01 01:00:00.000000000 +0100
+++ liblivemedia-2018.11.26/debian/patches/CVE-2019-9215.patch	2019-05-01 17:52:25.000000000 +0200
@@ -0,0 +1,80 @@
+Description: fix invalid memory access in parseAuthorizationHeader
+ sscanf(fields, "%[^=]=\"\"", parameter) returns 1 even if the entry is
+ incorrectly formatted (e.g. fields = "p="), leading to excessive
+ incrementation of fields pointer later:
+   fields += strlen(parameter) + 2 /*="*/ + strlen(value) + 1 /*"*/;
+ .
+ This might allow attackers to perform invalid memory accesses.
+ .
+ This patch implements manual parsing of the keywords, allowing for better
+ error resilience.
+ .
+ Patch source: diff v2019.02.03 -> v2019.02.27
+Origin: upstream
+--- a/liveMedia/RTSPServer.cpp	2019-03-12 18:36:07.618027268 +0100
++++ b/liveMedia/RTSPServer.cpp	2019-03-12 18:36:07.614027288 +0100
+@@ -894,6 +894,8 @@
+   }
+ }
+ 
++#define SKIP_WHITESPACE while (*fields != '\0' && (*fields == ' ' || *fields == '\t')) ++fields
++
+ static Boolean parseAuthorizationHeader(char const* buf,
+ 					char const*& username,
+ 					char const*& realm,
+@@ -911,15 +913,28 @@
+   
+   // Then, run through each of the fields, looking for ones we handle:
+   char const* fields = buf + 22;
+-  while (*fields == ' ') ++fields;
+   char* parameter = strDupSize(fields);
+   char* value = strDupSize(fields);
+-  while (1) {
+-    value[0] = '\0';
+-    if (sscanf(fields, "%[^=]=\"%[^\"]\"", parameter, value) != 2 &&
+-	sscanf(fields, "%[^=]=\"\"", parameter) != 1) {
+-      break;
+-    }
++  char* p;
++  Boolean success;
++  do {
++    // Parse: <parameter>="<value>"
++    success = False;
++    parameter[0] = value[0] = '\0';
++    SKIP_WHITESPACE;
++    for (p = parameter; *fields != '\0' && *fields != ' ' && *fields != '\t' && *fields != '='; ) *p++ = *fields++;
++    SKIP_WHITESPACE;
++    if (*fields++ != '=') break; // parsing failed
++    *p = '\0'; // complete parsing <parameter>
++    SKIP_WHITESPACE;
++    if (*fields++ != '"') break; // parsing failed
++    for (p = value; *fields != '\0' && *fields != '"'; ) *p++ = *fields++;
++    if (*fields++ != '"') break; // parsing failed
++    *p = '\0'; // complete parsing <value>
++    SKIP_WHITESPACE;
++    success = True;
++
++    // Copy values for parameters that we understand:
+     if (strcmp(parameter, "username") == 0) {
+       username = strDup(value);
+     } else if (strcmp(parameter, "realm") == 0) {
+@@ -931,14 +946,12 @@
+     } else if (strcmp(parameter, "response") == 0) {
+       response = strDup(value);
+     }
+-    
+-    fields += strlen(parameter) + 2 /*="*/ + strlen(value) + 1 /*"*/;
+-    while (*fields == ',' || *fields == ' ') ++fields;
+-        // skip over any separating ',' and ' ' chars
+-    if (*fields == '\0' || *fields == '\r' || *fields == '\n') break;
+-  }
++
++    // Check for a ',', indicating that more <parameter>="<value>" pairs follow:
++  } while (*fields++ == ',');
++
+   delete[] parameter; delete[] value;
+-  return True;
++  return success;
+ }
+ 
+ Boolean RTSPServer::RTSPClientConnection
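Review bot: the rewritten parser changes the function's failure semantics in a way worth checking against real clients. The old loop returned True whenever it stopped, keeping any parameters parsed so far; the new loop sets success = False and breaks at "if (*fields++ != '"') break;" as soon as a value is not double-quoted, and then "return success;" rejects the entire header. RFC 2617 Digest headers legitimately carry unquoted token values for some parameters (algorithm, qop, nc), so a client sending e.g. algorithm=MD5 alongside the quoted fields would now fail authentication where it previously succeeded. If that is the intended upstream behaviour it should be called out in the Description; otherwise accepting a bare token for the value (stop at ',' or whitespace when no opening '"' is present) would preserve compatibility while still fixing the pointer arithmetic. Two smaller points: the SKIP_WHITESPACE macro is a bare while statement defined at file scope with a generic name and never #undef'd, so wrap it in do { } while (0) or #undef it after the function; and the parameter-name loop stops on ' ', '\t' and '=' but not on ',' or '"', so a stray ',' is swallowed into the name rather than flagged, which is harmless here since the name is only compared against fixed strings but makes the "parsing failed" comments slightly optimistic.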
diff -Nru liblivemedia-2018.11.26/debian/patches/series liblivemedia-2018.11.26/debian/patches/series
--- liblivemedia-2018.11.26/debian/patches/series	2018-08-28 20:26:21.000000000 +0200
+++ liblivemedia-2018.11.26/debian/patches/series	2019-05-01 17:55:15.000000000 +0200
@@ -2,3 +2,6 @@
 0002-Add-a-pkg-config-file-for-the-shared-libraries.patch
 0003-Link-shared-libraries-with-g-instead-of-gcc-to-fix-b.patch
 0004-Reduce-number-of-unresolved-symbols-by-linking-libra.patch
+
+CVE-2019-7314.patch
+CVE-2019-9215.patch
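Review bot: the series file gains an empty line before the two new entries. quilt ignores blank lines, so this is not a functional problem, but the existing entries are contiguous and numbered (0002-, 0003-, 0004-), so either drop the blank line or keep the numbering scheme (0005-CVE-2019-7314.patch, 0006-CVE-2019-9215.patch) for consistency with the rest of the stack.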
