Android OpenCORE pvmp3_huffman_parsing.cpp MP3 file parsing integer underflow vulnerability

Vulnerability ID 1183738 Vulnerability type Numeric error
Published 2009-02-07 Updated 2009-02-10
CVE ID CVE-2009-0475 CNNVD ID CNNVD-200902-266
Platform N/A CVSS score 6.8
|Vulnerability sources
https://www.securityfocus.com/bid/33673
https://cxsecurity.com/issue/WLB-2009020159
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200902-266
|Vulnerability details
OpenCORE is an open-source multimedia decoding subsystem. The file pvmp3_huffman_parsing.cpp in OpenCORE contains an integer underflow during Huffman decoding, which results in an incorrect bounds check when writing to a heap-allocated buffer. If a user is tricked into opening a malicious MP3 file, the overflow is triggered while decoding it; the result is a crash of the player or, through heap corruption, potentially arbitrary code execution.
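The mechanism named above (an unsigned subtraction that wraps, turning a "does this write fit?" check into a no-op, followed by Huffman-decoded samples being stored past the end of a heap buffer) is easier to reason about with a runnable model. The following C program is an added illustration of that bug class; it is constructed for this page and is neither OpenCORE's source nor the oCERT/PacketVideo patch. The side-info fields `region_start` and `big_values`, the decode loop and the harness are invented for it, and a canary-filled guard region behind the 576-sample granule buffer stands in for whatever heap data a real overflow would corrupt.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed model of the bug class, not the OpenCORE code: the side-info
 * fields, the buffer layout and the decode loop are invented for this demo. */

#define GRANULE_SAMPLES 576u   /* 32 subbands x 18 lines: one MP3 granule */
#define GUARD_SAMPLES   64u    /* canary slack so the demo hits a guard region,
                                  not heap metadata, when the write runs past */
#define CANARY          0x7FFF7FFF

typedef struct {
    uint32_t region_start;     /* index of the first sample this region fills */
    uint32_t big_values;       /* number of (x, y) pairs the frame claims */
} granule_info_t;              /* hypothetical subset of crafted side info */

/* Heap granule buffer with CANARY-filled guard slots behind the real 576. */
static int32_t *granule_alloc(void)
{
    size_t n = GRANULE_SAMPLES + GUARD_SAMPLES;
    int32_t *buf = malloc(n * sizeof *buf);
    if (!buf) return NULL;
    for (size_t i = 0; i < n; i++)
        buf[i] = (i < GRANULE_SAMPLES) ? 0 : CANARY;
    return buf;
}

/* Number of guard slots overwritten, i.e. samples stored out of bounds. */
static unsigned guard_clobbered(const int32_t *buf)
{
    unsigned hits = 0;
    for (size_t i = GRANULE_SAMPLES; i < GRANULE_SAMPLES + GUARD_SAMPLES; i++)
        if (buf[i] != CANARY) hits++;
    return hits;
}

/* Stand-in for the Huffman pair decode; only where values land matters here. */
static void decode_pair(uint32_t n, int32_t *x, int32_t *y)
{
    *x = (int32_t)(n + 1);
    *y = -(int32_t)(n + 1);
}

/* Vulnerable form: `room` is meant to bound the write, but when the frame puts
 * region_start past the end of the buffer the unsigned subtraction wraps to a
 * value near 2^32, the clamp never fires, and the loop writes out of bounds.
 * Returns the number of pairs written. */
static uint32_t decode_bigvalues_vulnerable(const granule_info_t *gr, int32_t *s)
{
    uint32_t room  = GRANULE_SAMPLES - gr->region_start;   /* can underflow */
    uint32_t pairs = gr->big_values;
    if (pairs * 2 > room)                 /* bounds check defeated by the wrap */
        pairs = room / 2;
    for (uint32_t i = 0; i < pairs; i++)
        decode_pair(i, &s[gr->region_start + 2 * i], &s[gr->region_start + 2 * i + 1]);
    return pairs;
}

/* Hardened form: validate the header field before subtracting from it, so
 * `room` cannot wrap, then clamp the pair count to what actually fits.
 * Returns pairs written, 0 for a rejected frame. */
static uint32_t decode_bigvalues_fixed(const granule_info_t *gr, int32_t *s)
{
    if (gr->region_start > GRANULE_SAMPLES)
        return 0;                                          /* malformed frame */
    uint32_t room  = GRANULE_SAMPLES - gr->region_start;   /* 0..576, no wrap */
    uint32_t pairs = gr->big_values;
    if (pairs > room / 2)
        pairs = room / 2;
    for (uint32_t i = 0; i < pairs; i++)
        decode_pair(i, &s[gr->region_start + 2 * i], &s[gr->region_start + 2 * i + 1]);
    return pairs;
}

typedef uint32_t (*decoder_fn)(const granule_info_t *, int32_t *);

/* Feed one granule header to a decoder and report guard damage. The harness
 * refuses inputs whose worst-case write would leave even the guard region
 * (that would corrupt the demo's own heap) and returns UINT_MAX for them. */
static unsigned run_granule(decoder_fn decode, uint32_t region_start,
                            uint32_t big_values, uint32_t *pairs_out)
{
    if ((uint64_t)region_start + 2 * (uint64_t)big_values > GRANULE_SAMPLES + GUARD_SAMPLES)
        return UINT_MAX;
    granule_info_t gr = { region_start, big_values };
    int32_t *buf = granule_alloc();
    if (!buf) return UINT_MAX;
    uint32_t pairs = decode(&gr, buf);
    unsigned hits = guard_clobbered(buf);
    free(buf);
    if (pairs_out) *pairs_out = pairs;
    return hits;
}

int main(void)
{
    uint32_t p;
    unsigned hits;
    /* Constructed crafted header: the region starts 4 samples past the end of
     * the buffer and claims 20 pairs; a sane header follows for comparison. */
    hits = run_granule(decode_bigvalues_vulnerable, GRANULE_SAMPLES + 4, 20, &p);
    printf("vulnerable, crafted: %u pairs, %u guard samples clobbered\n", (unsigned)p, hits);
    hits = run_granule(decode_bigvalues_fixed, GRANULE_SAMPLES + 4, 20, &p);
    printf("fixed, crafted:      %u pairs, %u guard samples clobbered\n", (unsigned)p, hits);
    hits = run_granule(decode_bigvalues_vulnerable, 560, 20, &p);
    printf("vulnerable, sane:    %u pairs, %u guard samples clobbered\n", (unsigned)p, hits);
    return 0;
}
```

On a sane header both versions behave identically, which is why the wrap goes unnoticed in normal playback; only the crafted header separates them, with the vulnerable decoder storing all 40 samples into the guard region while the hardened one rejects the frame before any arithmetic on the untrusted field. The same outcome arises with signed fields: a negative `room` compared against an unsigned or `size_t` quantity is converted to a huge value, so the fix is the range check on the header value, not a change of integer type.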
|Vulnerability EXP (oCERT advisory text)
#2009-002 OpenCORE insufficient bounds checking during MP3 decoding

Description:

OpenCORE, an open source multimedia decoding subsystem, suffers from an
integer underflow during Huffman decoding resulting in improper bounds
checking when writing to a heap allocated buffer.  Decoding a specially
crafted mp3 file will result in unexpected process termination or,
potentially, arbitrary code execution due to heap corruption.

Patches have been made available by PacketVideo:

http://ocert.org/patches/2009-002/opencore_mp3_dec.patch
http://review.source.android.com/Gerrit#change,8815

Affected version:

OpenCore <= 2.0

(secondary affected versions)

Android without change 8815

Fixed version:

OpenCore >= 2.0 with change 8815

Android with change 8815

Credit: Initial vulnerability report and sample crasher provided by
        Owen Arden <owen (at) securityevaluators (dot) com> and
        Charlie Miller <cmiller (at) securityevaluators (dot) com>.
        Thanks to PacketVideo for the comprehensive analysis and
        patching.

CVE: CVE-2009-0475

Timeline:
2009-01-21: Android Security Team informed of issue
2009-01-23: Android Security Team requested coordination aid from oCERT
2009-01-24: oCERT investigated for other potential affected projects
2009-02-05: vendor supplied patch
2009-02-05: vendor indicated that no other open source projects affected
2009-02-05: did not discover other open source projects affected
2009-02-05: emailed vendor-sec (at) lst (dot) de as a cross-check
2009-02-06: supplied vulnerability analysis to upstream vendor
2009-02-06: walked through affected code with upstream vendor
2009-02-06: CVE assignment requested and received
2009-02-07: advisory published

References:
http://review.source.android.com/Gerrit#change,8815
http://review.source.android.com/Gerrit#change,8604
http://android.git.kernel.org/?p=platform/external/opencore.git;a=summary
http://android.git.kernel.org/?p=platform/external/opencore.git;a=blob;f=codecs_v2/audio/mp3/dec/src/pvmp3_huffman_parsing.cpp;h=491c0cc1b05adecb4ed2d53489c82e7fb4f46108;hb=d8b443ddaa386ed85ba31fbd663c40423a8d4ded
http://android.git.kernel.org/?p=platform/external/opencore.git;a=blob;f=codecs_v2/audio/mp3/dec/src/pvmp3_mpeg2_stereo_proc.cpp;h=bc4c227fbd60f3f0a90355d7d52c71d46cd4a87c;hb=d8b443ddaa386ed85ba31fbd663c40423a8d4ded

Links:
http://www.packetvideo.com/products/core/index.html
http://android.git.kernel.org
http://android.com

Permalink:
http://www.ocert.org/advisories/ocert-2009-002.html

--
Will Drewry <redpig (at) ocert (dot) org>
oCERT Team :: http://ocert.org
|Affected products
Open Handset Alliance OpenCORE 2.0; Open Handset Alliance Android 0; Google Android 0
|References

Source: BID
Name: 33673
Link: http://www.securityfocus.com/bid/33673
Source: BUGTRAQ
Name: 20090207 [oCERT-2009-002] OpenCORE insufficient bounds checking during MP3 decoding
Link: http://www.securityfocus.com/archive/1/archive/1/500750/100/0/threaded
Source: MISC
Link: http://www.ocert.org/advisories/ocert-2009-002.html
Source: review.source.android.com
Link: http://review.source.android.com/Gerrit#change,8815
Source: android.git.kernel.org
Link: http://android.git.kernel.org/?p=platform/external/opencore.git;a=commit;h=7b466cd0ecfdba72c4cbd0f3a8c2001141376b0f