-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2015.0303
                       liblivemedia security update
                              9 February 2015

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           liblivemedia
Publisher:         Debian
Operating System:  Debian GNU/Linux 7
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Denial of Service               -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2013-6933  

Original Bulletin: 
   http://www.debian.org/security/2015/dsa-3156

Comment: This advisory references vulnerabilities in products which run on 
         platforms other than Debian. It is recommended that administrators 
         running liblivemedia check for an updated version of the software 
         for their operating system.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-3156-1                   security@debian.org
http://www.debian.org/security/                        Alessandro Ghedini
February 07, 2015                      http://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : liblivemedia
CVE ID         : CVE-2013-6933

A vulnerability was found in liveMedia, a set of C++ libraries for 
multimedia streaming. RTSP messages starting with whitespace were assumed 
to have a zero length, triggering an integer underflow, infinite loop, 
and then a buffer overflow. This could allow remote attackers to cause a 
denial of service (crash) or arbitrary code execution via crafted RTSP 
messages.

The packages vlc and mplayer have also been updated to reflect this 
improvement.

For the stable distribution (wheezy), this problem has been fixed in 
liblivemedia version 2012.05.17-1+wheezy1, vlc version 2.0.3-5+deb7u2+b1, 
and mplayer version 2:1.0~rc4.dfsg1+svn34540-1+deb7u1.

For the upcoming stable distribution (jessie), this problem has been 
fixed in liblivemedia version 2014.01.13-1.

For the unstable distribution (sid), this problem has been fixed in 
liblivemedia version 2014.01.13-1.

We recommend that you upgrade your liblivemedia, vlc, and mplayer 
packages.

Further information about Debian Security Advisories, how to apply these 
updates to your system and frequently asked questions can be found at: 
https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----