[Mageia-dev] taglib CVE for MP4 files

David Walser luigiwalser at yahoo.com
Mon May 14 21:50:38 CEST 2012


--- On Mon, 5/14/12, Shlomi Fish <shlomif at shlomifish.org> wrote:
> From: Shlomi Fish <shlomif at shlomifish.org>
> Subject: Re: [Mageia-dev] taglib CVE for MP4 files
> To: "Mageia development mailing-list" <mageia-dev at mageia.org>
> Cc: luigiwalser at yahoo.com
> Date: Monday, May 14, 2012, 3:21 PM
> Hi David,
> 
> On Mon, 14 May 2012 11:43:46 -0700 (PDT)
> David Walser <luigiwalser at yahoo.com> wrote:
> 
> > taglib 1.7.2 was issued to fix a minor security DoS issue due to a divide by zero error in the MP4 file decoder.
> > 
> > I built it in updates_testing but I don't have an MP4 file to test it with.
> > 
> > If interested people could test it, it could be pushed to updates.  Thanks.
> > 
> 
> Thanks for your work. I have some .mp4 files (mostly videos) around, which I have downloaded from YouTube using youtube-dl (and you can too). But what should I do to test that the bug was fixed? Can you provide instructions?

Thanks for your interest.

Basically all you need to do is use an application that uses taglib and make sure it can read the metadata (mainly the length) from mp4 files without regressions from the previous version.  You can find such applications with the command:
urpmq --whatrequires libtaglib1 (or lib64taglib1 on x86_64).

Examples include amarok, clementine, juk, and vlc.

If you really want to do a deep investigation you can see if there are any Proof of Concept files out there.  The CVE affects the reading of the media header (mdhd) portion of the MP4 file.  You don't really need to worry about this though.
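
The check described above, as an added example that is not part of the original message and is not taglib's code: it reads the timescale and duration from the mdhd box and computes the length a player should display, for comparison with what amarok or vlc shows. Treating a zero timescale as the divide-by-zero input is an assumption (the message names only the mdhd box), and all function names are illustrative.

```python
import struct

CONTAINERS = {b"moov", b"trak", b"mdia"}   # boxes on the path down to mdhd

def iter_boxes(buf, start, end):
    """Yield (type, payload_start, payload_end) for each box in buf[start:end]."""
    pos = start
    while pos + 8 <= end:
        size, kind = struct.unpack_from(">I4s", buf, pos)
        header = 8
        if size == 1 and pos + 16 <= end:   # 64-bit largesize follows the type
            size, header = struct.unpack_from(">Q", buf, pos + 8)[0], 16
        elif size == 0:                     # box runs to the end of its parent
            size = end - pos
        if size < header or pos + size > end:
            return                          # truncated or malformed: stop here
        yield kind, pos + header, pos + size
        pos += size

def mdhd_fields(buf, start=0, end=None):
    """Return (timescale, duration) from the first mdhd box, or None."""
    end = len(buf) if end is None else end
    for kind, lo, hi in iter_boxes(buf, start, end):
        if kind == b"mdhd":
            # version 1 uses 64-bit times and duration, version 0 uses 32-bit
            fmt = ">4x8x8xIQ" if hi > lo and buf[lo] == 1 else ">4x4x4xII"
            if hi - lo < struct.calcsize(fmt):
                return None
            return struct.unpack_from(fmt, buf, lo)
        if kind in CONTAINERS:
            found = mdhd_fields(buf, lo, hi)
            if found is not None:
                return found
    return None

def length_seconds(buf):
    """Length as duration // timescale, or None when it cannot be computed."""
    fields = mdhd_fields(buf)
    # Assumed failure case: a zero timescale must never reach the division.
    if fields is None or fields[0] == 0:
        return None
    return fields[1] // fields[0]

def sample(timescale, duration):
    """Constructed input: ftyp + moov/trak/mdia/mdhd (version 0), not a real file."""
    def box(kind, payload):
        return struct.pack(">I4s", 8 + len(payload), kind) + payload
    mdhd = box(b"mdhd", struct.pack(">4xIIII", 0, 0, timescale, duration))
    return box(b"ftyp", b"isom") + box(b"moov", box(b"trak", box(b"mdia", mdhd)))
```

To check a real file, pass its full contents to length_seconds() and compare the result with the length the player reports before and after the update.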

