[3.1] libebml: Several vulnerabilities (CVE-2015-8789, CVE-2015-8790, CVE-2015-8791)
CVE-2015-8789: Use-after-free vulnerability in EbmlMaster::Read()
Use-after-free vulnerability in the EbmlMaster::Read function in libEBML before 1.3.3 allows context-dependent attackers to have unspecified impact via a "deeply nested element with infinite size" followed by another element of an upper level in an EBML document.
References:
https://lists.matroska.org/pipermail/matroska-users/2015-October/006985.html
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8789
Patch:
https://github.com/Matroska-Org/libebml/commit/88409e2a94dd3b40ff81d08bf6d92f486d036b24
CVE-2015-8790: the EbmlUnicodeString::UpdateFromUTF8 function leaks information
The EbmlUnicodeString::UpdateFromUTF8 function in libEBML before 1.3.3 allows context-dependent attackers to obtain sensitive information from process heap memory via a crafted UTF-8 string, which triggers an invalid memory access.
References:
https://vuldb.com/?id.80728
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8790
Patch:
https://github.com/Matroska-Org/libebml/commit/ababb64e0c792ad2a314245233db0833ba12036b
CVE-2015-8791: function EbmlElement::ReadCodedSizeValue leaks information
The EbmlElement::ReadCodedSizeValue function in libEBML before 1.3.3 allows context-dependent attackers to obtain sensitive information from process heap memory via a crafted length value in an EBML id, which triggers an invalid memory access.
References:
https://vuldb.com/?id.80729
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8791
Patch:
https://github.com/Matroska-Org/libebml/commit/24e5cd7c666b1ddd85619d60486db0a5481c1b90
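As an added illustration of the bug class behind CVE-2015-8791 (example code, not libebml's own): a bounds-checked decoder for EBML variable-length integers, the coding used for both element IDs and element sizes, where the length prefix in the first byte must be checked against the bytes actually available before any further byte is read. The names read_ebml_vint, EbmlVint and the wrappers are hypothetical, and the inputs are constructed.

```cpp
#include <cstddef>
#include <cstdint>
#include <optional>
#include <vector>

// Decoded EBML variable-length integer (vint), as used for element IDs and
// element sizes. Hypothetical types and names, not libebml's API.
struct EbmlVint {
    std::size_t length;    // bytes on the wire, 1..8
    std::uint64_t value;   // payload with the length-marker bit stripped
    bool unknown_size;     // all payload bits set: the "size unknown" marker
};

// Decode one vint from buf[0..avail). Returns std::nullopt if the first byte
// is 0x00 (a length of 9 or more, which EBML does not allow) or if the length
// prefix claims more bytes than the buffer holds. The second check is what
// keeps a crafted length prefix from driving a read past the end of the
// buffer, the kind of invalid memory access CVE-2015-8791 describes.
std::optional<EbmlVint> read_ebml_vint(const std::uint8_t* buf, std::size_t avail) {
    if (avail == 0 || buf[0] == 0) return std::nullopt;
    std::size_t len = 1;
    std::uint8_t mask = 0x80;
    while (!(buf[0] & mask)) { ++len; mask >>= 1; }  // leading zeros + 1 = length
    if (len > avail) return std::nullopt;            // bounds check before reading
    std::uint64_t value = buf[0] & (mask - 1);       // drop the marker bit
    std::uint64_t all_ones = mask - 1;               // reserved "unknown" pattern
    for (std::size_t i = 1; i < len; ++i) {
        value = (value << 8) | buf[i];
        all_ones = (all_ones << 8) | 0xFF;
    }
    return EbmlVint{len, value, value == all_ones};
}

// Convenience wrappers over a byte vector; a length of 0 means "rejected".
std::size_t vint_length(const std::vector<std::uint8_t>& b) {
    auto r = read_ebml_vint(b.data(), b.size());
    return r ? r->length : 0;
}
std::uint64_t vint_value(const std::vector<std::uint8_t>& b) {
    auto r = read_ebml_vint(b.data(), b.size());
    return r ? r->value : 0;
}
bool vint_unknown(const std::vector<std::uint8_t>& b) {
    auto r = read_ebml_vint(b.data(), b.size());
    return r && r->unknown_size;
}
```

A truncated input such as {0x01, 0xFF} announces an 8-byte value but supplies two bytes; the decoder rejects it instead of reading six bytes beyond the buffer.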
(from redmine: issue id 5400, created on 2016-04-12, closed on 2016-04-25)
- Relations:
- parent #5397 (closed)
- Changesets:
- Revision f668c307 on 2016-04-19T14:41:39Z:
main/libebml: security upgrade to 1.3.3 (CVE-2015-8789, CVE-2015-8790, CVE-2015-8791). Fixes #5400