Description
Security update for live555
This update fixes two security issues in live555:
- CVE-2018-4013: Remote code execution vulnerability (bsc#1114779)
- CVE-2019-6256: Denial of Service issue with RTSP-over-HTTP tunneling via x-sessioncookie HTTP headers (boo#1121892)
This library is statically linked into VLC. However, VLC is not affected because it only uses the live555 library to implement the RTSP client.
Package list
SUSE Package Hub 15
openSUSE Leap 15.0
References
- E-Mail link for openSUSE-SU-2019:0058-1
- SUSE Security Ratings
- SUSE Bug 1114779
- SUSE Bug 1121892
- SUSE CVE CVE-2018-4013 page
- SUSE CVE CVE-2019-6256 page
Description
An exploitable code execution vulnerability exists in the HTTP packet-parsing functionality of the LIVE555 RTSP server library version 0.92. A specially crafted packet can cause a stack-based buffer overflow, resulting in code execution. An attacker can send a packet to trigger this vulnerability.
Affected products
References
- CVE-2018-4013
- SUSE Bug 1114779
Description
A Denial of Service issue was discovered in the LIVE555 Streaming Media libraries as used in Live555 Media Server 0.93. It can cause an RTSPServer crash in handleHTTPCmd_TunnelingPOST, when RTSP-over-HTTP tunneling is supported, via x-sessioncookie HTTP headers in a GET request and a POST request within the same TCP session. This occurs because of a call to an incorrect virtual function pointer in the readSocket function in GroupsockHelper.cpp.
Affected products
References
- CVE-2019-6256
- SUSE Bug 1121892