
Arch Linux alert ASA-201601-1 (rtmpdump)

From:  Jelle van der Waa <jelle@vdwaa.nl>
To:  arch-security@lists.archlinux.org
Subject:  [arch-security] [ASA-201601-1] rtmpdump: multiple issues
Date:  Sat, 2 Jan 2016 17:44:06 +0100
Message-ID:  <20160102164404.4ahy6vi2bxtilw7f@gmail.com>

Arch Linux Security Advisory ASA-201601-1
=========================================

Severity: High
Date    : 2016-01-02
CVE-ID  : Pending
Package : rtmpdump
Type    : multiple issues
Remote  : Yes
Link    : https://wiki.archlinux.org/index.php/CVE

Summary
=======

The package rtmpdump before version 1:2.4.r96.fa8646d-1 is vulnerable to
arbitrary code execution.

Resolution
==========

Upgrade to 1:2.4.r96.fa8646d-1.

# pacman -Syu "rtmpdump>=1:2.4.r96.fa8646d-1"

The problem has been fixed upstream but no updated version has been released.

Workaround
==========

None.

Description
===========

Several issues have been found in the part of rtmpdump handling RTMP
streams by LMX of Qihoo 360 Codesafe Team. These issues include memory
leak, integer overflow, type confusion when dealing with AMF strings and
objects, and several other parsing issues.

Impact
======

A remote attacker is able to craft a special rtmp stream that, when
processed, can cause arbitrary code execution.

References
==========

http://article.gmane.org/gmane.comp.security.oss.general/...
https://bugs.archlinux.org/task/47564

