Explore top 10 tips to secure your open-source projects now. Read More

×
Alerts This Week
Warning Icon 1 573
Alerts This Week
Warning Icon 1 573

Arch Linux ASA-201601-1 High Severity: Rtmpdump Remote Execution Risk

Archlinux Large Esm H446
The package rtmpdump before version 1:2.4.r96.fa8646d-1 is vulnerable to arbitrary code execution.
Arch Linux Security Advisory ASA-201601-1
========================================
Severity: High
Date    : 2016-01-02
CVE-ID  : Pending
Package : rtmpdump
Type    : multiple issues
Remote  : Yes
Link    : https://wiki.archlinux.org/title/CVE

Summary
======
The package rtmpdump before version 1:2.4.r96.fa8646d-1 is vulnerable to
arbitrary code execution.

Resolution
=========
Upgrade to 1:2.4.r96.fa8646d-1.

# pacman -Syu "rtmpdump>=1:2.4.r96.fa8646d-1"

The problem has been fixed upstream but no updated version has been
released.

Workaround
=========
None.

Description
==========
Several issues have been found in the part of rtmpdump handling RTMP
streams by LMX of Qihoo 360 Codesafe Team. These issues include memory
leak, integer overflow, type confusion when dealing with AMF strings and
objects, and several other parsing issues.

Impact
=====
A remote attacker is able to craft a special rtmp stream that, when
processed, can cause arbitrary code execution.

References
=========
https://bugs.archlinux.org/task/47564