Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 68343 - media-sound/mpg123: buffer overflows in httpget.c
Summary: media-sound/mpg123: buffer overflows in httpget.c
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All All
: High normal (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B2 [glsa] vorlon
Keywords:
Depends on:
Blocks:
 
Reported: 2004-10-20 21:46 UTC by Luke Macken (RETIRED)
Modified: 2011-10-30 22:41 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Luke Macken (RETIRED) gentoo-dev 2004-10-20 21:46:18 UTC
*******************************
                      * Security Advisory #01, 2004 *
                      *******************************
             Carlos Barros <barros [at] barrossecurity d0t com>
                          www.barrossecurity.com
******************************************************************************

Title: mpg123 buffer overflows

Vulnerable package(s): 
 * mpg123-pre0.59s;
 * mpg123-0.59r.

Date: 08/10/2004

Legal notice:

This Advisory is Copyright (c) 2004 Carlos Barros.
Permission is granted for the redistribution of this alert electronically. It
may not be edited in any way without the express written consent of the 
author.

Disclaimer:

The information in the advisory is believed to be accurate at the time of 
publishing based on currently available information. Use of the information 
constitutes acceptance for use in an AS IS condition. There are no warranties 
with regard to this information. Neither the author nor the publisher accepts 
any liability for any direct, indirect, or consequential loss or damage 
arising from use of, or reliance on, this information.

Introduction:

mpg123 is a real time MPEG Audio Player for Layer 1,2 and Layer3. It can be
downloaded at: www.mpg123.de

Vulnerability details:

mpg123 is prone to a buffer overflow in the function getauthfromURL.

// httpget.c, line 114
int getauthfromURL(char *url,char *auth)
{
  char *pos;

  *auth = 0;

  if (!(strncmp(url, "http://", 7)))
    url += 7;

  if( (pos = strchr(url,'@')) ) {
    int i;
    for(i=0;i<pos-url;i++) {
      if( url[i] == '/' )
         return 0;
    }
    strncpy(auth,url,pos-url);  <-- HERE
    auth[pos-url] = 0;
    strcpy(url,pos+1);
    return 1;
  }
  return 0;
}

This function is called by http_open(), line 225 from httpget.c, and passes
"purl" and "httpauth1" as parameters. purl is a dinamic allocated variable
and httpauth1 is a static (global) var with a fixed length of 256. As you
can see, getauthfromURL function copies the purl string, until a @, into
httpauth1 without checking the length. I was not able to exploit this vuln
successfull to execute arbitraty code (too lazy), but I think it is not
impossible. httpauth1 can overwrite some useful address and it is appended
into a dinamic allocated variable (request) after a base64 encoding, 
overflowing this var too. 

if (strlen(httpauth1) || httpauth) {
  char buf[1023];
  strcat (request,"Authorization: Basic ");
  if(strlen(httpauth1))
    encode64(httpauth1,buf);
  else
    encode64(httpauth,buf);
  strcat (request,buf); <-- HERE
  strcat (request,"\r\n");
}

This vulnerability can be trigged locally via
 mpg123 -@ http://AAAAAAAAAAAAAA...AAAAA@www.somesite.com/somefile.xxx,
or remotely via crafted playlist with some file formatted as shown above.

There is another buffer overflow in the function http_open. At line 245 of
httpget.c,the prgName variable (mpg123 filename) is appended into the request 
variable. 

  sprintf (request + strlen(request),
     " HTTP/1.0\r\nUser-Agent: %s/%s\r\n",
     prgName, prgVersion);

The length of this variable is not checked, so, one can create a 
specially crafted symlink to overflow the request variable. It is not a 
serious bug cause it can be only exploited locally and mpg123 is not SUID by 
default.

Timeline:

02/10/2004: Vulnerability detected.
10/10/2004: Vendor contacted. No response.
20/10/2004: Public available

******************************************************************************
Comment 1 Thierry Carrez (RETIRED) gentoo-dev 2004-10-21 02:58:45 UTC
No confirmation from upstream
Comment 2 Jeremy Huddleston (RETIRED) gentoo-dev 2004-10-21 03:04:01 UTC
Upstream is dead.  I don't have time to look at this now.  I'll try to look at it tomorrow.
Comment 3 Chris White (RETIRED) gentoo-dev 2004-10-21 08:18:43 UTC
eradicator:

 I was working on this bug last night, but didn't get a chance to fix
it fully.  It seems there's a bit of a stability issues besides the security
fix that needs to be applied.  If you can look at it and get things done 
faster, please feel free to take it, otherwise I'll keep working on it.
Comment 4 Jeremy Huddleston (RETIRED) gentoo-dev 2004-10-21 12:39:47 UTC
the stability issues are documented in other bugs, and we shouldn't worry about fixing those at the same time as this security fix.  I'm on this now and will hopefully have a releasse soon
Comment 5 Jeremy Huddleston (RETIRED) gentoo-dev 2004-10-21 14:01:01 UTC
mpg123-0.59s-r5 is fixed.  the size of httpauth1 is upperbound by strlen(purl) + 1, so we allocate that much space.  Likewise for buf, we allocate (strlen(httpauth) + 1) * 4

Archs, please test and mark stable.
Comment 6 Rajiv Aaron Manglani (RETIRED) gentoo-dev 2004-10-21 16:52:16 UTC
tried to emerge media-sound/mpg123-0.59s-r5 but the gentoo patch is not on any mirrors
that i tried and the original src is bad:

 >>> emerge (1 of 1) media-sound/mpg123-0.59s-r5 to /
[...]
>>> Downloading http://dev.gentoo.org/~eradicator/mpg123/mpg123-0.59s-gentoo-1.0.tar.bz2
--19:49:21--  http://dev.gentoo.org/%7Eeradicator/mpg123/mpg123-0.59s-gentoo-1.0.tar.bz2
           => `/usr/portage/distfiles/mpg123-0.59s-gentoo-1.0.tar.bz2'
Resolving dev.gentoo.org... 156.56.111.197
Connecting to dev.gentoo.org[156.56.111.197]:80... connected.
HTTP request sent, awaiting response... 403 Forbidden
19:49:21 ERROR 403: Forbidden.


eradicator: please chmod a+r that file. thanks.

Comment 7 Jeremy Huddleston (RETIRED) gentoo-dev 2004-10-21 17:11:34 UTC
done, sorry
Comment 8 Joe Jezak (RETIRED) gentoo-dev 2004-10-21 18:19:16 UTC
Marked ppc stable.  The patchdir variable was also wrong, so I fixed that too.
Comment 9 Jeremy Huddleston (RETIRED) gentoo-dev 2004-10-22 13:21:33 UTC
Just the following need to mark it stable
~ia64
~alpha
~mips
~ppc64

IIRC, they're all tier-2 archs, so we can put out the GLSA.
Comment 10 Bryan Østergaard (RETIRED) gentoo-dev 2004-10-22 13:59:40 UTC
Stable on alpha.
Comment 11 Thierry Carrez (RETIRED) gentoo-dev 2004-10-22 14:05:02 UTC
Ready for a GLSA
Comment 12 Matthias Geerdsen (RETIRED) gentoo-dev 2004-10-25 01:29:03 UTC
Eradicator, could you comment on the other bug mentioned in the advisory? It doesn't appear to be fixed with the new patch.
Comment 13 Matthias Geerdsen (RETIRED) gentoo-dev 2004-10-25 02:24:25 UTC
Eradicator confirmed that a patch is missing for that.
Could someone pls look into it?

going back to ebuild status and removing arches for now
Comment 14 Jeremy Huddleston (RETIRED) gentoo-dev 2004-10-25 15:26:31 UTC
ok, -r6 has been added which addresses all 3 security fixes.  The changes to fix the last bug found that buffer overflows could easily result from more than just the prgName variable.  The httpauth lengths were not considered, and the proxy server was not considered.  This is now fixed now by allocating the corerct size to request.

Archs, please test -r6.
Comment 15 Joe Jezak (RETIRED) gentoo-dev 2004-10-25 16:01:05 UTC
Tested and marked stable on ppc.
Comment 16 Bryan Østergaard (RETIRED) gentoo-dev 2004-10-25 17:54:33 UTC
-r6 stable on alpha.
Comment 17 Kurt Lieber (RETIRED) gentoo-dev 2004-10-27 05:26:44 UTC
glsa 20041027
Comment 18 Tom Gall (RETIRED) gentoo-dev 2004-10-30 08:55:17 UTC
stable on ppc64, 
Comment 19 René Rhéaume (a.k.a. repzilon, rener) 2004-11-04 05:29:18 UTC
Could this vulnerability affect the MP3 plugin based on mpg123 included in XMMS and Beep Media Player?
Comment 20 Jeremy Huddleston (RETIRED) gentoo-dev 2004-11-04 13:00:55 UTC
re: comment #19:

no
Comment 21 Hardave Riar (RETIRED) gentoo-dev 2004-11-08 01:13:04 UTC
Stable on mips.