Bug#: 86033
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Tavis Ormandy (RETIRED) <taviso@gentoo.org>
Description:   Opened: 2005-03-20 10:51 0000
My libprintf module identified a format string vulnerability in mpg321's
parsing of id3 comments. This could be exploited with a malicious mp3 file to
execute arbitrary code.

Mar 20 18:43:19 insomniac mpg321: [24030] no format specifiers:
fprintf(/dev/pts/10, "The Hives Are Law, You Are Cri");
Mar 20 18:43:19 insomniac mpg321: [24030] no format specifiers:
fprintf(/dev/pts/10, "The Hives                     ");
Mar 20 18:43:19 insomniac mpg321: [24030] no format specifiers:
fprintf(/dev/pts/10, "Your New Favourite Band       ");
Mar 20 18:43:19 insomniac mpg321: [24030] no format specifiers:
fprintf(/dev/pts/10, "2001");
Mar 20 18:43:19 insomniac mpg321: [24030] no format specifiers:
fprintf(/dev/pts/10, "Created by Grip               ");
Mar 20 18:43:19 insomniac mpg321: [24030] no format specifiers:
fprintf(/dev/pts/10, "Other                         ");

I checked the package and noticed mpg321-0.2.10-r2, currently only ~ppc-macos,
fixes this issue with a patch from freebsd; this fix needs to be marked stable
for everyone else to fix this issue.

An example that would crash mpg321 (in case anyone wants to verify):

$ id3tag -wnc__FOOB test.mp3
$ perl -pi -e 's/__FOOB/%.500n/g' test.mp3
$ mpg321 test.mp3

(id3tag won't set % characters in comment).
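The log lines in the report come from a wrapper that flags printf-family calls whose format argument contains no conversion directive: a "format" with no `%` directives is almost always attacker-supplied data that should have been passed as an argument to a constant `"%s"`. The following is an added illustration, not mpg321's code or the FreeBSD patch; the function names `count_format_directives` and `render_comment` are hypothetical, and the sample tag strings are constructed from the log above. It shows the heuristic behind those log lines and the hardened pattern (constant format, tag text only ever as data), so that a tag such as `%.500n` is printed literally instead of being interpreted.

```c
#include <stdio.h>
#include <string.h>

/* Count printf conversion directives in s.  A doubled "%%" is a literal
   percent sign and is not counted; a lone '%' at the end of the string is
   counted, because it is still an (incomplete) directive to printf.
   This is the heuristic behind the "no format specifiers" log lines:
   a format argument with zero directives is data, not a format. */
int count_format_directives(const char *s)
{
    int n = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {      /* "%%" is an escaped percent sign */
            p++;
            continue;
        }
        n++;
    }
    return n;
}

/* Vulnerable pattern, shown only for contrast and never called here:
 *
 *     fprintf(out, comment);   // comment is text read from the ID3 tag
 *
 * Every '%' directive in the tag is interpreted by printf, so a tag such as
 * "%.500n" makes the call write to memory rather than print text.
 * GCC's -Wformat-security (or -Werror=format-security) diagnoses exactly
 * this shape: a non-literal format string with no further arguments. */

/* Hardened form: the format string is a constant and the comment is only
   ever an argument.  Renders into buf (always NUL-terminated, truncating if
   needed) and returns the length snprintf would have produced. */
int render_comment(char *buf, size_t buflen, const char *comment)
{
    return snprintf(buf, buflen, "%s", comment);
}

int main(void)
{
    /* Constructed samples: two tag strings from the log above plus the
       directive-bearing tag used in the report's crash test. */
    const char *samples[] = {
        "The Hives Are Law, You Are Cri",
        "Created by Grip               ",
        "%.500n",
    };
    char buf[64];

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int directives = count_format_directives(samples[i]);
        render_comment(buf, sizeof buf, samples[i]);
        printf("directives=%d rendered=\"%s\"%s\n", directives, buf,
               directives ? "  <- would be dangerous as a format" : "");
    }
    return 0;
}
```

Compiled as-is, the third sample renders as the six literal characters `%.500n`; the same string handed to `fprintf` as the format argument is the crash the report describes.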

------- Comment #1 From Tavis Ormandy (RETIRED) 2005-03-20 11:28:14 0000 -------
media-sound/mpg123 is also affected by this issue.

------- Comment #2 From Tavis Ormandy (RETIRED) 2005-03-20 11:31:01 0000 -------
Oops, no it isn't. Disregard that.

------- Comment #3 From Tavis Ormandy (RETIRED) 2005-03-20 13:25:51 0000 -------
CVE-2003-0969

------- Comment #4 From Tavis Ormandy (RETIRED) 2005-03-23 06:31:48 0000 -------
The only difference between mpg321-0.2.10-r1 (currently KEYWORDS="amd64 x86
~ppc sparc mips alpha ppc64") and mpg321-0.2.10-r2 (currently KEYWORDS="-*
~ppc-macos") is the addition of a patch from freebsd which is "obviously
correct"; it fixes this security issue and looks like it fixes a couple of fd
leaks.

-r2 should be ready for arch stabilisation.

------- Comment #5 From Thierry Carrez (RETIRED) 2005-03-23 06:49:28 0000 -------
Arches, for mpg321-0.2.10-r2:
amd64 x86 sparc mips alpha ppc64: please test and mark stable
ppc: please test and mark ~ppc

CCing sound team, in case it wants to test and mark stable a few arches by itself.

------- Comment #6 From Gustavo Zacarias (RETIRED) 2005-03-23 07:09:51 0000 -------
Stable on sparc.

------- Comment #7 From Jan Brinkmann (RETIRED) 2005-03-23 07:19:14 0000 -------
stable on amd64 and x86

------- Comment #8 From Michael Hanselmann (hansmi) (RETIRED) 2005-03-23 11:55:32 0000 -------
Stable on ppc.

------- Comment #9 From Bryan Østergaard (RETIRED) 2005-03-24 07:14:55 0000 -------
Stable on alpha.

------- Comment #10 From Markus Rothe 2005-03-26 11:15:42 0000 -------
stable on ppc64

------- Comment #11 From Sune Kloppenborg Jeppesen 2005-03-28 07:49:04 0000 -------
GLSA 200503-34

------- Comment #12 From Hardave Riar (RETIRED) 2005-04-03 07:25:01 0000 -------
Stable on mips.
