Bug#: 210564
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Victor Ashirov <victor.ashirov@gmail.com>

Attachments:
- libid3tag-0.15.1b-fix_overflow.patch (patch, Victor Ashirov, 2008-02-18 08:08 0000, 485 bytes)
- strace madplay (text/plain, Victor Ashirov, 2008-02-18 08:12 0000, 46.27 KB)
- test.mp3, mp3 file for testing (application/octet-stream, Victor Ashirov, 2008-02-18 08:29 0000, 90.00 KB)


Description (Opened: 2008-02-18 08:07 0000):
http://www.mars.org/mailman/public/mad-dev/2008-January/001366.html

The problem occurs when parsing an ID3_FIELD_TYPE_STRINGLIST field,
specifically when the data to be parsed ends with '\0'.
In this case, **ptr == 0, but the condition end - *ptr is 1, so the loop
continues infinitely.

Reproducible: Always

Steps to Reproduce:
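A small C model of the failure mode in the description, added here as an example and not libid3tag's own code (parse_string, parse_stringlist and sample_field are constructed names). The buggy variant stops on the terminator and makes no progress at exactly the state described (**ptr == 0 with one byte left); the hardened variant steps past the terminator and additionally refuses to loop without progress.

```c
#include <stddef.h>

/* Constructed model of the bug in the description; not libid3tag's own code.
 * A string-list field is a run of NUL-terminated strings; the field parser
 * loops while bytes remain and calls a string parser that advances *ptr. */

/* Returns the string length and advances *ptr. With consume_nul == 0 the
 * pointer stops ON the NUL, so an empty string consumes no bytes at all. */
static size_t parse_string(const unsigned char **ptr, const unsigned char *end,
                           int consume_nul)
{
    const unsigned char *p = *ptr;
    size_t len;

    while (p < end && *p != 0)
        p++;
    len = (size_t)(p - *ptr);
    if (consume_nul && p < end)
        p++;                          /* hardened: step over the terminator */
    *ptr = p;
    return len;
}

/* Returns the number of strings parsed, or -1 when an iteration made no
 * progress. With hardened == 0 that is exactly the state in the report:
 * **ptr == 0 and end - *ptr == 1, which the real loop repeats forever
 * (comment #18 notes it also eats up all memory). The progress check
 * turns that into a bounded failure instead of a hang. */
int parse_stringlist(const unsigned char *data, size_t size, int hardened)
{
    const unsigned char *ptr = data, *end = data + size;
    int count = 0;

    while (end - ptr > 0) {
        const unsigned char *before = ptr;
        parse_string(&ptr, end, hardened);
        if (ptr == before)
            return -1;                /* no forward progress: would spin */
        count++;
    }
    return count;
}

/* Constructed input: one string terminated by '\0', as in the report. */
static const unsigned char sample_field[] = { 'T', 'i', 't', 'l', 'e', 0 };

int buggy_result(void)    { return parse_stringlist(sample_field, sizeof sample_field, 0); }
int hardened_result(void) { return parse_stringlist(sample_field, sizeof sample_field, 1); }
```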

------- Comment #1 From Victor Ashirov 2008-02-18 08:08:56 0000 -------
Created an attachment (id=143858) [details]
libid3tag-0.15.1b-fix_overflow.patch

------- Comment #2 From Victor Ashirov 2008-02-18 08:12:49 0000 -------
Created an attachment (id=143859) [details]
strace madplay

------- Comment #3 From Victor Ashirov 2008-02-18 08:29:41 0000 -------
Created an attachment (id=143861) [details]
mp3 file for testing

------- Comment #4 From Diego E. 'Flameeyes' Pettenò 2008-04-20 18:57:13 0000 -------
Security team please advise..

------- Comment #5 From Olivier Crete 2008-05-05 02:55:34 0000 -------
libid3tag-0.15.1b-r1 has this patch and more.. I guess the security guys don't
care? We should probably wait 30 days anyway since I added a lot of patches.

------- Comment #6 From Robert Buchholz 2008-05-05 08:29:59 0000 -------
(In reply to comment #5)
> libid3tag-0.15.1b-r1 has this patch and more.. I guess the security guys don't
> care? We should probably wait 30 days anyway since I added a lot of patches.

We do care, thank you for bugging again. Which of the patches you added is the
fix for this bug (because I failed to find the patch attached here in CVS)?
Also, considering this is a security bug, I'd rather fix it sooner than later.
We could agree on a five day testing period, if you like.

------- Comment #7 From Olivier Crete 2008-05-05 14:10:03 0000 -------
I'm an idiot, I forgot to add the patch for this bug; anyway, it's in now.

------- Comment #8 From Robert Buchholz 2008-05-05 14:31:33 0000 -------
(In reply to comment #7)
> I'm an idiot, I forgot to add the patch for this bug; anyway, it's in now.

We need to revbump this then, to make sure everyone who upgraded to 0.15.1b-r1
is safe from the issue.

------- Comment #9 From Olivier Crete 2008-05-05 14:40:16 0000 -------
bumped

------- Comment #10 From Robert Buchholz 2008-05-05 15:54:36 0000 -------
Arches, please test and mark stable:
=media-libs/libid3tag-0.15.1b-r2
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 release sh sparc x86"

------- Comment #11 From Jeroen Roovers 2008-05-05 18:05:18 0000 -------
Stable for HPPA.

------- Comment #12 From Markus Meier 2008-05-05 20:16:06 0000 -------
amd64/x86 stable

------- Comment #13 From Raúl Porcel 2008-05-06 13:15:28 0000 -------
alpha/ia64/sparc stable

------- Comment #14 From Tobias Scherbaum 2008-05-06 18:02:01 0000 -------
ppc stable

------- Comment #15 From Markus Rothe 2008-05-07 18:44:34 0000 -------
ppc64 stable

------- Comment #16 From Christian Hoffmann 2008-05-07 20:55:11 0000 -------
CVE-2008-2109

------- Comment #17 From Pierre-Yves Rofes 2008-05-10 11:37:35 0000 -------
Time for GLSA decision. This seems to be a client-only application, so this
would be a client DoS => voting NO.

------- Comment #18 From Robert Buchholz 2008-05-10 12:20:22 0000 -------
media-sound/mt-daapd uses this library. Also, the infinite loop will eat up all
memory, it does not only crash the player. I rather tend toward a yes here.

------- Comment #19 From Peter Volkov 2008-05-11 15:10:03 0000 -------
Fixed in release snapshot.

------- Comment #20 From Pierre-Yves Rofes 2008-05-13 20:49:20 0000 -------
(In reply to comment #18)
> media-sound/mt-daapd uses this library. Also, the infinite loop will eat up all
> memory, it does not only crash the player. I rather tend toward a yes here.

ok, changing my vote. GLSA request filed.

------- Comment #21 From Tobias Heinlein 2008-05-21 21:01:54 0000 -------
GLSA 200805-15
