Bug 143404 - media-libs/libmodplug - buffer overflows and heap overflow (CVE-2006-4192)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
URL: http://aluigi.altervista.org/adv/mpth...
Whiteboard: B2 [glsa] vorlon
Keywords:
Depends on:
Blocks:
 
Reported: 2006-08-09 17:24 UTC by Carsten Lohrke (RETIRED)
Modified: 2019-12-26 10:27 UTC

See Also:
Package list:
Runtime testing required: ---


Description Carsten Lohrke (RETIRED) gentoo-dev 2006-08-09 17:24:05 UTC
---------------------------------------------------
A] various global buffer overflows in ReadITProject
---------------------------------------------------

All the text fields in the ITP files are unsanitized, so it is possible
to overflow the global variables through this function and possibly
execute malicious code (confirmed in my tests).
Note: ITP files are not supported in libmodplug

From soundlib/Load_it.cpp:

BOOL CSoundFile::ReadITProject(LPCBYTE lpStream, DWORD dwMemLength)
{
    ...
// Song name

    // name string length: 32-bit value taken verbatim from the file
    memcpy(&id,lpStream+streamPos,sizeof(DWORD));
    len = id;
    streamPos += sizeof(DWORD);

    // name string: len is checked neither against sizeof(m_szNames[0])
    // nor against dwMemLength - streamPos, so a large len copies past
    // the fixed-size global
    memcpy(&m_szNames[0],lpStream+streamPos,len);
    streamPos += len;
    ...
    (other overflows)
    ...


------------------------------
B] heap overflow in ReadSample
------------------------------

In some modules the ReadSample function can be used to cause a heap
overflow through an invalid nLength value.
As visible in the code below, nLength is incremented by 6 bytes (mem)
and in some cases its value is multiplied by two; the final value is
then used to allocate pIns->pSample (FYI, AllocateSample allocates
"(nbytes + 39) & ~7" and returns the pointer plus 16).
An attacker, after having forced the program to allocate 0 bytes, will
be able to overflow the memory through the memcpy instructions, which
will copy (depending on nFlags) all the remaining bytes in the file.
The best type of module for exploiting this vulnerability seems to be
AMF.

From soundlib/Sndfile.cpp:

UINT CSoundFile::ReadSample(MODINSTRUMENT *pIns, UINT nFlags, LPCSTR lpMemFile, DWORD dwMemLength)
//------------------------------------------------------------------------------------------------
{
    // mem is derived from nLength before nLength is validated or clamped
    // (and pIns is dereferenced before the NULL check below); nLength+6
    // wraps at 32 bits, so nLength = 0xFFFFFFFA gives mem = 0
    UINT len = 0, mem = pIns->nLength+6;

    if ((!pIns) || (pIns->nLength < 4) || (!lpMemFile)) return 0;
    // the clamp changes nLength but not the already computed mem
    if (pIns->nLength > MAX_SAMPLE_LENGTH) pIns->nLength = MAX_SAMPLE_LENGTH;
    ...
    if ((pIns->pSample = AllocateSample(mem)) == NULL)
    ...
    default:
        // copy length is bounded by the file size only, not by mem
        len = pIns->nLength;
        if (len > dwMemLength) len = pIns->nLength = dwMemLength;
        memcpy(pIns->pSample, lpMemFile, len);
    }
    ...


http://aluigi.altervista.org/adv/mptho-adv.txt
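Added illustration, not code from the advisory, from libmodplug or from the Gentoo fix: a small C program that models the two length bugs described above (A: a stream-supplied name length driving an unbounded memcpy into a fixed global; B: the allocation size derived from nLength before nLength is range-checked, so it can wrap to 0) next to the checks that close them. The function names, NAME_SIZE, the copy_plan struct and the two name records are assumptions made for the example; MAX_SAMPLE_LENGTH = 16000000 is assumed from libmodplug's headers (the advisory only names the constant), the AllocateSample rounding is the one the advisory quotes, and the length field is assumed little-endian, as the memcpy into a DWORD implies on x86.

```c
/* Added illustration, not libmodplug or advisory code: models the two length
 * bugs from CVE-2006-4192 (A: unbounded name copy in ReadITProject, B: early
 * size arithmetic in ReadSample) and the checks that close them. NAME_SIZE,
 * copy_plan and all function names are hypothetical; MAX_SAMPLE_LENGTH is an
 * assumed value; the AllocateSample rounding follows the advisory. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_SAMPLE_LENGTH 16000000u  /* assumed value of libmodplug's limit */
#define NAME_SIZE 32                 /* hypothetical size of the song-name global */

typedef struct {
    size_t   avail;  /* usable bytes after the pointer AllocateSample returns */
    uint32_t len;    /* bytes the final memcpy would write */
} copy_plan;

/* AllocateSample as the advisory describes it: allocates (nbytes + 39) & ~7
 * and returns the pointer plus 16, leaving this many usable bytes. */
static size_t usable_sample_bytes(uint32_t nbytes) {
    return (size_t)(((nbytes + 39u) & ~7u) - 16u);
}

/* B] vulnerable order, as in ReadSample: mem is derived from nLength before
 * the range check and clamp, so nLength = 0xFFFFFFFA wraps mem to 0 while
 * the copy length is still bounded only by the file size. */
copy_plan readsample_plan_vulnerable(uint32_t nLength, uint32_t dwMemLength) {
    copy_plan p = {0, 0};
    uint32_t mem = nLength + 6u;                                  /* 32-bit wrap */
    if (nLength < 4) return p;
    if (nLength > MAX_SAMPLE_LENGTH) nLength = MAX_SAMPLE_LENGTH; /* mem unchanged */
    p.avail = usable_sample_bytes(mem);
    p.len = nLength > dwMemLength ? dwMemLength : nLength;
    return p;
}

/* Hardened order: validate and clamp first, derive mem from the clamped value
 * (which then cannot wrap), and never copy more than the block holds. */
copy_plan readsample_plan_fixed(uint32_t nLength, uint32_t dwMemLength) {
    copy_plan p = {0, 0};
    if (nLength < 4) return p;
    if (nLength > MAX_SAMPLE_LENGTH) nLength = MAX_SAMPLE_LENGTH;
    uint32_t mem = nLength + 6u;
    p.avail = usable_sample_bytes(mem);
    p.len = nLength > dwMemLength ? dwMemLength : nLength;
    if (p.len > p.avail) p.len = (uint32_t)p.avail;
    return p;
}

/* 1 when the planned memcpy would run past the allocation. */
int overruns(copy_plan p) { return p.len > p.avail; }

/* A] song-name field: a 32-bit little-endian length followed by the bytes.
 * The checked reader rejects lengths that exceed either the remaining stream
 * or the destination; the original copies len bytes unconditionally.
 * Returns 0 on success, -1 on rejection. */
int read_itp_name_checked(const uint8_t *stream, size_t streamLen, size_t *pos,
                          char *out, size_t outSize) {
    if (*pos > streamLen || streamLen - *pos < 4) return -1;
    uint32_t len = (uint32_t)stream[*pos]
                 | (uint32_t)stream[*pos + 1] << 8
                 | (uint32_t)stream[*pos + 2] << 16
                 | (uint32_t)stream[*pos + 3] << 24;
    *pos += 4;
    if (len > streamLen - *pos || len >= outSize) return -1;
    memcpy(out, stream + *pos, len);
    out[len] = '\0';
    *pos += len;
    return 0;
}

/* Constructed ITP-style name records (not real files): a 5-byte name, and a
 * record claiming 0x7FFFFFFF bytes with only one byte present. */
static const uint8_t good_name_rec[] = { 5, 0, 0, 0, 'H', 'e', 'l', 'l', 'o' };
static const uint8_t evil_name_rec[] = { 0xFF, 0xFF, 0xFF, 0x7F, 'X' };

/* Runs the checked reader over a record; 1 if it parsed to expected, else 0. */
int name_parses_to(const uint8_t *rec, size_t recLen, const char *expected) {
    char name[NAME_SIZE];
    size_t pos = 0;
    if (read_itp_name_checked(rec, recLen, &pos, name, sizeof name) != 0) return 0;
    return strcmp(name, expected) == 0;
}

int main(void) {
    copy_plan v = readsample_plan_vulnerable(0xFFFFFFFAu, 1000);
    copy_plan f = readsample_plan_fixed(0xFFFFFFFAu, 1000);
    printf("vulnerable: avail=%zu len=%u overrun=%d\n", v.avail, v.len, overruns(v));
    printf("fixed:      avail=%zu len=%u overrun=%d\n", f.avail, f.len, overruns(f));
    printf("good name: %d, evil name: %d\n",
           name_parses_to(good_name_rec, sizeof good_name_rec, "Hello"),
           name_parses_to(evil_name_rec, sizeof evil_name_rec, "X"));
    return 0;
}
```

With nLength = 0xFFFFFFFA the vulnerable ordering ends up with a 16-byte usable block and a copy bounded only by the file size, which is the "allocate 0 bytes, then copy the rest of the file" condition the advisory describes; the hardened ordering derives the size after the clamp and caps the copy at the allocation. The name reader applies the same rule the ITP case needs: a length read from the stream is checked against both the bytes left in the buffer and the size of the destination before anything is copied.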
Comment 1 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-08-10 00:20:46 UTC
Sound please advise.
Comment 2 Thomas Cort (RETIRED) gentoo-dev 2006-08-10 07:11:33 UTC
(In reply to comment #1)
> Sound please advise.

mptho-adv.txt says libmodplug <= 0.8 and current CVS are affected. It also says that 'a new version will be released soon' to fix the problem. No new version has been released yet.

libmodplug publishes releases here:
http://sourceforge.net/project/showfiles.php?group_id=1275
Comment 3 Matthias Geerdsen (RETIRED) gentoo-dev 2006-10-03 09:05:40 UTC
any news? has this been fixed in the latest version?
otherwise upstream should probably be contacted

if this is open for much longer we should mask it i guess
Comment 4 Diego Elio Pettenò (RETIRED) gentoo-dev 2006-10-03 09:12:26 UTC
I think we're still waiting for the release (I did miss this bug because I was away at the opening time)...
Comment 5 Matthias Geerdsen (RETIRED) gentoo-dev 2006-10-03 11:43:33 UTC
opened an upstream bug:
http://sourceforge.net/tracker/index.php?func=detail&aid=1570164&group_id=1275&atid=101275
Comment 6 Matthias Geerdsen (RETIRED) gentoo-dev 2006-11-02 01:52:52 UTC
0.8.4 is out and supposed to fix the issue
<quote>
Release Name: 0.8.4

Notes: A long overdue release, which adds support for .ABC and .MID files, as well as security patch [CVE-2006-4192], and a few small cleanups.
Changes: - Added Support for .ABC and .MID files (requires timidity patch sets) - Cleaned up types by using stdint.h uint*_t types (requires autoconf 2.60 to redo configure.in->configure) - Security patch, as applied in several distributions.
</quote>

security fix seems to be this one: http://modplug-xmms.cvs.sourceforge.net/modplug-xmms/libmodplug/src/sndfile.cpp?r1=1.3&r2=1.4

sound, pls provide an ebuild
Comment 7 Diego Elio Pettenò (RETIRED) gentoo-dev 2006-11-24 12:51:52 UTC
I'm on it.
Comment 8 Diego Elio Pettenò (RETIRED) gentoo-dev 2006-11-24 12:59:23 UTC
libmodplug-0.8-r1 in tree.
Comment 9 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-11-24 13:44:20 UTC
Thx Flameeyes.

Arches please test and mark stable. Target keywords are:

libmodplug-0.8-r1.ebuild:KEYWORDS="alpha amd64 arm hppa ia64 mips ppc ppc64 sh -sparc x86"
Comment 10 Markus Rothe (RETIRED) gentoo-dev 2006-11-24 15:12:20 UTC
ppc64 stable
Comment 11 Christian Faulhammer (RETIRED) gentoo-dev 2006-11-25 01:08:57 UTC
Done on x86
Comment 12 Bryan Østergaard (RETIRED) gentoo-dev 2006-11-25 08:09:22 UTC
Stable on Alpha + ia64.
Comment 13 Gustavo Zacarias (RETIRED) gentoo-dev 2006-11-27 05:12:34 UTC
huh no, it's -sparc :)
Comment 14 Tobias Scherbaum (RETIRED) gentoo-dev 2006-11-27 10:46:45 UTC
ppc stable
Comment 15 Jeroen Roovers (RETIRED) gentoo-dev 2006-11-27 19:54:06 UTC
Stable for HPPA.
Comment 16 Christoph Mende (RETIRED) gentoo-dev 2006-11-28 11:33:57 UTC
emerges fine on amd64, can't really test it since I don't have any MOD-like music files, but modplugplay emerges fine with it.

Portage 2.1.2_rc2-r2 (default-linux/amd64/2006.1/desktop, gcc-4.1.1, glibc-2.4-r4, 2.6.18-ck1-r2 x86_64)
=================================================================
System uname: 2.6.18-ck1-r2 x86_64 AMD Athlon(tm) 64 Processor 3000+
Gentoo Base System version 1.12.6
Last Sync: Tue, 28 Nov 2006 17:20:01 +0000
ccache version 2.3 [enabled]
dev-java/java-config: 1.3.7, 2.0.30
dev-lang/python:     2.4.3-r4
dev-python/pycrypto: 2.0.1-r5
dev-util/ccache:     2.3
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.60
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2
sys-devel/binutils:  2.16.1-r3
sys-devel/gcc-config: 1.3.13-r4
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.11-r2
ACCEPT_KEYWORDS="amd64"
AUTOCLEAN="yes"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=k8 -O2 -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/X11/xkb"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf /etc/java-config/vms/ /etc/revdep-rebuild /etc/terminfo"
CXXFLAGS="-march=k8 -O2 -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig buildsyspkg ccache collision-protect distlocks metadata-transfer multilib-strict parallel-fetch sandbox sfperms strict test"
GENTOO_MIRRORS="ftp://linux.rz.ruhr-uni-bochum.de/gentoo-mirror/ ftp://ftp.uni-erlangen.de/pub/mirrors/gentoo ftp://ftp.join.uni-muenster.de/pub/linux/distributions/gentoo ftp://ftp.wh2.tu-dresden.de/pub/mirrors/gentoo ftp://ftp.join.uni-muenster.de/pub/linux/distributions/gentoo ftp://ftp-stud.fht-esslingen.de/pub/Mirrors/gentoo/ ftp://ftp.gentoo.mesh-solutions.com/gentoo/ ftp://pandemonium.tiscali.de/pub/gentoo/ "
LANG="en_US.ISO-8859-15"
LC_ALL="en_US.ISO-8859-15"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_EXTRA_OPTS="--exclude-from=/etc/portage/rsync_excludes"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage/overlay /usr/local/portage/xfce"
SYNC="rsync://rsync.europe.gentoo.org/gentoo-portage"
USE="amd64 X a52 aac acpi alsa audiofile berkdb bitmap-fonts branding bzip2 cairo cdinstall cdr cli cracklib crypt cups dbus divx dlloader dri dvd dvdr dvdread eds elibc_glibc emboss encode fam ffmpeg firefox fortran gdbm gif gpm gstreamer gtk gtk2 hal iconv imagemagick input_devices_evdev input_devices_keyboard ipod jpeg kernel_linux ldap libg++ lirc lirc_devices_inputlirc logrotate mad mikmod mp3 mpeg ncurses nls nptl nptlonly offensive ogg opengl pam pcre php png ppds pppd quicktime readline reflection rtc sdl session socks5 spl ssl svg symlink tcpd tiff truetype truetype-fonts type1-fonts udev unicode userland_GNU v4l v4l2 video_cards_fglrx video_cards_radeon vim-with-x vorbis wmp xinerama xorg xv xvid zlib"
Unset:  CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LDFLAGS, LINGUAS
Comment 17 Matthias Geerdsen (RETIRED) gentoo-dev 2006-12-05 11:55:33 UTC
isn't this a B2?
changing B3->B2
Comment 18 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-12-10 06:04:30 UTC
GLSA 200612-04