I recently reported to Red Hat a remote buffer overflow vulnerability in grip. I've since investigated the heritage of the code and found that 2 other packages (libcdaudio and the gnome-vfs2 cdda module) are likely affected in the same way. I can't easily test the vulnerability in those packages, but it seems likely that the vulnerability exists. I've attached untested patches for both packages. The vulnerability would be triggered when the CDDB server returns more than MAX_INEXACT_MATCHES (i.e. 16) matches to a query. This overflows an array in the client code. The potential exploit involves a rogue/hijacked CDDB server, or a CDDB server to which an attacker has submitted multiple specially constructed DB entries. Such a server could return matches containing exploit code.
To avoid any confusion: the above is taken from Vendor-Sec, it is NOT my work. The grip issue mentioned did not apply to our version; I haven't checked whether this is also the case for libcdaudio and gnome-vfs.
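The report above describes the bug only in prose (a CDDB "query" reply with more than MAX_INEXACT_MATCHES lines is stored into a 16-entry array with no bound check). The following is an added example, not code from grip, libcdaudio, gnome-vfs or the attached patches: it shows the shape of the unbounded loop next to a bounded parser that drains the extra lines instead of storing them. The struct layout, field sizes, function names and the constructed sample response are assumptions for illustration; the status codes 200/202/210/211 and the "." terminator are from the CDDB protocol.

```c
/* Added example, not the affected projects' code. Names, sizes and the
 * sample response are assumptions made for illustration. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_INEXACT_MATCHES 16   /* the limit named in the report */

struct cddb_match {              /* assumed layout */
    char category[16];
    unsigned long discid;
    char title[64];
};

/* Copy the next line of *p (without CR/LF) into buf and advance *p. 0 at end. */
static int next_line(const char **p, char *buf, size_t bufsz)
{
    const char *s = *p, *e;
    size_t n;
    if (*s == '\0')
        return 0;
    e = strchr(s, '\n');
    n = e ? (size_t)(e - s) : strlen(s);
    if (n && s[n - 1] == '\r')
        n--;
    if (n >= bufsz)
        n = bufsz - 1;
    memcpy(buf, s, n);
    buf[n] = '\0';
    *p = e ? e + 1 : s + strlen(s);
    return 1;
}

/* Parse one "category discid title..." line; 0 if malformed. */
static int parse_match_line(const char *line, struct cddb_match *m)
{
    char cat[32];
    int off = 0;
    if (sscanf(line, "%31s %lx %n", cat, &m->discid, &off) < 2)
        return 0;
    snprintf(m->category, sizeof m->category, "%s", cat);
    snprintf(m->title, sizeof m->title, "%s", line + off);
    return 1;
}

/* The vulnerable shape: after a 211 status every line up to "." is stored at
 * out[n++] with no check against the size of out. In the affected clients out
 * was a fixed MAX_INEXACT_MATCHES array, so a longer reply writes past it.
 * Returns entries stored; the caller must supply room for the whole reply. */
static int legacy_parse_query(const char *resp, struct cddb_match *out)
{
    char line[256];
    int n = 0;
    if (!next_line(&resp, line, sizeof line) || strncmp(line, "211", 3) != 0)
        return 0;
    while (next_line(&resp, line, sizeof line)) {
        if (strcmp(line, ".") == 0)
            break;
        if (parse_match_line(line, &out[n]))   /* no bound on n */
            n++;
    }
    return n;
}

/* Bounded form: never stores more than cap entries, still consumes the rest
 * of the list so the stream stays in sync, and flags truncation. -1 on a
 * status this parser does not handle. truncated may be NULL. */
static int parse_query_response(const char *resp, struct cddb_match *out,
                                size_t cap, int *truncated)
{
    char line[256];
    size_t n = 0;
    if (truncated)
        *truncated = 0;
    if (!next_line(&resp, line, sizeof line))
        return -1;
    if (strncmp(line, "202", 3) == 0)                 /* no match */
        return 0;
    if (strncmp(line, "200 ", 4) == 0)                /* single exact match */
        return (cap > 0 && parse_match_line(line + 4, &out[0])) ? 1 : 0;
    if (strncmp(line, "211", 3) != 0 && strncmp(line, "210", 3) != 0)
        return -1;                                    /* 210/211: list follows */
    while (next_line(&resp, line, sizeof line)) {
        if (strcmp(line, ".") == 0)
            break;
        if (n >= cap) {                               /* drain, do not store */
            if (truncated)
                *truncated = 1;
            continue;
        }
        if (parse_match_line(line, &out[n]))
            n++;
    }
    return (int)n;
}

/* Constructed 211 reply with nmatches entries (not from a real server). */
static char *make_query_response(int nmatches)
{
    size_t sz = 96 + (size_t)nmatches * 96;
    char *buf = malloc(sz), *p;
    int i;
    if (!buf)
        return NULL;
    p = buf + snprintf(buf, sz, "211 Found inexact matches, list follows (until terminating `.')\r\n");
    for (i = 0; i < nmatches; i++)
        p += snprintf(p, sz - (size_t)(p - buf), "rock %08lx Example Artist / Album %d\r\n",
                      0x8a0b1c00UL + (unsigned long)i, i);
    snprintf(p, sz - (size_t)(p - buf), ".\r\n");
    return buf;
}

/* Entries the legacy loop stores for an n-match reply (given n slots so the
 * demonstration itself stays in bounds). */
int legacy_stores_for(int n)
{
    struct cddb_match *buf = calloc((size_t)n + 1, sizeof *buf);
    char *resp = make_query_response(n);
    int stored = (buf && resp) ? legacy_parse_query(resp, buf) : -1;
    free(buf);
    free(resp);
    return stored;
}

/* Entries kept by the bounded parser with a MAX_INEXACT_MATCHES array. */
int hardened_stores_for(int n, int *truncated)
{
    struct cddb_match slots[MAX_INEXACT_MATCHES];
    char *resp = make_query_response(n);
    int stored = resp ? parse_query_response(resp, slots, MAX_INEXACT_MATCHES, truncated) : -1;
    free(resp);
    return stored;
}

int hardened_truncated_for(int n)
{
    int t = 0;
    hardened_stores_for(n, &t);
    return t;
}

int main(void)
{
    int t = 0;
    printf("20-match reply: legacy loop stores %d entries into a %d-entry array\n",
           legacy_stores_for(20), MAX_INEXACT_MATCHES);
    printf("bounded parser keeps %d, truncated=%d\n", hardened_stores_for(20, &t), t);
    return 0;
}
```

The bounded parser keeps reading until the "." line even once the array is full; stopping early would leave the rest of the list in the socket and desynchronise the next command, which is the other easy mistake when patching this pattern.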
Created attachment 53233 [details, diff] gnome-vfs2.patch
Created attachment 53234 [details, diff] libcdaudio.patch
GNOME team: please patch and bump gnome-vfs. gnome-vfs2.patch applies cleanly to 2.8.3-r1 or 2.8.4, so your choice for the fixed stable version.
max: please patch and bump libcdaudio (note: max hasn't been active for 14 weeks and the package is no-herd... we might need another bumper. Masking that package would break:
x11-misc/bbcd
media-sound/cdcd
media-plugins/mythmusic
dev-perl/Audio-CD-disc-cover
app-cdr/gtkcdlabel
app-emacs/cdi
app-cdr/disc-cover
If anyone in GNOME or sound feels like patching this one...)
Created attachment 55185 [details, diff] libcdaudio-CAN-2005-0706.patch
To help whoever will patch libcdaudio: attached is a patch applying cleanly to libcdaudio-0.99.10. Tested as compiling OK.
gnome-vfs fixed versions are:
gnome-vfs-2.8.4-r1 (KEYWORDS="x86 ~ppc ~alpha ~sparc ~hppa ~amd64 ~mips ~ia64 ~ppc64 ~arm")
gnome-vfs-2.10.0-r1 (package.masked)
Could archs please stabilise gnome-vfs-2.8.4-r1.
ppc done
Applied the patch to libcdaudio-0.99.10-r1.
libcdaudio-0.99.10-r1 (KEYWORDS="x86 ppc ~sparc ~alpha ~hppa ~mips ~amd64 ~ia64")
Could archs please stabilise this version.
Arches, please test and mark stable the 2 fixed ebuilds.
TARGET KEYWORDS:
gnome-vfs-2.8.4-r1: alpha amd64 arm hppa ia64 mips ppc ppc64 sparc x86
libcdaudio-0.99.10-r1: alpha amd64 ~hppa ia64 ~mips ppc ppc64 sparc x86
stable on ppc64
sparc done.
mips done
Stable on alpha.
amd64 is done... just waiting on ia64
eradicator/amd64: apparently gnome-vfs-2.8.4-r1 is still ~amd64...
GLSA 200504-07
arm ia64 hppa: mark stable to benefit from the GLSA.
Stable on hppa.
GNOME team: shouldn't the patch also be applied to the gnome-vfs-1.0.5 ebuild? Or should everyone remove that affected SLOT?
Applied to gnome-vfs-1.0.5-r4, apologies for missing that one.
gnome-vfs-1.0.5-r4 (KEYWORDS="~x86 ~ppc ~sparc ~alpha ~hppa ~amd64 ~ia64 ~mips ~ppc64 ~arm")
Koon - if only!
Arches, please test and mark gnome-vfs-1.0.5-r4 stable...
x86/ppc done.
mips done (again)
sparc done again.
Alpha done.
gnome-1.4 is not keyworded on amd64, so it seems that gnome-vfs-1.0.5-r4 shouldn't need to be marked stable for amd64 either.
amd64 stable
Ready, GLSA should be updated to include *>=1.0.5-r4 as unaffected
update committed.
Already stable on hppa