
Bug 141680

Summary: media-libs/libmikmod heap overflow in GT2's loadChunk (CVE-2006-3879)
Product: Gentoo Security
Reporter: Sune Kloppenborg Jeppesen (RETIRED) <jaervosz>
Component: Auditing
Assignee: Gentoo Security <security>
Status: RESOLVED INVALID
Severity: normal
CC: hiyuh.root, sound
Priority: High
Version: unspecified
Hardware: All
OS: Linux
URL: http://aluigi.altervista.org/adv/lmmgt2ho-adv.txt
Whiteboard: B2? []
Package list:
Runtime testing required: ---

Description Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-07-25 02:39:12 UTC
#######################################################################

                             Luigi Auriemma

Application:  libmikmod
              http://mikmod.raphnet.net
              http://sourceforge.net/projects/mikmod/
Versions:     <= 3.2.2 and current CVS
              versions 2.x.x and all the others in which the GT2 file
              format isn't implemented are not vulnerable
Platforms:    Windows, POSIX, Mac
Bug:          heap overflow in GT2's loadChunk
Exploitation: local
Date:         24 Jul 2006
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


libmikmod is a library mainly used by Mikmod for playing different
types of audio modules (669, amf, asy, dsm, far, gdm, gt2, imf, it,
m15, med, mod, mtm, okt, s3m, stm, stx, ult, uni and xm).


#######################################################################

======
2) Bug
======


GT2 is the GRAOUMF TRACKER module file format
(http://thorkildsen.no/faqsys/docs/gt2-form.txt).

During the handling of the XCOM chunk (a field which contains an extra
comment) libmikmod reads the 32 bit number which specifies the size of
the comment and then allocates an amount of memory equal to this value
plus one, probably for an optional but unused NULL byte at the end of
the comment.
The result is that the library allocates about zero bytes of memory
("about" since MikMod_malloc allocates 20 bytes more than the desired
size) if an attacker uses the value 0xffffffff (0xffffffff + 1 = 0) and
then tries to read the amount of memory specified by the size value
overflowing the allocated memory.

From loaders/load_gt2.c:

GT_CHUNK *loadChunk(void)
    ...
    if (!memcmp(new_chunk, "XCOM", 4)) { 
        new_chunk->xcom.chunk_size = _mm_read_M_ULONG(modreader);
        new_chunk->xcom.comment_len = _mm_read_M_ULONG(modreader);
        new_chunk->xcom.comment = MikMod_malloc(new_chunk->xcom.comment_len + 1);
        _mm_read_UBYTES(new_chunk->xcom.comment, new_chunk->xcom.comment_len, modreader);
        return new_chunk;
    }
    ...


#######################################################################

===========
3) The Code
===========


http://aluigi.org/poc/lmmgt2ho.zip


#######################################################################

======
4) Fix
======


No fix.
No reply from the developers.


#######################################################################
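An added example, written here for illustration and not code from the advisory, from libmikmod or from Gentoo: a hardened XCOM chunk reader that applies the length checks the quoted loadChunk lacks, so that a comment_len of 0xffffffff (or any length larger than the chunk or the file) is rejected before anything is allocated or read. The byte layout ("XCOM" id, two big-endian 32-bit fields, then the comment bytes), the interpretation of chunk_size as the whole chunk including its 12-byte header, the function names parse_xcom_chunk and check_sample, and the three sample chunks are all assumptions or constructed inputs.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical in-memory view of one XCOM chunk (not libmikmod's GT_CHUNK). */
typedef struct {
    uint32_t chunk_size;
    uint32_t comment_len;
    char *comment;          /* NUL-terminated copy, owned by the caller */
} xcom_chunk;

/* Big-endian 32-bit read, standing in for _mm_read_M_ULONG on a byte buffer. */
static uint32_t read_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Parses "XCOM" + chunk_size + comment_len + comment bytes from buf.
 * Assumed layout: 4-byte id, two big-endian u32 fields, then the comment,
 * with chunk_size counting the whole chunk including this 12-byte header.
 * Returns 0 on success (out->comment is malloc'ed, caller frees it) or -1
 * on any inconsistency, so a hostile length never reaches the allocator. */
int parse_xcom_chunk(const uint8_t *buf, size_t buf_len, xcom_chunk *out)
{
    if (buf_len < 12 || memcmp(buf, "XCOM", 4) != 0)
        return -1;

    uint32_t chunk_size  = read_be32(buf + 4);
    uint32_t comment_len = read_be32(buf + 8);

    /* 1. comment_len + 1 must not wrap to 0 (the 0xffffffff case). */
    if (comment_len == UINT32_MAX)
        return -1;
    /* 2. The comment must fit inside the chunk's own declared size. */
    if (chunk_size < 12 || comment_len > chunk_size - 12)
        return -1;
    /* 3. The comment must fit in the bytes actually present in the input. */
    if (comment_len > buf_len - 12)
        return -1;

    char *comment = malloc((size_t)comment_len + 1);
    if (!comment)
        return -1;
    memcpy(comment, buf + 12, comment_len);
    comment[comment_len] = '\0';

    out->chunk_size  = chunk_size;
    out->comment_len = comment_len;
    out->comment     = comment;
    return 0;
}

/* Constructed sample chunks (not taken from any real GT2 file). */
static const uint8_t sample_ok[] = {            /* 5-byte comment, consistent */
    'X','C','O','M',  0,0,0,17,  0,0,0,5,  'h','e','l','l','o'
};
static const uint8_t sample_wrap[] = {          /* comment_len = 0xffffffff */
    'X','C','O','M',  0,0,0,17,  0xff,0xff,0xff,0xff,  'h','e','l','l','o'
};
static const uint8_t sample_short[] = {         /* claims 64 bytes, has 5 */
    'X','C','O','M',  0,0,0,76,  0,0,0,64,  'h','e','l','l','o'
};

/* Parses one sample and returns the parser's status; frees any comment. */
int check_sample(const uint8_t *buf, size_t len)
{
    xcom_chunk c;
    int rc = parse_xcom_chunk(buf, len, &c);
    if (rc == 0)
        free(c.comment);
    return rc;
}

int main(void)
{
    printf("ok:    %d\n", check_sample(sample_ok,    sizeof sample_ok));
    printf("wrap:  %d\n", check_sample(sample_wrap,  sizeof sample_wrap));
    printf("short: %d\n", check_sample(sample_short, sizeof sample_short));
    return 0;
}
```

Check 1 alone closes the wraparound the advisory describes; checks 2 and 3 are what keep an attacker-controlled length from driving the read past the chunk or the file even when the addition does not wrap.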
Comment 1 Thierry Carrez (RETIRED) gentoo-dev 2006-07-29 05:39:54 UTC
CCing sound herd for info
Comment 2 Thierry Carrez (RETIRED) gentoo-dev 2006-08-12 07:39:50 UTC
Still unfixed upstream
Comment 3 Matthias Geerdsen (RETIRED) gentoo-dev 2006-12-13 04:02:07 UTC
There still does not seem to be a fix available upstream and actually to me it seems like upstream is dead.

Anyone got other news/suggestions here?

btw...

!rrdep mikmod
no reverse rdepends info for mikmod

!rrdep libmikmod
media-libs/libmikmod <- dev-games/clanlib dev-games/crystalspace dev-games/crystalspace-cvs games-action/heroes games-arcade/methane games-engines/stratagus games-puzzle/ensemblist games-puzzle/fbg games-puzzle/gweled games-strategy/xscorch media-libs/sdl-mixer media-libs/sdl-sound media-plugins/gst-plugins-mikmod media-sound/ecasound media-sound/mikmod media-sound/mpd
Comment 4 Matthias Geerdsen (RETIRED) gentoo-dev 2007-01-17 19:42:22 UTC
Actually, I don't see loaders/load_gt2.c in either of the two versions that are in the tree, so it seems we are not affected by this.

Can someone confirm that? sound herd?
Comment 5 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-04-11 19:31:33 UTC
The original advisory says "versions 2.x.x and all the others in which the GT2 file format isn't implemented are not vulnerable".
This really looks like 3.1.11-r2 doesn't include GT2 format, so I think we can close this one.
Comment 6 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-08-06 08:40:18 UTC
After another check, there's definitely no GT2 support in the versions we ship, so we're not affected. Closing as invalid; feel free to reopen if you disagree.