Bug 144089

Summary: media-libs/musicbrainz: boundary errors (CVE-2006-4197)
Product: Gentoo Security
Reporter: Raphael Marichez (Falco) (RETIRED) <falco>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Severity: normal
CC: sound, tcort
Priority: High
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: B2 [glsa] Falco
Package list:
Runtime testing required: ---

Description Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-08-16 02:45:34 UTC
No upstream patch available

SA 21404:

Software:	libmusicbrainz 2.x

Luigi Auriemma has reported some vulnerabilities in libmusicbrainz, which can be exploited by malicious people to cause a DoS (Denial of Service) or potentially compromise a vulnerable system.

1) A boundary error within the MBHttp::Download function in lib/http.cpp can be exploited to cause a buffer overflow via a large "location" field in an HTTP redirection received from a malicious MusicBrainz server.

2) Various boundary errors within rdfparse.c can be exploited to cause buffer overflows via very long URLs included in a malicious RDF feed.

Successful exploitation may allow execution of arbitrary code.

Do not connect to untrusted MusicBrainz servers.

Provided and/or discovered by:
Luigi Auriemma

Original Advisory:
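Both advisory items are the same bug class: a value whose length the remote server controls (the Location header of a redirect in item 1, a URL inside the RDF document in item 2) is copied into a fixed-size buffer without a length check. The following C illustration is added here for this bug and is not libmusicbrainz code; the real lib/http.cpp and rdfparse.c are not shown on this page. The buffer size LOCATION_MAX, the function names, and the sample HTTP responses are all assumptions constructed for the example. It shows the unchecked copy beside a bounded extractor that rejects over-long redirect targets, which is the same fix shape that applies to the RDF URL case.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical fixed buffer size for the redirect target; the real size in
 * lib/http.cpp is not shown on this page. */
#define LOCATION_MAX 256

/* Find the value of the first "Location:" header (case-sensitive match) in a
 * raw HTTP response. Returns a pointer into resp with the value length in
 * *len, or NULL if no such header appears before the blank end-of-headers line. */
static const char *find_location(const char *resp, size_t *len)
{
    const char *line = resp;
    for (;;) {
        const char *eol = strstr(line, "\r\n");
        size_t n = eol ? (size_t)(eol - line) : strlen(line);
        if (n == 0)                 /* blank line: end of the header block */
            break;
        if (n > 9 && strncmp(line, "Location:", 9) == 0) {
            const char *v = line + 9;
            while (v < line + n && *v == ' ')
                v++;
            *len = (size_t)(line + n - v);
            return v;
        }
        if (!eol)
            break;
        line = eol + 2;
    }
    return NULL;
}

/* The vulnerable pattern: the server-controlled value goes into a fixed-size
 * buffer with no length check, so a Location of LOCATION_MAX bytes or more
 * writes past the end of out. Shown for contrast only; never call it on
 * untrusted input. */
static void copy_location_unchecked(const char *value, size_t len,
                                    char out[LOCATION_MAX])
{
    memcpy(out, value, len);        /* overflows when len >= LOCATION_MAX */
    out[len] = '\0';
}

/* Hardened form: refuse over-long values rather than copy or silently
 * truncate them (a truncated URL is a different, still-surprising result).
 * Returns 0 on success, -1 if there is no Location header, -2 if it does not fit. */
int extract_location(const char *resp, char out[LOCATION_MAX])
{
    size_t len;
    const char *v = find_location(resp, &len);
    if (!v)
        return -1;
    if (len >= LOCATION_MAX)
        return -2;
    memcpy(out, v, len);
    out[len] = '\0';
    return 0;
}

/* Constructed sample response (not captured traffic). */
static const char SAMPLE_REDIRECT[] =
    "HTTP/1.1 302 Found\r\n"
    "Location: http://mb.example/redirected\r\n"
    "Content-Length: 0\r\n\r\n";

/* Builds a constructed 302 whose Location is "http://" followed by n 'A's
 * and returns extract_location's result code for it. */
int check_redirect_of_length(size_t n)
{
    char out[LOCATION_MAX];
    size_t total = n + 128;
    char *resp = malloc(total);
    if (!resp)
        return -99;
    int off = snprintf(resp, total, "HTTP/1.1 302 Found\r\nLocation: http://");
    memset(resp + off, 'A', n);
    off += (int)n;
    snprintf(resp + off, total - (size_t)off, "\r\nContent-Length: 0\r\n\r\n");
    int rc = extract_location(resp, out);
    free(resp);
    return rc;
}

/* Returns 1 if the hardened extractor recovers the sample URL exactly. */
int check_sample(void)
{
    char out[LOCATION_MAX];
    return extract_location(SAMPLE_REDIRECT, out) == 0 &&
           strcmp(out, "http://mb.example/redirected") == 0;
}

/* Returns extract_location's code for a response carrying no Location header. */
int check_no_location(void)
{
    char out[LOCATION_MAX];
    return extract_location("HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n", out);
}

int main(void)
{
    char out[LOCATION_MAX];
    size_t len;
    const char *v = find_location(SAMPLE_REDIRECT, &len);
    copy_location_unchecked(v, len, out);   /* safe here only because len is small */
    printf("unchecked copy:  %s\n", out);
    printf("hardened, short: rc=%d\n", check_redirect_of_length(10));
    printf("hardened, long:  rc=%d\n", check_redirect_of_length(4096));
    return 0;
}
```

The value of the bounded version is the explicit -2 path: a client that follows redirects should treat an over-long target as a protocol error and abort the request, which is what turns the "malicious MusicBrainz server" case from arbitrary code execution into a failed lookup. The same length-before-copy check is what a fix for the rdfparse.c URL buffers needs.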
Comment 1 Matthias Geerdsen (RETIRED) gentoo-dev 2006-09-29 05:05:41 UTC
should be fixed in 2.1.4

sound, pls bump

Changes for libmusicbrainz 2.1.4

   - Fixed buffer overflows in the RDF parsing and HTTP code. Patch by
     Martin Schulze. (#2066)

Comment 2 Matthias Geerdsen (RETIRED) gentoo-dev 2006-10-15 12:30:57 UTC
two weeks without reaction....
sound herd, pls bump
Comment 3 Stefan Schweizer (RETIRED) gentoo-dev 2006-10-15 12:50:12 UTC
I have bumped it, go ahead.
Comment 4 Matthias Geerdsen (RETIRED) gentoo-dev 2006-10-15 12:53:18 UTC
arches, pls test and mark stable if possible
Comment 5 Matthias Geerdsen (RETIRED) gentoo-dev 2006-10-15 12:55:50 UTC
this time I even pushed the button....
Comment 6 Jason Wever (RETIRED) gentoo-dev 2006-10-15 18:35:39 UTC
SPARC stable
Comment 7 Christian Faulhammer (RETIRED) gentoo-dev 2006-10-16 00:33:56 UTC
1) emerges fine
2) passes collision protect
3) audacious emerges fine on it and I think musicbrainz worked

Portage 2.1.1 (default-linux/x86/2006.1/desktop, gcc-4.1.1, glibc-2.4-r3, 2.6.17-gentoo-r8 i686)
System uname: 2.6.17-gentoo-r8 i686 AMD Athlon(tm) XP 2500+
Gentoo Base System version 1.12.5
Last Sync: Mon, 16 Oct 2006 05:20:01 +0000
app-admin/eselect-compiler: [Not Present]
dev-java/java-config: 1.3.7, 2.0.30
dev-lang/python:     2.4.3-r4
dev-python/pycrypto: 2.0.1-r5
dev-util/ccache:     [Not Present]
dev-util/confcache:  [Not Present]
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.59-r7
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2
sys-devel/binutils:  2.16.1-r3
sys-devel/gcc-config: 1.3.13-r4
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.17-r1
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config /usr/share/texmf/dvipdfm/config/ /usr/share/texmf/dvips/config/ /usr/share/texmf/tex/generic/config/ /usr/share/texmf/tex/platex/config/ /usr/share/texmf/xdvi/"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf /etc/java-config/vms/ /etc/revdep-rebuild /etc/terminfo"
FEATURES="autoconfig ccache collision-protect distlocks metadata-transfer parallel-fetch sandbox sfperms strict test"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude='/distfiles' --exclude='/local' --exclude='/packages'"
USE="x86 3dnow 3dnowext X Xaw3d a52 aiglx alsa artworkextra asf audiofile bash-completion beagle berkdb bidi bitmap-fonts bootsplash branding bzip2 cairo cdda cddb cdparanoia cdr cli cracklib crypt css cups curl custom-cflags dbus dga directfb divx4linux dlloader dri dts dvd dvdr dvdread dvi eds elibc_glibc emacs emboss encode esd evo exif expat fam fat fbcon ffmpeg firefox fortran ftp gb gcj gdbm gif gnome gpm gstreamer gtk gtk2 gtkhtml hal icq idn imagemagick imap input_devices_keyboard input_devices_mouse ipv6 isdnlog java javascript jikes jpeg jpeg2k kde kernel_linux ldap leim libg++ linguas_de lm_sensors mad maildir matroska mbox mhash mikmod mime mmx mmxext mng mono mp3 mpeg mpeg2 mule mysql nautilus ncurses nforce2 nls nocardbus nptl nptlonly nsplugin nvidia objc ogg opengl pam pcre pdf perl plotutils pmu png ppds pppd preview-latex print python qt3 qt4 quicktime readline reflection reiserfs samba sdk session slang spell spl sse ssl svg svga t1lib tcltk tcpd tetex theora thunderbird tiff truetype truetype-fonts type1-fonts udev usb userland_GNU vcd video_cards_fbdev video_cards_radeon video_cards_vesa videos vorbis win32codecs wmf wxwindows xine xml xorg xosd xv xvid zlib"
Comment 8 Chris Gianelloni (RETIRED) gentoo-dev 2006-10-16 14:09:32 UTC
amd64/x86 done
Comment 9 Markus Rothe (RETIRED) gentoo-dev 2006-10-16 22:28:35 UTC
added ~ppc64
Comment 10 Markus Rothe (RETIRED) gentoo-dev 2006-10-16 22:31:32 UTC
whoops.. wrong comment. I meant "ppc64 stable"
Comment 11 Thomas Cort (RETIRED) gentoo-dev 2006-10-17 03:45:10 UTC
alpha stable.
Comment 12 Thomas Cort (RETIRED) gentoo-dev 2006-10-17 03:46:03 UTC
oops... didn't mean to close the bug
Comment 13 Tobias Scherbaum (RETIRED) gentoo-dev 2006-10-18 11:28:32 UTC
ppc stable
Comment 14 René Nussbaumer (RETIRED) gentoo-dev 2006-10-20 01:39:19 UTC
Stable on hppa
Comment 15 Matthias Geerdsen (RETIRED) gentoo-dev 2006-10-20 07:05:46 UTC
ready for a GLSA, security pls review
Comment 16 Matthias Geerdsen (RETIRED) gentoo-dev 2006-10-22 11:16:05 UTC
GLSA 200610-09

thanks everyone