| Field | Value |
|---|---|
| Summary | <media-libs/libid3tag-0.16.2: multiple vulnerabilities |
| Product | Gentoo Security |
| Reporter | Christopher Díaz Riveros (RETIRED) <chrisadr> |
| Component | Vulnerabilities |
| Assignee | Gentoo Security <security> |
| Status | IN_PROGRESS |
| Severity | minor |
| CC | ajak, bss, fordfrog, marcec, sound |
| Priority | Normal |
| Version | unspecified |
| Hardware | All |
| OS | Linux |
| URL | http://seclists.org/fulldisclosure/2017/Jul/85 |
| See Also | https://bugs.gentoo.org/show_bug.cgi?id=842273 |
| Whiteboard | B3 [glsa? cve] |
| Package list | |
| Runtime testing required | --- |
| Bug Depends on | 842273, 843623 |
| Bug Blocks | |
| Attachments | |
Description
Christopher Díaz Riveros (RETIRED)
2017-07-31 13:07:57 UTC
RedHat has this as will not fix: https://access.redhat.com/security/cve/cve-2017-11550

Maintainer(s) please advise on this.

---

Can't reproduce either issue.

---

I could not reproduce any of the issues so you can proceed.

---

```
$ equery list libid3tag
 * Searching for libid3tag ...
[IP-] [  ] media-libs/libid3tag-0.15.1b-r4:0
```

Closing as invalid like the other. Thanks!

---

I just ran into this today with libid3tag-0.16.1 - backtrace is slightly different but it's still throwing segfault/null pointer dereference in id3_ucs4_length while reading a file.

---

(In reply to Michael Moon from comment #5)
> I just ran into this today with libid3tag-0.16.1 - backtrace is slightly
> different but it's still throwing segfault/null pointer dereference in
> id3_ucs4_length while reading a file.

With what file?

---

I ran into this problem as well, so hopefully I can provide the necessary information to resolve this problem. In total I have 188 files that I had to exclude from my collection for causing segfaults when being imported into mpd.

mp3 file: http://files.combuster.nl/tchaikovsky-the-nutcracker-suite.mp3 (will be taken down later due to fair use and copyright concerns)
compiled mpd: http://files.combuster.nl/mpd
compiled libid3tag: http://files.combuster.nl/libid3tag.so.0.16.1

stacktrace

```
(...)
client: [0] process command "lsinfo "streams/mp3""
client: [0] command returned 0
update: reading streams/mp3/Tchaikovsky - The Nutcracker Suite.mp3

Thread 9 "update" received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7fffeddaf640 (LWP 18749)]
id3_ucs4_length (ucs4=ucs4@entry=0x0) at /var/tmp/portage/media-libs/libid3tag-0.16.1-r1/work/libid3tag-0.16.1/ucs4.c:42
42	/var/tmp/portage/media-libs/libid3tag-0.16.1-r1/work/libid3tag-0.16.1/ucs4.c: No such file or directory.
(gdb) bt
#0  id3_ucs4_length (ucs4=ucs4@entry=0x0) at /var/tmp/portage/media-libs/libid3tag-0.16.1-r1/work/libid3tag-0.16.1/ucs4.c:42
#1  0x00007ffff5e9ad97 in id3_compat_fixup (tag=tag@entry=0x7fffdc0192d0) at /var/tmp/portage/media-libs/libid3tag-0.16.1-r1/work/libid3tag-0.16.1_build-abi_x86_64.amd64/compat.gperf:240
#2  0x00007ffff5e9fb28 in v2_parse (ptr=<optimized out>) at /var/tmp/portage/media-libs/libid3tag-0.16.1-r1/work/libid3tag-0.16.1/tag.c:609
#3  id3_tag_parse (data=<optimized out>, length=140737183858392) at /var/tmp/portage/media-libs/libid3tag-0.16.1-r1/work/libid3tag-0.16.1/tag.c:661
#4  0x00005555555fe5a4 in MadDecoder::ParseId3(unsigned long, Tag*) (this=0x7fffedd9c220, tagsize=1920, mpd_tag=0x0) at ../mpd-0.22.3/src/decoder/plugins/MadDecoderPlugin.cxx:323
#5  0x00005555555fea8e in MadDecoder::DecodeNextFrame(bool, Tag*) (this=this@entry=0x7fffedd9c220, skip=skip@entry=false, tag=tag@entry=0x0) at ../mpd-0.22.3/src/decoder/plugins/MadDecoderPlugin.cxx:405
#6  0x00005555555feae0 in MadDecoder::DecodeFirstFrame(Tag*) (this=this@entry=0x7fffedd9c220, tag=tag@entry=0x0) at ../mpd-0.22.3/src/decoder/plugins/MadDecoderPlugin.cxx:696
#7  0x00005555555ff283 in MadDecoder::RunScan(TagHandler&) (handler=..., this=0x7fffedd9c220) at ../mpd-0.22.3/src/decoder/plugins/MadDecoderPlugin.cxx:999
#8  mad_decoder_scan_stream(InputStream&, TagHandler&) (is=<optimized out>, handler=...) at ../mpd-0.22.3/src/decoder/plugins/MadDecoderPlugin.cxx:1019
#9  0x00005555555ad101 in DecoderPlugin::ScanStream(InputStream&, TagHandler&) const (handler=<optimized out>, is=<optimized out>, this=0x55555569ed40 <mad_decoder_plugin>) at ../mpd-0.22.3/src/decoder/DecoderPlugin.hxx:236
#10 TagFileScan::ScanStream(DecoderPlugin const&) (plugin=..., this=0x7fffeddadfe0) at ../mpd-0.22.3/src/TagFile.cxx:64
#11 TagFileScan::Scan(DecoderPlugin const&) (plugin=..., this=0x7fffeddadfe0) at ../mpd-0.22.3/src/TagFile.cxx:69
#12 TagFileScan::Scan(DecoderPlugin const&) (plugin=..., this=0x7fffeddadfe0) at ../mpd-0.22.3/src/TagFile.cxx:67
#13 operator() (plugin=..., __closure=<synthetic pointer>) at ../mpd-0.22.3/src/TagFile.cxx:88
#14 decoder_plugins_try<ScanFileTagsNoGeneric(Path, TagHandler&)::<lambda(const DecoderPlugin&)> > (f=...) at ../mpd-0.22.3/src/decoder/DecoderList.hxx:72
#15 ScanFileTagsNoGeneric(Path, TagHandler&) (path_fs=..., handler=<optimized out>) at ../mpd-0.22.3/src/TagFile.cxx:87
#16 0x00005555555ad1ca in ScanFileTagsWithGeneric(Path, TagBuilder&, AudioFormat*) (path=..., builder=..., audio_format=audio_format@entry=0x7fffeddae0e8) at ../mpd-0.22.3/src/TagFile.cxx:98
#17 0x00005555555ab08a in Song::UpdateFile(Storage&) (this=0x7fffdc019390, storage=...) at ../mpd-0.22.3/src/util/StringPointer.hxx:52
#18 0x00005555555ab1cf in Song::LoadFile(Storage&, char const*, Directory&) (storage=..., path_utf8=path_utf8@entry=0x7fffdc008e00 "Tchaikovsky - The Nutcracker Suite.mp3", parent=...) at ../mpd-0.22.3/src/SongUpdate.cxx:59
#19 0x000055555560d058 in UpdateWalk::UpdateSongFile2(Directory&, char const*, char const*, StorageFileInfo const&) (this=this@entry=0x5555557b7310, directory=..., name=name@entry=0x7fffdc008e00 "Tchaikovsky - The Nutcracker Suite.mp3", suffix=suffix@entry=0x7fffdc008e23 "mp3", info=...) at ../mpd-0.22.3/src/db/update/UpdateSong.cxx:65
#20 0x000055555560d360 in UpdateWalk::UpdateSongFile(Directory&, char const*, char const*, StorageFileInfo const&) (this=this@entry=0x5555557b7310, directory=..., name=name@entry=0x7fffdc008e00 "Tchaikovsky - The Nutcracker Suite.mp3", suffix=suffix@entry=0x7fffdc008e23 "mp3", info=...) at ../mpd-0.22.3/src/db/update/UpdateSong.cxx:107
#21 0x000055555560c934 in UpdateWalk::UpdateRegularFile(Directory&, char const*, StorageFileInfo const&) (info=..., name=0x7fffdc008e00 "Tchaikovsky - The Nutcracker Suite.mp3", directory=..., this=0x5555557b7310) at ../mpd-0.22.3/src/db/update/Walk.cxx:196
#22 UpdateWalk::UpdateDirectoryChild(Directory&, ExcludeList const&, char const*, StorageFileInfo const&) (this=0x5555557b7310, directory=..., exclude_list=..., name=0x7fffdc008e00 "Tchaikovsky - The Nutcracker Suite.mp3", info=...) at ../mpd-0.22.3/src/db/update/Walk.cxx:209
#23 0x000055555560c59e in UpdateWalk::UpdateDirectory(Directory&, ExcludeList const&, StorageFileInfo const&) (this=0x5555557b7310, directory=..., exclude_list=<optimized out>, info=...) at ../mpd-0.22.3/src/db/update/Walk.cxx:373
#24 0x000055555560c899 in UpdateWalk::UpdateDirectoryChild(Directory&, ExcludeList const&, char const*, StorageFileInfo const&) (this=0x5555557b7310, directory=..., exclude_list=..., name=0x7fffdc009098 "mp3", info=...) at ../mpd-0.22.3/src/db/update/Walk.cxx:223
#25 0x000055555560c59e in UpdateWalk::UpdateDirectory(Directory&, ExcludeList const&, StorageFileInfo const&) (this=0x5555557b7310, directory=..., exclude_list=<optimized out>, info=...) at ../mpd-0.22.3/src/db/update/Walk.cxx:373
#26 0x000055555560c899 in UpdateWalk::UpdateDirectoryChild(Directory&, ExcludeList const&, char const*, StorageFileInfo const&) (this=0x5555557b7310, directory=..., exclude_list=..., name=0x7fffdc008ff0 "streams", info=...) at ../mpd-0.22.3/src/db/update/Walk.cxx:223
#27 0x000055555560c59e in UpdateWalk::UpdateDirectory(Directory&, ExcludeList const&, StorageFileInfo const&) (this=0x5555557b7310, directory=..., exclude_list=<optimized out>, info=...) at ../mpd-0.22.3/src/db/update/Walk.cxx:373
#28 0x000055555560cd9a in UpdateWalk::Walk(Directory&, char const*, bool) (this=0x5555557b7310, root=..., path=<optimized out>, discard=<optimized out>) at ../mpd-0.22.3/src/db/update/Walk.cxx:498
#29 0x000055555560a156 in UpdateService::Task() (this=0x55555571d1b0) at ../mpd-0.22.3/src/db/plugins/simple/SimpleDatabasePlugin.hxx:85
#30 0x00005555555c4193 in BoundMethod<void () noexcept>::operator()() const (this=0x55555571d200) at ../mpd-0.22.3/src/util/BindMethod.hxx:90
#31 Thread::Run() (this=0x55555571d200) at ../mpd-0.22.3/src/thread/Thread.cxx:63
#32 Thread::ThreadProc(void*) (ctx=0x55555571d200) at ../mpd-0.22.3/src/thread/Thread.cxx:92
#33 0x00007ffff5714d4e in start_thread () at /lib64/libpthread.so.0
#34 0x00007ffff564afaf in clone () at /lib64/libc.so.6
(gdb)
```

---

I have also seen this recently via mpd. Slightly different stacktrace but the segfault is in id3_ucs4_length, same as above. File in question can be found at https://ocrmirror.org/files/music/remixes/Castlevania_Bloodlines_Unintentional_OC_ReMix.mp3

Same bug also crashes EasyTAG on the same file, FWIW.

---

Well, I'm hitting CVE-2017-11550 through MPD.

https://github.com/tenacityteam/libid3tag/issues/6

There is a patch here to fix it (works for me): https://github.com/tenacityteam/libid3tag/pull/7

---

Created attachment 762005 [details]
out

Attached an afl-minimized test case.
---

Incidentally (before refreshing this bug and seeing that pull request from tenacityteam) I slapped up a patch that fixed my issues; it is the same as the compat.c change linked above.

---

(In reply to John Helmert III from comment #10)
> Well, I'm hitting CVE-2017-11550 through MPD.

My MPD instance was also SEGFAULT-ing in id3_ucs4_length(), but I was able to work around it by reinstalling MPD with USE="-mad", oddly enough, which allowed a database update to complete. I had moved the root file system to a new drive and was trying to generate the DB from scratch, and before the workaround MPD was repeatedly SEGFAULT-ing at the same file.

Note that I'm not sure why the workaround helped. I guess libmad calls libid3tag (or vice versa? or something else?) and removing libmad avoids a buggy code path, but neither ebuild depends on the other, so maybe it's specific to how MPD uses them. Also odd is that based on some of the log output MPD is using ffmpeg for decoding MP3s even with USE="mad". Whatever, I don't know enough about any of these code bases to understand what's happening :-/ .

In any case, I don't personally care so much about the security aspect of this, but I find it really annoying to have software crashing and having to figure out a workaround.

---

Created attachment 775146 [details, diff]
fix patch

I just made the patchfile for myself from the github PR mentioned earlier, so I'm uploading it here for easy access to other people, since the PR is still not merged.

Tested by placing the file in /etc/portage/patches/media-libs/libid3tag-0.16.1-r1/
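The failure mode in the backtrace above (id3_compat_fixup handing a NULL string to id3_ucs4_length, which dereferences it unconditionally) modelled in C as an added example; this is not libid3tag's code and not the upstream patch. It assumes a simplified text-frame layout (one encoding byte followed by NUL-separated strings, constructed for this example) and a string lookup that returns NULL when the frame holds fewer strings than the caller expects, which is the return value the fixup must check before measuring the string.

```c
#include <stddef.h>
#include <stdint.h>

typedef uint32_t ucs4_t;
/* Like the library's id3_ucs4_length: dereferences its argument unconditionally,
 * so a caller that passes NULL faults here (frame #0 in the backtrace). */
static size_t ucs4_length(const ucs4_t *ucs4) {
    size_t len = 0;
    while (ucs4[len] != 0)
        ++len;
    return len;
}

/* Simplified text frame (layout assumed for this example): one encoding byte,
 * then NUL-separated strings. A body with only the encoding byte yields 0 strings. */
enum { MAX_STRINGS = 4, MAX_CHARS = 16 };
typedef struct {
    size_t nstrings;
    ucs4_t strings[MAX_STRINGS][MAX_CHARS + 1];
} text_frame;

static size_t parse_text_frame(text_frame *f, const uint8_t *body, size_t len) {
    size_t cur = 0;                       /* chars in the string being built */
    f->nstrings = 0;
    for (size_t i = 1; i < len; ++i) {    /* byte 0 is the encoding byte */
        if (body[i] == 0) {               /* separator: close current string */
            if (f->nstrings < MAX_STRINGS)
                f->strings[f->nstrings++][cur] = 0;
            cur = 0;
        } else if (f->nstrings < MAX_STRINGS && cur < MAX_CHARS) {
            f->strings[f->nstrings][cur++] = body[i];
        }
    }
    if (cur > 0 && f->nstrings < MAX_STRINGS) /* unterminated last string */
        f->strings[f->nstrings++][cur] = 0;
    return f->nstrings;
}

/* Same contract as id3_field_getstrings: NULL when index is out of range. */
static const ucs4_t *frame_getstring(const text_frame *f, size_t index) {
    return index < f->nstrings ? f->strings[index] : NULL;
}

/* Compat-style fixup step: length of the year string, or -1 when the frame
 * carries none. Calling ucs4_length on that NULL return is the crash above. */
static int year_length_from_body(const uint8_t *body, size_t len) {
    text_frame f;
    parse_text_frame(&f, body, len);
    const ucs4_t *year = frame_getstring(&f, 0);
    if (year == NULL)
        return -1;                        /* the check: skip the fixup, do not crash */
    return (int)ucs4_length(year);
}
```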
---

Upstream fix is merged: https://github.com/tenacityteam/libid3tag/pull/7 has been merged. I've asked if they'll drop a new release - hopefully this 5-year-old issue can be closed with a version bump soon :)

---

Version bump @ bug 842273

---

Please stable when ready

---

The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=54cefb43b5930d180027b1689ab769c21538f31c

```
commit 54cefb43b5930d180027b1689ab769c21538f31c
Author:     Miroslav Šulc <fordfrog@gentoo.org>
AuthorDate: 2022-05-11 06:00:12 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2022-05-11 06:00:20 +0000

    media-libs/libid3tag: dropped obsolete and vulnerable 0.16.1-r1

    Bug: https://bugs.gentoo.org/843623
    Bug: https://bugs.gentoo.org/626698
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 media-libs/libid3tag/Manifest                   |  1 -
 media-libs/libid3tag/libid3tag-0.16.1-r1.ebuild | 17 -----------------
 2 files changed, 18 deletions(-)
```

---

The tree is clean now, you can proceed.