| Summary: | media-sound/bladeenc: global buffer overflow write | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | ||
| Severity: | normal | CC: | ajak, fordfrog, sound |
| Priority: | Normal | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | https://blogs.gentoo.org/ago/2017/09/19/bladeenc-global-buffer-overflow-in-iteration_loop-loop-c/ | ||
| Whiteboard: | B2 [glsa+ cve] | ||
| Package list: | Runtime testing required: | --- | |
| Deadline: | 2021-05-29 | ||
Maintainer(s): Ping. bladeenc's homepage seems to be gone for a long time. It looks like few others have this package, it may be time to think of last-riting it. The only reverse dependency FWICS is media-sound/rip, last update early 2003. masked for removal The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=310d4c6c60f74d21bbbccaadf637ee218b9539b0 commit 310d4c6c60f74d21bbbccaadf637ee218b9539b0 Author: Jakov Smolic <jakov.smolic@sartura.hr> AuthorDate: 2021-05-26 09:31:29 +0000 Commit: Sam James <sam@gentoo.org> CommitDate: 2021-05-26 12:34:04 +0000 media-sound/bladeenc: Remove last-rited pkg Bug: https://bugs.gentoo.org/631394 Signed-off-by: Jakov Smolic <jakov.smolic@sartura.hr> Signed-off-by: Sam James <sam@gentoo.org> media-sound/bladeenc/Manifest | 1 - media-sound/bladeenc/bladeenc-0.94.2-r1.ebuild | 15 --------------- media-sound/bladeenc/files/bladeenc-0.94.2-secfix.diff | 11 ----------- media-sound/bladeenc/metadata.xml | 8 -------- profiles/package.mask | 6 ------ 5 files changed, 41 deletions(-) New GLSA request filed This issue was resolved and addressed in GLSA 202107-18 at https://security.gentoo.org/glsa/202107-18 by GLSA coordinator John Helmert III (ajak). |
Description: bladeenc is an mp3 encoder. There is a write overflow by default without a crafted file in the bladeenc command-line tool. The upstream website does not work anymore for me. The complete ASan output of the issue: # bladeenc $FILE ==15358==ERROR: AddressSanitizer: global-buffer-overflow on address 0x00000141c3b4 at pc 0x00000052afc8 bp 0x7ffcb9e50bb0 sp 0x7ffcb9e50ba8 WRITE of size 4 at 0x00000141c3b4 thread T0 #0 0x52afc7 in iteration_loop /var/tmp/portage/media-sound/bladeenc-0.94.2-r1/work/bladeenc-0.94.2/bladeenc/loop.c:728:20 #1 0x54fb91 in codecEncodeChunk /var/tmp/portage/media-sound/bladeenc-0.94.2-r1/work/bladeenc-0.94.2/bladeenc/codec.c:353:2 #2 0x519694 in main /var/tmp/portage/media-sound/bladeenc-0.94.2-r1/work/bladeenc-0.94.2/bladeenc/main.c:518:23 #3 0x7f3d35989680 in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.23-r4/work/glibc-2.23/csu/../csu/libc-start.c:289 #4 0x419dc8 in getenv (/usr/bin/bladeenc+0x419dc8) 0x00000141c3b4 is located 44 bytes to the left of global variable 'lo_quant_s' defined in 'loop.c:372:17' (0x141c3e0) of size 156 0x00000141c3b4 is located 0 bytes to the right of global variable 'hi_quant_l' defined in 'loop.c:370:17' (0x141c360) of size 84 SUMMARY: AddressSanitizer: global-buffer-overflow /var/tmp/portage/media-sound/bladeenc-0.94.2-r1/work/bladeenc-0.94.2/bladeenc/loop.c:728:20 in iteration_loop Shadow bytes around the buggy address: 0x00008027b820: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x00008027b830: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x00008027b840: 00 00 00 f9 f9 f9 f9 f9 f9 f9 f9 f9 04 f9 f9 f9 0x00008027b850: f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9 00 00 00 00 0x00008027b860: 00 00 00 00 00 00 00 f9 f9 f9 f9 f9 00 00 00 00 =>0x00008027b870: 00 00 00 00 00 00[04]f9 f9 f9 f9 f9 00 00 00 00 0x00008027b880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 0x00008027b890: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00 0x00008027b8a0: 00 00 00 00 00 00 00 04 f9 f9 f9 f9 04 f9 f9 f9 0x00008027b8b0: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00 0x00008027b8c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb ==15358==ABORTING Aborted Affected version: 0.94.2 Fixed version: N/A Commit fix: N/A Credit: This bug was discovered by Agostino Sarubbo of Gentoo. CVE: Waiting for a CVE assignment Timeline: 2017-09-19: bug discovered 2017-09-19: blog post about the issue Note: This bug was identified with bare metal servers donated by Packet. This work is also supported by the Core Infrastructure Initiative. Permalink: https://blogs.gentoo.org/ago/2017/09/19/bladeenc-global-buffer-overflow-in-iteration_loop-loop-c/ @maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.