Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 74692

Summary: media-sound/mpg123: find_next_file overflows linetmp buffer
Product: Gentoo Security Reporter: Sascha Silbe <sascha-gentoo-bugzilla>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: sound
Priority: High    
Version: unspecified   
Hardware: All   
OS: All   
Whiteboard: B2 [glsa] koon
Package list:
Runtime testing required: ---
Attachments:
Description Flags
8.list from advisory none

Description Sascha Silbe 2004-12-16 14:51:58 UTC
The following advisory from securesoftware@list.cr.yp.to is for mpg123 0.59r, but the given exploit causes media-sound/mpg123-0.59s-r6 to SegFault, so it probably still vulnerable.

Date: 15 Dec 2004 08:14:59 -0000
From: "D. J. Bernstein" <djb@cr.yp.to>
Subject: [remote] [control] mpg123 0.59r find_next_file overflows linetmp buffer
To: securesoftware@list.cr.yp.to, hippm@informatik.uni-tuebingen.de
X-HELOcheck: OK: FQDN
Mailing-List: contact securesoftware-help@list.cr.yp.to; run by ezmlm
Mail-Followup-To: securesoftware@list.cr.yp.to,
        hippm@informatik.uni-tuebingen.de
Automatic-Legal-Notices: See http://cr.yp.to/mailcopyright.html.

[-- Attachment #1 [details] --]
[-- Type: text/plain, Encoding: 7bit, Size: 1.6K --]

Bartlomiej Sieka, a student in my Fall 2004 UNIX Security Holes course,
has discovered a remotely exploitable security hole in mpg123. I'm
publishing this notice, but all the discovery credits should be assigned
to Sieka.

You are at risk if you use mpg123 --list to take an MP3 playlist from a
web page (or any other source that could be controlled by an attacker).
Whoever provides that input then has complete control over your account:
he can read and modify your files, watch the programs you're running,
etc.

Of course, when you accept a playlist from someone else, you are running
the risk that the playlist will include some of your files, conceivably
secret audio files. But the mpg123 documentation does not suggest that
there is any larger risk.

Proof of concept: On an x86 computer running FreeBSD 4.10, as root, type

   cd /usr/ports/audio/mpg123
   make install

to download and compile the mpg123 program, version 0.59r (current ports
version; note that pre0.59s does not appear to have fixed the bug).
Then, as any user, save the file 8.list attached to this message, and
type

   mkdir 1234567890123456789
   mv 8.list 1234567890123456789/8.list
   mpg123 -s --list 1234567890123456789/8.list >/dev/null

with the unauthorized result that a file named EXPLOIT is created in the
current directory. (I tested this with a 4621-byte environment, as
reported by printenv | wc -c.)

Here's the bug: In playlist.c, find_next_file() uses strcat() to copy
any amount of data into a 1024-byte linetmp[] array.

---D. J. Bernstein, Associate Professor, Department of Mathematics,
Statistics, and Computer Science, University of Illinois at Chicago
Comment 1 Sascha Silbe 2004-12-16 14:53:09 UTC
Created attachment 46169 [details]
8.list from advisory
Comment 2 Matthias Geerdsen (RETIRED) gentoo-dev 2004-12-17 09:19:17 UTC
sound heard, pls verify/advise

setting to upstream as no patch seems to be available yet

__

http://secunia.com/advisories/13511/
Comment 3 Jeremy Huddleston (RETIRED) gentoo-dev 2004-12-18 17:39:20 UTC
CAN-2004-0982 also needs fixing... and upstream is dead.... ugg...  I'll get on this

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0982
Comment 4 Jeremy Huddleston (RETIRED) gentoo-dev 2004-12-18 17:42:50 UTC
CAN-2004-0982 was fixed... nevermind...
Comment 5 Jeremy Huddleston (RETIRED) gentoo-dev 2004-12-18 18:02:24 UTC
fixed in cvs... adding archs
Comment 6 Daniel Black (RETIRED) gentoo-dev 2004-12-18 22:28:29 UTC
I'm getting a SEGV on ppc and x86 when running the test described

/usr/bin/mpg123 -s --list ~/bug74692-9.list >/dev/null
Comment 7 Jeremy Huddleston (RETIRED) gentoo-dev 2004-12-18 23:29:20 UTC
that's expected... mpg123 is crap in general, so the easiest way around this was to just segfault on entries >1023 characters rather than overflow.
Comment 8 Michael Hanselmann (hansmi) (RETIRED) gentoo-dev 2004-12-19 01:35:07 UTC
PowerPC done.
Comment 9 Bryan Ƙstergaard (RETIRED) gentoo-dev 2004-12-19 09:09:22 UTC
Stable on alpha.
Comment 10 SpanKY gentoo-dev 2004-12-20 08:20:29 UTC
hppa/ia64 stable
Comment 11 Markus Rothe (RETIRED) gentoo-dev 2004-12-20 12:26:08 UTC
stable on ppc64
Comment 12 Thierry Carrez (RETIRED) gentoo-dev 2004-12-21 07:12:50 UTC
GLSA 200412-22 (thx SeJo for the draft)
mips should mark stable to benefit from GLSA
Comment 13 Hardave Riar (RETIRED) gentoo-dev 2004-12-30 00:43:55 UTC
Stable on mips.