Bug 86033

Summary: media-sound/mpg321: format string vulnerability (CVE-2003-0969)
Product: Gentoo Security
Reporter: Tavis Ormandy (RETIRED) <taviso>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: sound
Priority: High
Version: unspecified
Hardware: All
OS: All
Whiteboard: B2 [glsa] jaervosz
Package list:
Runtime testing required: ---

Description Tavis Ormandy (RETIRED) gentoo-dev 2005-03-20 10:51:18 UTC
My libprintf module identified a format string vulnerability in mpg321's parsing of id3 comments. This could be exploited with a malicious mp3 file to execute arbitrary code.

Mar 20 18:43:19 insomniac mpg321: [24030] no format specifiers: fprintf(/dev/pts/10, "The Hives Are Law, You Are Cri");
Mar 20 18:43:19 insomniac mpg321: [24030] no format specifiers: fprintf(/dev/pts/10, "The Hives                     ");
Mar 20 18:43:19 insomniac mpg321: [24030] no format specifiers: fprintf(/dev/pts/10, "Your New Favourite Band       ");
Mar 20 18:43:19 insomniac mpg321: [24030] no format specifiers: fprintf(/dev/pts/10, "2001");
Mar 20 18:43:19 insomniac mpg321: [24030] no format specifiers: fprintf(/dev/pts/10, "Created by Grip               ");
Mar 20 18:43:19 insomniac mpg321: [24030] no format specifiers: fprintf(/dev/pts/10, "Other                         ");

I checked the package and noticed that mpg321-0.2.10-r2, currently only ~ppc-macos, fixes this issue with a patch from FreeBSD; this fix needs to be marked stable for everyone else to fix this issue.

An example that would crash mpg321 (in case anyone wants to verify):

$ id3tag -wnc__FOOB test.mp3
$ perl -pi -e 's/__FOOB/%.500n/g' test.mp3
$ mpg321 test.mp3

(id3tag won't set % characters in the comment).
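The pattern behind this class of bug, shown as an added example in C rather than mpg321's own code: the tag field is used directly as the format string, so any `%` conversion in the metadata is interpreted by printf. The hardened form keeps the format string constant and passes the untrusted text only as an argument, and a small audit helper flags fields that carry conversion specifications. The 30-column field width mirrors the padded output in the report; the width and the function names are assumptions.

```c
#include <stdio.h>
#include <string.h>

// Unsafe pattern (what the report describes), shown here only as a comment:
//     fprintf(fp, field);        // untrusted text becomes the format string
// Hardened pattern: a constant format string, untrusted text as an argument.

#define TAG_FIELD_WIDTH 30   /* assumed: matches the padded columns above */

/* Render an untrusted tag field into a fixed-size buffer, left-justified and
 * clipped to TAG_FIELD_WIDTH columns. Returns the number of characters
 * written (excluding the NUL), or -1 if the buffer is too small. */
int render_tag_field(char *out, size_t outsz, const char *field)
{
    /* "%-*.*s": width and precision come from arguments, the field is data */
    int n = snprintf(out, outsz, "%-*.*s", TAG_FIELD_WIDTH, TAG_FIELD_WIDTH, field);
    if (n < 0 || (size_t)n >= outsz)
        return -1;
    return n;
}

/* Audit helper: count conversion specifications in a tag field.
 * Metadata should never need them, so a non-zero count is worth logging
 * when scanning files against bugs of this class. "%%" is a literal
 * percent sign and is not counted. */
int count_format_specifiers(const char *s)
{
    int count = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {   /* escaped percent, skip both characters */
            s++;
            continue;
        }
        count++;
    }
    return count;
}

int main(void)
{
    /* constructed sample fields, including one carrying a conversion */
    const char *fields[] = { "The Hives", "2001", "%.500n" };
    char buf[TAG_FIELD_WIDTH + 1];

    for (size_t i = 0; i < sizeof fields / sizeof fields[0]; i++) {
        if (render_tag_field(buf, sizeof buf, fields[i]) < 0)
            continue;
        printf("[%s] specifiers=%d\n", buf, count_format_specifiers(fields[i]));
    }
    return 0;
}
```

With the hardened renderer the `%.500n` field is printed as the literal six characters followed by padding; nothing is written through a pointer, which is the behaviour the patched mpg321 should exhibit for the reporter's test file.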
Comment 1 Tavis Ormandy (RETIRED) gentoo-dev 2005-03-20 11:28:14 UTC
media-sound/mpg123 is also affected by this issue.
Comment 2 Tavis Ormandy (RETIRED) gentoo-dev 2005-03-20 11:31:01 UTC
Oops, no it isn't. Disregard that.
Comment 3 Tavis Ormandy (RETIRED) gentoo-dev 2005-03-20 13:25:51 UTC
CVE-2003-0969
Comment 4 Tavis Ormandy (RETIRED) gentoo-dev 2005-03-23 06:31:48 UTC
The only difference between mpg321-0.2.10-r1 (currently KEYWORDS="amd64 x86 ~ppc sparc mips alpha ppc64") and mpg321-0.2.10-r2 (currently KEYWORDS="-* ~ppc-macos") is the addition of a patch from FreeBSD which is "obviously correct"; it fixes this security issue and looks like it fixes a couple of fd leaks.

-r2 should be ready for arch stabilisation.
Comment 5 Thierry Carrez (RETIRED) gentoo-dev 2005-03-23 06:49:28 UTC
Arches, for mpg321-0.2.10-r2:
amd64 x86 sparc mips alpha ppc64: please test and mark stable
ppc: please test and mark ~ppc

Ccing sound team, in case it wants to test and mark stable a few arches by itself
Comment 6 Gustavo Zacarias (RETIRED) gentoo-dev 2005-03-23 07:09:51 UTC
Stable on sparc.
Comment 7 Jan Brinkmann (RETIRED) gentoo-dev 2005-03-23 07:19:14 UTC
stable on amd64 and x86
Comment 8 Michael Hanselmann (hansmi) (RETIRED) gentoo-dev 2005-03-23 11:55:32 UTC
Stable on ppc.
Comment 9 Bryan Østergaard (RETIRED) gentoo-dev 2005-03-24 07:14:55 UTC
Stable on alpha.
Comment 10 Markus Rothe (RETIRED) gentoo-dev 2005-03-26 11:15:42 UTC
stable on ppc64
Comment 11 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-03-28 07:49:04 UTC
GLSA 200503-34
Comment 12 Hardave Riar (RETIRED) gentoo-dev 2005-04-03 07:25:01 UTC
Stable on mips.