I have found some remote buffer overflows in streamripper. They occur when a streamripper user connects to a malicious server - by being social engineered into doing so or by technical means such as DNS poisoning. The overflows are stack-based and gives an attacker the opportunity to run arbitrary machine code programs. I have attached a patch and a test-exploit (must be started from inetd/xinetd) that shows in gdb which registers that can be overwritten (a lot). I hope that we can cooperate on solving this security problem and agree on a release date when we will make this public in a coordinated manner. // Ulf Harnhammar, Debian Security Audit Project http://www.debian.org/security/audit/
Created attachment 94940 [details, diff] streamripper.bufoflows.patch
Chainsaw please attach an ebuild to this bug or be prepared to commit tomorrow at some point.
Please note that I have touched this package only once, in the distant past (a year ago). I consider GTK+ 1 a legacy library which has been locally masked on my system for at least 6 months. I am CC'ing the two people that possibly care about this package. I for one do not, and would suggest that we package.mask this if nobody steps up.
I have no problem with dropping this package.
(In reply to comment #3) > I consider GTK+ 1 a legacy library which has been locally masked on > my system for at least 6 months. Chainsaw, are we talking about the same package here? media-sound/streamripper-1.61.17 only depends on libogg, libvorbis, and libmad. tcort@cheese /usr/portage/media-sound/streamripper $ grep gtk * tcort@cheese /usr/portage/media-sound/streamripper $ grep GTK * tcort@cheese /usr/portage/media-sound/streamripper $ > I am CC'ing the two people that possibly care about this package. I for one do > not, and would suggest that we package.mask this if nobody steps up. I care :) (In reply to comment #2) > Chainsaw please attach an ebuild to this bug or be prepared to commit tomorrow > at some point. The package needs a version bump too (Bug #128563). I'll attach an updated ebuild and patch for 1.61.25 later today. I'll be moving and without internet access for a week starting tomorrow. So you'll either need someone else to commit it or have me commit it soon after midnight tonight.
Created attachment 94954 [details] streamripper-1.61.25.ebuild An ebuild for streamripper-1.61.25. Solves Bug #128563 (version bump request) and this bug.
Created attachment 94955 [details, diff] streamripper-1.61.25-CVE-2006-3124 Buffer overflow patch for streamripper-1.61.25. Same as attachment #94940 [details, diff] but for 1.61.25. (i.e. the file lib/http.c changed and the fixes happen on different line numbers now).
This one is public now. Sound please commit the updated ebuild.
*** Bug 128563 has been marked as a duplicate of this bug. ***
FYI Streamripper 1.61.26 also incorporates the fix.
An ebuild for streamripper-1.61.26 has been committed. It contains the fixes in attachment #94955 [details, diff].
Arch teams, please test and mark stable =media-sound/streamripper-1.61.26 Testing hints... Testing Streaming MP3 Ripping: Go to http://www.shoutcast.com/ Click on one of the "Tune In!" buttons to download shoutcast-playlist.pls Look in the *.pls file for a URL, ex: http://64.236.34.196:80/stream/1074 Run "streamripper http://64.236.34.196:80/stream/1074" Other options are explained in the man page. Use ctrl+c to quit Try playing the ripped songs, they are in $(pwd)/${STATION}/*.mp3 Testing Streaming OGG/Vorbis Ripping (requires the 'vorbis' USE flag): Go to http://dir.xiph.org/index.php Click on one of the "Ogg Vorbis" buttons to download listen.m3u Look in the *.m3u file for a URL. Rip some songs (as described above) and try playing the ripped files.
Thx Thomas. Arches please test and mark stable.
ppc64 stable
emerges fine on amd64, passes multilib-strict and collision-test, rips mp3/ogg without any problems. Portage 2.1-r2 (default-linux/amd64/2006.1/desktop, gcc-4.1.1, glibc-2.4-r3, 2.6.17-gentoo-r7 x86_64) ================================================================= System uname: 2.6.17-gentoo-r7 x86_64 AMD Athlon(tm) 64 Processor 3000+ Gentoo Base System version 1.12.4 ccache version 2.3 [enabled] app-admin/eselect-compiler: [Not Present] dev-lang/python: 2.4.3-r1 dev-python/pycrypto: 2.0.1-r5 dev-util/ccache: 2.3 dev-util/confcache: [Not Present] sys-apps/sandbox: 1.2.17 sys-devel/autoconf: 2.13, 2.59-r7 sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2 sys-devel/binutils: 2.16.1-r3 sys-devel/gcc-config: 1.3.13-r3 sys-devel/libtool: 1.5.22 virtual/os-headers: 2.6.11-r2 ACCEPT_KEYWORDS="amd64" AUTOCLEAN="yes" CBUILD="x86_64-pc-linux-gnu" CFLAGS="-march=k8 -O2 -pipe" CHOST="x86_64-pc-linux-gnu" CONFIG_PROTECT="/etc /usr/share/X11/xkb" CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf /etc/java-config/vms/ /etc/revdep-rebuild /etc/terminfo" CXXFLAGS="-march=k8 -O2 -pipe" DISTDIR="/usr/portage/distfiles" FEATURES="autoconfig ccache collision-test distlocks metadata-transfer multilib-strict parallel-fetch sandbox sfperms strict test" GENTOO_MIRRORS="ftp://sunsite.informatik.rwth-aachen.de/pub/Linux/gentoo ftp://linux.rz.ruhr-uni-bochum.de/gentoo-mirror/ ftp://ftp.uni-erlangen.de/pub/mirrors/gentoo ftp://ftp.join.uni-muenster.de/pub/linux/distributions/gentoo ftp://ftp.wh2.tu-dresden.de/pub/mirrors/gentoo ftp://ftp.join.uni-muenster.de/pub/linux/distributions/gentoo ftp://ftp-stud.fht-esslingen.de/pub/Mirrors/gentoo/ ftp://ftp.gentoo.mesh-solutions.com/gentoo/ ftp://pandemonium.tiscali.de/pub/gentoo/ " LANG="en_US.ISO8859-1" LC_ALL="en_US.ISO8859-1" MAKEOPTS="-j3" PKGDIR="/usr/portage/packages" PORTAGE_RSYNC_EXTRA_OPTS="--exclude-from=/etc/portage/rsync_excludes" PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude='/distfiles' --exclude='/local' --exclude='/packages'" PORTAGE_TMPDIR="/var/tmp" PORTDIR="/usr/portage" PORTDIR_OVERLAY="/usr/local/portage/overlay" SYNC="rsync://rsync.europe.gentoo.org/gentoo-portage" USE="amd64 X a52 aac acpi alsa asf avi berkdb bitmap-fonts bzip2 cairo cdda cddb cdinstall cdr cli crypt cups dbus dlloader dri dvd dvdr emboss encode expat fam firefox fortran gdbm gif glut gpm gstreamer gtk gtk2 hal imagemagick isdnlog jpeg lcms ldap libg++ lirc mad mikmod mng mp3 mpeg musicbrainz ncurses nls nptl nptlonly ogg opengl pam pcre pdflib php png ppds pppd quicktime readline reflection sdl session socks5 spl ssl svg tcpd tiff truetype truetype-fonts type1-fonts udev unicode v4l v4l2 vorbis xine xinerama xml xorg xv zlib elibc_glibc input_devices_evdev input_devices_keyboard input_devices_mouse kernel_linux lirc_devices_hauppauge userland_GNU video_cards_fglrx video_cards_radeon" Unset: CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LDFLAGS, LINGUAS
sparc stable.
amd64 stable.
ppc stable
1.) emerges fine on x86 with and without USE="vorbis" (with gcc 3.4 and 4.1.1) 2.) passes collision test 3.) mp3 and ogg ripping works fine Portage 2.1-r2 (default-linux/x86/2006.1/desktop, gcc-3.4.6, glibc-2.4-r3, 2.6.17.6 i686) ================================================================= System uname: 2.6.17.6 i686 AMD Athlon(TM) XP1800+ Gentoo Base System version 1.12.4 ccache version 2.3 [enabled] app-admin/eselect-compiler: [Not Present] dev-lang/python: 2.3.5-r2, 2.4.3-r1 dev-python/pycrypto: 2.0.1-r5 dev-util/ccache: 2.3 dev-util/confcache: [Not Present] sys-apps/sandbox: 1.2.17 sys-devel/autoconf: 2.13, 2.59-r7 sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2 sys-devel/binutils: 2.16.1-r3 sys-devel/gcc-config: 1.3.13-r3 sys-devel/libtool: 1.5.22 virtual/os-headers: 2.6.11-r2 ACCEPT_KEYWORDS="x86" AUTOCLEAN="yes" CBUILD="i686-pc-linux-gnu" CFLAGS="-O2 -march=i686 -fomit-frame-pointer -pipe" CHOST="i686-pc-linux-gnu" CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config" CONFIG_PROTECT_MASK="/etc/env.d /etc/gconf /etc/revdep-rebuild /etc/terminfo /etc/texmf/web2c" CXXFLAGS="-O2 -march=i686 -fomit-frame-pointer -pipe" DISTDIR="/usr/portage/distfiles" FEATURES="autoconfig ccache collision-protect distlocks fixpackages metadata-transfer parallel-fetch sandbox sfperms strict test userfetch userpriv usersandbox" GENTOO_MIRRORS="http://mirror.switch.ch/mirror/gentoo/ http://gentoo.inode.at/" LANG="en_GB.utf8" LINGUAS="en de en_GB" PKGDIR="/usr/portage/packages" PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude='/distfiles' --exclude='/local' --exclude='/packages'" PORTAGE_TMPDIR="/var/tmp" PORTDIR="/usr/portage" PORTDIR_OVERLAY="/usr/local/portage/normal /usr/local/portage/testing" SYNC="rsync://192.168.2.1/gentoo-portage" USE="x86 3dnow 3dnowext X a52 aac acpi alsa apache2 avi bash-completion berkdb bitmap-fonts bzip2 cairo cdr cli crypt css cups dbus divx4linux dlloader dri dts dvd dvdr dvdread emboss exif fam ffmpeg firefox font-server fortran gdbm gif gnome gphoto2 gpm gstreamer gtk gtk2 gtkhtml hal ipv6 isdnlog java jpeg kde kdeenablefinal ldap libclamav libg++ logitech-mouse mad mikmod mmx mmxext mono mozcalendar mozdevelop mozsvg mp3 mpeg ncurses network nls nptl nptlonly nvidia oav ogg opengl oss pam pcre pdflib perl png ppds pppd python qt qt3 qt4 quicktime readline reflection samba sdl seamonkey session spell spl ssl tcltk tcpd test tetex tiff truetype truetype-fonts type1-fonts udev unicode usb vcd vorbis win32codecs xine xinerama xml xorg xorg-x11 xprint xv xvg xvid zlib elibc_glibc input_devices_mouse input_devices_keyboard kernel_linux linguas_en linguas_de linguas_en_GB userland_GNU video_cards_nv video_cards_none" Unset: CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LC_ALL, LDFLAGS, MAKEOPTS, PORTAGE_RSYNC_EXTRA_OPTS
1) emerges fine 2) passes collision test 3) works Portage 2.1-r2 (default-linux/x86/2006.1/desktop, gcc-4.1.1, glibc-2.4-r3, 2.6.17-gentoo-r7 i686) ================================================================= System uname: 2.6.17-gentoo-r7 i686 AMD Athlon(tm) XP 2500+ Gentoo Base System version 1.12.4 app-admin/eselect-compiler: [Not Present] dev-lang/python: 2.4.3-r1 dev-python/pycrypto: 2.0.1-r5 dev-util/ccache: [Not Present] dev-util/confcache: [Not Present] sys-apps/sandbox: 1.2.17 sys-devel/autoconf: 2.13, 2.59-r7 sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2 sys-devel/binutils: 2.16.1-r3 sys-devel/gcc-config: 1.3.13-r3 sys-devel/libtool: 1.5.22 virtual/os-headers: 2.6.11-r2 ACCEPT_KEYWORDS="x86" AUTOCLEAN="yes" CBUILD="i686-pc-linux-gnu" CFLAGS="-O2" CHOST="i686-pc-linux-gnu" CONFIG_PROTECT="/etc /usr/share/X11/xkb" CONFIG_PROTECT_MASK="/etc/env.d /etc/gconf /etc/revdep-rebuild /etc/splash /etc/terminfo" CXXFLAGS="-O2" DISTDIR="/usr/portage/distfiles" FEATURES="autoconfig ccache distlocks metadata-transfer parallel-fetch sandbox sfperms strict" GENTOO_MIRRORS="ftp://sunsite.informatik.rwth-aachen.de/pub/Linux/gentoo/" LANG="de_DE@euro" LC_ALL="de_DE@euro" LINGUAS="de" MAKEOPTS="-j2" PKGDIR="/usr/portage/packages" PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude='/distfiles' --exclude='/local' --exclude='/packages'" PORTAGE_TMPDIR="/var/tmp" PORTDIR="/usr/portage" PORTDIR_OVERLAY="/usr/local/portage" SYNC="rsync://rsync.informatik.rwth-aachen.de/gentoo-portage" USE="x86 3dnow 3dnowext X Xaw3d a52 alsa arts artworkextra asf audiofile avi bash-completion beagle berkdb bidi bitmap-fonts bootsplash branding bzip2 cairo cdda cddb cdparanoia cdr cli cracklib crypt css cups curl custom-cflags dbus dga directfb divx4linux dlloader dri dts dvd dvdr dvdread dvi eds emacs emboss encode esd evo exif expat fam fat fbcon ffmpeg firefox fortran ftp gb gcj gdbm gif gnome gpm gstreamer gtk gtk2 gtkhtml hal icq idn imagemagick imap ipv6 isdnlog java javascript jikes jpeg jpeg2k ldap leim libg++ lm_sensors mad maildir matroska mbox mikmod mime mmx mmxext mng mono mp3 mpeg mpeg2 mule nautilus ncurses nforce2 nls nocardbus nptl nptlonly nsplugin nvidia objc ogg opengl pam pcre pdf pdflib perl plotutils pmu png ppds pppd preview-latex print python qt3 qt4 quicktime readline reflection reiserfs samba sdk session slang spell spl sse ssl svg svga t1lib tcltk tcpd tetex theora thunderbird tiff truetype truetype-fonts type1-fonts udev usb vcd videos vorbis win32codecs wmf wxwindows xine xml xorg xosd xv xvid zlib elibc_glibc input_devices_mouse input_devices_keyboard kernel_linux linguas_de userland_GNU video_cards_radeon video_cards_vesa video_cards_fbdev" Unset: CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LDFLAGS, PORTAGE_RSYNC_EXTRA_OPTS
x86's bad, we're the last and now stable ^.^;;
Everyone's stable that needs to be stable. Removed the old and/or vulnerable ebuilds.
Reopening for GLSA. Thomas please don't close security bugs.
(In reply to comment #23) > Thomas please don't close security bugs. I didn't, tsunam did.... From: bugzilla-daemon@gentoo.org To: tcort@gentoo.org Subject: [Bug 144861] media-sound/streamripper remote buffer overflows (CVE-2006-3124) Date: Mon, 04 Sep 2006 06:45:43 +0000 Clear-Text: http://bugs.gentoo.org/show_bug.cgi?id=144861 Secure: https://bugs.gentoo.org/show_bug.cgi?id=144861 tsunam@gentoo.org changed: What |Removed |Added ---------------------------------------------------------------------------- CC|x86@gentoo.org | Status|ASSIGNED |RESOLVED Resolution| |FIXED ------- Comment #21 from tsunam@gentoo.org 2006-09-03 23:45 PST ------- x86's bad, we're the last and now stable ^.^;;
Ok, sorry I missed that initially.
GLSA 200609-01