Bug 186220 - media-sound/flac123 < 0.0.10 Stack overflow in comment parsing (CVE-2007-3507)
Summary: media-sound/flac123 < 0.0.10 Stack overflow in comment parsing (CVE-2007-3507)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
URL: http://www.isecpartners.com/advisorie...
Whiteboard: B2 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2007-07-22 12:40 UTC by Sune Kloppenborg Jeppesen
Modified: 2007-09-14 23:36 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Description Sune Kloppenborg Jeppesen gentoo-dev 2007-07-22 12:40:23 UTC
iSEC Partners Security Advisory - 2007-002-flactools
http://www.isecpartners.com
--------------------------------------------

flac123 0.0.9 - Stack overflow in comment parsing

Vendor URL: http://flac-tools.sourceforge.net/
Severity: High (Allows for arbitrary code execution)
Author: David Thiel <david[at]isecpartners[dot]com>

Vendor notified: 2007-06-05
Public release: 2007-06-28
Systems affected: Verified code execution on FreeBSD 6.2 - should affect most systems.
Advisory URL: http://www.isecpartners.com/advisories/2007-002-flactools.txt

Summary:
--------
flac123, also known as flac-tools, is vulnerable to a buffer overflow in
vorbis comment parsing. This allows for the execution of arbitrary code.

Details:
--------
The function local__vcentry_parse_value() in vorbiscomment.c does not
correctly handle a long value_length, causing it to overflow the buffer
"dest" during memcpy().

Fix Information:
----------------
This is the sole issue corrected in version 0.0.10.

Thanks to:
----------
Dan Johnson for quickly producing the fixed version.

About iSEC Partners:
--------------------
iSEC Partners is a full-service security consulting firm that provides
penetration testing, secure systems development, security education
and software design verification.

Information on testing media players and codecs to expose and prevent
similar bugs and tools to do the same will be presented at BlackHat USA
2007.

115 Sansome Street, Suite 1005
San Francisco, CA 94104
Phone: (415) 217-0052
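The flaw described in the advisory above, as an added illustration that is not flac123's own code: a reconstruction of a hardened parser for one length-prefixed Vorbis comment entry (32-bit little-endian length, then "KEY=value"), in which both the declared entry length and the value length are validated before anything is copied. The function and constant names (vc_parse_entry, VC_VALUE_MAX, the VC_ERR_* codes) and the 64-byte dest capacity are assumptions; the only specifics taken from the page are the unchecked value_length and the memcpy() into the fixed buffer dest.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define VC_VALUE_MAX 64   /* capacity of the fixed "dest" buffer; a size chosen for this example */
enum { VC_ERR_TRUNCATED = -1, VC_ERR_NO_SEPARATOR = -2, VC_ERR_TOO_LONG = -3 };

/* Parse one length-prefixed "KEY=value" entry from buf and copy the value into dest.
 * Returns the value length, or a negative VC_ERR_* code. The unchecked pattern this
 * guards against is memcpy(dest, value, value_length) with no comparison to dest_cap. */
int vc_parse_entry(const unsigned char *buf, size_t buf_len, char *dest, size_t dest_cap)
{
    if (buf_len < 4) return VC_ERR_TRUNCATED;          /* no room for the length field */
    uint32_t entry_len = (uint32_t)buf[0] | ((uint32_t)buf[1] << 8) |
                         ((uint32_t)buf[2] << 16) | ((uint32_t)buf[3] << 24);
    const unsigned char *entry = buf + 4;
    if (entry_len > buf_len - 4) return VC_ERR_TRUNCATED;   /* length claims bytes we do not have */
    const unsigned char *eq = memchr(entry, '=', entry_len);
    if (eq == NULL) return VC_ERR_NO_SEPARATOR;
    size_t value_len = entry_len - (size_t)(eq + 1 - entry);
    if (value_len >= dest_cap) return VC_ERR_TOO_LONG;  /* would overflow dest (NUL included): refuse */
    memcpy(dest, eq + 1, value_len);
    dest[value_len] = '\0';
    return (int)value_len;
}

/* Constructed inputs for the three interesting cases; each returns vc_parse_entry's result. */
/* Well-formed: length 13 then "ARTIST=Gentoo"; the 6-byte value "Gentoo" is copied. */
int vc_demo_valid(void)
{
    static const unsigned char in[] = { 13, 0, 0, 0, 'A','R','T','I','S','T','=','G','e','n','t','o','o' };
    char dest[VC_VALUE_MAX];
    return vc_parse_entry(in, sizeof in, dest, sizeof dest);
}
/* Oversized value: 100 bytes after "TITLE=", larger than dest; must be rejected, not copied. */
int vc_demo_oversized_value(void)
{
    unsigned char in[4 + 6 + 100];
    in[0] = 106; in[1] = 0; in[2] = 0; in[3] = 0;       /* entry length 106 = 6 + 100 */
    memcpy(in + 4, "TITLE=", 6);
    memset(in + 10, 'A', 100);
    char dest[VC_VALUE_MAX];
    return vc_parse_entry(in, sizeof in, dest, sizeof dest);
}
/* Lying length field: 0x7fffffff declared, only 5 bytes follow; rejected before any read. */
int vc_demo_truncated(void)
{
    static const unsigned char in[] = { 0xff, 0xff, 0xff, 0x7f, 'A','=','B','C','D' };
    char dest[VC_VALUE_MAX];
    return vc_parse_entry(in, sizeof in, dest, sizeof dest);
}
```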
Comment 1 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-07-22 14:11:48 UTC
setting status. Sound herd, please advise and bump as necessary.
Comment 2 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-08-20 14:40:46 UTC
sound, any news here?
Comment 3 Samuli Suominen gentoo-dev 2007-08-20 16:00:00 UTC
(In reply to comment #2)
> sound, any news here?
> 

yep, 0.0.11 is now in tree fixing this issue (and as a bonus we can drop all of our patches since they have been merged upstream)

tested it only with flac-1.2.0, so archteams/archtesters have to test it with the stable version of flac.
Comment 4 Markus Ullmann (RETIRED) gentoo-dev 2007-08-20 20:27:24 UTC
Works fine here. Stable on x86
Comment 5 Gustavo Zacarias (RETIRED) gentoo-dev 2007-08-21 14:59:56 UTC
sparc stable.
Comment 6 Jonas Pedersen 2007-08-21 16:40:23 UTC
media-sound/flac123-0.0.11

1. compiles on AMD64. 
2. No collisions etc. 
3. Works. 

Please mark stable on AMD64. 

Portage 2.1.2.11 (default-linux/amd64/2007.0/desktop, gcc-4.1.2, glibc-2.5-r4, 2.6.22-gentoo-r2 x86_64)

Comment 7 Christoph Mende (RETIRED) gentoo-dev 2007-08-21 16:53:24 UTC
amd64 stable
Comment 8 Markus Rothe (RETIRED) gentoo-dev 2007-08-29 10:07:44 UTC
ppc64 stable - sorry, I'm late.
Comment 9 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-08-29 10:21:50 UTC
glsa request filed.
Comment 10 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-09-14 23:36:49 UTC
Hi, it's GLSA 200709-06!