Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 188698 - media-sound/streamripper < 1.62.2 Buffer Overflow
Summary: media-sound/streamripper < 1.62.2 Buffer Overflow
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High normal (vote)
Assignee: Gentoo Security
Whiteboard: B2 [glsa]
Depends on:
Reported: 2007-08-13 11:52 UTC by Matt Fleming (RETIRED)
Modified: 2007-09-13 19:44 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Matt Fleming (RETIRED) gentoo-dev 2007-08-13 11:52:33 UTC
A vulnerability has been reported in Streamripper, which can be exploited by malicious people to compromise a user's system.

The vulnerability is caused due to a boundary error within the "httplib_parse_sc_header()" function. This can be exploited to cause a buffer overflow by e.g. tricking the user into connecting to a malicious server.

The vulnerability is reported in versions prior to 1.62.2.
Comment 1 Matt Fleming (RETIRED) gentoo-dev 2007-08-13 12:04:30 UTC
CC'ing maintainer and setting whiteboard status.
Comment 2 Samuli Suominen (RETIRED) gentoo-dev 2007-08-13 15:00:54 UTC
(In reply to comment #1)
> CC'ing maintainer and setting whiteboard status.

Committed 1.62.2 to tree, and asked shell-tools if dev-libs/tre is good to go stable (required dep) and it is.
Comment 3 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-08-14 11:00:04 UTC
Thx Samuli.

Arhces please test and mark stable. Target keywords are:

streamripper-1.62.2.ebuild:KEYWORDS="alpha amd64 ~hppa ppc ppc64 sparc x86"
Comment 4 Gustavo Zacarias (RETIRED) gentoo-dev 2007-08-14 13:07:45 UTC
sparc stable.
Comment 5 Christian Faulhammer (RETIRED) gentoo-dev 2007-08-14 17:30:20 UTC
x86 stable
Comment 6 Jonas Pedersen 2007-08-14 17:52:04 UTC

1. Compiles on AMD64. 
2. No collisions etc. 
3. Works - ripped some music from a shoutcast stream. 

Please mark stable on AMD64. 

Portage (default-linux/amd64/2007.0/desktop, gcc-4.1.2, glibc-2.5-r4, 2.6.22-gentoo-r2 x86_64)
System uname: 2.6.22-gentoo-r2 x86_64 Intel(R) Core(TM)2 CPU 6600 @ 2.40GHz
Gentoo Base System release 1.12.9
Timestamp of tree: Mon, 13 Aug 2007 21:50:01 +0000
distcc 2.18.3 x86_64-pc-linux-gnu (protocols 1 and 2) (default port 3632) [enabled]
ccache version 2.4 [enabled]
dev-java/java-config: 1.3.7, 2.0.33-r1
dev-lang/python:     2.4.4-r4
dev-python/pycrypto: 2.0.1-r6
dev-util/ccache:     2.4-r7
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.61
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10
sys-devel/binutils:  2.17
sys-devel/gcc-config: 1.3.16
sys-devel/libtool:   1.5.23b
virtual/os-headers:  2.6.21
CFLAGS="-march=nocona -O2 -msse3 -pipe -fomit-frame-pointer"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/splash /etc/terminfo"
CXXFLAGS="-march=nocona -O2 -msse3 -pipe -fomit-frame-pointer"
FEATURES="ccache collision-protect distcc distlocks metadata-transfer multilib-strict parallel-fetch sandbox sfperms strict test"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --filter=H_**/files/digest-*"
PORTDIR_OVERLAY="/usr/portage/local/layman/php-testing /usr/local/portage"
USE="X a52 aac acl acpi aiglx alsa amd64 apache2 arts atk berkdb bitmap-fonts cairo cdr cli cracklib crypt cups dbus dga directfb dri dts dvd dvdr dvdread eds emboss encode evo fam fbcn ffmpeg firefox fortran ftp gd gdbm gif gphoto2 gpm gstreamer gtk hal iconv icq ieee1394 ipv6 isdnlog java jpeg kde kerberos lm_sensors mad midi mikmod mjpeg mmx mozilla mp3 mpeg mplayer msn mudflap ncurses nls nptl nptlonly ogg oggvorbis opengl openmp pam pcre pda pdf perl png ppds pppd python qt qt3 qt3support qt4 quicktime readline reflection samba sdl session spell spl sse sse2 sse3 ssl svg tcpd test threads tiff truetype truetype-fonts type1-fonts unicode vorbis xcomposite xml xorg xscreensaver xv xvid zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mulaw multi null plug rate route share shm softvol" ELIBC="glibc" INPUT_DEVICES="keyboard mouse" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" USERLAND="GNU" VIDEO_CARDS="radeon"

Comment 7 Raúl Porcel (RETIRED) gentoo-dev 2007-08-14 18:09:20 UTC
alpha stable
Comment 8 Tobias Scherbaum (RETIRED) gentoo-dev 2007-08-14 18:12:03 UTC
ppc stable
Comment 9 Markus Rothe (RETIRED) gentoo-dev 2007-08-14 19:00:40 UTC
ppc64 stable
Comment 10 Christoph Mende (RETIRED) gentoo-dev 2007-08-15 01:14:55 UTC
amd64 stable
Comment 11 Jeroen Roovers (RETIRED) gentoo-dev 2007-08-15 02:53:02 UTC
Stable for HPPA.
Comment 12 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-08-24 09:31:53 UTC
glsa request filed.
Comment 13 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-09-13 19:44:55 UTC
GLSA 200709-03, thanks everybody!