http://www.mars.org/mailman/public/mad-dev/2008-January/001366.html

The problem occurs when parsing an ID3_FIELD_TYPE_STRINGLIST field, specifically when the data to be parsed ends with '\0'. In this case, **ptr == 0, but the condition end - *ptr is 1, so the loop continues infinitely.

Reproducible: Always

Steps to Reproduce:
Created attachment 143858 [details, diff] libid3tag-0.15.1b-fix_overflow.patch
Created attachment 143859 [details] strace madplay
Created attachment 143861 [details] mp3 file for testing
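To make the reported failure mode concrete, here is an added example (not code from libid3tag, the attached patch, or the bug reporter) that models the string-list loop described above. It assumes, as the report implies, that the per-string scan stops at the NUL byte without consuming it, so a trailing '\0' leaves end - *ptr == 1 and no progress is made. The unguarded variant is given an iteration cap purely so the non-termination can be observed without hanging; the hardened variant consumes the terminator and refuses to spin when an iteration makes no progress.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a non-terminating string scan: advances *ptr up to
   (but not past) the first NUL, or to the end of the buffer if there is none.
   Returns the number of bytes consumed. This is an assumption about the
   library's behaviour drawn from the report, not the library's own code. */
size_t scan_latin1(const unsigned char **ptr, size_t length)
{
    const unsigned char *nul = memchr(*ptr, 0, length);
    size_t n = nul ? (size_t)(nul - *ptr) : length;
    *ptr += n;
    return n;
}

/* Model of the reported loop: while bytes remain, scan one string.
   With a trailing NUL the scan consumes nothing and the loop never ends;
   'cap' bounds the iterations so the hang is reported as -1 instead. */
int stringlist_count_unguarded(const unsigned char *data, size_t len, int cap)
{
    const unsigned char *ptr = data, *end = data + len;
    int count = 0;

    while (end - ptr > 0) {
        if (count >= cap)
            return -1;          /* would loop forever on this input */
        scan_latin1(&ptr, (size_t)(end - ptr));
        ++count;                /* each pass would also allocate a string */
    }
    return count;
}

/* Hardened loop: consume the separator after each string, and treat an
   iteration that makes no progress as a parse error rather than retrying. */
int stringlist_count(const unsigned char *data, size_t len)
{
    const unsigned char *ptr = data, *end = data + len;
    int count = 0;

    while (end - ptr > 0) {
        const unsigned char *before = ptr;

        scan_latin1(&ptr, (size_t)(end - ptr));
        ++count;
        if (ptr < end && *ptr == 0)
            ++ptr;              /* step over the terminating NUL */
        if (ptr == before)
            return -1;          /* progress guard: never spin in place */
    }
    return count;
}

int main(void)
{
    /* Constructed frame payloads: one without and one with a trailing NUL. */
    const unsigned char plain[] = { 'a', 'b', 'c' };
    const unsigned char terminated[] = { 'a', 'b', 'c', 0 };

    printf("unguarded, no NUL : %d\n",
           stringlist_count_unguarded(plain, sizeof plain, 100));
    printf("unguarded, NUL    : %d (cap hit)\n",
           stringlist_count_unguarded(terminated, sizeof terminated, 100));
    printf("hardened, NUL     : %d\n",
           stringlist_count(terminated, sizeof terminated));
    return 0;
}
```

The cap-hit result on the NUL-terminated payload is the report's infinite loop; in the real parser every pass also allocates a fresh string, which is why the comment below notes that the loop eats all memory rather than merely hanging the player.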
Security team please advise..
libid3tag-0.15.1b-r1 has this patch and more.. I guess the security guys don't care? We should probably wait 30 days anyway since I added a lot of patches.
(In reply to comment #5)
> libid3tag-0.15.1b-r1 has this patch and more.. I guess the security guys don't
> care? We should probably wait 30 days anyway since I added a lot of patches.

We do care, thank you for bugging again. Which of the patches you added is the fix for this bug (because I failed to find the patch attached here in CVS)? Also, considering this is a security bug, I'd rather fix it sooner than later. We could agree on a five day testing period, if you like.
I'm an idiot, I forgot to add the patch for this bug; anyway, it's in now.
(In reply to comment #7)
> I'm an idiot, I forgot to add the patch for this bug; anyway, it's in now.

We need to revbump this then, to make sure everyone who upgraded to 0.15.1b-r1 is safe from the issue.
bumped
Arches, please test and mark stable: =media-libs/libid3tag-0.15.1b-r2
Target keywords: "alpha amd64 arm hppa ia64 ppc ppc64 release sh sparc x86"
Stable for HPPA.
amd64/x86 stable
alpha/ia64/sparc stable
ppc stable
ppc64 stable
CVE-2008-2109
Time for GLSA decision. This seems to be a client-only application, so this would be a client DoS => voting NO.
media-sound/mt-daapd uses this library. Also, the infinite loop will eat up all memory, it does not only crash the player. I rather tend for a yes here.
Fixed in release snapshot.
(In reply to comment #18)
> media-sound/mt-daapd uses this library. Also, the infinite loop will eat up all
> memory, it does not only crash the player. I rather tend for a yes here.

ok, changing my vote. GLSA request filed.
GLSA 200805-15