Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 210564 (CVE-2008-2109) - media-libs/libid3tag <0.15.1b-r2 Infinite loop (CVE-2008-2109)
Summary: media-libs/libid3tag <0.15.1b-r2 Infinite loop (CVE-2008-2109)
Status: RESOLVED FIXED
Alias: CVE-2008-2109
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High minor (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B3? [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2008-02-18 08:07 UTC by Viktor Ashirov
Modified: 2020-04-06 21:01 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments
libid3tag-0.15.1b-fix_overflow.patch (libid3tag-0.15.1b-fix_overflow.patch,485 bytes, patch)
2008-02-18 08:08 UTC, Viktor Ashirov
no flags Details | Diff
strace madplay (strace,46.27 KB, text/plain)
2008-02-18 08:12 UTC, Viktor Ashirov
no flags Details
mp3 file for testing (test.mp3,90.00 KB, application/octet-stream)
2008-02-18 08:29 UTC, Viktor Ashirov
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Viktor Ashirov 2008-02-18 08:07:10 UTC
http://www.mars.org/mailman/public/mad-dev/2008-January/001366.html

The problem occurs when parsing an ID3_FIELD_TYPE_STRINGLIST field,
specifically when data to be parsed is ended with '\0'.
In this case, **ptr == 0, but the condition end - *ptr is 1 so loop
continues infinitely.

Reproducible: Always

Steps to Reproduce:
Comment 1 Viktor Ashirov 2008-02-18 08:08:56 UTC
Created attachment 143858 [details, diff]
libid3tag-0.15.1b-fix_overflow.patch
Comment 2 Viktor Ashirov 2008-02-18 08:12:49 UTC
Created attachment 143859 [details]
strace madplay
Comment 3 Viktor Ashirov 2008-02-18 08:29:41 UTC
Created attachment 143861 [details]
mp3 file for testing
Comment 4 Diego Elio Pettenò (RETIRED) gentoo-dev 2008-04-20 18:57:13 UTC
Security team please advise..
Comment 5 Olivier Crete (RETIRED) gentoo-dev 2008-05-05 02:55:34 UTC
libid3tag-0.15.1b-r1 has this patch and more.. I guess the security guys don't care? WeI should probably wait 30 days anyway since I added a lot of patches.
Comment 6 Robert Buchholz (RETIRED) gentoo-dev 2008-05-05 08:29:59 UTC
(In reply to comment #5)
> libid3tag-0.15.1b-r1 has this patch and more.. I guess the security guys don't
> care? WeI should probably wait 30 days anyway since I added a lot of patches.

We do care, thank you for bugging again. Which of the patches you added is the fix for this bug (because I failed to find the patch attached here in CVS)?
Also, considering this is a security bug, I'd rather fix it sooner than later. We could agree on a five day testing period, if you like.
Comment 7 Olivier Crete (RETIRED) gentoo-dev 2008-05-05 14:10:03 UTC
I'm an idiot, I forgot to add the patch for this bug, anyway, its in now.
Comment 8 Robert Buchholz (RETIRED) gentoo-dev 2008-05-05 14:31:33 UTC
(In reply to comment #7)
> I'm an idiot, I forgot to add the patch for this bug, anyway, its in now.

We need to revbump this then, to make sure everyone who upgraded to 0.15.1b-r1 is safe from the issue.
Comment 9 Olivier Crete (RETIRED) gentoo-dev 2008-05-05 14:40:16 UTC
bumped
Comment 10 Robert Buchholz (RETIRED) gentoo-dev 2008-05-05 15:54:36 UTC
Arches, please test and mark stable:
=media-libs/libid3tag-0.15.1b-r2
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 release sh sparc x86"
Comment 11 Jeroen Roovers gentoo-dev 2008-05-05 18:05:18 UTC
Stable for HPPA.
Comment 12 Markus Meier gentoo-dev 2008-05-05 20:16:06 UTC
amd64/x86 stable
Comment 13 Raúl Porcel (RETIRED) gentoo-dev 2008-05-06 13:15:28 UTC
alpha/ia64/sparc stable
Comment 14 Tobias Scherbaum (RETIRED) gentoo-dev 2008-05-06 18:02:01 UTC
ppc stable
Comment 15 Markus Rothe (RETIRED) gentoo-dev 2008-05-07 18:44:34 UTC
ppc64 stable
Comment 16 Christian Hoffmann (RETIRED) gentoo-dev 2008-05-07 20:55:11 UTC
CVE-2008-2109
Comment 17 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-05-10 11:37:35 UTC
Time for GLSA decision. This seems to be a client only application, so this would be a client DoS => voting NO.
Comment 18 Robert Buchholz (RETIRED) gentoo-dev 2008-05-10 12:20:22 UTC
media-sound/mt-daapd uses this library. Also, the infinite loop will eat up all memory, it does not only crash the player. I rather tend for a yes here.
Comment 19 Peter Volkov (RETIRED) gentoo-dev 2008-05-11 15:10:03 UTC
Fixed in release snapshot.
Comment 20 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-05-13 20:49:20 UTC
(In reply to comment #18)
> media-sound/mt-daapd uses this library. Also, the infinite loop will eat up all
> memory, it does not only crash the player. I rather tend for a yes here.
> 

ok, changing my vote. GLSA request filed.
Comment 21 Tobias Heinlein (RETIRED) gentoo-dev 2008-05-21 21:01:54 UTC
GLSA 200805-15