Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 249039 (CVE-2008-4829) - media-sound/streamripper<1.64.0 multiple buffer overflows in lib/http.c (CVE-2008-4829)
Summary: media-sound/streamripper<1.64.0 multiple buffer overflows in lib/http.c (CVE-...
Alias: CVE-2008-4829
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High normal (vote)
Assignee: Gentoo Security
Whiteboard: B2 [glsa]
: 245959 (view as bug list)
Depends on:
Reported: 2008-11-26 23:57 UTC by Stefan Behte (RETIRED)
Modified: 2009-01-11 14:15 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Stefan Behte (RETIRED) gentoo-dev Security 2008-11-26 23:57:33 UTC
CVE-2008-4829 (
  Multiple buffer overflows in lib/http.c in Streamripper 1.63.5 allow
  remote attackers to execute arbitrary code via (1) a long "Zwitterion
  v" HTTP header, related to the http_parse_sc_header function; (2) a
  crafted pls playlist with a long entry, related to the http_get_pls
  function; or (3) a crafted m3u playlist with a long File entry,
  related to the http_get_m3u function.
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2008-11-27 11:33:01 UTC
*** Bug 245959 has been marked as a duplicate of this bug. ***
Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2008-11-27 11:33:51 UTC
B1 because it is a client, and you need to entice a user to visit the malicious URL.
Comment 3 Robert Buchholz (RETIRED) gentoo-dev 2008-11-27 11:35:56 UTC
We can either bump:

New for 1.64.0
Wed Nov 19 09:00:06 EST 2008
* Security patch for CVE-2008-4829, multiple buffer overflows in http.c
  that could result in remote exploit.

... or patch:
Comment 4 Samuli Suominen (RETIRED) gentoo-dev 2008-11-27 12:13:51 UTC
1.64.0 is now in Portage. Test and stable.
Comment 5 Robert Buchholz (RETIRED) gentoo-dev 2008-11-27 12:42:55 UTC
Arches, please test and mark stable:
Target keywords : "alpha amd64 hppa ppc ppc64 sparc x86"
Comment 6 Samuli Suominen (RETIRED) gentoo-dev 2008-11-27 14:42:39 UTC
For hppa this means stabilizing cdk without ~arch testing, DEPEND.bad, RDEPEND.bad, media-sound/streamripper/streamripper-1.64.0.ebuild: ~hppa(default/linux/hppa/2008.0) ['dev-libs/cdk'] or mass unkeywording 
of media applications.
Comment 7 Robert Buchholz (RETIRED) gentoo-dev 2008-11-27 14:53:27 UTC
We can add a grace period for cdk ~hppa testing and stable it in a week.
Comment 8 Jeroen Roovers (RETIRED) gentoo-dev 2008-11-27 16:20:10 UTC
Stable for HPPA.
Comment 9 Norman Jonas 2008-11-28 02:08:25 UTC
May I ask why streamripper-1.64.0 ebuild depends on cdk ? I removed the cdk dep ( cdk not installed on my system ) and it built just fine. Output was

Using included CDK library?        no

Which means neither did it use the internal one nor is there a system one.

./configure --help says

--with-included-cdk use the cdk library included with streamripper

No option is there for using system cdk.

I conclude that

a) cdk is optional and unternal only - maybe needs a cdk useflag
b) it seems that streamripper will not build against a system cdk at all ( unsure about this - please check with ldd )

Sorry if it was wrong to post here instead of doing a new bug right away.
Comment 10 Samuli Suominen (RETIRED) gentoo-dev 2008-11-28 05:13:20 UTC
Next arch touching this.

- Remove dev-libs/cdk from RDEPEND.
- Remove unused "inherit eutils"

Thank you.
Comment 11 Markus Meier gentoo-dev 2008-11-28 20:43:23 UTC
(In reply to comment #10)
> Next arch touching this.
> - Remove dev-libs/cdk from RDEPEND.
> - Remove unused "inherit eutils"
> Thank you.

done, as amd64/x86.
Comment 12 Samuli Suominen (RETIRED) gentoo-dev 2008-11-28 20:48:22 UTC
For The Record, cdk was used for cstreamripper which is supposed to be some sort of ncurses frontend to streamripper itself. I remember looking at this issue like an year ago, and seeing some upstream message it was temp. disabled for a reason.

Anyway, I will investigate this issue more closely later (again).

Luckily, streamripper has other frontends available in Portage.
Comment 13 Tobias Scherbaum (RETIRED) gentoo-dev 2008-11-28 21:17:25 UTC
ppc stable
Comment 14 Raúl Porcel (RETIRED) gentoo-dev 2008-11-29 17:01:02 UTC
alpha/sparc stable
Comment 15 Stefan Behte (RETIRED) gentoo-dev Security 2008-11-30 16:13:09 UTC
ppc64: *PING*
Comment 16 Brent Baude (RETIRED) gentoo-dev 2008-12-01 15:40:50 UTC
ppc64 done
Comment 17 Tobias Heinlein (RETIRED) gentoo-dev 2008-12-07 20:22:59 UTC
GLSA request filed.
Comment 18 Pierre-Yves Rofes (RETIRED) gentoo-dev 2009-01-11 14:15:53 UTC
GLSA 200901-05