Bug 254896 (CVE-2009-0135) - <media-sound/amarok-{1.4.10-r2, 2.0.1.1}: Several integer overflows and unchecked allocation vulnerabilities (CVE-2009-{0135,0136})
Summary: <media-sound/amarok-{1.4.10-r2, 2.0.1.1}: Several integer overflows and unche...
Status: RESOLVED FIXED
Alias: CVE-2009-0135
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
URL: http://www.trapkit.de/advisories/TKAD...
Whiteboard: B2 [glsa]
Reported: 2009-01-13 22:34 UTC by Stefan Behte (RETIRED)
Modified: 2009-03-20 20:24 UTC (History)
Description Stefan Behte (RETIRED) gentoo-dev Security 2009-01-13 22:34:19 UTC
From advisory in $URL:
Amarok contains several integer overflows and unchecked allocation 
vulnerabilities while parsing malformed Audible digital audio files. 
The vulnerabilities may be exploited by a (remote) attacker to execute 
arbitrary code in the context of Amarok.
Comment 1 Stefan Behte (RETIRED) gentoo-dev Security 2009-01-13 22:42:24 UTC
Advisory says amarok < 2.0.1.1, but we need to verify the code. Issue opened because this slipped under the radar and I don't want to forget to file this.
Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2009-01-14 13:48:28 UTC
Upstream states:
Patches are revision 908415 (for Amarok 1.4.x), 908391 (for trunk) and 908401
(for 2.0.x branch).
Comment 3 Stefan Behte (RETIRED) gentoo-dev Security 2009-01-17 01:30:22 UTC
CVE-2009-0135 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0135):
  Multiple integer overflows in the Audible::Tag::readTag function in
  metadata/audible/audibletag.cpp in Amarok 1.4.10 through 2.0.1 allow
  remote attackers to execute arbitrary code via an Audible Audio (.aa)
  file with a large (1) nlen or (2) vlen Tag value, each of which
  triggers a heap-based buffer overflow.

CVE-2009-0136 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0136):
  Multiple array index errors in the Audible::Tag::readTag function in
  metadata/audible/audibletag.cpp in Amarok 1.4.10 through 2.0.1 allow
  remote attackers to cause a denial of service (application crash) or
  execute arbitrary code via an Audible Audio (.aa) file with a crafted
  (1) nlen or (2) vlen Tag value, each of which can lead to an invalid
  pointer dereference, or the writing of a 0x00 byte to an arbitrary
  memory location, after an allocation failure.

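The two CVEs above describe the same defensive gap: tag lengths (nlen, vlen) taken from the file and fed straight into an allocation size and a copy, with no cap, no check against the bytes actually present, and no check that the allocation succeeded before writing the terminating 0x00 byte. The reader below is an added example, not Amarok's code, and uses a constructed, simplified tag layout (big-endian nlen, vlen, then name and value bytes) rather than the real Audible .aa format; it shows the checks a hardened readTag needs.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed layout (NOT the real Audible format):
 * [uint32 nlen][uint32 vlen][nlen bytes name][vlen bytes value], big-endian. */
enum { TAG_OK = 0, TAG_ERR_TRUNCATED = -1, TAG_ERR_TOO_LARGE = -2, TAG_ERR_OOM = -3 };

/* Hard cap on a field: no sane tag is larger, and it keeps nlen+1 / vlen+1
 * far from the wrap-around that an unchecked "malloc(nlen + 1)" can hit. */
#define TAG_MAX_FIELD (64u * 1024u)

static uint32_t rd32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Hardened reader: each length is checked against the cap and against the bytes
 * remaining in the buffer before any allocation or copy; allocation results are
 * checked before the terminator is written, so no store ever goes through NULL. */
int read_tag_safe(const uint8_t *buf, size_t len, char **name_out, char **value_out) {
    *name_out = *value_out = NULL;
    if (len < 8) return TAG_ERR_TRUNCATED;
    uint32_t nlen = rd32(buf), vlen = rd32(buf + 4);
    if (nlen > TAG_MAX_FIELD || vlen > TAG_MAX_FIELD) return TAG_ERR_TOO_LARGE;
    /* Subtract only quantities already known to fit, so nothing here can underflow. */
    if (len - 8 < nlen || len - 8 - nlen < vlen) return TAG_ERR_TRUNCATED;
    char *name = malloc((size_t)nlen + 1);
    if (!name) return TAG_ERR_OOM;
    char *value = malloc((size_t)vlen + 1);
    if (!value) { free(name); return TAG_ERR_OOM; }
    memcpy(name, buf + 8, nlen);          name[nlen] = '\0';
    memcpy(value, buf + 8 + nlen, vlen);  value[vlen] = '\0';
    *name_out = name; *value_out = value;
    return TAG_OK;
}

/* Convenience wrapper for testing: parse, discard the fields, return the status. */
int tag_status(const uint8_t *buf, size_t len) {
    char *n, *v;
    int rc = read_tag_safe(buf, len, &n, &v);
    free(n); free(v);
    return rc;
}

int main(void) {
    /* Constructed sample: name "title", value "x". */
    const uint8_t ok[] = {0,0,0,5, 0,0,0,1, 't','i','t','l','e', 'x'};
    /* Constructed sample: nlen = 0xFFFFFFFF, the overflow case the CVE describes. */
    const uint8_t huge[] = {0xFF,0xFF,0xFF,0xFF, 0,0,0,0};
    return (tag_status(ok, sizeof ok) == TAG_OK && tag_status(huge, sizeof huge) < 0) ? 0 : 1;
}
```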
Comment 4 Robert Buchholz (RETIRED) gentoo-dev 2009-03-04 17:39:13 UTC
ping, kde herd?
Comment 5 Tomáš Chvátal (RETIRED) gentoo-dev 2009-03-04 17:45:53 UTC
Is there ANY older 2-series version than 2.0.1.1 in the tree?
Comment 6 Tomáš Chvátal (RETIRED) gentoo-dev 2009-03-04 17:46:38 UTC
Ow, I missed that it is for 1.4.X too. Don't mind me then. I can't test/fix kde3 packages, sorry, but I will get tampakrap here.
Comment 7 Theo Chatzimichos (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2009-03-04 19:13:41 UTC
I added amarok-1.4.10-r2 to the tree, which can be stabilized. All previous versions can be removed after that. All later versions aren't affected.
Comment 8 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2009-03-04 19:33:03 UTC
Arches, please test and mark stable:
=media-sound/amarok-1.4.10-r2
Target keywords : "amd64 ppc ppc64 sparc x86"
Comment 9 Markus Meier gentoo-dev 2009-03-07 11:06:12 UTC
configure: WARNING: unrecognized options: --with-x, --enable-mitshm, --without-xinerama, --without-debug

apart from that, looks good on amd64/x86.
Comment 10 Markus Meier gentoo-dev 2009-03-07 11:08:28 UTC
amd64/x86 stable
Comment 11 Raúl Porcel (RETIRED) gentoo-dev 2009-03-07 19:03:18 UTC
sparc stable
Comment 12 Brent Baude (RETIRED) gentoo-dev 2009-03-11 16:04:30 UTC
ppc64 done
Comment 13 Brent Baude (RETIRED) gentoo-dev 2009-03-19 12:51:26 UTC
ppc done
Comment 14 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2009-03-19 13:02:50 UTC
Secunia mentions a possibility to execute code, so B2 sounds right to me.
Request filed.
Comment 15 Tobias Heinlein (RETIRED) gentoo-dev 2009-03-20 20:24:04 UTC
GLSA 200903-34, thanks everyone.