Bug 626822 (CVE-2017-11552) - media-libs/libmad: Dos (memory corruption) via crafted MP3 files
Summary: media-libs/libmad: Dos (memory corruption) via crafted MP3 files
Status: IN_PROGRESS
Alias: CVE-2017-11552
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://seclists.org/fulldisclosure/2...
Whiteboard: A2 [upstream cve]
Reported: 2017-08-01 18:31 UTC by Christopher Díaz Riveros (RETIRED)
Modified: 2020-03-09 00:31 UTC


Description Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-08-01 18:31:47 UTC
From URL:

Description
The mad_decoder_run function in decoder.c in libmad 0.15.1b allows remote attackers to cause a denial of service (memory corruption) via a crafted MP3 file.
Comment 1 Andreas Sturmlechner gentoo-dev 2018-10-03 21:05:48 UTC
Debian bug report suggests this is an issue with mpg321?

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11552
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=870406
Comment 2 Yury German Gentoo Infrastructure gentoo-dev 2019-04-27 18:38:25 UTC
Maintainer(s), Red Hat has this fixed in version libmad-0.15.1b-26.el6, please advise if the version in tree contains this fix.
Comment 3 Thomas Deutschmann gentoo-dev Security 2020-03-09 00:22:48 UTC
(In reply to Yury German from comment #2)
> Maintainer(s), Red Hat has this fixed in version libmad-0.15.1b-26.el6,
> please advise if the version in tree contains this fix.

I haven't tested on Fedora, but the build log from that version (git+https://src.fedoraproject.org/rpms/libmad.git#f34ffbead19e2214ba880d66a24f7cf31fee682b) shows that two patches

> Patch6:         length-check.patch
> Patch7:         md_size.diff

were added.

When I add these patches to our libmad version I still get the same crash with the PoC from $URL.


(In reply to Andreas Sturmlechner from comment #1)
> Debian bug report suggests this is an issue with mpg321?
> 
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11552
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=870406

Well, the backtrace from $URL clearly shows that it's crashing in libmad. So libmad needs to be patched. In the case of Debian: according to my understanding, they applied https://sources.debian.org/src/mpg321/0.3.2-3/debian/patches/handle_illegal_bitrate_value.patch/ to error out early in the case of bad data like that used in the PoC, before reaching vulnerable libmad. However, with this patch applied, I still see mpg321 crashing when using the PoC.

I doubt that this is fixed somewhere.
Comment 4 Thomas Deutschmann gentoo-dev Security 2020-03-09 00:31:01 UTC
Correction: Looks like handle_illegal_bitrate_value.patch is for CVE-2019-14247 (bug 711918).
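Comment 3 describes the mitigation approach of rejecting a file with illegal header fields before the data ever reaches the decoder. The following is an added example of that pre-flight technique, written for this page; it is not libmad, mpg321 or Debian patch code, and (as comments 3 and 4 note) such a check is not a fix for the crash tracked in this bug. It assumes a raw MPEG Layer III frame stream with no ID3v2/ID3v1 tags or leading junk, treats free-format (bitrate index 0) as unsupported, and uses constructed sample headers rather than data from the PoC. The error codes, struct and function names are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Pre-flight validator for a raw MPEG Layer III (MP3) frame stream.
 * Added example, not libmad/mpg321 code. Assumes no ID3 tags or junk. */

enum {
    MP3_OK = 0,
    MP3_ERR_SHORT = -1,      /* fewer than 4 bytes left for a header */
    MP3_ERR_SYNC = -2,       /* 11-bit frame sync missing */
    MP3_ERR_VERSION = -3,    /* reserved version id (01) */
    MP3_ERR_LAYER = -4,      /* reserved layer, or not Layer III */
    MP3_ERR_BITRATE = -5,    /* index 15 (illegal) or 0 (free format, unsupported here) */
    MP3_ERR_SAMPLERATE = -6, /* sample rate index 3 (reserved) */
    MP3_ERR_EMPHASIS = -7,   /* emphasis 10 (reserved) */
    MP3_ERR_TRUNCATED = -8   /* header promises more bytes than remain */
};

struct mp3_frame {
    unsigned mpeg;       /* 1 = MPEG-1, 2 = MPEG-2, 25 = MPEG-2.5 */
    unsigned bitrate;    /* bit/s */
    unsigned samplerate; /* Hz */
    unsigned padding;    /* 0 or 1 */
    size_t length;       /* whole frame, 4-byte header included */
};

/* Layer III bitrate tables in kbit/s; index 0 = free format, 15 = illegal. */
static const unsigned br_mpeg1[16] = {0,32,40,48,56,64,80,96,112,128,160,192,224,256,320,0};
static const unsigned br_mpeg2[16] = {0,8,16,24,32,40,48,56,64,80,96,112,128,144,160,0};
/* Sample rates in Hz; rows MPEG-1, MPEG-2, MPEG-2.5; index 3 is reserved. */
static const unsigned sr_tab[3][3] = {{44100,48000,32000},{22050,24000,16000},{11025,12000,8000}};

/* Constructed sample headers (not from the PoC). */
const uint8_t SAMPLE_HDR_MPEG1[4] = {0xFF, 0xFB, 0x90, 0x00}; /* MPEG-1 L3, 128 kbit/s, 44.1 kHz */
const uint8_t SAMPLE_HDR_MPEG2[4] = {0xFF, 0xF3, 0x84, 0x00}; /* MPEG-2 L3, 64 kbit/s, 24 kHz */

/* Parses one 4-byte header at p (n bytes available). Every reserved or
 * illegal field value is rejected before any length is derived from it. */
int mp3_parse_header(const uint8_t *p, size_t n, struct mp3_frame *f)
{
    if (n < 4) return MP3_ERR_SHORT;
    uint32_t h = ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
                 ((uint32_t)p[2] << 8) | (uint32_t)p[3];
    if ((h & 0xFFE00000u) != 0xFFE00000u) return MP3_ERR_SYNC;
    unsigned ver = (h >> 19) & 3;  /* 00 = MPEG-2.5, 01 = reserved, 10 = MPEG-2, 11 = MPEG-1 */
    unsigned lay = (h >> 17) & 3;  /* 00 = reserved, 01 = Layer III, 10 = II, 11 = I */
    unsigned bri = (h >> 12) & 15;
    unsigned sri = (h >> 10) & 3;
    unsigned pad = (h >> 9) & 1;
    unsigned emp = h & 3;
    if (ver == 1) return MP3_ERR_VERSION;
    if (lay != 1) return MP3_ERR_LAYER;
    if (bri == 0 || bri == 15) return MP3_ERR_BITRATE;
    if (sri == 3) return MP3_ERR_SAMPLERATE;
    if (emp == 2) return MP3_ERR_EMPHASIS;

    unsigned row = (ver == 3) ? 0 : (ver == 2) ? 1 : 2;
    f->mpeg = (ver == 3) ? 1 : (ver == 2) ? 2 : 25;
    f->bitrate = ((ver == 3) ? br_mpeg1[bri] : br_mpeg2[bri]) * 1000u;
    f->samplerate = sr_tab[row][sri];
    f->padding = pad;
    /* Layer III frame length: 144 (MPEG-1) or 72 (MPEG-2/2.5) * bitrate / samplerate, + padding. */
    f->length = (size_t)(((ver == 3) ? 144u : 72u) * f->bitrate / f->samplerate) + pad;
    return MP3_OK;
}

/* Walks the stream frame by frame. Returns the frame count (>= 0) or the
 * first error (< 0); a frame that runs past the buffer end is an error. */
long mp3_scan(const uint8_t *buf, size_t len)
{
    size_t off = 0;
    long frames = 0;
    while (off < len) {
        struct mp3_frame f;
        int rc = mp3_parse_header(buf + off, len - off, &f);
        if (rc != MP3_OK) return rc;
        if (f.length > len - off) return MP3_ERR_TRUNCATED;
        off += f.length;
        frames++;
    }
    return frames;
}

/* Builds constructed sample input: `count` back-to-back frames with header
 * `hdr` and zero-filled payload. Returns bytes written, or 0 on bad input. */
size_t build_sample(uint8_t *dst, size_t cap, const uint8_t hdr[4], size_t count)
{
    struct mp3_frame f;
    if (mp3_parse_header(hdr, 4, &f) != MP3_OK) return 0;
    if (count == 0 || count > cap / f.length) return 0;
    size_t off = 0;
    for (size_t i = 0; i < count; i++) {
        memset(dst + off, 0, f.length);
        memcpy(dst + off, hdr, 4);
        off += f.length;
    }
    return off;
}

int main(void)
{
    uint8_t buf[2048];
    size_t n = build_sample(buf, sizeof buf, SAMPLE_HDR_MPEG1, 3);
    printf("valid stream: %zu bytes, scan result %ld\n", n, mp3_scan(buf, n));
    buf[2] = 0xF0; /* bitrate index 15 in the first header */
    printf("illegal bitrate: scan result %ld\n", mp3_scan(buf, n));
    return 0;
}
```

The check runs before any decoder sees the bytes, so a rejection costs nothing beyond reading the headers; it does not, however, prove the stream is safe for a given decoder, only that the header fields are within the values the format defines.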