Bug 626822 (CVE-2017-11552) - media-libs/libmad: Dos (memory corruption) via crafted MP3 files
Summary: media-libs/libmad: Dos (memory corruption) via crafted MP3 files
Status: IN_PROGRESS
Alias: CVE-2017-11552
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://seclists.org/fulldisclosure/2...
Whiteboard: A2 [upstream cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2017-08-01 18:31 UTC by Christopher Díaz Riveros (RETIRED)
Modified: 2021-04-29 06:41 UTC

See Also:
Package list:
Runtime testing required: ---

Description Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-08-01 18:31:47 UTC
From URL:

Description
The mad_decoder_run function in decoder.c in libmad 0.15.1b allows remote attackers to cause a denial of service (memory corruption) via a crafted MP3 file.
Comment 1 Andreas Sturmlechner gentoo-dev 2018-10-03 21:05:48 UTC
Debian bug report suggests this is an issue with mpg321?

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11552
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=870406
Comment 2 Yury German Gentoo Infrastructure gentoo-dev 2019-04-27 18:38:25 UTC
Maintainer(s), RedHat has this fixed in version libmad-0.15.1b-26.el6, please advise if the version in tree contains this fix.
Comment 3 Thomas Deutschmann gentoo-dev Security 2020-03-09 00:22:48 UTC
(In reply to Yury German from comment #2)
> Maintainer(s), RedHat has this fixed in version libmad-0.15.1b-26.el6,
> please advise if the version in tree contains this fix.

I haven't tested on Fedora, but the build log from that version (git+https://src.fedoraproject.org/rpms/libmad.git#f34ffbead19e2214ba880d66a24f7cf31fee682b) shows that two patches

> Patch6:         length-check.patch
> Patch7:         md_size.diff

were added.

When I add these patches to our libmad version I still get the same crash with the PoC from $URL.


(In reply to Andreas Sturmlechner from comment #1)
> Debian bug report suggests this is an issue with mpg321?
> 
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11552
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=870406

Well, the backtrace from $URL clearly shows that it's crashing in libmad. So libmad needs to be patched. In the case of Debian: according to my understanding, they applied https://sources.debian.org/src/mpg321/0.3.2-3/debian/patches/handle_illegal_bitrate_value.patch/ to error out early on bad data like that used in the PoC, before reaching the vulnerable libmad code. However, with this patch applied, I still see mpg321 crashing when using the PoC.

I doubt that this is fixed somewhere.
Comment 4 Thomas Deutschmann gentoo-dev Security 2020-03-09 00:31:01 UTC
Correction: Looks like handle_illegal_bitrate_value.patch is for CVE-2019-14247 (bug 711918).
Comment 5 Miroslav Šulc gentoo-dev 2021-04-29 06:41:28 UTC
I cannot reproduce the issue:

$ mpg321-mpg123 libmad_0.15.1b_memory_corruption.mp3 
High Performance MPEG 1.0/2.0/2.5 Audio Player for Layer 1, 2, and 3.
Version 0.3.2-1 (2012/03/25). Written and copyrights by Joe Drew,
now maintained by Nanakos Chrysostomos and others.
Uses code from various people. See 'README' for more!
THIS SOFTWARE COMES WITH ABSOLUTELY NO WARRANTY! USE AT YOUR OWN RISK!
Title	: ExifTool Test                  Artist : Phil Harvey                   
Album	: Phil's Greatest Hits           Year	 : 2005
Comment : My Comments                    Genre : Testing                       
Illegal bit allocation value

Playing MPEG stream from libmad_0.15.1b_memory_corruption.mp3 ...
MPEG 1.0 layer III, 128 kbit/s, 44100 Hz joint-stereo
                                                                            
[0:00] Decoding of libmad_0.15.1b_memory_corruption.mp3 finished.


So I suppose you can proceed.