Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 631394 (CVE-2017-14648) - media-sound/bladeenc: global buffer overflow write
Summary: media-sound/bladeenc: global buffer overflow write
Status: RESOLVED FIXED
Alias: CVE-2017-14648
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Deadline: 2021-05-29
Assignee: Gentoo Security
URL: https://blogs.gentoo.org/ago/2017/09/...
Whiteboard: B2 [glsa+ cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2017-09-19 07:57 UTC by Agostino Sarubbo
Modified: 2021-07-08 04:00 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2017-09-19 07:57:04 UTC
Description:
bladeenc is an mp3 encoder.

There is a write overflow by default without a crafted file in the bladeenc command-line tool. The upstream website does not work anymore for me.
The complete ASan output of the issue:

# bladeenc $FILE
==15358==ERROR: AddressSanitizer: global-buffer-overflow on address 0x00000141c3b4 at pc 0x00000052afc8 bp 0x7ffcb9e50bb0 sp 0x7ffcb9e50ba8
WRITE of size 4 at 0x00000141c3b4 thread T0
    #0 0x52afc7 in iteration_loop /var/tmp/portage/media-sound/bladeenc-0.94.2-r1/work/bladeenc-0.94.2/bladeenc/loop.c:728:20
    #1 0x54fb91 in codecEncodeChunk /var/tmp/portage/media-sound/bladeenc-0.94.2-r1/work/bladeenc-0.94.2/bladeenc/codec.c:353:2
    #2 0x519694 in main /var/tmp/portage/media-sound/bladeenc-0.94.2-r1/work/bladeenc-0.94.2/bladeenc/main.c:518:23
    #3 0x7f3d35989680 in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.23-r4/work/glibc-2.23/csu/../csu/libc-start.c:289
    #4 0x419dc8 in getenv (/usr/bin/bladeenc+0x419dc8)

0x00000141c3b4 is located 44 bytes to the left of global variable 'lo_quant_s' defined in 'loop.c:372:17' (0x141c3e0) of size 156
0x00000141c3b4 is located 0 bytes to the right of global variable 'hi_quant_l' defined in 'loop.c:370:17' (0x141c360) of size 84
SUMMARY: AddressSanitizer: global-buffer-overflow /var/tmp/portage/media-sound/bladeenc-0.94.2-r1/work/bladeenc-0.94.2/bladeenc/loop.c:728:20 in iteration_loop
Shadow bytes around the buggy address:
  0x00008027b820: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x00008027b830: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x00008027b840: 00 00 00 f9 f9 f9 f9 f9 f9 f9 f9 f9 04 f9 f9 f9
  0x00008027b850: f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9 00 00 00 00
  0x00008027b860: 00 00 00 00 00 00 00 f9 f9 f9 f9 f9 00 00 00 00
=>0x00008027b870: 00 00 00 00 00 00[04]f9 f9 f9 f9 f9 00 00 00 00
  0x00008027b880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04
  0x00008027b890: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00
  0x00008027b8a0: 00 00 00 00 00 00 00 04 f9 f9 f9 f9 04 f9 f9 f9
  0x00008027b8b0: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00
  0x00008027b8c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==15358==ABORTING

Aborted
Affected version:
0.94.2

Fixed version:
N/A

Commit fix:
N/A

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
Waiting for a CVE assignment

Timeline:
2017-09-19: bug discovered
2017-09-19: blog post about the issue

Note:
This bug was identified with bare metal servers donated by Packet. This work is also supported by the Core Infrastructure Initiative.

Permalink:
https://blogs.gentoo.org/ago/2017/09/19/bladeenc-global-buffer-overflow-in-iteration_loop-loop-c/


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 John Helmert III gentoo-dev Security 2020-06-12 03:45:47 UTC
Maintainer(s): Ping.

bladeenc's homepage seems to be gone for a long time. It looks like few others have this package, it may be time to think of last-riting it. The only reverse dependency FWICS is media-sound/rip, last update early 2003.
Comment 2 Miroslav Šulc gentoo-dev 2021-04-29 06:45:31 UTC
masked for removal
Comment 3 Larry the Git Cow gentoo-dev 2021-05-26 12:37:16 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=310d4c6c60f74d21bbbccaadf637ee218b9539b0

commit 310d4c6c60f74d21bbbccaadf637ee218b9539b0
Author:     Jakov Smolic <jakov.smolic@sartura.hr>
AuthorDate: 2021-05-26 09:31:29 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-05-26 12:34:04 +0000

    media-sound/bladeenc: Remove last-rited pkg
    
    Bug: https://bugs.gentoo.org/631394
    Signed-off-by: Jakov Smolic <jakov.smolic@sartura.hr>
    Signed-off-by: Sam James <sam@gentoo.org>

 media-sound/bladeenc/Manifest                          |  1 -
 media-sound/bladeenc/bladeenc-0.94.2-r1.ebuild         | 15 ---------------
 media-sound/bladeenc/files/bladeenc-0.94.2-secfix.diff | 11 -----------
 media-sound/bladeenc/metadata.xml                      |  8 --------
 profiles/package.mask                                  |  6 ------
 5 files changed, 41 deletions(-)
Comment 4 John Helmert III gentoo-dev Security 2021-07-05 23:53:01 UTC
New GLSA request filed
Comment 5 GLSAMaker/CVETool Bot gentoo-dev 2021-07-08 04:00:53 UTC
This issue was resolved and addressed in
 GLSA 202107-18 at https://security.gentoo.org/glsa/202107-18
by GLSA coordinator John Helmert III (ajak).