Bug 84936 - gnome-base/gnome-vfs,media-libs/libcdaudio: cdda response overflow, CAN-2005-0706
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All All
Importance: High normal
Assignee: Gentoo Security
Whiteboard: B2 [glsa]
Depends on:
Reported: 2005-03-11 22:49 UTC by Sune Kloppenborg Jeppesen (RETIRED)
Modified: 2006-11-11 19:01 UTC
CC List: 2 users

See Also:
Package list:
Runtime testing required: ---

Attachments:
gnome-vfs2.patch (497 bytes, patch) - 2005-03-11 22:53 UTC, Sune Kloppenborg Jeppesen (RETIRED)
libcdaudio.patch (443 bytes, patch) - 2005-03-11 22:53 UTC, Sune Kloppenborg Jeppesen (RETIRED)
libcdaudio-CAN-2005-0706.patch (456 bytes, patch) - 2005-04-03 06:48 UTC, Thierry Carrez (RETIRED)

Description Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-03-11 22:49:54 UTC
I recently reported to Red Hat a remote buffer overflow vulnerability in
grip.  I've since investigated the heritage of the code and found that 2
other packages (libcdaudio and the gnome-vfs2 cdda module) are likely
affected in the same way.  I can't easily test the vulnerability in
those packages, but it seems likely that the vulnerability exists.  I've
attached untested patches for both packages.

The vulnerability would be triggered when the CDDB server returns more
than MAX_INEXACT_MATCHES (i.e. 16) matches to a query.  This overflows an
array in the client code.  The potential exploit involves a
rogue/hijacked CDDB server or a CDDB server to which an attacker has
submitted multiple specially constructed DB entries.  Such a server could
return matches containing exploit code.
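The overflow described above comes from copying every match line the server returns into a fixed array of MAX_INEXACT_MATCHES entries. The C below is an added illustration for this bug, not one of the attached patches and not code from grip, libcdaudio or gnome-vfs: it reads a simplified CDDB inexact-match list into such an array and stops storing at the bound while still draining the rest of the response, flagging that it was over-long. The line format ("category discid title", list ended by "."), the cddb_* names and the constructed sample server reply are assumptions of the example.

```c
#include <stdio.h>
#include <string.h>
#define MAX_INEXACT_MATCHES 16   /* the array size named in the report */
#define MAX_LINE 256
struct cddb_match { char category[32]; char discid[16]; char title[MAX_LINE]; };
struct cddb_query {
    struct cddb_match matches[MAX_INEXACT_MATCHES];
    int count;      /* entries stored; never exceeds the array size */
    int truncated;  /* set when the server sent more than were kept */
};
/* Parse an inexact-match list (assumed format): one "category discid title" line per
 * match, ended by a line holding only ".". Returns how many matches the server sent;
 * q->count is how many were actually stored. */
int cddb_parse_matches(const char *body, struct cddb_query *q)
{
    int sent = 0;
    memset(q, 0, sizeof *q);
    while (*body) {
        const char *eol = strchr(body, '\n');
        size_t len = eol ? (size_t)(eol - body) : strlen(body);
        char line[MAX_LINE];
        if (len >= sizeof line) len = sizeof line - 1;   /* clamp over-long lines */
        memcpy(line, body, len);
        line[len] = '\0';
        body = eol ? eol + 1 : body + strlen(body);
        if (strcmp(line, ".") == 0) break;               /* end of list */
        sent++;
        if (q->count >= MAX_INEXACT_MATCHES) {  /* the bound the affected clients lacked */
            q->truncated = 1;
            continue;                           /* consume the line, store nothing */
        }
        struct cddb_match *m = &q->matches[q->count];
        if (sscanf(line, "%31s %15s %255[^\n]", m->category, m->discid, m->title) == 3)
            q->count++;
    }
    return sent;
}
/* Constructed sample input: a server answering one query with n matches. */
static void demo_parse(int n, struct cddb_query *q)
{
    char body[4096] = "", line[96];
    for (int i = 0; i < n; i++) {
        snprintf(line, sizeof line, "rock 7a0b5c0d Constructed Artist / Album %d\n", i);
        strncat(body, line, sizeof body - strlen(body) - 1);
    }
    strncat(body, ".\n", sizeof body - strlen(body) - 1);
    cddb_parse_matches(body, q);
}
int demo_kept(int n)      { struct cddb_query q; demo_parse(n, &q); return q.count; }
int demo_truncated(int n) { struct cddb_query q; demo_parse(n, &q); return q.truncated; }
```

With a 20-match reply, demo_kept(20) stays at 16 and demo_truncated(20) is set; a client can then warn the user or refuse the result instead of writing past the array.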
Comment 1 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-03-11 22:52:08 UTC
To avoid any confusion: the above is taken from Vendor-Sec; it is NOT my work.

The grip issue mentioned did not apply to our version; I haven't checked whether this is also the case with libcdaudio and gnome-vfs.
Comment 2 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-03-11 22:53:06 UTC
Created attachment 53233 [details, diff]
Comment 3 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-03-11 22:53:58 UTC
Created attachment 53234 [details, diff]
Comment 4 Thierry Carrez (RETIRED) gentoo-dev 2005-04-03 06:46:03 UTC
GNOME team: please patch and bump gnome-vfs
gnome-vfs2.patch applies cleanly to 2.8.3-r1 or 2.8.4 so your choice for the fixed stable version.

max: please patch and bump libcdaudio
(note: max hasn't been active for 14 weeks and the package is no-herd... we might need another bumper. Masking that package would break :
If anyone in GNOME or sound feels like patching this one... )
Comment 5 Thierry Carrez (RETIRED) gentoo-dev 2005-04-03 06:48:52 UTC
Created attachment 55185 [details, diff]

To help whoever will patch libcdaudio:
Attached is a patch applying cleanly to libcdaudio-0.99.10. Tested as compiling.
Comment 6 Mike Gardiner (RETIRED) gentoo-dev 2005-04-04 19:12:45 UTC
gnome-vfs fixed versions are:

gnome-vfs-2.8.4-r1 (KEYWORDS="x86 ~ppc ~alpha ~sparc ~hppa ~amd64 ~mips ~ia64 ~ppc64 ~arm")
gnome-vfs-2.10.0-r1 (package.masked)

Could archs please stabilise gnome-vfs-2.8.4-r1.
Comment 7 Mike Gardiner (RETIRED) gentoo-dev 2005-04-04 19:20:47 UTC
ppc done
Comment 8 Mike Gardiner (RETIRED) gentoo-dev 2005-04-04 19:29:18 UTC
Applied the patch to libcdaudio-0.99.10-r1

libcdaudio-0.99.10-r1 (KEYWORDS="x86 ppc ~sparc ~alpha ~hppa ~mips ~amd64 ~ia64")

Could archs please stabilise this version.
Comment 9 Thierry Carrez (RETIRED) gentoo-dev 2005-04-05 00:33:34 UTC
Arches, please test and mark stable the 2 fixed ebuilds

gnome-vfs-2.8.4-r1: alpha amd64 arm hppa ia64 mips ppc ppc64 sparc x86 
libcdaudio-0.99.10-r1: alpha amd64 ~hppa ia64 ~mips ppc ppc64 sparc x86 

Comment 10 Markus Rothe (RETIRED) gentoo-dev 2005-04-05 07:52:56 UTC
stable on ppc64
Comment 11 Gustavo Zacarias (RETIRED) gentoo-dev 2005-04-05 10:27:22 UTC
sparc done.
Comment 12 Stephen Becker (RETIRED) gentoo-dev 2005-04-05 17:26:51 UTC
mips done
Comment 13 Bryan Østergaard (RETIRED) gentoo-dev 2005-04-06 00:08:47 UTC
Stable on alpha.
Comment 14 Jeremy Huddleston (RETIRED) gentoo-dev 2005-04-07 14:54:37 UTC
amd64 is done... just waiting on ia64
Comment 15 Thierry Carrez (RETIRED) gentoo-dev 2005-04-08 02:24:26 UTC
eradicator/amd64: apparently gnome-vfs-2.8.4-r1 is still ~amd64...
Comment 16 Thierry Carrez (RETIRED) gentoo-dev 2005-04-08 04:31:08 UTC
GLSA 200504-07
arm ia64 hppa : mark stable to benefit from the GLSA
Comment 17 Guy Martin (RETIRED) gentoo-dev 2005-04-08 11:49:28 UTC
Stable on hppa.
Comment 18 Thierry Carrez (RETIRED) gentoo-dev 2005-04-10 10:00:54 UTC
GNOME team: shouldn't the patch also be applied to the gnome-vfs-1.0.5 ebuild? Or should everyone remove that affected SLOT?
Comment 19 Mike Gardiner (RETIRED) gentoo-dev 2005-04-11 01:29:52 UTC
Applied to gnome-vfs-1.0.5-r4, apologies for missing that one

gnome-vfs-1.0.5-r4 (KEYWORDS="~x86 ~ppc ~sparc ~alpha ~hppa ~amd64 ~ia64 ~mips ~ppc64 ~arm")

Koon - if only!
Comment 20 Thierry Carrez (RETIRED) gentoo-dev 2005-04-11 01:33:54 UTC
Arches, please test and mark gnome-vfs-1.0.5-r4 stable...
Comment 21 Mike Gardiner (RETIRED) gentoo-dev 2005-04-11 01:42:47 UTC
x86/ppc done.
Comment 22 Stephen Becker (RETIRED) gentoo-dev 2005-04-11 11:05:36 UTC
mips done (again)
Comment 23 Markus Rothe (RETIRED) gentoo-dev 2005-04-11 11:40:23 UTC
stable on ppc64
Comment 24 Gustavo Zacarias (RETIRED) gentoo-dev 2005-04-11 12:54:10 UTC
sparc done again.
Comment 25 Bryan Østergaard (RETIRED) gentoo-dev 2005-04-11 14:15:42 UTC
Alpha done.
Comment 26 Daniel Gryniewicz (RETIRED) gentoo-dev 2005-04-11 15:28:59 UTC
gnome-1.4 is not keyworded on amd64, so it seems that gnome-vfs-1.0.5-r4 shouldn't need to be marked stable for amd64 either.
Comment 27 Simon Stelling (RETIRED) gentoo-dev 2005-04-12 10:00:58 UTC
amd64 stable
Comment 28 Thierry Carrez (RETIRED) gentoo-dev 2005-04-12 11:35:09 UTC
Ready, GLSA should be updated to include *>=1.0.5-r4 as unaffected
Comment 29 Thierry Carrez (RETIRED) gentoo-dev 2005-04-13 01:48:48 UTC
update committed.
Comment 30 René Nussbaumer (RETIRED) gentoo-dev 2005-06-26 06:34:45 UTC
Already stable on hppa