I recently reported to Red Hat a remote buffer overflow vulnerability in
grip. I've since investigated the heritage of the code and found that 2
other packages (libcdaudio and the gnome-vfs2 cdda module) are likely
affected in the same way. I can't easily test the vulnerability in
those packages, but it seems likely that the vulnerability exists. I've
attached untested patches for both packages.
The vulnerability would be triggered when the CDDB server returns more
than MAX_INEXACT_MATCHES (i.e. 16) matches to a query. This overflows an
array in the client code. The potential exploit involves a
rogue/hijacked CDDB server or a CDDB server to which an attacker has
submitted multiple specially constructed DB entries. Such a server could
return matches containing exploit code.
To avoid any confusion: the above is taken from Vendor-Sec; it is NOT my work.
The grip issue mentioned did not apply to our version, I haven't checked if this is also the case with libcdaudio and gnome-vfs.
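The class of bug the quoted report describes, as an added illustration that is not code from grip, libcdaudio or gnome-vfs (all function and struct names are hypothetical, the server reply is constructed, and the "category discid title" line layout is a simplification of a CDDB query reply): a client fills a fixed array of MAX_INEXACT_MATCHES entries from whatever the server sends, and the hardened loop keeps the array bound and counts the excess instead of writing past the end.

```c
#include <stdio.h>
#include <string.h>

/* Mirrors the fixed client-side limit named in the report. */
#define MAX_INEXACT_MATCHES 16
#define MATCH_LINE_LEN 256

/* One "category discid title" line of a query reply (hypothetical, simplified layout). */
struct cddb_match {
    char category[32];
    char discid[16];
    char title[MATCH_LINE_LEN];
};

struct parse_result {
    int stored;   /* matches copied into the caller's array */
    int dropped;  /* matches the server sent beyond the array's capacity */
};

/*
 * Hardened parser (hypothetical). The vulnerable pattern the report
 * describes is this same loop without the `stored >= MAX_INEXACT_MATCHES`
 * guard: every line the server sends is written to out[n++], so a reply
 * carrying a 17th match writes past the end of the array.
 */
static struct parse_result parse_inexact_matches(const char *reply,
        struct cddb_match out[MAX_INEXACT_MATCHES])
{
    struct parse_result r = {0, 0};
    const char *nl = strchr(reply, '\n');   /* skip the "211 ..." status line */
    if (nl == NULL)
        return r;
    const char *p = nl + 1;
    while (*p != '\0') {
        nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        if (len == 1 && p[0] == '.')
            break;                          /* a lone "." ends the list */
        if (r.stored >= MAX_INEXACT_MATCHES) {
            r.dropped++;                    /* count the excess, never store it */
        } else {
            char line[MATCH_LINE_LEN];
            if (len >= sizeof line)
                len = sizeof line - 1;      /* clamp an over-long line */
            memcpy(line, p, len);
            line[len] = '\0';
            struct cddb_match *m = &out[r.stored];
            int off = 0;
            memset(m, 0, sizeof *m);
            /* width limits keep category/discid inside their fields; %n marks where the title starts */
            if (sscanf(line, "%31s %15s %n", m->category, m->discid, &off) == 2) {
                snprintf(m->title, sizeof m->title, "%s", line + off);
                r.stored++;
            }
            /* lines without at least category and discid are skipped */
        }
        if (nl == NULL)
            break;
        p = nl + 1;
    }
    return r;
}

/* Constructed sample: a reply listing n inexact matches (not real server output). */
static int build_reply(char *buf, size_t cap, int n)
{
    int used = snprintf(buf, cap,
        "211 Found inexact matches, list follows (until terminating `.')\n");
    for (int i = 0; i < n && (size_t)used < cap; i++)
        used += snprintf(buf + used, cap - used,
            "rock %08x Sample Artist / Sample Album %d\n", 0x1000 + i, i + 1);
    if ((size_t)used < cap)
        used += snprintf(buf + used, cap - used, ".\n");
    return used;
}

/* Parse a constructed reply with n matches; returns the stored count, sets *dropped. */
static int count_stored(int n, int *dropped)
{
    char buf[4096];
    struct cddb_match matches[MAX_INEXACT_MATCHES];
    build_reply(buf, sizeof buf, n);
    struct parse_result r = parse_inexact_matches(buf, matches);
    if (dropped)
        *dropped = r.dropped;
    return r.stored;
}

/* Returns 1 if the first stored match's title equals `expected`. */
static int first_title_is(int n, const char *expected)
{
    char buf[4096];
    struct cddb_match matches[MAX_INEXACT_MATCHES];
    build_reply(buf, sizeof buf, n);
    struct parse_result r = parse_inexact_matches(buf, matches);
    return r.stored > 0 && strcmp(matches[0].title, expected) == 0;
}

int main(void)
{
    int dropped = 0;
    int stored = count_stored(20, &dropped);
    printf("server sent 20 matches: stored %d, dropped %d\n", stored, dropped);
    return 0;
}
```

A client that needs more than 16 results should grow the array dynamically rather than raise the constant; the point of the guard is that the server, not the client, decides how many lines arrive.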
Created attachment 53233 [details, diff]
Created attachment 53234 [details, diff]
GNOME team: please patch and bump gnome-vfs
gnome-vfs2.patch applies cleanly to 2.8.3-r1 or 2.8.4 so your choice for the fixed stable version.
max: please patch and bump libcdaudio
(note: max hasn't been active for 14 weeks and the package is no-herd... we might need another bumper. Masking that package would break :
If anyone in GNOME or sound feels like patching this one...)
Created attachment 55185 [details, diff]
To help whoever will patch libcdaudio:
Attached is a patch applying cleanly to libcdaudio-0.99.10. Tested as compiling.
gnome-vfs fixed versions are:
gnome-vfs-2.8.4-r1 (KEYWORDS="x86 ~ppc ~alpha ~sparc ~hppa ~amd64 ~mips ~ia64 ~ppc64 ~arm")
Could archs please stabilise gnome-vfs-2.8.4-r1.
Applied the patch to libcdaudio-0.99.10-r1
libcdaudio-0.99.10-r1 (KEYWORDS="x86 ppc ~sparc ~alpha ~hppa ~mips ~amd64 ~ia64")
Could archs please stabilise this version.
Arches, please test and mark stable the 2 fixed ebuilds
TARGET KEYWORDS:
gnome-vfs-2.8.4-r1: alpha amd64 arm hppa ia64 mips ppc ppc64 sparc x86
libcdaudio-0.99.10-r1: alpha amd64 ~hppa ia64 ~mips ppc ppc64 sparc x86
stable on ppc64
Stable on alpha.
amd64 is done... just waiting on ia64
eradicator/amd64: apparently gnome-vfs-2.8.4-r1 is still ~amd64...
arm ia64 hppa : mark stable to benefit from the GLSA
Stable on hppa.
GNOME team: shouldn't the patch also be applied to the gnome-vfs-1.0.5 ebuild? Or should everyone remove that affected SLOT?
Applied to gnome-vfs-1.0.5-r4, apologies for missing that one
gnome-vfs-1.0.5-r4 (KEYWORDS="~x86 ~ppc ~sparc ~alpha ~hppa ~amd64 ~ia64 ~mips ~ppc64 ~arm")
Koon - if only!
Arches, please test and mark gnome-vfs-1.0.5-r4 stable...
mips done (again)
sparc done again.
gnome-1.4 is not keyworded on amd64, so it seems that gnome-vfs-1.0.5-r4 shouldn't need to be marked stable for amd64 either.
Ready, GLSA should be updated to include *>=1.0.5-r4 as unaffected
Already stable on hppa