Bug 626698 (CVE-2017-11550, CVE-2017-11551) - media-libs/libid3tag: multiple vulnerabilities
Summary: media-libs/libid3tag: multiple vulnerabilities
Status: IN_PROGRESS
Alias: CVE-2017-11550, CVE-2017-11551
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: http://seclists.org/fulldisclosure/20...
Whiteboard: B3 [upstream cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2017-07-31 13:07 UTC by Christopher Díaz Riveros (RETIRED)
Modified: 2019-04-27 18:32 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Description Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-07-31 13:07:57 UTC
From URL:

libid3tag multiple vulnerabilities
==================================
Author : qflb.wu
================


Introduction:
=============
Libid3tag is an ID3 tag manipulation library.


Affected version:
=================
0.15.1b


Vulnerability Description:
==========================
1.
The id3_ucs4_length function in ucs4.c in libid3tag 0.15.1b can cause a denial of service (NULL pointer dereference and application crash) via a crafted mp3 file.


I found this bug when testing mpg321 0.3.2, which uses the libid3tag library.


./mpg321 libid3tag_0.15.1b_null_pointer_dereference.mp3


----debug info:----
Program received signal SIGSEGV, Segmentation fault.
id3_ucs4_length (ucs4=ucs4@entry=0x0) at ucs4.c:46
46  while (*ptr)
(gdb) bt
#0  id3_ucs4_length (ucs4=ucs4@entry=0x0) at ucs4.c:46
#1  0x00007ffff76be311 in id3_compat_fixup (tag=tag@entry=0x60400000ce50)
    at compat.gperf:240
#2  0x00007ffff76c069f in v2_parse (ptr=0x61200000b9a1 "") at tag.c:613
#3  id3_tag_parse (data=data@entry=0x61200000b8c0 "ID3\002", 
    length=length@entry=263) at tag.c:665
#4  0x00007ffff76c1504 in read_tag (size=263, iofile=<optimized out>)
    at file.c:103
#5  add_tag (file=file@entry=0x60600000eba0, length=263) at file.c:228
#6  0x00007ffff76c16cb in search_tags (file=0x60600000eba0) at file.c:307
#7  new_file (iofile=iofile@entry=0x61600000de80, 
    mode=mode@entry=ID3_FILE_MODE_READONLY, 
    path=path@entry=0x60400000dfd0 "/home/a/Documents/file") at file.c:407
#8  0x00007ffff76c1890 in id3_file_open (
    path=0x60400000dfd0 "/home/a/Documents/file", 
    mode=ID3_FILE_MODE_READONLY) at file.c:439
#9  0x0000000000485f24 in get_id3_info (fname=<optimized out>, 
    id3struct=<optimized out>, id3tag=<optimized out>) at mpg321.c:485
#10 main (argc=<optimized out>, argv=<optimized out>) at mpg321.c:790
(gdb) 


-------------------
Breakpoint 2, id3_ucs4_length (ucs4=ucs4@entry=0x0) at ucs4.c:46
46  while (*ptr)
(gdb) disassemble 
Dump of assembler code for function id3_ucs4_length:
=> 0x00007ffff76baee0 <+0>:     cmpq   $0x0,(%rdi)
   0x00007ffff76baee4 <+4>:     je     0x7ffff76baf02 <id3_ucs4_length+34>
   0x00007ffff76baee6 <+6>:     mov    %rdi,%rax
   0x00007ffff76baee9 <+9>:     nopl   0x0(%rax)
   0x00007ffff76baef0 <+16>:    add    $0x8,%rax
   0x00007ffff76baef4 <+20>:    cmpq   $0x0,(%rax)
   0x00007ffff76baef8 <+24>:    jne    0x7ffff76baef0 <id3_ucs4_length+16>
   0x00007ffff76baefa <+26>:    sub    %rdi,%rax
   0x00007ffff76baefd <+29>:    sar    $0x3,%rax
   0x00007ffff76baf01 <+33>:    retq
   0x00007ffff76baf02 <+34>:    xor    %eax,%eax
   0x00007ffff76baf04 <+36>:    retq
End of assembler dump.
(gdb) i r
rax            0x0                 0
rbx            0x5                 5
rcx            0x0                 0
rdx            0x10                16
rsi            0x5                 5
rdi            0x0                 0
rbp            0x7ffff76c329c      0x7ffff76c329c
rsp            0x7fffffffb998      0x7fffffffb998
r8             0x0                 0
r9             0x7ffff6f7f7b8      140737336833976
r10            0x7fffffffb760      140737488336736
r11            0x7ffff76bde80      140737344429696
r12            0x2                 2
r13            0x6236d0            6436560
r14            0x6254bc            6444220
r15            0x0                 0
rip            0x7ffff76baee0      0x7ffff76baee0 <id3_ucs4_length>
eflags         0x246               [ PF ZF IF ]
cs             0x33                51
ss             0x2b                43
ds             0x0                 0
es             0x0                 0
fs             0x0                 0
gs             0x0                 0
(gdb) ni


Program received signal SIGSEGV, Segmentation fault.
id3_ucs4_length (ucs4=ucs4@entry=0x0) at ucs4.c:46
46  while (*ptr)
(gdb) 
--------------------
id3_length_t id3_ucs4_length(id3_ucs4_t const *ucs4)
{
  id3_ucs4_t const *ptr = ucs4;

  while (*ptr)
    ++ptr;

  return ptr - ucs4;
}


POC:
libid3tag_0.15.1b_null_pointer_dereference.mp3
CVE:
CVE-2017-11550


2.
The id3_field_parse function in field.c in libid3tag 0.15.1b can cause a denial of service (OOM) via a crafted mp3 file.


I found this bug when testing mpg321 0.3.2, which uses the libid3tag library.


./mpg321 libid3tag_0.15.1b_OOM.mp3


----debug info:----
(gdb) bt
#0  id3_field_parse (field=0x625180, ptr=ptr@entry=0x7fffffffba48, 
    length=<optimized out>, encoding=encoding@entry=0x7fffffffba3c)
    at field.c:306
#1  0x00007ffff76bf10b in parse_data (frame=0x625120, frame=0x625120, 
    length=<optimized out>, data=0x623352 "") at frame.c:252
#2  id3_frame_parse (ptr=ptr@entry=0x7fffffffbad8, length=length@entry=96, 
    version=<optimized out>) at frame.c:464
#3  0x00007ffff76c03c4 in v2_parse (ptr=0x623353 "TT1") at tag.c:607
#4  id3_tag_parse (data=data@entry=0x623290 "ID3\002", length=length@entry=263)
    at tag.c:665
#5  0x00007ffff76c1504 in read_tag (size=263, iofile=<optimized out>)
    at file.c:103
#6  add_tag (file=file@entry=0x62b7f0, length=263) at file.c:228
#7  0x00007ffff76c16cb in search_tags (file=0x62b7f0) at file.c:307
#8  new_file (iofile=iofile@entry=0x623450, 
    mode=mode@entry=ID3_FILE_MODE_READONLY, 
    path=path@entry=0x623040 "/home/a/Documents/file")
    at file.c:407
#9  0x00007ffff76c1890 in id3_file_open (
    path=path@entry=0x623040 "/home/a/Documents/file", 
    mode=mode@entry=ID3_FILE_MODE_READONLY) at file.c:439
#10 0x00000000004053c9 in get_id3_info (
    fname=fname@entry=0x623040 "/home/a/Documents/file",
    id3struct=id3struct@entry=0x7fffffffbd08, id3tag=id3tag@entry=0x7fffffffbd10)
    at mpg321.c:485
#11 0x0000000000403eae in main (argc=<optimized out>, argv=<optimized out>)
    at mpg321.c:790
(gdb) r
Program terminated with signal SIGKILL, Killed.


----------------
## in field.c, id3_field_parse function, line 294 ==> line 308
      while (end - *ptr > 0) {
        ucs4 = id3_parse_string(ptr, end - *ptr, *encoding, 0);
        if (ucs4 == 0)
          goto fail;

        strings = realloc(field->stringlist.strings,
                          (field->stringlist.nstrings + 1) * sizeof(*strings));
        if (strings == 0) {
          free(ucs4);
          goto fail;
        }

        field->stringlist.strings = strings;
        field->stringlist.strings[field->stringlist.nstrings++] = ucs4;
      }
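The field.c loop quoted in item 2 grows `stringlist` by one `realloc()` per parsed string for as long as input remains, so a parser that returns strings without advancing, or a frame packed with terminators, drives the process to the OOM-killer. The following is an added example (not libid3tag code and not the upstream fix) showing the two guards a defender would put on that loop: `parse_u16` is a toy stand-in for `id3_parse_string`, `MAX_STRINGS` is a hypothetical cap, and the `id3_ucs4_t` typedef is modelled on libid3tag's.

```c
#include <stddef.h>
#include <stdlib.h>

typedef unsigned long id3_ucs4_t;   /* UCS-4 unit, modelled on libid3tag's id3tag.h */
#define MAX_STRINGS 64              /* hypothetical cap; not an upstream constant */

/* Toy stand-in for id3_parse_string: big-endian 16-bit units up to 0x0000,
 * widened to UCS-4. *consumed is 0 if fewer than 2 bytes remain (no progress). */
static id3_ucs4_t *parse_u16(unsigned char const *p, size_t len, size_t *consumed)
{
  size_t units = len / 2, n = 0;
  id3_ucs4_t *out = malloc((units + 1) * sizeof *out);
  *consumed = 0;
  if (out == NULL) return NULL;
  while (n < units) {
    id3_ucs4_t u = ((id3_ucs4_t)p[2 * n] << 8) | p[2 * n + 1];
    *consumed += 2;
    if (u == 0) break;              /* terminator consumed, string complete */
    out[n++] = u;
  }
  out[n] = 0;
  return out;
}

/* Hardened form of the quoted field.c loop: bails out when the parser makes no
 * progress or the list reaches MAX_STRINGS, instead of realloc()ing until the
 * process is OOM-killed. Returns the string count, or -1 when a guard trips. */
long parse_stringlist_bounded(unsigned char const *data, size_t len)
{
  unsigned char const *ptr = data, *end = data + len;
  id3_ucs4_t **strings = NULL, **grown;
  size_t nstrings = 0, used, i;
  long result = -1;
  while (end - ptr > 0) {
    id3_ucs4_t *ucs4 = parse_u16(ptr, (size_t)(end - ptr), &used);
    if (ucs4 == NULL) goto out;
    if (used == 0 || nstrings >= MAX_STRINGS ||
        (grown = realloc(strings, (nstrings + 1) * sizeof *grown)) == NULL) {
      free(ucs4);                   /* guard tripped or realloc failed */
      goto out;
    }
    strings = grown;
    strings[nstrings++] = ucs4;
    ptr += used;
  }
  result = (long)nstrings;
out:
  for (i = 0; i < nstrings; i++) free(strings[i]);
  free(strings);
  return result;
}
```

With the constructed inputs in the assertions, a well-formed pair of strings parses to 2, an odd trailing byte (the no-progress case) and a run of 65 bare terminators both return -1 rather than growing the list.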
Comment 1 Yury German Gentoo Infrastructure gentoo-dev Security 2019-04-27 18:32:38 UTC
RedHat has this as will not fix: https://access.redhat.com/security/cve/cve-2017-11550
Maintainer(s) please advise on this.