There are at least two issues with libcdaudio's CDDB stuff: http://www.securityfocus.com/bid/12770 http://www.securityfocus.com/bid/32122 ----- Heap-based buffer overflow in the cddb_read_disc_data function in cddb.c in libcdaudio 0.99.12p2 allows remote attackers to execute arbitrary code via long CDDB data. Buffer overflow in discdb.c for grip 3.1.2 allows attackers to cause a denial of service (crash) and possibly execute arbitrary code by causing the cddb lookup to return more matches than expected. ----- The latter programming error also lives inside libcdaudio's code. Fix: The following patch brings the fixes to the FreeBSD port: The fix for CVE-2005-0706 was based on the Grip's original fix [1], but I had found that the same programming error exists in the coverart.c. Now I am trying to investigate if this error is known (with the Mandriva security officer, since I had initially found this issue via reading MDVSA-2008:233 [2]). Still, issue in coverart.c seem to be of a same kind as the cddb.c's one. [1] http://sourceforge.net/tracker/index.php?func=detail&aid=1160134&group_id=3714&atid=303714 [2] http://www.mandriva.com/en/security/advisories?name=MDVSA-2008:233 The following VuXML entry should be evaluated and added: <vuln vid=""> <topic>libcdaudio -- remote buffer overflow and code execution</topic> <affects> <package> <name>libcdaudio</name> <range><lt>0.99.12p2_2</lt></range> </package> </affects> <description> <body xmlns="http://www.w3.org/1999/xhtml"> <p>SecurityFocus vulnerability database says:</p> <blockquote cite="http://www.securityfocus.com/bid/32122/discuss"> <p>The 'libcdaudio' library is prone to a remote heap buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied input before copying it to an insufficiently sized buffer.</p> <p>Attackers can exploit this issue to execute arbitrary code in the context of an application that uses the library. Failed attacks will cause denial-of-service conditions.</p> <p>This issue affects libcdaudio 0.99.12p2; other versions may also be affected.</p> </blockquote> <blockquote cite="http://www.securityfocus.com/bid/12770/discuss"> <p>A buffer-overflow in Grip occurs when the software processes a response to a CDDB query that has more than 16 matches.</p> <p>To exploit this issue, an attacker must be able to influence the response to a CDDB query, either by controlling a malicious CDDB server or through some other means. Successful exploits will allow arbitrary code to run.</p> </blockquote> <p>The same code as for the Grip vulnerability was found in the libcdaudio library, so it is affected by the simular issues.</p> </body> </description> <references> <cvename>CVE-2008-5030</cvename> <cvename>CVE-2005-0706</cvename> <bid>32122</bid> <bid>12770</bid> <url>http://sourceforge.net/tracker/index.php?func=detail&aid=1288043&group_id=27134&atid=389442</url> <url>http://sourceforge.net/tracker/index.php?func=detail&aid=834724&group_id=3714&atid=103714</url> </references> <dates> <discovery>2008-11-05</discovery> </dates> </vuln> --- vuln.xml ends here -----0ooK6eyTmWkiaRAKZbauGrPLEAaw9IKjUlsxDx4ntHTEQHpX Content-Type: text/plain; name="libcdaudio-0.99.12p2-fix-CVE-2008-5030.2005-0706.diff" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="libcdaudio-0.99.12p2-fix-CVE-2008-5030.2005-0706.diff" diff -urN ./Makefile ../libcdaudio/Makefile --- ./Makefile 2008-11-21 17:04:39.000000000 +0300 +++ ../libcdaudio/Makefile 2008-11-21 17:04:52.000000000 +0300 @@ -7,7 +7,7 @@ PORTNAME= libcdaudio PORTVERSION= 0.99.12p2 -PORTREVISION= 1 +PORTREVISION= 2 CATEGORIES= audio MASTER_SITES= ${MASTER_SITE_SOURCEFORGE} MASTER_SITE_SUBDIR= ${PORTNAME} diff -urN ./files/patch-CVE-2008-5030.2005-0706 ../libcdaudio/files/patch-CVE-2008-5030.2005-0706 --- ./files/patch-CVE-2008-5030.2005-0706 1970-01-01 03:00:00.000000000 +0300 +++ ../libcdaudio/files/patch-CVE-2008-5030.2005-0706 2008-11-21 17:45:03.000000000 +0300 @@ -0,0 +1,58 @@ +CVE-2008-5030 fix +================= + +Fix contents: second hunk for src/cddb.c +Obtained from: http://sourceforge.net/tracker/download.php?group_id=27134&atid=389442&file_id=148743&aid=1288043 + + +CVE-2005-0706 fix +================= + +Fix contents: first hunk for src/cddb.c and complete diff for src/coverart.c +Based on: http://sourceforge.net/tracker/download.php?group_id=3714&atid=303714&file_id=124892&aid=1160134 + +--- src/cddb.c.orig 2004-09-09 05:26:39.000000000 +0400 ++++ src/cddb.c 2008-11-21 17:33:50.000000000 +0300 +@@ -1052,7 +1052,8 @@ + } + + query->query_matches = 0; +- while(!cddb_read_line(sock, inbuffer, 256)) { ++ while(query->query_matches < MAX_INEXACT_MATCHES && ++ !cddb_read_line(sock, inbuffer, 256)) { + slashed = 0; + if(strchr(inbuffer, '/') != NULL && parse_disc_artist) { + index = 0; +@@ -1601,7 +1602,7 @@ + return -1; + } + +- if((inbuffer = malloc(256)) == NULL) { ++ if((inbuffer = malloc(512)) == NULL) { + free(root_dir); + free(file); + return -1; +--- src/coverart.c.orig 2008-11-21 17:36:39.000000000 +0300 ++++ src/coverart.c 2008-11-21 17:39:41.000000000 +0300 +@@ -131,7 +131,9 @@ + } + } else if(strncmp(line, "Album", 5) == 0) { + long n = strtol((char *)line + 5, NULL, 10); +- if(parse_disc_artist && strchr(procbuffer, '/') != NULL) { ++ if(n >= MAX_INEXACT_MATCHES) { ++ // Too much data, can't store it ++ } else if(parse_disc_artist && strchr(procbuffer, '/') != NULL) { + strtok(procbuffer, "/"); + strncpy(query->query_list[n].list_artist, procbuffer, + (strlen(procbuffer) < 64) ? (strlen(procbuffer) - 1) : 64); +@@ -143,7 +145,9 @@ + } + } else if(strncmp(line, "Url", 3) == 0) { + long n = strtol((char *)line + 3, NULL, 10); +- cddb_process_url(&query->query_list[n].list_host, procbuffer); ++ if (n < MAX_INEXACT_MATCHES) { ++ cddb_process_url(&query->query_list[n].list_host, procbuffer); ++ } + } + + return; How-To-Repeat: See http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0706 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5030
Responsible Changed From-To: freebsd-ports-bugs->novel Over to maintainer (via the GNATS Auto Assign Tool)
Responsible Changed From-To: novel->miwi I will handle this.
miwi 2009-01-11 13:22:40 UTC FreeBSD ports repository Modified files: audio/libcdaudio Makefile Added files: audio/libcdaudio/files patch-CVE-2008-5030.2005-0706 Log: - Fix: Heap-based buffer overflow in the cddb_read_disc_data function in cddb.c in libcdaudio 0.99.12p2 allows remote attackers to execute arbitrary code via long CDDB data. Buffer overflow in discdb.c for grip 3.1.2 allows attackers to cause a denial of service (crash) and possibly execute arbitrary code by causing the cddb lookup to return more matches than expected. PR: 129050 Submitted by: Eygene Ryabinkin <rea-fbsd@codelabs.ru> Approved by: novel@ (maintainer) Security: http://www.vuxml.org/freebsd/bd730827-dfe0-11dd-a765-0030843d3802.html Revision Changes Path 1.28 +2 -2 ports/audio/libcdaudio/Makefile 1.1 +45 -0 ports/audio/libcdaudio/files/patch-CVE-2008-5030.2005-0706 (new) _______________________________________________ cvs-all@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/cvs-all To unsubscribe, send any mail to "cvs-all-unsubscribe@freebsd.org"
State Changed From-To: open->closed Committed. Thanks!