Tobias Klein from TrapKit found vulnerabilities in the Audible media format parser: [1]. Upstream had patched the source and confirmed the existence of the found holes: [2]. Fix: The following patch updates the port with upstream fixes. It was kindly tested by Martin Wilke: builds fine on i386 and amd64 for FreeBSD-6/7/8, new binary works fine. The following VuXML entry should be evaluated and added: <vuln vid="ae652ae3-0c1b-11de-b26a-001fc66e7203"> <topic>amarok -- multiple integer overflows and unchecked memory allocations</topic> <affects> <package> <name>amarok</name> <range><lt>1.4.10_3</lt></range> </package> </affects> <description> <body xmlns="http://www.w3.org/1999/xhtml"> <p>Tobias Klein reports:</p> <blockquote cite="http://trapkit.de/advisories/TKADV2009-002.txt"> <p>Amarok contains several integer overflows and unchecked allocation vulnerabilities while parsing malformed Audible digital audio files. The vulnerabilities may be exploited by a (remote) attacker to execute arbitrary code in the context of Amarok.</p> </blockquote> </body> </description> <references> <cvename>CVE-2009-0135</cvename> <cvename>CVE-2009-0136</cvename> <bid>33210</bid> <url>http://trapkit.de/advisories/TKADV2009-002.txt</url> </references> <dates> <discovery>2009-01-11</discovery> <entry>TODAY</entry> </dates> </vuln> --- vuln.xml ends here -----ZtteohNSHGxxjfDF6TklrQiHJ54NtzjKyzlyBgUYcOMQGT8H Content-Type: text/plain; name="amarok-fix-tkadv2009-004.diff" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="amarok-fix-tkadv2009-004.diff" From f7a8abc13a671b4fc8d66b894ee4b0315dce5743 Mon Sep 17 00:00:00 2001 From: Eygene Ryabinkin <rea-fbsd@codelabs.ru> Date: Sun, 8 Mar 2009 23:11:21 +0300 unchecked memory allocations Signed-off-by: Eygene Ryabinkin <rea-fbsd@codelabs.ru> --- audio/amarok/Makefile | 2 +- audio/amarok/files/patch-tkadv2009-002 | 90 ++++++++++++++++++++++++++++++++ 2 files changed, 91 insertions(+), 1 deletions(-) create mode 100644 audio/amarok/files/patch-tkadv2009-002 diff --git a/audio/amarok/Makefile b/audio/amarok/Makefile index feb3263..684fbdc 100644 --- a/audio/amarok/Makefile +++ b/audio/amarok/Makefile @@ -6,7 +6,7 @@ PORTNAME= amarok PORTVERSION= 1.4.10 -PORTREVISION= 2 +PORTREVISION= 3 CATEGORIES= audio kde MASTER_SITES= ${MASTER_SITE_KDE} MASTER_SITE_SUBDIR= stable/${PORTNAME}/${PORTVERSION}/src diff --git a/audio/amarok/files/patch-tkadv2009-002 b/audio/amarok/files/patch-tkadv2009-002 new file mode 100644 index 0000000..15f4dbb --- /dev/null +++ b/audio/amarok/files/patch-tkadv2009-002 @@ -0,0 +1,90 @@ +This is the patch for TKADV2009-002: multiple integer overflows +and unchecked allocation vulnerabilities in Audible files parser, + http://trapkit.de/advisories/TKADV2009-002.txt + +Obtained from: http://websvn.kde.org/branches/stable/extragear/multimedia/amarok/src/metadata/audible/audibletag.cpp?r1=908415&r2=908414&pathrev=908415&view=patch +--- amarok/src/metadata/audible/audibletag.cpp 2009/01/09 17:36:52 908414 ++++ amarok/src/metadata/audible/audibletag.cpp 2009/01/09 17:38:50 908415 +@@ -71,7 +71,8 @@ + { + char buf[1023]; + fseek(fp, OFF_PRODUCT_ID, SEEK_SET); +- fread(buf, strlen("product_id"), 1, fp); ++ if (fread(buf, strlen("product_id"), 1, fp) != 1) ++ return; + if(memcmp(buf, "product_id", strlen("product_id"))) + { + buf[20]='\0'; +@@ -130,24 +131,65 @@ + + bool Audible::Tag::readTag( FILE *fp, char **name, char **value) + { ++ // arbitrary value that has to be smaller than 2^32-1 and that should be large enough for all tags ++ const uint32_t maxtaglen = 100000; ++ + uint32_t nlen; +- fread(&nlen, sizeof(nlen), 1, fp); ++ if (fread(&nlen, sizeof(nlen), 1, fp) != 1) ++ return false; + nlen = ntohl(nlen); + //fprintf(stderr, "tagname len=%x\n", (unsigned)nlen); +- *name = new char[nlen+1]; +- (*name)[nlen] = '\0'; ++ if (nlen > maxtaglen) ++ return false; + + uint32_t vlen; +- fread(&vlen, sizeof(vlen), 1, fp); ++ if (fread(&vlen, sizeof(vlen), 1, fp) != 1) ++ return false; + vlen = ntohl(vlen); + //fprintf(stderr, "tag len=%x\n", (unsigned)vlen); ++ if (vlen > maxtaglen) ++ return false; ++ ++ *name = new char[nlen+1]; ++ if (!*name) ++ return false; ++ + *value = new char[vlen+1]; ++ if (!*value) ++ { ++ delete[] *name; ++ *name = 0; ++ return false; ++ } ++ ++ (*name)[nlen] = '\0'; + (*value)[vlen] = '\0'; + +- fread(*name, nlen, 1, fp); +- fread(*value, vlen, 1, fp); ++ if (fread(*name, nlen, 1, fp) != 1) ++ { ++ delete[] *name; ++ *name = 0; ++ delete[] *value; ++ *value = 0; ++ return false; ++ } ++ if (fread(*value, vlen, 1, fp) != 1) ++ { ++ delete[] *name; ++ *name = 0; ++ delete[] *value; ++ *value = 0; ++ return false; ++ } + char lasttag; +- fread(&lasttag, 1, 1, fp); ++ if (fread(&lasttag, 1, 1, fp) != 1) ++ { ++ delete[] *name; ++ *name = 0; ++ delete[] *value; ++ *value = 0; ++ return false; ++ } + //fprintf(stderr, "%s: \"%s\"\n", *name, *value); + + m_tagsEndOffset += 2 * 4 + nlen + vlen + 1; -- 1.6.1.3 How-To-Repeat: [1] http://trapkit.de/advisories/TKADV2009-002.txt [2] http://websvn.kde.org/?view=rev&revision=908415
Responsible Changed From-To: freebsd-ports-bugs->makc Over to maintainer (via the GNATS Auto Assign Tool)
Responsible Changed From-To: makc->miwi I'll take it.
State Changed From-To: open->closed Committed. Thanks!
miwi 2009-03-23 14:17:47 UTC FreeBSD ports repository Modified files: security/vuxml vuln.xml Log: - Document amarok -- multiple vulnerabilitie PR: based on 132938 Revision Changes Path 1.1901 +40 -1 ports/security/vuxml/vuln.xml _______________________________________________ cvs-all@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/cvs-all To unsubscribe, send any mail to "cvs-all-unsubscribe@freebsd.org"
miwi 2009-03-23 14:24:22 UTC FreeBSD ports repository Modified files: audio/amarok Makefile Added files: audio/amarok/files patch-tkadv2009-002 Log: - Fix multiple vulnerabilities - Bump PORTREVISION Note: Two integer overflow errors exist within the "Audible::Tag::readTag()" function in src/metadata/audible/audibletag.cpp. These can be exploited to cause heap-based buffer overflows via specially crafted Audible Audio files. Two errors within the "Audible::Tag::readTag()" function in src/metadata/audible/audibletag.cpp can be exploited to corrupt arbitrary memory via specially crafted Audible Audio files. PR: 132938 Submitted by: Eygene Ryabinkin <rea-fbsd@codelabs.ru> Approved by: makc (maintainer) Security: http://www.vuxml.org/freebsd/6bb6188c-17b2-11de-ae4d-0030843d3802.html Revision Changes Path 1.92 +1 -1 ports/audio/amarok/Makefile 1.1 +85 -0 ports/audio/amarok/files/patch-tkadv2009-002 (new) _______________________________________________ cvs-all@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/cvs-all To unsubscribe, send any mail to "cvs-all-unsubscribe@freebsd.org"