Bug 132938 - [vuxml] [patch] audio/amarok: fix and document vulnerabilities in Audible parser
Summary: [vuxml] [patch] audio/amarok: fix and document vulnerabilities in Audible parser
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: Normal Affects Only Me
Assignee: Martin Wilke
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2009-03-22 16:30 UTC by Eygene Ryabinkin
Modified: 2009-03-23 14:30 UTC (History)
0 users

See Also:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Eygene Ryabinkin 2009-03-22 16:30:00 UTC
Tobias Klein from TrapKit found vulnerabilities in the Audible
media format parser: [1].  Upstream had patched the source and
confirmed the existence of the found holes: [2].

Fix: The following patch updates the port with upstream fixes.  It was kindly
tested by Martin Wilke: builds fine on i386 and amd64 for FreeBSD-6/7/8,
new binary works fine.



The following VuXML entry should be evaluated and added:
  <vuln vid="ae652ae3-0c1b-11de-b26a-001fc66e7203">
    <topic>amarok -- multiple integer overflows and unchecked memory allocations</topic>
    <affects>
      <package>
        <name>amarok</name>
        <range><lt>1.4.10_3</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>Tobias Klein reports:</p>
        <blockquote
          cite="http://trapkit.de/advisories/TKADV2009-002.txt">
          <p>Amarok contains several integer overflows and unchecked
          allocation vulnerabilities while parsing malformed Audible
          digital audio files.  The vulnerabilities may be exploited by
          a (remote) attacker to execute arbitrary code in the context
          of Amarok.</p>
        </blockquote>
      </body>
    </description>
    <references>
      <cvename>CVE-2009-0135</cvename>
      <cvename>CVE-2009-0136</cvename>
      <bid>33210</bid>
      <url>http://trapkit.de/advisories/TKADV2009-002.txt</url>
    </references>
    <dates>
      <discovery>2009-01-11</discovery>
      <entry>TODAY</entry>
    </dates>
  </vuln>
--- vuln.xml ends here -----ZtteohNSHGxxjfDF6TklrQiHJ54NtzjKyzlyBgUYcOMQGT8H
Content-Type: text/plain; name="amarok-fix-tkadv2009-004.diff"
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename="amarok-fix-tkadv2009-004.diff"

From f7a8abc13a671b4fc8d66b894ee4b0315dce5743 Mon Sep 17 00:00:00 2001
From: Eygene Ryabinkin <rea-fbsd@codelabs.ru>
Date: Sun, 8 Mar 2009 23:11:21 +0300
 unchecked memory allocations

Signed-off-by: Eygene Ryabinkin <rea-fbsd@codelabs.ru>
---
 audio/amarok/Makefile                  |    2 +-
 audio/amarok/files/patch-tkadv2009-002 |   90 ++++++++++++++++++++++++++++++++
 2 files changed, 91 insertions(+), 1 deletions(-)
 create mode 100644 audio/amarok/files/patch-tkadv2009-002

diff --git a/audio/amarok/Makefile b/audio/amarok/Makefile
index feb3263..684fbdc 100644
--- a/audio/amarok/Makefile
+++ b/audio/amarok/Makefile
@@ -6,7 +6,7 @@
 
 PORTNAME=	amarok
 PORTVERSION=	1.4.10
-PORTREVISION=	2
+PORTREVISION=	3
 CATEGORIES=	audio kde
 MASTER_SITES=	${MASTER_SITE_KDE}
 MASTER_SITE_SUBDIR=	stable/${PORTNAME}/${PORTVERSION}/src
diff --git a/audio/amarok/files/patch-tkadv2009-002 b/audio/amarok/files/patch-tkadv2009-002
new file mode 100644
index 0000000..15f4dbb
--- /dev/null
+++ b/audio/amarok/files/patch-tkadv2009-002
@@ -0,0 +1,90 @@
+This is the patch for TKADV2009-002: multiple integer overflows
+and unchecked allocation vulnerabilities in Audible files parser,
+  http://trapkit.de/advisories/TKADV2009-002.txt
+
+Obtained from: http://websvn.kde.org/branches/stable/extragear/multimedia/amarok/src/metadata/audible/audibletag.cpp?r1=908415&r2=908414&pathrev=908415&view=patch
+--- amarok/src/metadata/audible/audibletag.cpp	2009/01/09 17:36:52	908414
++++ amarok/src/metadata/audible/audibletag.cpp	2009/01/09 17:38:50	908415
+@@ -71,7 +71,8 @@
+ {
+     char buf[1023];
+     fseek(fp, OFF_PRODUCT_ID, SEEK_SET);
+-    fread(buf, strlen("product_id"), 1, fp);
++    if (fread(buf, strlen("product_id"), 1, fp) != 1)
++        return;
+     if(memcmp(buf, "product_id", strlen("product_id")))
+     {
+         buf[20]='\0';
+@@ -130,24 +131,65 @@
+ 
+ bool Audible::Tag::readTag( FILE *fp, char **name, char **value)
+ {
++    // arbitrary value that has to be smaller than 2^32-1 and that should be large enough for all tags                                                                                         
++    const uint32_t maxtaglen = 100000;    
++
+     uint32_t nlen;
+-    fread(&nlen, sizeof(nlen), 1, fp);
++    if (fread(&nlen, sizeof(nlen), 1, fp) != 1)
++        return false;
+     nlen = ntohl(nlen);
+     //fprintf(stderr, "tagname len=%x\n", (unsigned)nlen);
+-    *name = new char[nlen+1];
+-    (*name)[nlen] = '\0';
++    if (nlen > maxtaglen)
++        return false;
+ 
+     uint32_t vlen;
+-    fread(&vlen, sizeof(vlen), 1, fp);
++    if (fread(&vlen, sizeof(vlen), 1, fp) != 1)
++        return false;
+     vlen = ntohl(vlen);
+     //fprintf(stderr, "tag len=%x\n", (unsigned)vlen);
++    if (vlen > maxtaglen)
++        return false;
++
++    *name = new char[nlen+1];
++    if (!*name)
++        return false;
++        
+     *value = new char[vlen+1];
++    if (!*value)
++    {
++        delete[] *name;
++        *name = 0;
++        return false;
++    }
++
++    (*name)[nlen] = '\0';
+     (*value)[vlen] = '\0';
+ 
+-    fread(*name, nlen, 1, fp);
+-    fread(*value, vlen, 1, fp);
++    if (fread(*name, nlen, 1, fp) != 1)
++    {
++        delete[] *name;
++        *name = 0;
++        delete[] *value;
++        *value = 0;
++        return false;
++    }
++    if (fread(*value, vlen, 1, fp) != 1)
++    {
++        delete[] *name;
++        *name = 0;
++        delete[] *value;
++        *value = 0;
++        return false;
++    }
+     char lasttag;
+-    fread(&lasttag, 1, 1, fp);
++    if (fread(&lasttag, 1, 1, fp) != 1)
++    {
++        delete[] *name;
++        *name = 0;
++        delete[] *value;
++        *value = 0;
++        return false;
++    }
+     //fprintf(stderr, "%s: \"%s\"\n", *name, *value);
+ 
+     m_tagsEndOffset += 2 * 4 + nlen + vlen + 1;
-- 
1.6.1.3
How-To-Repeat: 
[1] http://trapkit.de/advisories/TKADV2009-002.txt
[2] http://websvn.kde.org/?view=rev&revision=908415
Comment 1 Edwin Groothuis freebsd_committer freebsd_triage 2009-03-22 16:30:13 UTC
Responsible Changed
From-To: freebsd-ports-bugs->makc

Over to maintainer (via the GNATS Auto Assign Tool)
Comment 2 Martin Wilke freebsd_committer freebsd_triage 2009-03-22 20:50:34 UTC
Responsible Changed
From-To: makc->miwi

I'll take it.
Comment 3 Martin Wilke freebsd_committer freebsd_triage 2009-03-23 14:17:31 UTC
State Changed
From-To: open->closed

Committed. Thanks!
Comment 4 dfilter service freebsd_committer freebsd_triage 2009-03-23 14:17:56 UTC
miwi        2009-03-23 14:17:47 UTC

  FreeBSD ports repository

  Modified files:
    security/vuxml       vuln.xml 
  Log:
  - Document amarok -- multiple vulnerabilitie
  
  PR:             based on 132938
  
  Revision  Changes    Path
  1.1901    +40 -1     ports/security/vuxml/vuln.xml
_______________________________________________
cvs-all@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/cvs-all
To unsubscribe, send any mail to "cvs-all-unsubscribe@freebsd.org"
Comment 5 dfilter service freebsd_committer freebsd_triage 2009-03-23 14:24:31 UTC
miwi        2009-03-23 14:24:22 UTC

  FreeBSD ports repository

  Modified files:
    audio/amarok         Makefile 
  Added files:
    audio/amarok/files   patch-tkadv2009-002 
  Log:
  - Fix multiple vulnerabilities
  - Bump PORTREVISION
  
  Note:
          Two integer overflow errors exist within the "Audible::Tag::readTag()"
          function in src/metadata/audible/audibletag.cpp. These can be exploited
          to cause heap-based buffer overflows via specially crafted Audible Audio
          files.
  
          Two errors within the "Audible::Tag::readTag()" function in
          src/metadata/audible/audibletag.cpp can be exploited to corrupt
          arbitrary memory via specially crafted Audible Audio files.
  
  PR:             132938
  Submitted by:   Eygene Ryabinkin <rea-fbsd@codelabs.ru>
  Approved by:    makc (maintainer)
  Security:       http://www.vuxml.org/freebsd/6bb6188c-17b2-11de-ae4d-0030843d3802.html
  
  Revision  Changes    Path
  1.92      +1 -1      ports/audio/amarok/Makefile
  1.1       +85 -0     ports/audio/amarok/files/patch-tkadv2009-002 (new)
_______________________________________________
cvs-all@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/cvs-all
To unsubscribe, send any mail to "cvs-all-unsubscribe@freebsd.org"