Bug 129050 - [vuxml] [patch] audio/libcdaudio: fix CVE-2005-0706 and CVE-2008-5030
Summary: [vuxml] [patch] audio/libcdaudio: fix CVE-2005-0706 and CVE-2008-5030
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: Normal Affects Only Me
Assignee: Martin Wilke
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2008-11-21 15:20 UTC by Eygene Ryabinkin
Modified: 2009-01-11 13:30 UTC (History)
0 users

See Also:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Eygene Ryabinkin 2008-11-21 15:20:01 UTC
There are at least two issues with libcdaudio's CDDB stuff:
  http://www.securityfocus.com/bid/12770
  http://www.securityfocus.com/bid/32122

-----
Heap-based buffer overflow in the cddb_read_disc_data function in
cddb.c in libcdaudio 0.99.12p2 allows remote attackers to execute
arbitrary code via long CDDB data.

Buffer overflow in discdb.c for grip 3.1.2 allows attackers to cause
a denial of service (crash) and possibly execute arbitrary code by
causing the cddb lookup to return more matches than expected.
-----

The latter programming error also lives inside libcdaudio's code.

Fix: The following patch brings the fixes to the FreeBSD port:


The fix for CVE-2005-0706 was based on the Grip's original fix [1], but
I had found that the same programming error exists in the coverart.c.
Now I am trying to investigate if this error is known (with the Mandriva
security officer, since I had initially found this issue via reading
MDVSA-2008:233 [2]).  Still, issue in coverart.c seem to be of a same
kind as the cddb.c's one.

[1] http://sourceforge.net/tracker/index.php?func=detail&aid=1160134&group_id=3714&atid=303714
[2] http://www.mandriva.com/en/security/advisories?name=MDVSA-2008:233

The following VuXML entry should be evaluated and added:
  <vuln vid="">
    <topic>libcdaudio -- remote buffer overflow and code execution</topic>
    <affects>
      <package>
	<name>libcdaudio</name>
	<range><lt>0.99.12p2_2</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
	<p>SecurityFocus vulnerability database says:</p>
	<blockquote cite="http://www.securityfocus.com/bid/32122/discuss">
	<p>The 'libcdaudio' library is prone to a remote heap
	buffer-overflow vulnerability because it fails to perform
	adequate boundary checks on user-supplied input before
	copying it to an insufficiently sized buffer.</p>
	<p>Attackers can exploit this issue to execute arbitrary
	code in the context of an application that uses the library.
	Failed attacks will cause denial-of-service conditions.</p>
	<p>This issue affects libcdaudio 0.99.12p2; other versions
	may also be affected.</p>
	</blockquote>
	<blockquote cite="http://www.securityfocus.com/bid/12770/discuss">
	<p>A buffer-overflow in Grip occurs when the software
	processes a response to a CDDB query that has more than 16
	matches.</p>
	<p>To exploit this issue, an attacker must be able to
	influence the response to a CDDB query, either by controlling
	a malicious CDDB server or through some other means.
	Successful exploits will allow arbitrary code to run.</p>
	</blockquote>
	<p>The same code as for the Grip vulnerability was found
	in the libcdaudio library, so it is affected by the simular
	issues.</p>
      </body>
    </description>
    <references>
      <cvename>CVE-2008-5030</cvename>
      <cvename>CVE-2005-0706</cvename>
      <bid>32122</bid>
      <bid>12770</bid>
      <url>http://sourceforge.net/tracker/index.php?func=detail&aid=1288043&group_id=27134&atid=389442</url>
      <url>http://sourceforge.net/tracker/index.php?func=detail&aid=834724&group_id=3714&atid=103714</url>
    </references>
    <dates>
      <discovery>2008-11-05</discovery>
    </dates>
  </vuln>
--- vuln.xml ends here -----0ooK6eyTmWkiaRAKZbauGrPLEAaw9IKjUlsxDx4ntHTEQHpX
Content-Type: text/plain; name="libcdaudio-0.99.12p2-fix-CVE-2008-5030.2005-0706.diff"
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename="libcdaudio-0.99.12p2-fix-CVE-2008-5030.2005-0706.diff"

diff -urN ./Makefile ../libcdaudio/Makefile
--- ./Makefile	2008-11-21 17:04:39.000000000 +0300
+++ ../libcdaudio/Makefile	2008-11-21 17:04:52.000000000 +0300
@@ -7,7 +7,7 @@
 
 PORTNAME=	libcdaudio
 PORTVERSION=	0.99.12p2
-PORTREVISION=	1
+PORTREVISION=	2
 CATEGORIES=	audio
 MASTER_SITES=	${MASTER_SITE_SOURCEFORGE}
 MASTER_SITE_SUBDIR=	${PORTNAME}
diff -urN ./files/patch-CVE-2008-5030.2005-0706 ../libcdaudio/files/patch-CVE-2008-5030.2005-0706
--- ./files/patch-CVE-2008-5030.2005-0706	1970-01-01 03:00:00.000000000 +0300
+++ ../libcdaudio/files/patch-CVE-2008-5030.2005-0706	2008-11-21 17:45:03.000000000 +0300
@@ -0,0 +1,58 @@
+CVE-2008-5030 fix
+=================
+
+Fix contents: second hunk for src/cddb.c
+Obtained from: http://sourceforge.net/tracker/download.php?group_id=27134&atid=389442&file_id=148743&aid=1288043
+
+
+CVE-2005-0706 fix
+=================
+
+Fix contents: first hunk for src/cddb.c and complete diff for src/coverart.c
+Based on: http://sourceforge.net/tracker/download.php?group_id=3714&atid=303714&file_id=124892&aid=1160134
+
+--- src/cddb.c.orig	2004-09-09 05:26:39.000000000 +0400
++++ src/cddb.c	2008-11-21 17:33:50.000000000 +0300
+@@ -1052,7 +1052,8 @@
+     }
+ 	   
+     query->query_matches = 0;
+-    while(!cddb_read_line(sock, inbuffer, 256)) {
++    while(query->query_matches < MAX_INEXACT_MATCHES &&
++        !cddb_read_line(sock, inbuffer, 256)) {
+       slashed = 0;
+       if(strchr(inbuffer, '/') != NULL && parse_disc_artist) {
+ 	index = 0;
+@@ -1601,7 +1602,7 @@
+     return -1;
+   }
+    
+-  if((inbuffer = malloc(256)) == NULL) {
++  if((inbuffer = malloc(512)) == NULL) {
+     free(root_dir);
+     free(file);
+     return -1;
+--- src/coverart.c.orig	2008-11-21 17:36:39.000000000 +0300
++++ src/coverart.c	2008-11-21 17:39:41.000000000 +0300
+@@ -131,7 +131,9 @@
+     }
+   } else if(strncmp(line, "Album", 5) == 0) {
+     long n = strtol((char *)line + 5, NULL, 10);
+-    if(parse_disc_artist && strchr(procbuffer, '/') != NULL) {
++    if(n >= MAX_INEXACT_MATCHES) {
++      // Too much data, can't store it
++    } else if(parse_disc_artist && strchr(procbuffer, '/') != NULL) {
+       strtok(procbuffer, "/");
+       strncpy(query->query_list[n].list_artist, procbuffer,
+ 	      (strlen(procbuffer) < 64) ? (strlen(procbuffer) - 1) : 64); 
+@@ -143,7 +145,9 @@
+     }
+   } else if(strncmp(line, "Url", 3) == 0) {
+     long n = strtol((char *)line + 3, NULL, 10);
+-    cddb_process_url(&query->query_list[n].list_host, procbuffer);
++    if (n < MAX_INEXACT_MATCHES) {
++      cddb_process_url(&query->query_list[n].list_host, procbuffer);
++    }
+   }
+ 
+   return;
How-To-Repeat: 
See
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0706
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5030
Comment 1 Edwin Groothuis freebsd_committer 2008-11-21 15:20:17 UTC
Responsible Changed
From-To: freebsd-ports-bugs->novel

Over to maintainer (via the GNATS Auto Assign Tool)
Comment 2 Martin Wilke freebsd_committer 2008-12-07 19:42:16 UTC
Responsible Changed
From-To: novel->miwi

I will handle this.
Comment 3 dfilter service freebsd_committer 2009-01-11 13:22:50 UTC
miwi        2009-01-11 13:22:40 UTC

  FreeBSD ports repository

  Modified files:
    audio/libcdaudio     Makefile 
  Added files:
    audio/libcdaudio/files patch-CVE-2008-5030.2005-0706 
  Log:
  - Fix:
          Heap-based buffer overflow in the cddb_read_disc_data function in
          cddb.c in libcdaudio 0.99.12p2 allows remote attackers to execute
          arbitrary code via long CDDB data.
  
          Buffer overflow in discdb.c for grip 3.1.2 allows attackers to cause
          a denial of service (crash) and possibly execute arbitrary code by
          causing the cddb lookup to return more matches than expected.
  
  PR:             129050
  Submitted by:   Eygene Ryabinkin <rea-fbsd@codelabs.ru>
  Approved by:    novel@ (maintainer)
  Security:       http://www.vuxml.org/freebsd/bd730827-dfe0-11dd-a765-0030843d3802.html
  
  Revision  Changes    Path
  1.28      +2 -2      ports/audio/libcdaudio/Makefile
  1.1       +45 -0     ports/audio/libcdaudio/files/patch-CVE-2008-5030.2005-0706 (new)
_______________________________________________
cvs-all@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/cvs-all
To unsubscribe, send any mail to "cvs-all-unsubscribe@freebsd.org"
Comment 4 Martin Wilke freebsd_committer 2009-01-11 13:22:54 UTC
State Changed
From-To: open->closed

Committed. Thanks!