Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Mon, 19 Jan 2009 10:56:34 +0100
From: Marcus Meissner <meissner@...e.de>
To: oss-security@...ts.openwall.com, coley@...us.mitre.org
Subject: Re: CVE Request -- amarok

Steve,

Ping?

Ciao, Marcus

On Wed, Jan 14, 2009 at 10:08:00AM +0100, Jan Lieskovsky wrote:
> Hello Steve,
> 
>   multiple integer overflows (leading to heap-based overflows)
> and unchecked allocation vulnerabilities has been reported
> against Amarok multimedia player whep parsing malformed
> Audible digital audio files. Upstream has fixed
> these in latest 2.0.1.l release.
> 
> References:
> http://www.trapkit.de/advisories/TKADV2009-002.txt
> http://amarok.kde.org/en/releases/2.0.1.1   (Fix possible buffer overflows when parsing Audible .aa files.)
> https://bugzilla.redhat.com/show_bug.cgi?id=479946
> http://bugs.gentoo.org/show_bug.cgi?id=254896
> 
> Proposed solution: Upgrade to latest upstream version 2.0.1.1
> 
> Affected Amarok version: amarok-1.4.10-1.fc9 <= x < latest upstream 2.0.1.1 release
> 
> Attaching also diff for audibletag.cpp file between latest F10 (amarok-2.0-2.fc10)
> and latest upstream 2.0.1.1 release (see attachment).
> 
> Could you please allocate a new 2009 CVE id for it?
> 
> Thanks, Jan.
> --
> Jan iankko Lieskovsky / Red Hat Security Response Team

> --- /root/rpmbuild/BUILD/amarok-2.0/src/metadata/audible/audibletag.cpp	2008-12-05 05:01:21.000000000 -0500
> +++ /tmp/amarok/amarok-2.0.1.1/src/metadata/audible/audibletag.cpp	2009-01-09 13:29:30.000000000 -0500
> @@ -139,13 +139,20 @@
>  
>  bool Audible::Tag::readTag( FILE *fp, char **name, char **value)
>  {
> +    // arbitrary value that has to be smaller than 2^32-1 and that should be large enough for all tags
> +    const quint32 maxtaglen = 100000;
> +
>      quint32 nlen;
>      if ( fread(&nlen, sizeof(nlen), 1, fp) != 1 )
>          return false;
>  
>      nlen = ntohl(nlen);
>      //fprintf(stderr, "tagname len=%x\n", (unsigned)nlen);
> +    if(nlen > maxtaglen)
> +        return false;
>      *name = new char[nlen+1];
> +    if (!*name)
> +        return false;
>      (*name)[nlen] = '\0';
>  
>      quint32 vlen;
> @@ -157,8 +164,13 @@
>      }
>  
>      vlen = ntohl(vlen);
> +    if (vlen > maxtaglen)
> +    {
> +        delete [] *name;
> +        *name = 0;
> +        return false;
> +    }
>      //fprintf(stderr, "tag len=%x\n", (unsigned)vlen);
> -
>      if ( fread(*name, nlen, 1, fp) != 1 )
>      {
>          delete [] *name;
> @@ -167,6 +179,12 @@
>      }
>  
>      *value = new char[vlen+1];
> +    if (!*value)
> +    {
> +        delete [] *name;
> +        *name = 0;
> +        return false;
> +    }
>      (*value)[vlen] = '\0';
>  
>      if ( fread(*value, vlen, 1, fp) != 1 )


-- 
Working, but not speaking, for the following german company:
SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.