Date: Mon, 19 Jan 2009 10:56:34 +0100
From: Marcus Meissner <meissner@...e.de>
To: oss-security@...ts.openwall.com, coley@...us.mitre.org
Subject: Re: CVE Request -- amarok
Steve,
Ping?
Ciao, Marcus
On Wed, Jan 14, 2009 at 10:08:00AM +0100, Jan Lieskovsky wrote:
> Hello Steve,
>
> multiple integer overflows (leading to heap-based overflows)
> and unchecked allocation vulnerabilities have been reported
> against the Amarok multimedia player when parsing malformed
> Audible digital audio files. Upstream has fixed
> these in the latest 2.0.1.1 release.
>
> References:
> http://www.trapkit.de/advisories/TKADV2009-002.txt
> http://amarok.kde.org/en/releases/2.0.1.1 (Fix possible buffer overflows when parsing Audible .aa files.)
> https://bugzilla.redhat.com/show_bug.cgi?id=479946
> http://bugs.gentoo.org/show_bug.cgi?id=254896
>
> Proposed solution: Upgrade to latest upstream version 2.0.1.1
>
> Affected Amarok version: amarok-1.4.10-1.fc9 <= x < latest upstream 2.0.1.1 release
>
> Also attaching a diff of the audibletag.cpp file between the latest F10 package (amarok-2.0-2.fc10)
> and the latest upstream 2.0.1.1 release (see attachment).
>
> Could you please allocate a new 2009 CVE id for it?
>
> Thanks, Jan.
> --
> Jan iankko Lieskovsky / Red Hat Security Response Team
> --- /root/rpmbuild/BUILD/amarok-2.0/src/metadata/audible/audibletag.cpp 2008-12-05 05:01:21.000000000 -0500
> +++ /tmp/amarok/amarok-2.0.1.1/src/metadata/audible/audibletag.cpp 2009-01-09 13:29:30.000000000 -0500
> @@ -139,13 +139,20 @@
>
> bool Audible::Tag::readTag( FILE *fp, char **name, char **value)
> {
> + // arbitrary value that has to be smaller than 2^32-1 and that should be large enough for all tags
> + const quint32 maxtaglen = 100000;
> +
> quint32 nlen;
> if ( fread(&nlen, sizeof(nlen), 1, fp) != 1 )
> return false;
>
> nlen = ntohl(nlen);
> //fprintf(stderr, "tagname len=%x\n", (unsigned)nlen);
> + if(nlen > maxtaglen)
> + return false;
> *name = new char[nlen+1];
> + if (!*name)
> + return false;
> (*name)[nlen] = '\0';
>
> quint32 vlen;
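Review bot: the `if (!*name) return false;` added right after `*name = new char[nlen+1];` is dead code: a plain `new[]` expression throws `std::bad_alloc` on failure instead of returning a null pointer, so the branch can never be taken and an allocation failure would leave readTag() as an uncaught exception. Either allocate with `new (std::nothrow) char[nlen+1]` so the null check means something, or drop the check and let the caller deal with the exception. The `nlen > maxtaglen` test is the part that matters: without it an nlen of 0xFFFFFFFF makes `nlen+1` wrap to 0, `new char[0]` returns a tiny block, and the following `(*name)[nlen] = '\0'` writes 4 GiB past it.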
> @@ -157,8 +164,13 @@
> }
>
> vlen = ntohl(vlen);
> + if (vlen > maxtaglen)
> + {
> + delete [] *name;
> + *name = 0;
> + return false;
> + }
> //fprintf(stderr, "tag len=%x\n", (unsigned)vlen);
> -
> if ( fread(*name, nlen, 1, fp) != 1 )
> {
> delete [] *name;
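Review bot: checking `vlen > maxtaglen` before the name bytes are read is the right order, since a bad vlen then fails fast and the cleanup (`delete [] *name; *name = 0;`) is the same sequence the existing fread failure branch below it uses; with three copies of that cleanup in one function now, a single failure label or a small helper would keep them from drifting apart. Pre-existing, but visible in this hunk: with nlen == 0 the `fread(*name, nlen, 1, fp) != 1` test always fails, because fread returns 0 when size is 0, so an empty tag name is rejected rather than accepted as an empty string; a comment saying whether that is intended would help the next reader.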
> @@ -167,6 +179,12 @@
> }
>
> *value = new char[vlen+1];
> + if (!*value)
> + {
> + delete [] *name;
> + *name = 0;
> + return false;
> + }
> (*value)[vlen] = '\0';
>
> if ( fread(*value, vlen, 1, fp) != 1 )
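Review bot: same problem as the name allocation: `if (!*value)` after `*value = new char[vlen+1];` can never be true with a throwing `new`, so the `delete [] *name` in that branch never runs and on `std::bad_alloc` the exception unwinds out of readTag() with `*name` still allocated. If surviving allocation failure is the goal, use `new (std::nothrow) char[vlen+1]` here and for `*name`, or wrap the body in a try/catch that frees `*name`. The bound itself is fine: vlen is capped at maxtaglen before `vlen+1` is computed, so the size cannot wrap to 0.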
--
Working, but not speaking, for the following german company:
SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)
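The report above describes the bug in one sentence (a 32-bit tag length plus one wraps to zero, so the allocation is too small and the terminator write lands outside the heap block). The block below is an added example, written for this page and not code from Amarok or from the patch: it reproduces the unpatched size computation as a pure function, and puts a bounded reader next to it that applies the same 100000-byte cap the fix uses. The `Reader` struct is an in-memory stand-in for the `FILE*` the real readTag() uses, the record layout (big-endian name length, big-endian value length, name bytes, value bytes) is taken from the order of the fread calls in the quoted diff, and the sample records are constructed here, not taken from a real .aa file.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>

// In-memory stand-in for the FILE* the Amarok code reads from (assumption:
// the real readTag() uses fread on a file; this Reader is illustrative only).
struct Reader {
    const uint8_t *data;
    size_t len;
    size_t off;
};

// Read a big-endian 32-bit length, the equivalent of fread + ntohl.
static bool read_u32be(Reader &r, uint32_t &out) {
    if (r.len - r.off < 4)
        return false;
    out = (uint32_t(r.data[r.off]) << 24) | (uint32_t(r.data[r.off + 1]) << 16) |
          (uint32_t(r.data[r.off + 2]) << 8) | uint32_t(r.data[r.off + 3]);
    r.off += 4;
    return true;
}

// The unpatched size computation: `new char[nlen+1]` with a quint32 nlen.
// For nlen == 0xFFFFFFFF the addition wraps to 0, so operator new[] gets a
// zero-byte request and the following `(*name)[nlen] = '\0'` would write
// 4 GiB past the allocation. Only the size is computed here; no write happens.
uint32_t unchecked_alloc_size(uint32_t nlen) {
    return nlen + 1;
}

// Same bound the upstream fix uses; any tag longer than this is rejected.
static const uint32_t kMaxTagLen = 100000;

// Hardened reader: bounds every attacker-controlled length before it is
// used for allocation or as an index, and verifies the payload is actually
// present before copying it, so a truncated file cannot over-read either.
bool read_tag_safe(Reader &r, std::string &name, std::string &value) {
    uint32_t nlen, vlen;
    if (!read_u32be(r, nlen) || nlen > kMaxTagLen)
        return false;
    if (!read_u32be(r, vlen) || vlen > kMaxTagLen)
        return false;
    if (r.len - r.off < nlen)
        return false;
    name.assign(reinterpret_cast<const char *>(r.data + r.off), nlen);
    r.off += nlen;
    if (r.len - r.off < vlen)
        return false;
    value.assign(reinterpret_cast<const char *>(r.data + r.off), vlen);
    r.off += vlen;
    return true;
}

// Build a constructed record: [nlen BE][vlen BE][name][value]. The header
// lengths are passed separately so a lying header can be produced.
static std::vector<uint8_t> make_record(uint32_t nlen, uint32_t vlen,
                                        const std::string &name, const std::string &value) {
    std::vector<uint8_t> out;
    const uint32_t hdr[2] = {nlen, vlen};
    for (uint32_t v : hdr)
        for (int shift = 24; shift >= 0; shift -= 8)
            out.push_back(uint8_t(v >> shift));
    out.insert(out.end(), name.begin(), name.end());
    out.insert(out.end(), value.begin(), value.end());
    return out;
}

// Well-formed record: returns "name=value", or "" if parsing fails.
std::string good_record_joined() {
    std::vector<uint8_t> buf = make_record(5, 5, "title", "hello");
    Reader r = {buf.data(), buf.size(), 0};
    std::string n, v;
    return read_tag_safe(r, n, v) ? n + "=" + v : std::string();
}

// Malicious header: nlen = 0xFFFFFFFF, the value the unpatched code wraps on.
bool parse_overflow_record() {
    std::vector<uint8_t> buf = make_record(0xFFFFFFFFu, 0, "", "");
    Reader r = {buf.data(), buf.size(), 0};
    std::string n, v;
    return read_tag_safe(r, n, v);
}

// Truncated record: header promises 64 name bytes, only 5 follow.
bool parse_truncated_record() {
    std::vector<uint8_t> buf = make_record(64, 0, "title", "");
    Reader r = {buf.data(), buf.size(), 0};
    std::string n, v;
    return read_tag_safe(r, n, v);
}

int main() {
    std::printf("good record: %s\n", good_record_joined().c_str());
    std::printf("wrapped size for nlen 0xFFFFFFFF: %u\n", unchecked_alloc_size(0xFFFFFFFFu));
    std::printf("overflow record rejected: %d\n", !parse_overflow_record());
    std::printf("truncated record rejected: %d\n", !parse_truncated_record());
    return 0;
}
```

The cap is what makes `nlen+1` safe: once nlen is at most 100000 the addition cannot wrap in 32 bits, so the allocation and the terminator index agree again. The extra "is the payload present" checks are not in the patch, which relies on fread's return value for that; they are shown here because a bounded length still says nothing about whether the file actually contains that many bytes.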