Date: Wed, 21 Mar 2012 23:49:32 +0530 From: Zubin Mithra <zubin.mithra@...il.com> To: Kurt Seifried <kseifried@...hat.com> Cc: Ludwig Nussel <ludwig.nussel@...e.de>, oss-security@...ts.openwall.com, Dhanesh k <dhanesh1428@...il.com> Subject: Re: CVE-Request taglib vulnerabilities On Wed, Mar 21, 2012 at 10:49 PM, Kurt Seifried <kseifried@...hat.com>wrote: > On 03/21/2012 09:42 AM, Ludwig Nussel wrote: > > Zubin Mithra wrote: > >> [...] > >> The issues which are present in the latest "release" but not in the > current > >> development head were :- > >> > >>  Lack of sanity checks of fields which were read, and were used for > >> allocating memory; crafted files would lead of application crash. > > > > Not an issue according to upstream: > > http://mail.kde.org/pipermail/taglib-devel/2012-March/002187.html > > Shouldn't it simply say "file to large" or "unable to allocate blah" > something rather than crashing? I assume by "large" file the file > doesn't actually need to be large, just the header information needs to > claim it is large? > Yes, the file does not need to be large, it just needs to have a crafted header. On investigating the issue further, discussing with a developer Lukas Laninsky and providing PoC's, we had confirmed that the root issue was an Integer overflow - which would cause a large allocation and crash the application. The changeset that corrects it can be found here => https://github.com/taglib/taglib/commit/dcdf4fd954e3213c355746fa15b7480461972308 > > >>  A one bit change in a working ogg file would cause a thread to loop > >> infinitely. > > > > http://mail.kde.org/pipermail/taglib-devel/2012-March/002191.html > > > https://github.com/taglib/taglib/commit/b3646a07348ffa276ea41a9dae03ddc63ea6c532 > > Has this been confirmed? Does the looping thread actually cause a DoS, > simply slow down the application a bit, or? > Yes, it just causes a thread to cause an infinite loop and does not cause an application crash. > > > cu > > Ludwig > > > > -- > Kurt Seifried Red Hat Security Response Team (SRT) > Regards, Zubin Mithra
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ