Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Wed, 21 Mar 2012 23:49:32 +0530
From: Zubin Mithra <zubin.mithra@...il.com>
To: Kurt Seifried <kseifried@...hat.com>
Cc: Ludwig Nussel <ludwig.nussel@...e.de>, oss-security@...ts.openwall.com, 
	Dhanesh k <dhanesh1428@...il.com>
Subject: Re: CVE-Request taglib vulnerabilities

On Wed, Mar 21, 2012 at 10:49 PM, Kurt Seifried <kseifried@...hat.com>wrote:

> On 03/21/2012 09:42 AM, Ludwig Nussel wrote:
> > Zubin Mithra wrote:
> >> [...]
> >> The issues which are present in the latest "release" but not in the
> current
> >> development head were :-
> >>
> >> [3] Lack of sanity checks of fields which were read, and were used for
> >> allocating memory; crafted files would lead of application crash.
> >
> > Not an issue according to upstream:
> > http://mail.kde.org/pipermail/taglib-devel/2012-March/002187.html
>
> Shouldn't it simply say "file to large" or "unable to allocate blah"
> something rather than crashing? I assume by "large" file the file
> doesn't actually need to be large, just the header information needs to
> claim it is large?
>

Yes, the file does not need to be large, it just needs to have a crafted
header.

On investigating the issue further, discussing with a developer Lukas
Laninsky and providing PoC's, we had confirmed that the root issue was an
Integer overflow - which would cause a large allocation and crash the
application.

The changeset that corrects it can be found here =>
https://github.com/taglib/taglib/commit/dcdf4fd954e3213c355746fa15b7480461972308



>
> >> [4] A one bit change in a working ogg file would cause a thread to loop
> >> infinitely.
> >
> > http://mail.kde.org/pipermail/taglib-devel/2012-March/002191.html
> >
> https://github.com/taglib/taglib/commit/b3646a07348ffa276ea41a9dae03ddc63ea6c532
>
> Has this been confirmed? Does the looping thread actually cause a DoS,
> simply slow down the application a bit, or?
>

Yes, it just causes a thread to cause an infinite loop and does not cause
an application crash.



>
> > cu
> > Ludwig
>
>
>
> --
> Kurt Seifried Red Hat Security Response Team (SRT)
>


Regards,
Zubin Mithra

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ