Date: Mon, 26 Mar 2012 12:44:56 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Zubin Mithra <zubin.mithra@...il.com>,
        Ludwig Nussel <ludwig.nussel@...e.de>,
        Dhanesh k <dhanesh1428@...il.com>
Subject: Re: CVE-Request taglib vulnerabilities

On 03/21/2012 12:19 PM, Zubin Mithra wrote:
> On Wed, Mar 21, 2012 at 10:49 PM, Kurt Seifried <kseifried@...hat.com>wrote:
> 
>> On 03/21/2012 09:42 AM, Ludwig Nussel wrote:
>>> Zubin Mithra wrote:
>>>> [...]
>>>> The issues which are present in the latest "release" but not in the
>> current
>>>> development head were :-
>>>>
>>>> [3] Lack of sanity checks of fields which were read, and were used for
>>>> allocating memory; crafted files would lead to application crash.
>>>
>>> Not an issue according to upstream:
>>> http://mail.kde.org/pipermail/taglib-devel/2012-March/002187.html
>>
>> Shouldn't it simply say "file too large" or "unable to allocate blah"
>> something rather than crashing? I assume by "large" file the file
>> doesn't actually need to be large, just the header information needs to
>> claim it is large?
>>
> 
> Yes, the file does not need to be large, it just needs to have a crafted
> header.
> 
> On investigating the issue further, discussing with a developer Lukas
> Laninsky and providing PoC's, we had confirmed that the root issue was an
> Integer overflow - which would cause a large allocation and crash the
> application.
> 
> The changeset that corrects it can be found here =>
> https://github.com/taglib/taglib/commit/dcdf4fd954e3213c355746fa15b7480461972308

Please use CVE-2012-1584 for this issue.

> 
> 
>>
>>>> [4] A one bit change in a working ogg file would cause a thread to loop
>>>> infinitely.
>>>
>>> http://mail.kde.org/pipermail/taglib-devel/2012-March/002191.html
>>>
>> https://github.com/taglib/taglib/commit/b3646a07348ffa276ea41a9dae03ddc63ea6c532
>>
>> Has this been confirmed? Does the looping thread actually cause a DoS,
>> simply slow down the application a bit, or?
>>
> 
> Yes, it just causes a thread to loop infinitely and does not cause
> an application crash.

Ok, not assigning a CVE then. Thanks!

> 
> 
>>
>>> cu
>>> Ludwig
>>
>>
>>
>> --
>> Kurt Seifried Red Hat Security Response Team (SRT)
>>
> 
> 
> Regards,
> Zubin Mithra
> 


-- 
Kurt Seifried Red Hat Security Response Team (SRT)
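
The integer-overflow pattern discussed above (a small file whose header claims a huge length, so the size arithmetic wraps and the reader either passes a naive bound check or asks the allocator for gigabytes) as an added C example. This is not taglib's code and not code from any participant in this thread; the chunk layout, the function names, the 16 MiB cap and the sample inputs are constructed for illustration only.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Constructed chunk layout (hypothetical, not any real tag format):
 * 4-byte identifier, 4-byte big-endian payload length, then the payload.
 * The length field is attacker-controlled. */
#define CHUNK_HEADER_LEN 8u
/* Largest payload this reader will buffer: a policy cap, assumed here. */
#define CHUNK_MAX_PAYLOAD (16u * 1024u * 1024u)

enum chunk_status {
    CHUNK_OK = 0, CHUNK_TRUNCATED = -1, CHUNK_OVERSIZED = -2,
    CHUNK_NOMEM = -3, CHUNK_BADARG = -4
};

struct chunk {
    char id[5];
    const unsigned char *payload;
    uint32_t length;
};

static uint32_t read_be32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* The vulnerable arithmetic: header size added to a 32-bit length taken
 * from the file. For lengths above 0xFFFFFFF7 the sum wraps, so a check
 * such as "total <= file size" passes while the original (huge) length
 * is still what gets handed to the allocator. */
uint32_t chunk_total_unchecked(uint32_t claimed_len)
{
    return claimed_len + CHUNK_HEADER_LEN;
}

/* Hardened parse: comparisons are made against the trusted side
 * (buflen minus the header), so nothing is added to the untrusted value
 * and nothing can wrap; an explicit cap bounds any later allocation. */
int chunk_parse(const unsigned char *buf, size_t buflen, struct chunk *out)
{
    if (buflen < CHUNK_HEADER_LEN)
        return CHUNK_TRUNCATED;
    uint32_t claimed = read_be32(buf + 4);
    if (claimed > CHUNK_MAX_PAYLOAD)
        return CHUNK_OVERSIZED;           /* reject, do not allocate */
    if (claimed > buflen - CHUNK_HEADER_LEN)
        return CHUNK_TRUNCATED;           /* file shorter than it claims */
    memcpy(out->id, buf, 4);
    out->id[4] = '\0';
    out->payload = buf + CHUNK_HEADER_LEN;
    out->length = claimed;
    return CHUNK_OK;
}

/* Copies the payload out. Safe only because chunk_parse already bounded
 * length by the cap and by the bytes actually present; malloc failure is
 * reported rather than dereferenced. */
int chunk_copy_payload(const struct chunk *c, unsigned char **out)
{
    unsigned char *p = malloc(c->length ? c->length : 1);
    if (!p)
        return CHUNK_NOMEM;
    memcpy(p, c->payload, c->length);
    *out = p;
    return CHUNK_OK;
}

/* Builds a constructed chunk whose header claims claimed_len bytes but
 * which actually carries actual_len bytes of payload. */
size_t make_chunk(unsigned char *dst, size_t dstlen,
                  uint32_t claimed_len, size_t actual_len)
{
    if (dstlen < CHUNK_HEADER_LEN + actual_len)
        return 0;
    memcpy(dst, "TEST", 4);
    dst[4] = (unsigned char)(claimed_len >> 24);
    dst[5] = (unsigned char)(claimed_len >> 16);
    dst[6] = (unsigned char)(claimed_len >> 8);
    dst[7] = (unsigned char)claimed_len;
    memset(dst + CHUNK_HEADER_LEN, 0xAB, actual_len);
    return CHUNK_HEADER_LEN + actual_len;
}

/* Parses one constructed chunk and returns the chunk_status. */
int demo_parse_status(uint32_t claimed_len, size_t actual_len)
{
    unsigned char buf[64];
    struct chunk c;
    size_t n = make_chunk(buf, sizeof buf, claimed_len, actual_len);
    return n ? chunk_parse(buf, n, &c) : CHUNK_BADARG;
}

int main(void)
{
    /* A 12-byte file claiming ~4 GiB: the naive total wraps to 4. */
    printf("unchecked total for 0xFFFFFFFC: %u\n",
           (unsigned)chunk_total_unchecked(0xFFFFFFFCu));
    printf("hardened parse: %d (CHUNK_OVERSIZED is %d)\n",
           demo_parse_status(0xFFFFFFFCu, 4), CHUNK_OVERSIZED);
    printf("claims 100, carries 4: %d (CHUNK_TRUNCATED is %d)\n",
           demo_parse_status(100, 4), CHUNK_TRUNCATED);
    printf("well-formed: %d (CHUNK_OK is %d)\n",
           demo_parse_status(4, 4), CHUNK_OK);
    return 0;
}
```

The point of doing the comparison as `claimed > buflen - CHUNK_HEADER_LEN` rather than `claimed + CHUNK_HEADER_LEN > buflen` is that the subtraction operates on a value the program already trusts (it checked `buflen >= CHUNK_HEADER_LEN` one line earlier), so no expression involving the file-supplied length can overflow. The cap is a separate policy decision: even a length that fits inside a large file should not be allowed to drive a multi-gigabyte allocation for a tag.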
