Date: Mon, 26 Mar 2012 12:44:56 -0600 From: Kurt Seifried <kseifried@...hat.com> To: oss-security@...ts.openwall.com CC: Zubin Mithra <zubin.mithra@...il.com>, Ludwig Nussel <ludwig.nussel@...e.de>, Dhanesh k <dhanesh1428@...il.com> Subject: Re: CVE-Request taglib vulnerabilities On 03/21/2012 12:19 PM, Zubin Mithra wrote: > On Wed, Mar 21, 2012 at 10:49 PM, Kurt Seifried <kseifried@...hat.com>wrote: > >> On 03/21/2012 09:42 AM, Ludwig Nussel wrote: >>> Zubin Mithra wrote: >>>> [...] >>>> The issues which are present in the latest "release" but not in the >> current >>>> development head were :- >>>> >>>>  Lack of sanity checks of fields which were read, and were used for >>>> allocating memory; crafted files would lead of application crash. >>> >>> Not an issue according to upstream: >>> http://mail.kde.org/pipermail/taglib-devel/2012-March/002187.html >> >> Shouldn't it simply say "file to large" or "unable to allocate blah" >> something rather than crashing? I assume by "large" file the file >> doesn't actually need to be large, just the header information needs to >> claim it is large? >> > > Yes, the file does not need to be large, it just needs to have a crafted > header. > > On investigating the issue further, discussing with a developer Lukas > Laninsky and providing PoC's, we had confirmed that the root issue was an > Integer overflow - which would cause a large allocation and crash the > application. > > The changeset that corrects it can be found here => > https://github.com/taglib/taglib/commit/dcdf4fd954e3213c355746fa15b7480461972308 Please use CVE-2012-1584 for this issue. > > >> >>>>  A one bit change in a working ogg file would cause a thread to loop >>>> infinitely. >>> >>> http://mail.kde.org/pipermail/taglib-devel/2012-March/002191.html >>> >> https://github.com/taglib/taglib/commit/b3646a07348ffa276ea41a9dae03ddc63ea6c532 >> >> Has this been confirmed? Does the looping thread actually cause a DoS, >> simply slow down the application a bit, or? >> > > Yes, it just causes a thread to cause an infinite loop and does not cause > an application crash. Ok, not assigning a CVE then. Thanks! > > >> >>> cu >>> Ludwig >> >> >> >> -- >> Kurt Seifried Red Hat Security Response Team (SRT) >> > > > Regards, > Zubin Mithra > -- Kurt Seifried Red Hat Security Response Team (SRT)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ