Bug#866860: mpg123: CVE-2017-10683

2017-07-02 Thread Thomas Orgis 
Am Sun, 02 Jul 2017 11:12:36 +0200
schrieb Salvatore Bonaccorso : 

> CVE-2017-10683[0]:
> | In mpg123 1.25.0, there is a heap-based buffer over-read in the
> | convert_latin1 function in libmpg123/id3.c. A crafted input will lead
> | to a remote denial of service attack.

I don't oppose the creation of a CVE for that, although I wouldn't have
bothered myself and also the description seems overly dramatic. So far
I have only seen valgrind and an enabled AddressSanitizer complaining.
In practice, I did not see one crash because of this in normal builds.

This is one byte read too much, but to get denial of service, that
extra byte should be outside mpg123's address space. That does not
strike me as very likely in this context. Maybe one can construct such
a case, but the test bitstream I got doesn't do it. Even if that one
byte too much is successfully read and finds its way into a string
buffer, my paranoia had me explicitly append an (additional) zero after
it anyway.

I'd phrase the last CVE sentence as:

A crafted input will lead to a remote denial of service attack
if the user asked for it by enabling compiler instrumentation.

;-)

That being said, I won't claim that it is impossible to craft a file
that would trigger serious invalid reads (p.ex. by an strlen() in an
adjacent code path, _not_ in the text processing the triggered test
case covers), and possibly actual DoS instead of possibly just sligthly
bogus ID3 data from invalid input. I just havent's seen it yet.


Anyway, the officially fixed version 1.25.1 will be released
today/night. So you might want to just update to that one instead of
pulling out the single patch. I am still waiting for a complete report
for another issue that I'd like to fix in the release, too.


Alrighty then,

Thomas


pgpD6zg0OaqBP.pgp
Description: Digitale Signatur von OpenPGP
___
pkg-multimedia-maintainers mailing list
pkg-multimedia-maintainers@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-multimedia-maintainers

Bug#866860: mpg123: CVE-2017-10683

2017-07-02 Thread Salvatore Bonaccorso 
Control: tags -1 + patch

On Sun, Jul 02, 2017 at 11:12:36AM +0200, Salvatore Bonaccorso wrote:
> Source: mpg123
> Version: 1.25.0-1
> Severity: important
> Tags: upstream security
> 
> Hi,
> 
> the following vulnerability was published for mpg123.
> 
> CVE-2017-10683[0]:
> | In mpg123 1.25.0, there is a heap-based buffer over-read in the
> | convert_latin1 function in libmpg123/id3.c. A crafted input will lead
> | to a remote denial of service attack.
> 
> This was reported at [1], but Hanno Boeck recently reported [2] as
> well.
> 
> Looking at both cases i think those should be the same issues, and
> upstream has a patch for the issue.
> 
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> 
> For further information see:
> 
> [0] https://security-tracker.debian.org/tracker/CVE-2017-10683
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10683
> [1] https://bugzilla.redhat.com/show_bug.cgi?id=1465819
> [2] https://sourceforge.net/p/mpg123/bugs/252/

Attaching the extracted patch.

Regards,
Salvatore
Index: NEWS
===
--- NEWS	(revision 4251)
+++ NEWS	(revision 4252)
@@ -2,6 +2,9 @@
 ---
 - libmpg123:
 -- Avoid memset(NULL, 0, 0) to calm down the paranoid.
+-- Fix bug 252, invalid read of size 1 in ID3v2 parser due to forgotten
+   offset from the frame flag bytes (unnoticed in practice for a long
+   time).
 
 1.25.0: MP3 now patent-free worldwide!
 ---
Index: src/libmpg123/id3.c
===
--- src/libmpg123/id3.c	(revision 4251)
+++ src/libmpg123/id3.c	(revision 4252)
@@ -700,6 +700,8 @@
 
 	/* length-10 or length-20 (footer present); 4 synchsafe integers == 28 bit number  */
 	/* we have already read 10 bytes, so left are length or length+10 bytes belonging to tag */
+	/* Note: This is an 28 bit value in 32 bit storage, plenty of space for */
+	/* length+x for reasonable x. */
 	if(!synchsafe_to_long(buf+2,length))
 	{
 		if(NOQUIET) error4("Bad tag length (not synchsafe): 0x%02x%02x%02x%02x; You got a bad ID3 tag here.", buf[2],buf[3],buf[4],buf[5]);
@@ -764,13 +766,16 @@
 	char id[5];
 	unsigned long framesize;
 	unsigned long fflags; /* need 16 bits, actually */
+	/* bytes of frame title and of framesize value */
+	int head_part = fr->id3v2.version > 2 ? 4 : 3;
+	int flag_part = fr->id3v2.version > 2 ? 2 : 0;
 	id[4] = 0;
 	/* pos now advanced after ext head, now a frame has to follow */
-	while(tagpos < length-10) /* I want to read at least a full header */
+	/* I want to read at least one full header now. */
+	while(tagpos <= length-head_part-head_part-flag_part)
 	{
 		int i = 0;
 		unsigned long pos = tagpos;
-		int head_part = fr->id3v2.version == 2 ? 3 : 4; /* bytes of frame title and of framesize value */
 		/* level 1,2,3 - 0 is info from lame/info tag! */
 		/* rva tags with ascending significance, then general frames */
 		enum frame_types tt = unknown;
@@ -801,7 +806,7 @@
 			}
 			if(VERBOSE3) fprintf(stderr, "Note: ID3v2 %s frame of size %lu\n", id, framesize);
 			tagpos += head_part + framesize; /* the important advancement in whole tag */
-			if(tagpos > length)
+			if(tagpos > length-flag_part)
 			{
 if(NOQUIET) error("Whoa! ID3v2 frame claims to be larger than the whole rest of the tag.");
 break;
Index: .
===
--- .	(revision 4251)
+++ .	(revision 4252)

Property changes on: .
___
Modified: svn:mergeinfo
## -0,0 +0,1 ##
   Merged /trunk:r4249
___
pkg-multimedia-maintainers mailing list
pkg-multimedia-maintainers@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-multimedia-maintainers

Bug#866860: mpg123: CVE-2017-10683

2017-07-02 Thread Salvatore Bonaccorso 
Source: mpg123
Version: 1.25.0-1
Severity: important
Tags: upstream security

Hi,

the following vulnerability was published for mpg123.

CVE-2017-10683[0]:
| In mpg123 1.25.0, there is a heap-based buffer over-read in the
| convert_latin1 function in libmpg123/id3.c. A crafted input will lead
| to a remote denial of service attack.

This was reported at [1], but Hanno Boeck recently reported [2] as
well.

Looking at both cases i think those should be the same issues, and
upstream has a patch for the issue.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-10683
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10683
[1] https://bugzilla.redhat.com/show_bug.cgi?id=1465819
[2] https://sourceforge.net/p/mpg123/bugs/252/

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

___
pkg-multimedia-maintainers mailing list
pkg-multimedia-maintainers@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-multimedia-maintainers