Date: Wed, 14 Jan 2009 10:08:00 +0100
From: Jan Lieskovsky <jlieskov@...hat.com>
To: "Steven M. Christey" <coley@...us.mitre.org>
Cc: oss-security@...ts.openwall.com
Subject: CVE Request -- amarok

Hello Steve,

  Multiple integer overflows (leading to heap-based overflows)
and unchecked allocation vulnerabilities have been reported
against the Amarok multimedia player when parsing malformed
Audible digital audio files. Upstream has fixed
these in the latest 2.0.1.1 release.

References:
http://www.trapkit.de/advisories/TKADV2009-002.txt
http://amarok.kde.org/en/releases/2.0.1.1   (Fix possible buffer overflows when parsing Audible .aa files.)
https://bugzilla.redhat.com/show_bug.cgi?id=479946
http://bugs.gentoo.org/show_bug.cgi?id=254896

Proposed solution: Upgrade to latest upstream version 2.0.1.1

Affected Amarok version: amarok-1.4.10-1.fc9 <= x < latest upstream 2.0.1.1 release

Also attaching the diff for the audibletag.cpp file between the latest F10 package (amarok-2.0-2.fc10)
and the latest upstream 2.0.1.1 release (see attachment).

Could you please allocate a new 2009 CVE id for it?

Thanks, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team

--- /root/rpmbuild/BUILD/amarok-2.0/src/metadata/audible/audibletag.cpp	2008-12-05 05:01:21.000000000 -0500
+++ /tmp/amarok/amarok-2.0.1.1/src/metadata/audible/audibletag.cpp	2009-01-09 13:29:30.000000000 -0500
@@ -139,13 +139,20 @@
 
 bool Audible::Tag::readTag( FILE *fp, char **name, char **value)
 {
+    // arbitrary value that has to be smaller than 2^32-1 and that should be large enough for all tags
+    const quint32 maxtaglen = 100000;
+
     quint32 nlen;
     if ( fread(&nlen, sizeof(nlen), 1, fp) != 1 )
         return false;
 
     nlen = ntohl(nlen);
     //fprintf(stderr, "tagname len=%x\n", (unsigned)nlen);
+    if(nlen > maxtaglen)
+        return false;
     *name = new char[nlen+1];
+    if (!*name)
+        return false;
     (*name)[nlen] = '\0';
 
     quint32 vlen;
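Review bot: the `if (!*name) return false;` added after `*name = new char[nlen+1];` can never fire: the default `new[]` throws `std::bad_alloc` on failure instead of returning a null pointer, so either allocate with `new (std::nothrow) char[nlen+1]` or drop the check and let the exception propagate. The `nlen > maxtaglen` guard is the substantive fix in this hunk, because it keeps `nlen+1` from wrapping to 0 when `nlen` is 0xFFFFFFFF; the comment on `maxtaglen` would be clearer if it stated that directly rather than "smaller than 2^32-1".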
@@ -157,8 +164,13 @@
     }
 
     vlen = ntohl(vlen);
+    if (vlen > maxtaglen)
+    {
+        delete [] *name;
+        *name = 0;
+        return false;
+    }
     //fprintf(stderr, "tag len=%x\n", (unsigned)vlen);
-
     if ( fread(*name, nlen, 1, fp) != 1 )
     {
         delete [] *name;
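Review bot: the three-line cleanup `delete [] *name; *name = 0; return false;` introduced here is duplicated on the other new error paths in this patch, which makes it easy for a future path to miss the `*name = 0` reset; consider a single error exit, or holding the buffers in `std::string`/`QByteArray` so the function has one cleanup point. The removed blank line is unrelated whitespace churn and could be left out of a security fix.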
@@ -167,6 +179,12 @@
     }
 
     *value = new char[vlen+1];
+    if (!*value)
+    {
+        delete [] *name;
+        *name = 0;
+        return false;
+    }
     (*value)[vlen] = '\0';
 
     if ( fread(*value, vlen, 1, fp) != 1 )
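Review bot: same dead null check as for `*name` in the first hunk: `new char[vlen+1]` throws under default semantics, so the `if (!*value)` branch is unreachable unless the allocation is changed to `std::nothrow`. Since `vlen` is already capped at `maxtaglen` earlier in the function, the only remaining failure this branch could cover is allocation failure, so either switch to nothrow `new` here as well or remove the branch.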

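As an added example (not Amarok's code), the same bounded-length check written in C for an in-memory buffer, with constructed inputs: one well-formed tag and one whose name length of 0xFFFFFFFF would make `nlen + 1` wrap to 0 in the original 32-bit arithmetic. The field order (name length, value length, name bytes, value bytes) is inferred from the order of reads in the patch, and the 100000 cap is the one the upstream fix uses.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* Same cap the upstream fix uses; it also keeps len + 1 from wrapping. */
#define MAXTAGLEN 100000u

/* Read a big-endian 32-bit length (the ntohl() in the original). */
static bool read_u32be(const uint8_t **p, const uint8_t *end, uint32_t *out)
{
    if (end - *p < 4) return false;
    *out = ((uint32_t)(*p)[0] << 24) | ((uint32_t)(*p)[1] << 16)
         | ((uint32_t)(*p)[2] << 8)  |  (uint32_t)(*p)[3];
    *p += 4;
    return true;
}

/* Parse one tag from an in-memory buffer. Field order follows the order of
 * reads in the patch (assumption). On success *name and *value are malloc'd,
 * NUL-terminated and owned by the caller; on failure both are NULL. */
bool read_tag(const uint8_t *buf, size_t n, char **name, char **value)
{
    const uint8_t *p = buf, *end = buf + n;
    uint32_t nlen, vlen;
    *name = *value = NULL;
    if (!read_u32be(&p, end, &nlen) || !read_u32be(&p, end, &vlen))
        return false;
    /* Bound both lengths before allocating anything. Without this, an nlen
     * of 0xFFFFFFFF makes nlen + 1 wrap to 0 in 32-bit arithmetic, so the
     * allocation is tiny and the copy that follows overruns the heap. */
    if (nlen > MAXTAGLEN || vlen > MAXTAGLEN)
        return false;
    /* Reject truncated input instead of reading past the buffer. */
    if ((size_t)(end - p) < (size_t)nlen + vlen)
        return false;
    *name = malloc((size_t)nlen + 1);   /* unlike C++ new, malloc returns NULL */
    *value = malloc((size_t)vlen + 1);
    if (!*name || !*value) {
        free(*name); free(*value);
        *name = *value = NULL;
        return false;
    }
    memcpy(*name, p, nlen);  (*name)[nlen] = '\0';  p += nlen;
    memcpy(*value, p, vlen); (*value)[vlen] = '\0';
    return true;
}

/* Constructed samples: a well-formed tag, and one whose name length wraps. */
const uint8_t good_tag[] = { 0,0,0,5, 0,0,0,3, 't','i','t','l','e', 'a','b','c' };
const size_t  good_tag_len = sizeof good_tag;
const uint8_t wrap_tag[] = { 0xff,0xff,0xff,0xff, 0,0,0,3, 'a','b','c' };
const size_t  wrap_tag_len = sizeof wrap_tag;
```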