Date: Fri, 21 Nov 2008 18:17:50 +0300 (MSK)
From: Eygene Ryabinkin <rea-fbsd@codelabs.ru>
To: FreeBSD-gnats-submit@freebsd.org
Subject: ports/129050: [vuxml] [patch] audio/libcdaudio: fix CVE-2005-0706 and CVE-2008-5030
Message-ID: <20081121151750.A37A11AF41B@void.codelabs.ru>
Resent-Message-ID: <200811211520.mALFK1qP035361@freefall.freebsd.org>
>Number:         129050
>Category:       ports
>Synopsis:       [vuxml] [patch] audio/libcdaudio: fix CVE-2005-0706 and CVE-2008-5030
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Nov 21 15:20:01 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator:     Eygene Ryabinkin
>Release:        FreeBSD 7.1-PRERELEASE i386
>Organization:   Code Labs
>Environment:
System: FreeBSD 7.1-PRERELEASE i386
>Description:
There are at least two issues with libcdaudio's CDDB stuff:
  http://www.securityfocus.com/bid/12770
  http://www.securityfocus.com/bid/32122
-----
Heap-based buffer overflow in the cddb_read_disc_data function in cddb.c in libcdaudio 0.99.12p2 allows remote attackers to execute arbitrary code via long CDDB data.

Buffer overflow in discdb.c for grip 3.1.2 allows attackers to cause a denial of service (crash) and possibly execute arbitrary code by causing the cddb lookup to return more matches than expected.
-----
The latter programming error also lives inside libcdaudio's code.
>How-To-Repeat:
See
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0706
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5030
>Fix:
The following patch brings the fixes to the FreeBSD port:

--- libcdaudio-0.99.12p2-fix-CVE-2008-5030.2005-0706.diff begins here --- diff -urN ./Makefile ../libcdaudio/Makefile --- ./Makefile 2008-11-21 17:04:39.000000000 +0300 +++ ../libcdaudio/Makefile 2008-11-21 17:04:52.000000000 +0300 @@ -7,7 +7,7 @@ PORTNAME= libcdaudio PORTVERSION= 0.99.12p2 -PORTREVISION= 1 +PORTREVISION= 2 CATEGORIES= audio MASTER_SITES= ${MASTER_SITE_SOURCEFORGE} MASTER_SITE_SUBDIR= ${PORTNAME} diff -urN ./files/patch-CVE-2008-5030.2005-0706 ../libcdaudio/files/patch-CVE-2008-5030.2005-0706 --- ./files/patch-CVE-2008-5030.2005-0706 1970-01-01 03:00:00.000000000 +0300 +++ ../libcdaudio/files/patch-CVE-2008-5030.2005-0706 2008-11-21 17:45:03.000000000 +0300
@@ -0,0 +1,58 @@ +CVE-2008-5030 fix +================= + +Fix contents: second hunk for src/cddb.c +Obtained from: http://sourceforge.net/tracker/download.php?group_id=27134&atid=389442&file_id=148743&aid=1288043 + + +CVE-2005-0706 fix +================= + +Fix contents: first hunk for src/cddb.c and complete diff for src/coverart.c +Based on: http://sourceforge.net/tracker/download.php?group_id=3714&atid=303714&file_id=124892&aid=1160134 + +--- src/cddb.c.orig 2004-09-09 05:26:39.000000000 +0400 ++++ src/cddb.c 2008-11-21 17:33:50.000000000 +0300 +@@ -1052,7 +1052,8 @@ + } + + query->query_matches = 0; +- while(!cddb_read_line(sock, inbuffer, 256)) { ++ while(query->query_matches < MAX_INEXACT_MATCHES && ++ !cddb_read_line(sock, inbuffer, 256)) { + slashed = 0; + if(strchr(inbuffer, '/') != NULL && parse_disc_artist) { + index = 0; +@@ -1601,7 +1602,7 @@ + return -1; + } + +- if((inbuffer = malloc(256)) == NULL) { ++ if((inbuffer = malloc(512)) == NULL) { + free(root_dir); + free(file); + return -1; +--- src/coverart.c.orig 2008-11-21 17:36:39.000000000 +0300 ++++ src/coverart.c 2008-11-21 17:39:41.000000000 +0300 +@@ -131,7 +131,9 @@ + } + } else if(strncmp(line, "Album", 5) == 0) { + long n = strtol((char *)line + 5, NULL, 10); +- if(parse_disc_artist && strchr(procbuffer, '/') != NULL) { ++ if(n >= MAX_INEXACT_MATCHES) { ++ // Too much data, can't store it ++ } else if(parse_disc_artist && strchr(procbuffer, '/') != NULL) { + strtok(procbuffer, "/"); + strncpy(query->query_list[n].list_artist, procbuffer, + (strlen(procbuffer) < 64) ? 
(strlen(procbuffer) - 1) : 64); +@@ -143,7 +145,9 @@ + } + } else if(strncmp(line, "Url", 3) == 0) { + long n = strtol((char *)line + 3, NULL, 10); +- cddb_process_url(&query->query_list[n].list_host, procbuffer); ++ if (n < MAX_INEXACT_MATCHES) { ++ cddb_process_url(&query->query_list[n].list_host, procbuffer); ++ } + } + + return; --- libcdaudio-0.99.12p2-fix-CVE-2008-5030.2005-0706.diff ends here ---

The fix for CVE-2005-0706 was based on Grip's original fix [1], but I found that the same programming error exists in coverart.c. Now I am trying to investigate whether this error is known (with the Mandriva security officer, since I had initially found this issue via reading MDVSA-2008:233 [2]). Still, the issue in coverart.c seems to be of the same kind as the one in cddb.c.

[1] http://sourceforge.net/tracker/index.php?func=detail&aid=1160134&group_id=3714&atid=303714
[2] http://www.mandriva.com/en/security/advisories?name=MDVSA-2008:233

The following VuXML entry should be evaluated and added:

--- vuln.xml begins here ---
<vuln vid="">
  <topic>libcdaudio -- remote buffer overflow and code execution</topic>
  <affects>
    <package>
      <name>libcdaudio</name>
      <range><lt>0.99.12p2_2</lt></range>
    </package>
  </affects>
  <description>
    <body xmlns="http://www.w3.org/1999/xhtml">
      <p>SecurityFocus vulnerability database says:</p>
      <blockquote cite="http://www.securityfocus.com/bid/32122/discuss">
        <p>The 'libcdaudio' library is prone to a remote heap buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied input before copying it to an insufficiently sized buffer.</p>
        <p>Attackers can exploit this issue to execute arbitrary code in the context of an application that uses the library. Failed attacks will cause denial-of-service conditions.</p>
        <p>This issue affects libcdaudio 0.99.12p2; other versions may also be affected.</p>
      </blockquote>
      <blockquote cite="http://www.securityfocus.com/bid/12770/discuss">
        <p>A buffer-overflow in Grip occurs when the software processes a response to a CDDB query that has more than 16 matches.</p>
        <p>To exploit this issue, an attacker must be able to influence the response to a CDDB query, either by controlling a malicious CDDB server or through some other means. Successful exploits will allow arbitrary code to run.</p>
      </blockquote>
      <p>The same code as for the Grip vulnerability was found in the libcdaudio library, so it is affected by similar issues.</p>
    </body>
  </description>
  <references>
    <cvename>CVE-2008-5030</cvename>
    <cvename>CVE-2005-0706</cvename>
    <bid>32122</bid>
    <bid>12770</bid>
    <url>http://sourceforge.net/tracker/index.php?func=detail&amp;aid=1288043&amp;group_id=27134&amp;atid=389442</url>
    <url>http://sourceforge.net/tracker/index.php?func=detail&amp;aid=834724&amp;group_id=3714&amp;atid=103714</url>
  </references>
  <dates>
    <discovery>2008-11-05</discovery>
  </dates>
</vuln>
--- vuln.xml ends here ---
>Release-Note:
>Audit-Trail:
>Unformatted:
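Review bot: the new loop condition in the first src/cddb.c hunk (`while(query->query_matches < MAX_INEXACT_MATCHES && !cddb_read_line(sock, inbuffer, 256))`) stops reading as soon as the cap is reached, which leaves every remaining line of the server's reply unread on sock; if the connection is used for another command afterwards, the next read starts in the middle of this reply. Consider keeping the read loop running to the end of the reply and only guarding the store, e.g. `if (query->query_matches < MAX_INEXACT_MATCHES)` around the code that fills query_list, so excess matches are consumed and discarded rather than left in the stream. The operand order is right as written: the cap is tested before cddb_read_line, so no line is read and then dropped silently.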
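Review bot: the second src/cddb.c hunk only enlarges the allocation (`malloc(256)` to `malloc(512)`); nothing in the hunk bounds the writes into inbuffer that CVE-2008-5030 describes as overflowing on long CDDB data, so a record longer than 512 bytes overflows the new buffer exactly as one longer than 256 bytes overflowed the old one. Since the PR presents this hunk as the complete CVE-2008-5030 fix taken from the upstream tracker, please confirm that every read into this inbuffer is passed the buffer size (as `cddb_read_line(sock, inbuffer, 256)` is in the first hunk) and that those sizes were bumped together with the allocation, ideally through one shared constant instead of two literals.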
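Review bot: `if(n >= MAX_INEXACT_MATCHES)` in the first src/coverart.c hunk still lets a negative index through: `n` comes from `strtol((char *)line + 5, NULL, 10)`, which accepts a leading '-' (and leading whitespace), so an "Album-1" line reaches `query->query_list[n]` with n == -1 and writes in front of the array. The guard should be `if (n < 0 || n >= MAX_INEXACT_MATCHES)`; with a NULL endptr, "Album" followed by no digits is also quietly taken as index 0, so passing an endptr and rejecting lines where it does not advance would be tighter still. The empty `// Too much data, can't store it` branch reads oddly in an else-if chain (and is a C99 comment in otherwise C89-style code); inverting the test into the existing condition, `if (n >= 0 && n < MAX_INEXACT_MATCHES && parse_disc_artist && ...)`, avoids it. Not part of this patch but visible in the context: `strncpy(..., (strlen(procbuffer) < 64) ? (strlen(procbuffer) - 1) : 64)` wraps to SIZE_MAX when procbuffer is empty after strtok (a line starting with '/'), and copies exactly 64 bytes with no terminating NUL when the source is 64 bytes or longer, which matters if list_artist is a 64-byte field.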
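Review bot: `if (n < MAX_INEXACT_MATCHES)` in the second src/coverart.c hunk has the same gap as the Album branch: strtol on "Url-1" yields -1, it passes the check, and cddb_process_url is called with `&query->query_list[-1].list_host`. Use `if (n >= 0 && n < MAX_INEXACT_MATCHES)`. The two hunks also express the same check in two shapes (a negative test with an empty body vs. a positive test); one helper or macro used by both, e.g. `VALID_MATCH_INDEX(n)`, would keep them from drifting apart.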
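The index check the two coverart.c hunks are about, carried through as an added example; this is not libcdaudio's code and not part of the patch above. It parses indexed "Album<n>=..." / "Url<n>=..." lines and refuses every index a bare strtol() would hand back as a bad array subscript (negative, past MAX_INEXACT_MATCHES, overflowing, or missing), keeps consuming lines up to the "." terminator after the storage cap is hit so the stream position stays correct, and copies names with a bounded copy that always NUL-terminates. MAX_INEXACT_MATCHES = 16, the struct layout, the "Artist / Title" value format, the "." terminator and the sample response are assumptions constructed for the example.

```c
/* Added example, not libcdaudio's or this PR's code: bounded handling of the
 * indexed "Album<n>=..." / "Url<n>=..." lines coverart.c dispatches on.
 * MAX_INEXACT_MATCHES, the struct layout, the "Artist / Title" value format
 * and the sample response are assumptions made for the example. */
#include <errno.h>
#include <stdlib.h>
#include <string.h>
#define MAX_INEXACT_MATCHES 16 /* assumed; BID 12770 says grip broke past 16 */
#define NAME_LEN 64            /* the 64-byte fields the patch's strncpy implies */

struct match { char artist[NAME_LEN]; char title[NAME_LEN]; char url[256]; };
struct query {
    struct match list[MAX_INEXACT_MATCHES];
    unsigned char used[MAX_INEXACT_MATCHES];
    int matches, dropped; /* distinct indexes stored; lines refused for a bad index */
};

/* Truncating copy that always NUL-terminates, unlike the
 * strncpy(dst, src, strlen(src) - 1 : 64) idiom in the quoted context. */
static void copy_bounded(char *dst, size_t dst_len, const char *src, size_t n)
{
    if (n >= dst_len) n = dst_len - 1;
    memcpy(dst, src, n);
    dst[n] = '\0';
}

/* 1: "<key><n>=<value>" with n in [0, MAX_INEXACT_MATCHES), *idx/*value set.
 * 0: another key.  -1: key matched but the index is unusable.  A bare strtol()
 * accepts "-1", " 7", "" and overflowing digit runs; an unchecked
 * query_list[n] then indexes outside the array or hits the wrong slot. */
static int parse_indexed(const char *line, const char *key, long *idx,
                         const char **value)
{
    size_t klen = strlen(key);
    const char *p = line + klen;
    char *end;
    long n;
    if (strncmp(line, key, klen) != 0) return 0;
    if (*p < '0' || *p > '9') return -1;              /* sign, space, empty */
    errno = 0;
    n = strtol(p, &end, 10);
    if (errno == ERANGE || *end != '=') return -1;    /* overflow or junk */
    if (n < 0 || n >= MAX_INEXACT_MATCHES) return -1; /* out of range */
    *idx = n; *value = end + 1;
    return 1;
}

/* Consume a "."-terminated block, storing at most MAX_INEXACT_MATCHES entries
 * but reading every line up to the terminator so *rest (the caller's stream
 * position) stays right. Returns the number of lines consumed before ".". */
static int collect_matches(const char *response, struct query *q,
                           const char **rest)
{
    char line[512];
    const char *cur = response, *value = NULL, *sep;
    int consumed = 0, rc;
    long n = 0;
    memset(q, 0, sizeof *q);
    while (*cur) {
        const char *nl = strchr(cur, '\n');
        size_t full = nl ? (size_t)(nl - cur) : strlen(cur);
        copy_bounded(line, sizeof line, cur, full);   /* truncates long lines */
        cur += nl ? full + 1 : full;
        if (strcmp(line, ".") == 0) break;            /* end of the list */
        consumed++;
        if ((rc = parse_indexed(line, "Album", &n, &value)) == 1) {
            if ((sep = strstr(value, " / ")) != NULL) {
                copy_bounded(q->list[n].artist, NAME_LEN, value, (size_t)(sep - value));
                copy_bounded(q->list[n].title, NAME_LEN, sep + 3, strlen(sep + 3));
            } else {
                copy_bounded(q->list[n].title, NAME_LEN, value, strlen(value));
            }
        } else if (rc == 0 && (rc = parse_indexed(line, "Url", &n, &value)) == 1) {
            copy_bounded(q->list[n].url, sizeof q->list[n].url, value, strlen(value));
        }
        if (rc == 1 && !q->used[n]) { q->used[n] = 1; q->matches++; }
        else if (rc == -1) q->dropped++;
    }
    *rest = cur;
    return consumed;
}

/* Constructed sample: more lines than slots, plus malformed indexes. */
static const char SAMPLE_RESPONSE[] =
    "Album0=Artist Zero / Title Zero\n"
    "Url0=http://cddb.example.invalid/0\n"
    "Album1=Solo Title One\n"
    "Album-1=Negative index\n"
    "Album16=One past the end\n"
    "Album99999999999999999999=Overflowing index\n"
    "Album=Missing index, would silently land in slot 0\n"
    "Url16=http://cddb.example.invalid/past-end\n"
    "Album2=Artist Two / Title Two\n"
    ".\n"
    "200 next reply on the same connection\n";

static struct query sample_q;
static const char *sample_rest;
/* Runs the sample; returns lines consumed and fills sample_q / sample_rest. */
static int run_sample(void)
{
    return collect_matches(SAMPLE_RESPONSE, &sample_q, &sample_rest);
}
```

run_sample() drives the constructed response and leaves the results in sample_q and sample_rest, which is all a main() of your own needs to call; for the sample it consumes 9 lines, stores 3 distinct matches, refuses 5 lines for a bad index, and leaves the stream positioned at the "200" line that follows the terminator.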
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20081121151750.A37A11AF41B>