Date: Sun, 22 Mar 2009 19:27:02 +0300 (MSK) From: Eygene Ryabinkin <rea-fbsd@codelabs.ru> To: FreeBSD-gnats-submit@freebsd.org Subject: ports/132938: [vuxml] [patch] audio/amarok: fix and document vulnerabilities in Audible parser Message-ID: <20090322162702.E1A3817121@amnesiac.at.no.dns> Resent-Message-ID: <200903221630.n2MGU1bR065932@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help
>Number: 132938 >Category: ports >Synopsis: [vuxml] [patch] audio/amarok: fix and document vulnerabilities in Audible parser >Confidential: no >Severity: critical >Priority: high >Responsible: freebsd-ports-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: sw-bug >Submitter-Id: current-users >Arrival-Date: Sun Mar 22 16:30:00 UTC 2009 >Closed-Date: >Last-Modified: >Originator: Eygene Ryabinkin >Release: FreeBSD 7.2-PRERELEASE amd64 >Organization: Code Labs >Environment: System: FreeBSD 7.2-PRERELEASE amd64 >Description: Tobias Klein from TrapKit found vulnerabilities in the Audible media format parser: [1]. Upstream had patched the source and confirmed the existence of the found holes: [2]. >How-To-Repeat: [1] http://trapkit.de/advisories/TKADV2009-002.txt [2] http://websvn.kde.org/?view=rev&revision=908415 >Fix: The following patch updates the port with upstream fixes. It was kindly tested by Martin Wilke: builds fine on i386 and amd64 for FreeBSD-6/7/8, new binary works fine. --- amarok-fix-tkadv2009-004.diff begins here --- >From f7a8abc13a671b4fc8d66b894ee4b0315dce5743 Mon Sep 17 00:00:00 2001 From: Eygene Ryabinkin <rea-fbsd@codelabs.ru> Date: Sun, 8 Mar 2009 23:11:21 +0300 unchecked memory allocations Signed-off-by: Eygene Ryabinkin <rea-fbsd@codelabs.ru> --- audio/amarok/Makefile | 2 +- audio/amarok/files/patch-tkadv2009-002 | 90 ++++++++++++++++++++++++++++++++ 2 files changed, 91 insertions(+), 1 deletions(-) create mode 100644 audio/amarok/files/patch-tkadv2009-002 diff --git a/audio/amarok/Makefile b/audio/amarok/Makefile index feb3263..684fbdc 100644 --- a/audio/amarok/Makefile +++ b/audio/amarok/Makefile @@ -6,7 +6,7 @@ PORTNAME= amarok PORTVERSION= 1.4.10 -PORTREVISION= 2 +PORTREVISION= 3 CATEGORIES= audio kde MASTER_SITES= ${MASTER_SITE_KDE} MASTER_SITE_SUBDIR= stable/${PORTNAME}/${PORTVERSION}/src diff --git a/audio/amarok/files/patch-tkadv2009-002 b/audio/amarok/files/patch-tkadv2009-002 new file mode 100644 index 0000000..15f4dbb --- /dev/null +++ b/audio/amarok/files/patch-tkadv2009-002 @@ -0,0 +1,90 @@ +This is the patch for TKADV2009-002: multiple integer overflows +and unchecked allocation vulnerabilities in Audible files parser, + http://trapkit.de/advisories/TKADV2009-002.txt + +Obtained from: http://websvn.kde.org/branches/stable/extragear/multimedia/amarok/src/metadata/audible/audibletag.cpp?r1=908415&r2=908414&pathrev=908415&view=patch +--- amarok/src/metadata/audible/audibletag.cpp 2009/01/09 17:36:52 908414 ++++ amarok/src/metadata/audible/audibletag.cpp 2009/01/09 17:38:50 908415 +@@ -71,7 +71,8 @@ + { + char buf[1023]; + fseek(fp, OFF_PRODUCT_ID, SEEK_SET); +- fread(buf, strlen("product_id"), 1, fp); ++ if (fread(buf, strlen("product_id"), 1, fp) != 1) ++ return; + if(memcmp(buf, "product_id", strlen("product_id"))) + { + buf[20]='\0'; +@@ -130,24 +131,65 @@ + + bool Audible::Tag::readTag( FILE *fp, char **name, char **value) + { ++ // arbitrary value that has to be smaller than 2^32-1 and that should be large enough for all tags ++ const uint32_t maxtaglen = 100000; ++ + uint32_t nlen; +- fread(&nlen, sizeof(nlen), 1, fp); ++ if (fread(&nlen, sizeof(nlen), 1, fp) != 1) ++ return false; + nlen = ntohl(nlen); + //fprintf(stderr, "tagname len=%x\n", (unsigned)nlen); +- *name = new char[nlen+1]; +- (*name)[nlen] = '\0'; ++ if (nlen > maxtaglen) ++ return false; + + uint32_t vlen; +- fread(&vlen, sizeof(vlen), 1, fp); ++ if (fread(&vlen, sizeof(vlen), 1, fp) != 1) ++ return false; + vlen = ntohl(vlen); + //fprintf(stderr, "tag len=%x\n", (unsigned)vlen); ++ if (vlen > maxtaglen) ++ return false; ++ ++ *name = new char[nlen+1]; ++ if (!*name) ++ return false; ++ + *value = new char[vlen+1]; ++ if (!*value) ++ { ++ delete[] *name; ++ *name = 0; ++ return false; ++ } ++ ++ (*name)[nlen] = '\0'; + (*value)[vlen] = '\0'; + +- fread(*name, nlen, 1, fp); +- fread(*value, vlen, 1, fp); ++ if (fread(*name, nlen, 1, fp) != 1) ++ { ++ delete[] *name; ++ *name = 0; ++ delete[] *value; ++ *value = 0; ++ return false; ++ } ++ if (fread(*value, vlen, 1, fp) != 1) ++ { ++ delete[] *name; ++ *name = 0; ++ delete[] *value; ++ *value = 0; ++ return false; ++ } + char lasttag; +- fread(&lasttag, 1, 1, fp); ++ if (fread(&lasttag, 1, 1, fp) != 1) ++ { ++ delete[] *name; ++ *name = 0; ++ delete[] *value; ++ *value = 0; ++ return false; ++ } + //fprintf(stderr, "%s: \"%s\"\n", *name, *value); + + m_tagsEndOffset += 2 * 4 + nlen + vlen + 1; -- 1.6.1.3 --- amarok-fix-tkadv2009-004.diff ends here --- The following VuXML entry should be evaluated and added: --- vuln.xml begins here --- <vuln vid="ae652ae3-0c1b-11de-b26a-001fc66e7203"> <topic>amarok -- multiple integer overflows and unchecked memory allocations</topic> <affects> <package> <name>amarok</name> <range><lt>1.4.10_3</lt></range> </package> </affects> <description> <body xmlns="http://www.w3.org/1999/xhtml">; <p>Tobias Klein reports:</p> <blockquote cite="http://trapkit.de/advisories/TKADV2009-002.txt">; <p>Amarok contains several integer overflows and unchecked allocation vulnerabilities while parsing malformed Audible digital audio files. The vulnerabilities may be exploited by a (remote) attacker to execute arbitrary code in the context of Amarok.</p> </blockquote> </body> </description> <references> <cvename>CVE-2009-0135</cvename> <cvename>CVE-2009-0136</cvename> <bid>33210</bid> <url>http://trapkit.de/advisories/TKADV2009-002.txt</url>; </references> <dates> <discovery>2009-01-11</discovery> <entry>TODAY</entry> </dates> </vuln> --- vuln.xml ends here --- >Release-Note: >Audit-Trail: >Unformatted:
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20090322162702.E1A3817121>