From owner-freebsd-ports-bugs@FreeBSD.ORG Sun Mar 22 16:30:01 2009
Message-Id: <20090322162702.E1A3817121@amnesiac.at.no.dns>
Date: Sun, 22 Mar 2009 19:27:02 +0300 (MSK)
From: Eygene Ryabinkin
To: FreeBSD-gnats-submit@freebsd.org
X-GNATS-Notify: miwi@freebsd.org, makc@freebsd.org
Subject: ports/132938: [vuxml] [patch] audio/amarok: fix and document vulnerabilities in Audible parser

>Number:         132938
>Category:       ports
>Synopsis:       [vuxml] [patch] audio/amarok: fix and document vulnerabilities in Audible parser
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun Mar 22 16:30:00 UTC 2009
>Closed-Date:
>Last-Modified:
>Originator:     Eygene Ryabinkin
>Release:        FreeBSD 7.2-PRERELEASE amd64
>Organization:   Code Labs
>Environment:
System: FreeBSD 7.2-PRERELEASE amd64
>Description:
Tobias Klein from TrapKit found vulnerabilities in the Audible media format parser: [1]. Upstream had patched the source and confirmed the existence of the found holes: [2].
>How-To-Repeat:
[1] http://trapkit.de/advisories/TKADV2009-002.txt
[2] http://websvn.kde.org/?view=rev&revision=908415
>Fix:
The following patch updates the port with upstream fixes. It was kindly tested by Martin Wilke: builds fine on i386 and amd64 for FreeBSD-6/7/8, new binary works fine.

--- amarok-fix-tkadv2009-004.diff begins here ---
>From f7a8abc13a671b4fc8d66b894ee4b0315dce5743 Mon Sep 17 00:00:00 2001
From: Eygene Ryabinkin
Date: Sun, 8 Mar 2009 23:11:21 +0300
unchecked memory allocations
Signed-off-by: Eygene Ryabinkin --- audio/amarok/Makefile | 2 +- audio/amarok/files/patch-tkadv2009-002 | 90 ++++++++++++++++++++++++++++++++ 2 files changed, 91 insertions(+), 1 deletions(-) create mode 100644 audio/amarok/files/patch-tkadv2009-002 diff --git a/audio/amarok/Makefile b/audio/amarok/Makefile index feb3263..684fbdc 100644 --- a/audio/amarok/Makefile +++ b/audio/amarok/Makefile @@ -6,7 +6,7 @@ PORTNAME= amarok PORTVERSION= 1.4.10 -PORTREVISION= 2 +PORTREVISION= 3 CATEGORIES= audio kde MASTER_SITES= ${MASTER_SITE_KDE} MASTER_SITE_SUBDIR= stable/${PORTNAME}/${PORTVERSION}/src diff --git a/audio/amarok/files/patch-tkadv2009-002 b/audio/amarok/files/patch-tkadv2009-002 new file mode 100644 index 0000000..15f4dbb --- /dev/null +++ b/audio/amarok/files/patch-tkadv2009-002 
@@ -0,0 +1,90 @@ +This is the patch for TKADV2009-002: multiple integer overflows +and unchecked allocation vulnerabilities in Audible files parser, + http://trapkit.de/advisories/TKADV2009-002.txt + +Obtained from: http://websvn.kde.org/branches/stable/extragear/multimedia/amarok/src/metadata/audible/audibletag.cpp?r1=908415&r2=908414&pathrev=908415&view=patch +--- amarok/src/metadata/audible/audibletag.cpp 2009/01/09 17:36:52 908414 ++++ amarok/src/metadata/audible/audibletag.cpp 2009/01/09 17:38:50 908415 +@@ -71,7 +71,8 @@ + { + char buf[1023]; + fseek(fp, OFF_PRODUCT_ID, SEEK_SET); +- fread(buf, strlen("product_id"), 1, fp); ++ if (fread(buf, strlen("product_id"), 1, fp) != 1) ++ return; + if(memcmp(buf, "product_id", strlen("product_id"))) + { + buf[20]='\0'; +@@ -130,24 +131,65 @@ + + bool Audible::Tag::readTag( FILE *fp, char **name, char **value) + { ++ // arbitrary value that has to be smaller than 2^32-1 and that should be large enough for all tags ++ const uint32_t maxtaglen = 100000; ++ + uint32_t nlen; +- fread(&nlen, sizeof(nlen), 1, fp); ++ if (fread(&nlen, sizeof(nlen), 1, fp) != 1) ++ return false; + nlen = ntohl(nlen); + //fprintf(stderr, "tagname len=%x\n", (unsigned)nlen); +- *name = new char[nlen+1]; +- (*name)[nlen] = '\0'; ++ if (nlen > maxtaglen) ++ return false; + + uint32_t vlen; +- fread(&vlen, sizeof(vlen), 1, fp); ++ if (fread(&vlen, sizeof(vlen), 1, fp) != 1) ++ return false; + vlen = ntohl(vlen); + //fprintf(stderr, "tag len=%x\n", (unsigned)vlen); ++ if (vlen > maxtaglen) ++ return false; ++ ++ *name = new char[nlen+1]; ++ if (!*name) ++ return false; ++ + *value = new char[vlen+1]; ++ if (!*value) ++ { ++ delete[] *name; ++ *name = 0; ++ return false; ++ } ++ ++ (*name)[nlen] = '\0'; + (*value)[vlen] = '\0'; + +- fread(*name, nlen, 1, fp); +- fread(*value, vlen, 1, fp); ++ if (fread(*name, nlen, 1, fp) != 1) ++ { ++ delete[] *name; ++ *name = 0; ++ delete[] *value; ++ *value = 0; ++ return false; ++ } ++ if (fread(*value, vlen, 1, 
fp) != 1) ++ { ++ delete[] *name; ++ *name = 0; ++ delete[] *value; ++ *value = 0; ++ return false; ++ } + char lasttag; +- fread(&lasttag, 1, 1, fp); ++ if (fread(&lasttag, 1, 1, fp) != 1) ++ { ++ delete[] *name; ++ *name = 0; ++ delete[] *value; ++ *value = 0; ++ return false; ++ } + //fprintf(stderr, "%s: \"%s\"\n", *name, *value); + + m_tagsEndOffset += 2 * 4 + nlen + vlen + 1; -- 1.6.1.3 --- amarok-fix-tkadv2009-004.diff ends here --- The following VuXML entry should be evaluated and added: --- vuln.xml begins here --- amarok -- multiple integer overflows and unchecked memory allocations amarok 1.4.10_3
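Review bot: in the @@ -71,7 +71,8 @@ hunk of audibletag.cpp the early `return` on a short fread is the right shape, but the `fseek(fp, OFF_PRODUCT_ID, SEEK_SET)` just above it is still unchecked, and on the mismatch branch `buf[20]='\0'` terminates the buffer ten bytes past what was actually read (only strlen("product_id") bytes land in the uninitialised `char buf[1023]`), so whatever that branch does with buf sees ten read bytes followed by ten indeterminate ones. Check the fseek result too, and terminate at the number of bytes actually read rather than at a fixed index.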
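Review bot: in the @@ -130,24 +131,65 @@ hunk the `if (!*name)` and `if (!*value)` tests after `new char[...]` are dead code: plain `new` throws std::bad_alloc instead of returning null, so either allocate with `new (std::nothrow) char[nlen+1]` to make those checks live or drop them and let the exception propagate. What actually closes the advisory's hole is the `maxtaglen` bound now placed before the allocation: in the old order a 32-bit `nlen` of 0xFFFFFFFF made `nlen+1` wrap to 0, `new char[0]` succeeded and `(*name)[nlen] = '\0'` wrote far outside the block; the same bound also keeps `m_tagsEndOffset += 2 * 4 + nlen + vlen + 1` honest. Two smaller points: the four identical `delete[] ... = 0` blocks would be safer as one cleanup path so a future early return cannot miss a pointer, and the returns before the allocations leave `*name`/`*value` untouched, so callers must not assume they are null when readTag returns false.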

Tobias Klein reports:

Amarok contains several integer overflows and unchecked allocation vulnerabilities while parsing malformed Audible digital audio files. The vulnerabilities may be exploited by a (remote) attacker to execute arbitrary code in the context of Amarok.

References: CVE-2009-0135, CVE-2009-0136, BID 33210, http://trapkit.de/advisories/TKADV2009-002.txt
Dates: discovery 2009-01-11, entry TODAY
--- vuln.xml ends here ---
>Release-Note:
>Audit-Trail:
>Unformatted: