From: Eygene Ryabinkin
To: FreeBSD-gnats-submit@freebsd.org
X-GNATS-Notify: freebsd-security@freebsd.org, novel@freebsd.org
Date: Fri, 21 Nov 2008 18:17:50 +0300 (MSK)
Message-Id: <20081121151750.A37A11AF41B@void.codelabs.ru>
Subject: ports/129050: [vuxml] [patch] audio/libcdaudio: fix CVE-2005-0706 and CVE-2008-5030

>Number: 129050
>Category: ports
>Synopsis: [vuxml] [patch] audio/libcdaudio: fix CVE-2005-0706 and CVE-2008-5030
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Fri Nov 21 15:20:01 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator: Eygene Ryabinkin
>Release: FreeBSD 7.1-PRERELEASE i386
>Organization: Code Labs
>Environment:
System: FreeBSD 7.1-PRERELEASE i386
>Description:
There are at least two issues with libcdaudio's CDDB stuff:

http://www.securityfocus.com/bid/12770
http://www.securityfocus.com/bid/32122

-----
Heap-based buffer overflow in the cddb_read_disc_data function in cddb.c in libcdaudio 0.99.12p2 allows remote attackers to execute arbitrary code via long CDDB data.

Buffer overflow in discdb.c for grip 3.1.2 allows attackers to cause a denial of service (crash) and possibly execute arbitrary code by causing the cddb lookup to return more matches than expected.
-----

The latter programming error also lives inside libcdaudio's code.
>How-To-Repeat: See http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0706 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5030 >Fix: The following patch brings the fixes to the FreeBSD port: --- libcdaudio-0.99.12p2-fix-CVE-2008-5030.2005-0706.diff begins here --- diff -urN ./Makefile ../libcdaudio/Makefile --- ./Makefile 2008-11-21 17:04:39.000000000 +0300 +++ ../libcdaudio/Makefile 2008-11-21 17:04:52.000000000 +0300 @@ -7,7 +7,7 @@ PORTNAME= libcdaudio PORTVERSION= 0.99.12p2 -PORTREVISION= 1 +PORTREVISION= 2 CATEGORIES= audio MASTER_SITES= ${MASTER_SITE_SOURCEFORGE} MASTER_SITE_SUBDIR= ${PORTNAME} diff -urN ./files/patch-CVE-2008-5030.2005-0706 ../libcdaudio/files/patch-CVE-2008-5030.2005-0706 --- ./files/patch-CVE-2008-5030.2005-0706 1970-01-01 03:00:00.000000000 +0300 +++ ../libcdaudio/files/patch-CVE-2008-5030.2005-0706 2008-11-21 17:45:03.000000000 +0300 
@@ -0,0 +1,58 @@ +CVE-2008-5030 fix +================= + +Fix contents: second hunk for src/cddb.c +Obtained from: http://sourceforge.net/tracker/download.php?group_id=27134&atid=389442&file_id=148743&aid=1288043 + + +CVE-2005-0706 fix +================= + +Fix contents: first hunk for src/cddb.c and complete diff for src/coverart.c +Based on: http://sourceforge.net/tracker/download.php?group_id=3714&atid=303714&file_id=124892&aid=1160134 + +--- src/cddb.c.orig 2004-09-09 05:26:39.000000000 +0400 ++++ src/cddb.c 2008-11-21 17:33:50.000000000 +0300 +@@ -1052,7 +1052,8 @@ + } + + query->query_matches = 0; +- while(!cddb_read_line(sock, inbuffer, 256)) { ++ while(query->query_matches < MAX_INEXACT_MATCHES && ++ !cddb_read_line(sock, inbuffer, 256)) { + slashed = 0; + if(strchr(inbuffer, '/') != NULL && parse_disc_artist) { + index = 0; +@@ -1601,7 +1602,7 @@ + return -1; + } + +- if((inbuffer = malloc(256)) == NULL) { ++ if((inbuffer = malloc(512)) == NULL) { + free(root_dir); + free(file); + return -1; +--- src/coverart.c.orig 2008-11-21 17:36:39.000000000 +0300 ++++ src/coverart.c 2008-11-21 17:39:41.000000000 +0300 +@@ -131,7 +131,9 @@ + } + } else if(strncmp(line, "Album", 5) == 0) { + long n = strtol((char *)line + 5, NULL, 10); +- if(parse_disc_artist && strchr(procbuffer, '/') != NULL) { ++ if(n >= MAX_INEXACT_MATCHES) { ++ // Too much data, can't store it ++ } else if(parse_disc_artist && strchr(procbuffer, '/') != NULL) { + strtok(procbuffer, "/"); + strncpy(query->query_list[n].list_artist, procbuffer, + (strlen(procbuffer) < 64) ? 
(strlen(procbuffer) - 1) : 64); +@@ -143,7 +145,9 @@ + } + } else if(strncmp(line, "Url", 3) == 0) { + long n = strtol((char *)line + 3, NULL, 10); +- cddb_process_url(&query->query_list[n].list_host, procbuffer); ++ if (n < MAX_INEXACT_MATCHES) { ++ cddb_process_url(&query->query_list[n].list_host, procbuffer); ++ } + } + + return; --- libcdaudio-0.99.12p2-fix-CVE-2008-5030.2005-0706.diff ends here --- The fix for CVE-2005-0706 was based on the Grip's original fix [1], but I had found that the same programming error exists in the coverart.c. Now I am trying to investigate if this error is known (with the Mandriva security officer, since I had initially found this issue via reading MDVSA-2008:233 [2]). Still, issue in coverart.c seem to be of a same kind as the cddb.c's one. [1] http://sourceforge.net/tracker/index.php?func=detail&aid=1160134&group_id=3714&atid=303714 [2] http://www.mandriva.com/en/security/advisories?name=MDVSA-2008:233 The following VuXML entry should be evaluated and added: --- vuln.xml begins here --- libcdaudio -- remote buffer overflow and code execution libcdaudio 0.99.12p2_2

SecurityFocus vulnerability database says:

The 'libcdaudio' library is prone to a remote heap buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied input before copying it to an insufficiently sized buffer.

Attackers can exploit this issue to execute arbitrary code in the context of an application that uses the library. Failed attacks will cause denial-of-service conditions.

This issue affects libcdaudio 0.99.12p2; other versions may also be affected.

A buffer-overflow in Grip occurs when the software processes a response to a CDDB query that has more than 16 matches.

To exploit this issue, an attacker must be able to influence the response to a CDDB query, either by controlling a malicious CDDB server or through some other means. Successful exploits will allow arbitrary code to run.

The same code as for the Grip vulnerability was found in the libcdaudio library, so it is affected by the similar issues.

References:
  CVE: CVE-2008-5030
  CVE: CVE-2005-0706
  BID: 32122
  BID: 12770
  URL: http://sourceforge.net/tracker/index.php?func=detail&aid=1288043&group_id=27134&atid=389442
  URL: http://sourceforge.net/tracker/index.php?func=detail&aid=834724&group_id=3714&atid=103714
Date: 2008-11-05
--- vuln.xml ends here ---
>Release-Note:
>Audit-Trail:
>Unformatted:
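Review bot: in the src/cddb.c hunk at @@ -1052, adding `query->query_matches < MAX_INEXACT_MATCHES` to the while condition stops the read loop as soon as the list is full, which is before the server's response has been fully consumed: any remaining match lines and the terminating line stay unread on `sock`, so a later command on the same connection can see them as its own reply. Consider keeping the loop reading to the end of the response and only skipping the store once the limit is reached, e.g. `if(query->query_matches < MAX_INEXACT_MATCHES) { ... store the match ... }` inside the loop body. Since `query_matches` is reset to 0 right before the loop, please also confirm it is the index used for `query_list` inside the loop; the new bound only protects that array if it is.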
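Review bot: the src/cddb.c hunk at @@ -1601 only enlarges the `inbuffer` allocation from 256 to 512 bytes; nothing in the hunk bounds the reads or copies into it, so unless every read into `inbuffer` in that function now passes a size of at most 512 the overflow is moved rather than removed. Please show the lines that fill `inbuffer`, and prefer a single named size (a `#define` shared by the `malloc` and the reads) so the allocation and the read length cannot drift apart again.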
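Review bot: in the src/coverart.c hunk at @@ -131, `n` comes from `strtol()` and can be negative (a line such as `Album-1`), yet the new guard is only `n >= MAX_INEXACT_MATCHES`, so `query->query_list[n]` can still be indexed before the start of the array. Change it to `if(n < 0 || n >= MAX_INEXACT_MATCHES)`; passing an end pointer to `strtol` and checking it against `line + 5` would additionally reject a non-numeric suffix, which `strtol` silently turns into 0. The empty-bodied `if` carrying a `//` comment reads awkwardly in this C89-style file; a `/* ... */` comment, or inverting the condition so the store sits inside the guarded branch, would match the surrounding code. Visible in the context but not part of the change: the `strncpy(..., (strlen(procbuffer) < 64) ? (strlen(procbuffer) - 1) : 64)` copies 64 bytes without leaving room for a terminator when the input is long, if `list_artist` is 64 bytes wide.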
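Review bot: the src/coverart.c hunk at @@ -143 has the same gap as the Album hunk: `if (n < MAX_INEXACT_MATCHES)` still accepts a negative `n` from `strtol`, so `query->query_list[n].list_host` can be written below the array. Use `if(n >= 0 && n < MAX_INEXACT_MATCHES)`, and since both hunks validate the same index, a small helper such as `static int valid_match_index(long n)` would keep the two checks identical. Minor: `if (n` here versus `if(n` in the hunk above; the file uses the latter.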
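To make the pattern behind both CVEs concrete, here is an added example (not code from the port or from libcdaudio) of the per-match bookkeeping the patched loop and the `Album<n>` handlers need, written against a constructed `Album<n>=<value>` line format and an assumed MAX_INEXACT_MATCHES of 16: every slot number is checked against both ends of the fixed array before it is used as an index, and every copy into a field is bounded and NUL-terminated.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>

#define MAX_INEXACT_MATCHES 16  /* assumed value for the constant named in the patch */
#define FIELD_LEN 64            /* field width used by the coverart.c strncpy */

struct query { int matches; char list[MAX_INEXACT_MATCHES][FIELD_LEN]; };

/* Copy src into a fixed field of size n, truncating and always NUL-terminating
 * (strncpy with n == FIELD_LEN leaves a 64-byte value unterminated). */
static void copy_field(char *dst, const char *src, size_t n)
{
    size_t len = strlen(src);
    if (len > n - 1)
        len = n - 1;
    memcpy(dst, src, len);
    dst[len] = '\0';
}

/* Slot number of a constructed "Album<n>=<value>" line, or -1 unless n is numeric
 * and in 0..MAX_INEXACT_MATCHES-1. A bare "n >= MAX" test would still admit n < 0. */
long album_slot(const char *line, const char **value)
{
    char *end;
    if (strncmp(line, "Album", 5) != 0)
        return -1;
    errno = 0;
    long n = strtol(line + 5, &end, 10);
    if (errno != 0 || end == line + 5 || *end != '=' || n < 0 || n >= MAX_INEXACT_MATCHES)
        return -1;
    *value = end + 1;
    return n;
}

/* Store the "Album" lines of a server response in q and return how many were
 * kept; lines with an unusable slot are dropped rather than overrunning list[]. */
int parse_album_lines(struct query *q, const char *const *lines, int nlines)
{
    memset(q, 0, sizeof *q);
    for (int i = 0; i < nlines; i++) {
        const char *value;
        long n = album_slot(lines[i], &value);
        if (n < 0)
            continue;
        copy_field(q->list[n], value, FIELD_LEN);   /* bounded, unlike the raw copy */
        q->matches++;
    }
    return q->matches;
}
```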