Date:      Sun, 22 Mar 2009 19:27:02 +0300 (MSK)
From:      Eygene Ryabinkin <rea-fbsd@codelabs.ru>
To:        FreeBSD-gnats-submit@freebsd.org
Subject:   ports/132938: [vuxml] [patch] audio/amarok: fix and document vulnerabilities in Audible parser
Message-ID:  <20090322162702.E1A3817121@amnesiac.at.no.dns>
Resent-Message-ID: <200903221630.n2MGU1bR065932@freefall.freebsd.org>


>Number:         132938
>Category:       ports
>Synopsis:       [vuxml] [patch] audio/amarok: fix and document vulnerabilities in Audible parser
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun Mar 22 16:30:00 UTC 2009
>Closed-Date:
>Last-Modified:
>Originator:     Eygene Ryabinkin
>Release:        FreeBSD 7.2-PRERELEASE amd64
>Organization:
Code Labs
>Environment:

System: FreeBSD 7.2-PRERELEASE amd64

>Description:

Tobias Klein from TrapKit found vulnerabilities in the Audible
media format parser: [1].  Upstream has patched the source and
confirmed the existence of the reported holes: [2].

>How-To-Repeat:

[1] http://trapkit.de/advisories/TKADV2009-002.txt
[2] http://websvn.kde.org/?view=rev&revision=908415

>Fix:

The following patch updates the port with the upstream fixes.  It was kindly
tested by Martin Wilke: it builds fine on i386 and amd64 for FreeBSD-6/7/8,
and the new binary works fine.

--- amarok-fix-tkadv2009-004.diff begins here ---
>From f7a8abc13a671b4fc8d66b894ee4b0315dce5743 Mon Sep 17 00:00:00 2001
From: Eygene Ryabinkin <rea-fbsd@codelabs.ru>
Date: Sun, 8 Mar 2009 23:11:21 +0300
 unchecked memory allocations

Signed-off-by: Eygene Ryabinkin <rea-fbsd@codelabs.ru>
---
 audio/amarok/Makefile                  |    2 +-
 audio/amarok/files/patch-tkadv2009-002 |   90 ++++++++++++++++++++++++++++++++
 2 files changed, 91 insertions(+), 1 deletions(-)
 create mode 100644 audio/amarok/files/patch-tkadv2009-002

diff --git a/audio/amarok/Makefile b/audio/amarok/Makefile
index feb3263..684fbdc 100644
--- a/audio/amarok/Makefile
+++ b/audio/amarok/Makefile
@@ -6,7 +6,7 @@
 
 PORTNAME=	amarok
 PORTVERSION=	1.4.10
-PORTREVISION=	2
+PORTREVISION=	3
 CATEGORIES=	audio kde
 MASTER_SITES=	${MASTER_SITE_KDE}
 MASTER_SITE_SUBDIR=	stable/${PORTNAME}/${PORTVERSION}/src
diff --git a/audio/amarok/files/patch-tkadv2009-002 b/audio/amarok/files/patch-tkadv2009-002
new file mode 100644
index 0000000..15f4dbb
--- /dev/null
+++ b/audio/amarok/files/patch-tkadv2009-002
@@ -0,0 +1,90 @@
+This is the patch for TKADV2009-002: multiple integer overflows
+and unchecked allocation vulnerabilities in Audible files parser,
+  http://trapkit.de/advisories/TKADV2009-002.txt
+
+Obtained from: http://websvn.kde.org/branches/stable/extragear/multimedia/amarok/src/metadata/audible/audibletag.cpp?r1=908415&r2=908414&pathrev=908415&view=patch
+--- amarok/src/metadata/audible/audibletag.cpp	2009/01/09 17:36:52	908414
++++ amarok/src/metadata/audible/audibletag.cpp	2009/01/09 17:38:50	908415
+@@ -71,7 +71,8 @@
+ {
+     char buf[1023];
+     fseek(fp, OFF_PRODUCT_ID, SEEK_SET);
+-    fread(buf, strlen("product_id"), 1, fp);
++    if (fread(buf, strlen("product_id"), 1, fp) != 1)
++        return;
+     if(memcmp(buf, "product_id", strlen("product_id")))
+     {
+         buf[20]='\0';
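Review bot: in the error branch right after the new check, `buf[20]='\0';` terminates the buffer ten bytes past the data that was actually read: only strlen("product_id") == 10 bytes are copied into buf, so bytes 10..19 are uninitialized stack memory if buf is then used as a string. Terminate at `buf[strlen("product_id")] = '\0';` or zero buf before the fread. The early `return;` on a short read fixes the unchecked fread, but because the function returns void the failure is silent; if callers rely on state set later in this function to detect a non-Audible file, record the failure here the same way the memcmp branch does.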
+@@ -130,24 +131,65 @@
+ 
+ bool Audible::Tag::readTag( FILE *fp, char **name, char **value)
+ {
++    // arbitrary value that has to be smaller than 2^32-1 and that should be large enough for all tags                                                                                         
++    const uint32_t maxtaglen = 100000;    
++
+     uint32_t nlen;
+-    fread(&nlen, sizeof(nlen), 1, fp);
++    if (fread(&nlen, sizeof(nlen), 1, fp) != 1)
++        return false;
+     nlen = ntohl(nlen);
+     //fprintf(stderr, "tagname len=%x\n", (unsigned)nlen);
+-    *name = new char[nlen+1];
+-    (*name)[nlen] = '\0';
++    if (nlen > maxtaglen)
++        return false;
+ 
+     uint32_t vlen;
+-    fread(&vlen, sizeof(vlen), 1, fp);
++    if (fread(&vlen, sizeof(vlen), 1, fp) != 1)
++        return false;
+     vlen = ntohl(vlen);
+     //fprintf(stderr, "tag len=%x\n", (unsigned)vlen);
++    if (vlen > maxtaglen)
++        return false;
++
++    *name = new char[nlen+1];
++    if (!*name)
++        return false;
++        
+     *value = new char[vlen+1];
++    if (!*value)
++    {
++        delete[] *name;
++        *name = 0;
++        return false;
++    }
++
++    (*name)[nlen] = '\0';
+     (*value)[vlen] = '\0';
+ 
+-    fread(*name, nlen, 1, fp);
+-    fread(*value, vlen, 1, fp);
++    if (fread(*name, nlen, 1, fp) != 1)
++    {
++        delete[] *name;
++        *name = 0;
++        delete[] *value;
++        *value = 0;
++        return false;
++    }
++    if (fread(*value, vlen, 1, fp) != 1)
++    {
++        delete[] *name;
++        *name = 0;
++        delete[] *value;
++        *value = 0;
++        return false;
++    }
+     char lasttag;
+-    fread(&lasttag, 1, 1, fp);
++    if (fread(&lasttag, 1, 1, fp) != 1)
++    {
++        delete[] *name;
++        *name = 0;
++        delete[] *value;
++        *value = 0;
++        return false;
++    }
+     //fprintf(stderr, "%s: \"%s\"\n", *name, *value);
+ 
+     m_tagsEndOffset += 2 * 4 + nlen + vlen + 1;
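Review bot: the `if (!*name)` and `if (!*value)` checks after `*name = new char[nlen+1];` and `*value = new char[vlen+1];` are dead code: plain `new[]` throws std::bad_alloc on failure instead of returning a null pointer, so on allocation failure the exception propagates and the `delete[] *name;` cleanup on the value path never runs. Use `new (std::nothrow) char[nlen+1]` if null checks are intended, or wrap the two allocations in a try block. Separately, the early `return false;` paths at `nlen > maxtaglen` and `vlen > maxtaglen` leave *name and *value unassigned, while every later failure path nulls them; set `*name = *value = 0;` at function entry so a caller can `delete[]` unconditionally after a false return. The four identical cleanup blocks would be clearer as one local helper or a single failure label, and the `maxtaglen` comment and declaration lines carry trailing whitespace.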
-- 
1.6.1.3
--- amarok-fix-tkadv2009-004.diff ends here ---

The following VuXML entry should be evaluated and added:
--- vuln.xml begins here ---
  <vuln vid="ae652ae3-0c1b-11de-b26a-001fc66e7203">
    <topic>amarok -- multiple integer overflows and unchecked memory allocations</topic>
    <affects>
      <package>
        <name>amarok</name>
        <range><lt>1.4.10_3</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>Tobias Klein reports:</p>
        <blockquote
          cite="http://trapkit.de/advisories/TKADV2009-002.txt">
          <p>Amarok contains several integer overflows and unchecked
          allocation vulnerabilities while parsing malformed Audible
          digital audio files.  The vulnerabilities may be exploited by
          a (remote) attacker to execute arbitrary code in the context
          of Amarok.</p>
        </blockquote>
      </body>
    </description>
    <references>
      <cvename>CVE-2009-0135</cvename>
      <cvename>CVE-2009-0136</cvename>
      <bid>33210</bid>
      <url>http://trapkit.de/advisories/TKADV2009-002.txt</url>
    </references>
    <dates>
      <discovery>2009-01-11</discovery>
      <entry>TODAY</entry>
    </dates>
  </vuln>
--- vuln.xml ends here ---
>Release-Note:
>Audit-Trail:
>Unformatted:
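Added example (not part of this PR, the upstream commit or Amarok itself): a
minimal C re-creation of the tag-reading logic the patch above hardens, showing
why the pre-patch arithmetic is exploitable and what the checked version must
do.  The Audible tag layout (big-endian 32-bit name length, 32-bit value length,
name bytes, value bytes, one trailing byte) is taken from the hunk; the
in-memory reader, the MAXTAGLEN constant and all sample inputs are constructed
here for illustration and are not taken from a real Audible file.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the FILE* the real parser uses: a byte buffer
 * plus a cursor, so the example runs offline without fmemopen(). */
typedef struct { const uint8_t *data; size_t len; size_t pos; } mem_t;

/* Like fread(dst, n, 1, fp): 1 on a full read, 0 otherwise. */
static int mem_read(mem_t *m, void *dst, size_t n) {
    if (n > m->len - m->pos) return 0;
    memcpy(dst, m->data + m->pos, n);
    m->pos += n;
    return 1;
}

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Pre-patch arithmetic: new char[nlen+1] with a uint32_t nlen.  For
 * nlen == 0xFFFFFFFF the sum wraps to 0, so a zero-byte block is allocated
 * and (*name)[nlen] = '\0' plus fread(*name, nlen, 1, fp) then write far
 * outside it.  Returns the size the allocator would have been asked for. */
size_t unchecked_alloc_size(uint32_t nlen) {
    return (size_t)(uint32_t)(nlen + 1u);
}

/* Assumed upper bound, mirroring the patch's maxtaglen. */
#define MAXTAGLEN 100000u

static void drop(char **name, char **value) {
    free(*name);  *name = NULL;
    free(*value); *value = NULL;
}

/* Hardened reader: every read is checked, both lengths are bounded before
 * any allocation, and *name/*value are NULL on every failure path so the
 * caller can free them unconditionally.  Returns 1 on success, 0 on error. */
int read_tag(mem_t *m, char **name, char **value) {
    uint8_t hdr[4];
    uint32_t nlen, vlen;
    char lasttag;

    *name = NULL;
    *value = NULL;

    if (!mem_read(m, hdr, 4)) return 0;
    nlen = be32(hdr);
    if (nlen > MAXTAGLEN) return 0;          /* also rules out nlen+1 wrapping */

    if (!mem_read(m, hdr, 4)) return 0;
    vlen = be32(hdr);
    if (vlen > MAXTAGLEN) return 0;

    *name = malloc((size_t)nlen + 1);
    if (!*name) return 0;
    *value = malloc((size_t)vlen + 1);
    if (!*value) { drop(name, value); return 0; }

    if (!mem_read(m, *name, nlen) ||
        !mem_read(m, *value, vlen) ||
        !mem_read(m, &lasttag, 1)) {
        drop(name, value);                   /* truncated file: no half-filled tag */
        return 0;
    }
    (*name)[nlen] = '\0';
    (*value)[vlen] = '\0';
    return 1;
}

/* Convenience wrapper so a whole constructed buffer can be parsed in one call. */
int parse_sample(const uint8_t *data, size_t len, char **name, char **value) {
    mem_t m = { data, len, 0 };
    return read_tag(&m, name, value);
}

/* Constructed sample inputs. */
const uint8_t kGoodTag[]  = { 0,0,0,5, 0,0,0,3, 't','i','t','l','e', 'f','o','o', 0 };
const uint8_t kWrapTag[]  = { 0xff,0xff,0xff,0xff, 0,0,0,0 };   /* nlen+1 wraps to 0 */
const uint8_t kShortTag[] = { 0,0,0,5, 0,0,0,3, 't','i' };       /* truncated name */
```

With the pre-patch logic, kWrapTag would allocate zero bytes and then write at
offset 0xFFFFFFFF; the hardened reader rejects it before allocating, and
rejects kShortTag instead of returning a partially filled, un-terminated tag.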
