ports/132938: [vuxml] [patch] audio/amarok: fix and document vulnerabilities in Audible parser
Eygene Ryabinkin
rea-fbsd at codelabs.ru
Sun Mar 22 16:30:02 UTC 2009
>Number: 132938
>Category: ports
>Synopsis: [vuxml] [patch] audio/amarok: fix and document vulnerabilities in Audible parser
>Confidential: no
>Severity: critical
>Priority: high
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Sun Mar 22 16:30:00 UTC 2009
>Closed-Date:
>Last-Modified:
>Originator: Eygene Ryabinkin
>Release: FreeBSD 7.2-PRERELEASE amd64
>Organization:
Code Labs
>Environment:
System: FreeBSD 7.2-PRERELEASE amd64
>Description:
Tobias Klein of TrapKit found vulnerabilities in the Audible
media format parser [1]. Upstream has patched the source and
confirmed the existence of the reported holes [2].
>How-To-Repeat:
[1] http://trapkit.de/advisories/TKADV2009-002.txt
[2] http://websvn.kde.org/?view=rev&revision=908415
>Fix:
The following patch updates the port with the upstream fixes. It was kindly
tested by Martin Wilke: it builds fine on i386 and amd64 for FreeBSD-6/7/8,
and the new binary works fine.
--- amarok-fix-tkadv2009-004.diff begins here ---
From f7a8abc13a671b4fc8d66b894ee4b0315dce5743 Mon Sep 17 00:00:00 2001
From: Eygene Ryabinkin <rea-fbsd at codelabs.ru>
Date: Sun, 8 Mar 2009 23:11:21 +0300
unchecked memory allocations
Signed-off-by: Eygene Ryabinkin <rea-fbsd at codelabs.ru>
---
audio/amarok/Makefile | 2 +-
audio/amarok/files/patch-tkadv2009-002 | 90 ++++++++++++++++++++++++++++++++
2 files changed, 91 insertions(+), 1 deletions(-)
create mode 100644 audio/amarok/files/patch-tkadv2009-002
diff --git a/audio/amarok/Makefile b/audio/amarok/Makefile
index feb3263..684fbdc 100644
--- a/audio/amarok/Makefile
+++ b/audio/amarok/Makefile
@@ -6,7 +6,7 @@
PORTNAME= amarok
PORTVERSION= 1.4.10
-PORTREVISION= 2
+PORTREVISION= 3
CATEGORIES= audio kde
MASTER_SITES= ${MASTER_SITE_KDE}
MASTER_SITE_SUBDIR= stable/${PORTNAME}/${PORTVERSION}/src
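Review bot: the PORTREVISION bump from 2 to 3 is the only change in this hunk and it has to stay in step with the proposed VuXML range `<range><lt>1.4.10_3</lt></range>`; if the port gets another bump before this is committed, the entry's range needs the same update or the fixed package will be reported as vulnerable.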
diff --git a/audio/amarok/files/patch-tkadv2009-002 b/audio/amarok/files/patch-tkadv2009-002
new file mode 100644
index 0000000..15f4dbb
--- /dev/null
+++ b/audio/amarok/files/patch-tkadv2009-002
@@ -0,0 +1,90 @@
+This is the patch for TKADV2009-002: multiple integer overflows
+and unchecked allocation vulnerabilities in Audible files parser,
+ http://trapkit.de/advisories/TKADV2009-002.txt
+
+Obtained from: http://websvn.kde.org/branches/stable/extragear/multimedia/amarok/src/metadata/audible/audibletag.cpp?r1=908415&r2=908414&pathrev=908415&view=patch
+--- amarok/src/metadata/audible/audibletag.cpp 2009/01/09 17:36:52 908414
++++ amarok/src/metadata/audible/audibletag.cpp 2009/01/09 17:38:50 908415
+@@ -71,7 +71,8 @@
+ {
+ char buf[1023];
+ fseek(fp, OFF_PRODUCT_ID, SEEK_SET);
+- fread(buf, strlen("product_id"), 1, fp);
++ if (fread(buf, strlen("product_id"), 1, fp) != 1)
++ return;
+ if(memcmp(buf, "product_id", strlen("product_id")))
+ {
+ buf[20]='\0';
+@@ -130,24 +131,65 @@
+
+ bool Audible::Tag::readTag( FILE *fp, char **name, char **value)
+ {
++ // arbitrary value that has to be smaller than 2^32-1 and that should be large enough for all tags
++ const uint32_t maxtaglen = 100000;
++
+ uint32_t nlen;
+- fread(&nlen, sizeof(nlen), 1, fp);
++ if (fread(&nlen, sizeof(nlen), 1, fp) != 1)
++ return false;
+ nlen = ntohl(nlen);
+ //fprintf(stderr, "tagname len=%x\n", (unsigned)nlen);
+- *name = new char[nlen+1];
+- (*name)[nlen] = '\0';
++ if (nlen > maxtaglen)
++ return false;
+
+ uint32_t vlen;
+- fread(&vlen, sizeof(vlen), 1, fp);
++ if (fread(&vlen, sizeof(vlen), 1, fp) != 1)
++ return false;
+ vlen = ntohl(vlen);
+ //fprintf(stderr, "tag len=%x\n", (unsigned)vlen);
++ if (vlen > maxtaglen)
++ return false;
++
++ *name = new char[nlen+1];
++ if (!*name)
++ return false;
++
+ *value = new char[vlen+1];
++ if (!*value)
++ {
++ delete[] *name;
++ *name = 0;
++ return false;
++ }
++
++ (*name)[nlen] = '\0';
+ (*value)[vlen] = '\0';
+
+- fread(*name, nlen, 1, fp);
+- fread(*value, vlen, 1, fp);
++ if (fread(*name, nlen, 1, fp) != 1)
++ {
++ delete[] *name;
++ *name = 0;
++ delete[] *value;
++ *value = 0;
++ return false;
++ }
++ if (fread(*value, vlen, 1, fp) != 1)
++ {
++ delete[] *name;
++ *name = 0;
++ delete[] *value;
++ *value = 0;
++ return false;
++ }
+ char lasttag;
+- fread(&lasttag, 1, 1, fp);
++ if (fread(&lasttag, 1, 1, fp) != 1)
++ {
++ delete[] *name;
++ *name = 0;
++ delete[] *value;
++ *value = 0;
++ return false;
++ }
+ //fprintf(stderr, "%s: \"%s\"\n", *name, *value);
+
+ m_tagsEndOffset += 2 * 4 + nlen + vlen + 1;
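Review bot: the `if (!*name)` and `if (!*value)` checks after `new char[...]` are dead code unless the build uses nothrow allocation: standard `new[]` throws `std::bad_alloc` instead of returning a null pointer, so the branch that deletes `*name` when the `*value` allocation fails never runs and an allocation failure propagates out of `readTag` as an exception instead of the `false` the caller expects. Either allocate with `new (std::nothrow) char[nlen+1]` / `new (std::nothrow) char[vlen+1]` so the checks are live, or drop them. The length caps are the part that matters: with `nlen > maxtaglen` rejected before `new char[nlen+1]`, an `nlen` of 0xFFFFFFFF can no longer wrap the size to zero followed by `(*name)[nlen] = '\0'` out of bounds, and `m_tagsEndOffset += 2 * 4 + nlen + vlen + 1` can no longer overflow. Style point: the five identical `delete[] ... return false;` blocks would be easier to keep consistent as a single cleanup path (a `fail:` label or a small helper), since every future failure branch has to repeat all four statements correctly.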
--
1.6.1.3
--- amarok-fix-tkadv2009-004.diff ends here ---
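As an added illustration of the hardening the upstream fix applies (example code written for this note, not Amarok's or the port's own code), the C below reads one length-prefixed name/value tag with the same checks the patch introduces: every read is verified, both lengths are capped at the patch's maxtaglen of 100000 before the +1 is computed so a length of 0xFFFFFFFF cannot wrap the allocation size to zero, and any failure frees whatever was allocated and hands back null pointers. It assumes an in-memory buffer in place of the FILE*, malloc in place of new (so a null return is a real signal), and the record layout visible in the patch: big-endian u32 name length, big-endian u32 value length, name bytes, value bytes, one lasttag byte. The sample inputs are constructed, not real Audible files.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Same cap as the upstream patch's maxtaglen: any tag longer than this is
   treated as malformed instead of being trusted as an allocation size. */
#define MAXTAGLEN 100000u

/* In-memory stand-in for the FILE* the real parser reads from (assumption:
   record layout is u32be nlen, u32be vlen, name, value, 1-byte lasttag). */
struct reader { const uint8_t *data; size_t len; size_t pos; };

/* Like fread(dst, n, 1, fp): succeeds only if all n bytes were available. */
static int read_bytes(struct reader *r, void *dst, size_t n)
{
    if (n > r->len - r->pos)
        return 0;                 /* short read: report it, never use dst */
    memcpy(dst, r->data + r->pos, n);
    r->pos += n;
    return 1;
}

/* Big-endian u32, the equivalent of fread + ntohl in the original. */
static int read_u32be(struct reader *r, uint32_t *out)
{
    uint8_t b[4];
    if (!read_bytes(r, b, 4))
        return 0;
    *out = ((uint32_t)b[0] << 24) | ((uint32_t)b[1] << 16) |
           ((uint32_t)b[2] << 8) | (uint32_t)b[3];
    return 1;
}

/* Returns 1 and NUL-terminated heap copies of name/value on success; 0 with
   *name == *value == NULL on any failure, so the caller never frees twice. */
int read_tag(struct reader *r, char **name, char **value,
             size_t *tags_end_offset, int *lasttag)
{
    uint32_t nlen, vlen;
    uint8_t flag = 0;

    *name = *value = NULL;
    if (!read_u32be(r, &nlen) || !read_u32be(r, &vlen))
        return 0;
    /* Bound both lengths before computing nlen+1: with nlen == UINT32_MAX the
       original's 'new char[nlen+1]' wrapped to a 0-byte allocation followed
       by an out-of-bounds write of the terminator. */
    if (nlen > MAXTAGLEN || vlen > MAXTAGLEN)
        return 0;
    *name = malloc((size_t)nlen + 1);
    *value = malloc((size_t)vlen + 1);
    if (!*name || !*value)
        goto fail;                /* malloc reports failure as NULL, unlike new */
    if (!read_bytes(r, *name, nlen) || !read_bytes(r, *value, vlen) ||
        !read_bytes(r, &flag, 1))
        goto fail;                /* truncated input: nothing partial escapes */
    (*name)[nlen] = '\0';
    (*value)[vlen] = '\0';
    *lasttag = flag;
    /* Both lengths are <= MAXTAGLEN, so this sum cannot overflow either. */
    *tags_end_offset += 2 * 4 + nlen + vlen + 1;
    return 1;
fail:
    free(*name);
    free(*value);
    *name = *value = NULL;
    return 0;
}

/* Constructed sample inputs (not real Audible files). Each demo returns 1
   when the parser behaves as intended on that input. */
int demo_well_formed(void)
{
    static const uint8_t buf[] = { 0,0,0,5, 0,0,0,3, 't','i','t','l','e', 'f','o','o', 1 };
    struct reader r = { buf, sizeof buf, 0 };
    char *n, *v; size_t off = 0; int last = 0;
    int ok = read_tag(&r, &n, &v, &off, &last) &&
             strcmp(n, "title") == 0 && strcmp(v, "foo") == 0 &&
             last == 1 && off == sizeof buf;
    free(n); free(v);
    return ok;
}

int demo_wrapping_length(void)
{
    /* nlen = 0xFFFFFFFF: nlen+1 would wrap to 0 in 32-bit arithmetic. */
    static const uint8_t buf[] = { 0xff,0xff,0xff,0xff, 0,0,0,3, 'f','o','o', 1 };
    struct reader r = { buf, sizeof buf, 0 };
    char *n, *v; size_t off = 0; int last = 0;
    return read_tag(&r, &n, &v, &off, &last) == 0 && n == NULL && v == NULL && off == 0;
}

int demo_truncated(void)
{
    /* Claims a 5-byte name but the data ends after 2 bytes of it. */
    static const uint8_t buf[] = { 0,0,0,5, 0,0,0,3, 't','i' };
    struct reader r = { buf, sizeof buf, 0 };
    char *n, *v; size_t off = 0; int last = 0;
    return read_tag(&r, &n, &v, &off, &last) == 0 && n == NULL && v == NULL;
}
```

The three demo functions each return 1 when the parser accepts the well-formed record (name "title", value "foo", end offset 17), rejects the wrapping length before allocating anything, and rejects the truncated record without leaking the buffers it had already allocated; call them from a main() or a test harness.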
The following VuXML entry should be evaluated and added:
--- vuln.xml begins here ---
<vuln vid="ae652ae3-0c1b-11de-b26a-001fc66e7203">
  <topic>amarok -- multiple integer overflows and unchecked memory allocations</topic>
  <affects>
    <package>
      <name>amarok</name>
      <range><lt>1.4.10_3</lt></range>
    </package>
  </affects>
  <description>
    <body xmlns="http://www.w3.org/1999/xhtml">
      <p>Tobias Klein reports:</p>
      <blockquote
        cite="http://trapkit.de/advisories/TKADV2009-002.txt">
        <p>Amarok contains several integer overflows and unchecked
          allocation vulnerabilities while parsing malformed Audible
          digital audio files. The vulnerabilities may be exploited by
          a (remote) attacker to execute arbitrary code in the context
          of Amarok.</p>
      </blockquote>
    </body>
  </description>
  <references>
    <cvename>CVE-2009-0135</cvename>
    <cvename>CVE-2009-0136</cvename>
    <bid>33210</bid>
    <url>http://trapkit.de/advisories/TKADV2009-002.txt</url>
  </references>
  <dates>
    <discovery>2009-01-11</discovery>
    <entry>TODAY</entry>
  </dates>
</vuln>
--- vuln.xml ends here ---
>Release-Note:
>Audit-Trail:
>Unformatted: