oss-sec mailing list archives
Re: CVE Request -- amarok
From: Marcus Meissner <meissner () suse de>
Date: Mon, 19 Jan 2009 10:56:34 +0100
Steve, Ping?

Ciao, Marcus

On Wed, Jan 14, 2009 at 10:08:00AM +0100, Jan Lieskovsky wrote:

Hello Steve,

multiple integer overflows (leading to heap-based overflows) and unchecked allocation vulnerabilities have been reported against the Amarok multimedia player when parsing malformed Audible digital audio files. Upstream has fixed these in the latest 2.0.1.1 release.

References:
http://www.trapkit.de/advisories/TKADV2009-002.txt
http://amarok.kde.org/en/releases/2.0.1.1 (Fix possible buffer overflows when parsing Audible .aa files.)
https://bugzilla.redhat.com/show_bug.cgi?id=479946
http://bugs.gentoo.org/show_bug.cgi?id=254896

Proposed solution: Upgrade to latest upstream version 2.0.1.1

Affected Amarok version: amarok-1.4.10-1.fc9 <= x < latest upstream 2.0.1.1 release

Attaching also diff for audibletag.cpp file between latest F10 (amarok-2.0-2.fc10) and latest upstream 2.0.1.1 release (see attachment).

Could you please allocate a new 2009 CVE id for it?

Thanks, Jan.

--
Jan iankko Lieskovsky / Red Hat Security Response Team
--- /root/rpmbuild/BUILD/amarok-2.0/src/metadata/audible/audibletag.cpp 2008-12-05 05:01:21.000000000 -0500
+++ /tmp/amarok/amarok-2.0.1.1/src/metadata/audible/audibletag.cpp 2009-01-09 13:29:30.000000000 -0500
@@ -139,13 +139,20 @@
bool Audible::Tag::readTag( FILE *fp, char **name, char **value)
{
+ // arbitrary value that has to be smaller than 2^32-1 and that should be large enough for all tags
+ const quint32 maxtaglen = 100000;
+
quint32 nlen;
if ( fread(&nlen, sizeof(nlen), 1, fp) != 1 )
return false;
nlen = ntohl(nlen);
//fprintf(stderr, "tagname len=%x\n", (unsigned)nlen);
+ if(nlen > maxtaglen)
+ return false;
*name = new char[nlen+1];
+ if (!*name)
+ return false;
(*name)[nlen] = '\0';
quint32 vlen;
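Review bot: the `if (!*name) return false;` added right after `*name = new char[nlen+1];` is unreachable: plain array `new` throws std::bad_alloc on failure instead of returning a null pointer, so the check never fires. Either allocate with `new (std::nothrow) char[nlen+1]` so the null check means something, or drop it. The protection that actually matters in this hunk is `if(nlen > maxtaglen) return false;`, which rules out nlen == 0xffffffff making nlen+1 wrap to zero and `(*name)[nlen] = '\0'` writing far outside a zero-length heap block; the comment on maxtaglen would be clearer if it said that (the cap keeps nlen+1 from wrapping) rather than "smaller than 2^32-1".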
@@ -157,8 +164,13 @@
}
vlen = ntohl(vlen);
+ if (vlen > maxtaglen)
+ {
+ delete [] *name;
+ *name = 0;
+ return false;
+ }
//fprintf(stderr, "tag len=%x\n", (unsigned)vlen);
-
if ( fread(*name, nlen, 1, fp) != 1 )
{
delete [] *name;
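Review bot: the new `vlen > maxtaglen` branch sets `*name = 0;` after `delete [] *name;`, but the existing fread-failure branch just below it (`if ( fread(*name, nlen, 1, fp) != 1 )`) shows only `delete [] *name;` within this hunk; make sure that path also nulls `*name` so every failure return leaves the out-parameter in the same state and a caller cannot free a dangling pointer. The removed blank line (the lone `-` at the top of the hunk) is an unrelated whitespace change that is better kept out of a security fix.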
@@ -167,6 +179,12 @@
}
*value = new char[vlen+1];
+ if (!*value)
+ {
+ delete [] *name;
+ *name = 0;
+ return false;
+ }
(*value)[vlen] = '\0';
if ( fread(*value, vlen, 1, fp) != 1 )
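Review bot: same problem as with the name allocation: `if (!*value)` after `*value = new char[vlen+1];` cannot trigger because non-nothrow `new` throws rather than returning null, so the `delete [] *name; *name = 0;` cleanup in that block is dead code. If allocation failure is meant to be handled here, use `new (std::nothrow) char[vlen+1]`; otherwise the earlier `vlen > maxtaglen` check is what keeps vlen+1 from wrapping and `(*value)[vlen] = '\0'` in bounds, and the dead block should go.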
-- Working, but not speaking, for the following german company: SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)
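As an added example (not from this thread and not Amarok's own code), here is the length-prefixed tag parse the diff hardens, reduced to an in-memory C++ model. `unsafeAllocSize` reproduces the pre-fix `nlen+1` arithmetic so the wrap to zero is visible without performing the out-of-bounds write, and `readTagChecked` applies the same 100000-byte cap as the patch plus `std::nothrow` so the null check is actually reachable. The record layout (big-endian name length, big-endian value length, name bytes, value bytes) follows the read order shown in the hunks; the `Cursor` type, the helper names and the sample tag bytes are constructed for this example.

```cpp
#include <cstdint>
#include <cstring>
#include <initializer_list>
#include <iostream>
#include <new>
#include <string>
#include <vector>

// In-memory cursor standing in for the FILE* the real parser reads from
// (constructed for this example).
struct Cursor {
    const uint8_t *p;
    size_t left;
};

// Mirrors `fread(buf, n, 1, fp) != 1`: fail on short data.
static bool take(Cursor &c, void *out, size_t n) {
    if (c.left < n) return false;
    std::memcpy(out, c.p, n);
    c.p += n;
    c.left -= n;
    return true;
}

// Big-endian 32-bit length prefix, what ntohl() yields on the real file.
static bool readU32BE(Cursor &c, uint32_t &v) {
    uint8_t b[4];
    if (!take(c, b, 4)) return false;
    v = (uint32_t(b[0]) << 24) | (uint32_t(b[1]) << 16) |
        (uint32_t(b[2]) << 8) | uint32_t(b[3]);
    return true;
}

// Pre-fix arithmetic: `new char[nlen+1]` with a 32-bit nlen.  For
// nlen == 0xFFFFFFFF the size wraps to 0, so `(*name)[nlen] = '\0'` in the
// original code writes far outside a zero-length heap block.
uint32_t unsafeAllocSize(uint32_t len) { return len + 1; }

// Same cap as the 2.0.1.1 patch; it keeps len+1 from wrapping.
const uint32_t kMaxTagLen = 100000;

struct Tag { std::string name, value; };

// Hardened readTag: bound both lengths before any arithmetic and use
// nothrow new so the null check is reachable (plain new would throw).
bool readTagChecked(Cursor &c, Tag &out) {
    uint32_t nlen, vlen;
    if (!readU32BE(c, nlen) || nlen > kMaxTagLen) return false;
    if (!readU32BE(c, vlen) || vlen > kMaxTagLen) return false;
    char *name = new (std::nothrow) char[nlen + 1];
    if (!name) return false;
    if (!take(c, name, nlen)) { delete[] name; return false; }
    name[nlen] = '\0';
    char *value = new (std::nothrow) char[vlen + 1];
    if (!value) { delete[] name; return false; }
    if (!take(c, value, vlen)) { delete[] name; delete[] value; return false; }
    value[vlen] = '\0';
    out.name.assign(name, nlen);
    out.value.assign(value, vlen);
    delete[] name;
    delete[] value;
    return true;
}

// Build a tag record with explicit (possibly lying) length fields.
static std::vector<uint8_t> buildTag(uint32_t nlen, uint32_t vlen,
                                     const std::string &name,
                                     const std::string &value) {
    std::vector<uint8_t> b;
    for (uint32_t v : {nlen, vlen})
        for (int s = 24; s >= 0; s -= 8) b.push_back(uint8_t(v >> s));
    b.insert(b.end(), name.begin(), name.end());
    b.insert(b.end(), value.begin(), value.end());
    return b;
}

static bool parse(const std::vector<uint8_t> &b, Tag &t) {
    Cursor c{b.data(), b.size()};
    return readTagChecked(c, t);
}

// Well-formed record: lengths match the payload.
bool demoWellFormed() {
    Tag t;
    return parse(buildTag(6, 5, "author", "Adams"), t) &&
           t.name == "author" && t.value == "Adams";
}
// nlen = 0xFFFFFFFF: the pre-fix code would allocate 0 bytes; rejected here.
bool demoWrapLength() { Tag t; return parse(buildTag(0xFFFFFFFFu, 0, "", ""), t); }
// Length field claims more bytes than the record holds.
bool demoTruncated() { Tag t; return parse(buildTag(10, 2, "short", "xx"), t); }

int main() {
    std::cout << "pre-fix alloc size for nlen=0xFFFFFFFF: "
              << unsafeAllocSize(0xFFFFFFFFu) << "\n";
    std::cout << "well-formed: " << demoWellFormed()
              << "  wrapped: " << demoWrapLength()
              << "  truncated: " << demoTruncated() << "\n";
}
```

The cap is deliberately applied before the `+ 1`, which is the order that matters: checking the product of the addition would already be too late once the 32-bit value has wrapped. The truncated case shows the second failure class the original code relied on fread for; both lengths are bounded and both reads are checked before any byte is trusted.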
Current thread:
- CVE Request -- amarok Jan Lieskovsky (Jan 14)
- Re: CVE Request -- amarok Marcus Meissner (Jan 19)
- Re: CVE Request -- amarok Tomas Hoger (Jan 19)
- Re: CVE Request -- amarok Marcus Meissner (Jan 19)
- Re: CVE Request -- amarok Steven M. Christey (Jan 20)
- Re: CVE Request -- amarok Tomas Hoger (Jan 19)
- Re: CVE Request -- amarok Marcus Meissner (Jan 19)
