oss-sec mailing list archives

Re: rplay (Mark R. Boyns) potential security issues (unsanitized data, unchecked malloc...)


From: Fabio Degrigis <degrigis () gmail com>
Date: Sat, 18 Oct 2025 13:01:30 -0700

I can confirm I can trigger a SIGSEGV at
https://salsa.debian.org/alteholz/rplay/-/blob/master/librplay/rplay.c?ref_type=heads#L470
reachable from "rplay_unpack" with a simple harness.
This is indeed a bit concerning since these packets can potentially be
processed by the audio server with no authentication.

Fabio

On Fri 17 Oct 2025 at 17:26 Vincent Lefevre <vincent () vinc17 net>
wrote:

On 2025-10-18 01:50:23 +0200, Solar Designer wrote:
On Sat, Oct 18, 2025 at 01:16:36AM +0200, Vincent Lefevre wrote:
Debian distributes Mark R. Boyns's rplay 3.3.2. I've had
a very quick look at the source and found at least:

* In rplay/rplay.c line 600, the use of atoi() on something that
  looks like unsanitized data from a remote server:

        remote_size = -1;
        p = rptp_parse(response, "size");
        if (p)
            remote_size = atoi(p);

* Various malloc() without a check of failure, such as:

These look like minor correctness and robustness issues.

Some of them may be minor, but ones in librplay may be a major
issue. For instance, in Debian, /usr/libexec/fvwm2/2.7.0/FvwmEvent
is linked against this library:

qaa:~> ldd /usr/libexec/fvwm2/2.7.0/FvwmEvent
[...]
        librplay.so.3 => /lib/librplay.so.3 (0x00007f25461f4000)
[...]

meaning that this could make the window manager crash (unless it
has some protection for modules).

--
Vincent Lefèvre <vincent () vinc17 net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / Pascaline project (LIP, ENS-Lyon)
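The two concrete problems raised in the thread are atoi() applied to a "size" field taken from a remote RPTP response and malloc() results used without a NULL check. The following is an added example written for this archive page, not code from rplay or from any poster; it shows how such a field can be parsed and such a buffer allocated defensively. The function names, the MAX_REMOTE_SIZE bound and the -1 sentinel convention are assumptions for illustration (the sentinel mirrors the `remote_size = -1` line quoted above); rplay's real limits and rptp_parse() semantics are not on the page.

```c
#include <ctype.h>
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical upper bound on an acceptable "size" value. rplay's real
 * limit, if it has one, is not stated in the thread; pick what the
 * protocol actually needs. */
#define MAX_REMOTE_SIZE (64L * 1024 * 1024)

/* Parse a decimal "size" field that came from an untrusted peer.
 * Returns the value on success, or -1 (the same sentinel the original
 * code initialises remote_size to) when the text is NULL, empty,
 * starts with whitespace, is non-numeric, carries trailing garbage,
 * is negative, or exceeds MAX_REMOTE_SIZE.
 *
 * atoi() cannot report any of these conditions: it silently returns 0
 * for "abc", stops at the first non-digit for "12x", and has undefined
 * behaviour when the value does not fit in an int. strtol() lets us
 * check errno for overflow and see where parsing stopped. */
long parse_remote_size(const char *p)
{
    if (p == NULL || *p == '\0' || isspace((unsigned char)*p))
        return -1;

    char *end = NULL;
    errno = 0;
    long v = strtol(p, &end, 10);

    if (errno == ERANGE)          /* out of range for long */
        return -1;
    if (end == p || *end != '\0') /* no digits, or trailing garbage */
        return -1;
    if (v < 0 || v > MAX_REMOTE_SIZE)
        return -1;
    return v;
}

/* Allocate a receive buffer sized from the parsed field. Returns NULL
 * both when the size is rejected and when the allocation itself fails;
 * callers must check instead of dereferencing blindly. */
void *alloc_remote_buffer(const char *size_field)
{
    long n = parse_remote_size(size_field);
    if (n < 0)
        return NULL;
    /* +1 so a zero-length field does not produce a zero-byte request,
     * whose malloc() result is implementation-defined. calloc() also
     * zero-fills, so uninitialised bytes are never handed to the caller. */
    void *buf = calloc((size_t)n + 1, 1);
    return buf;
}

int main(void)
{
    /* Constructed sample inputs, as a remote server might send them. */
    const char *samples[] = { "1024", "0", "", "abc", "12x", "-5",
                              "99999999999999999999999", NULL };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        const char *s = samples[i] ? samples[i] : "(null)";
        printf("%-26s -> %ld\n", s, parse_remote_size(samples[i]));
    }
    void *buf = alloc_remote_buffer("1024");
    printf("alloc_remote_buffer(\"1024\") %s\n", buf ? "ok" : "failed");
    free(buf);
    return 0;
}
```

Rejecting leading whitespace and the "+" sign handling are stricter than what atoi() accepts; whether that is acceptable depends on what RPTP peers legitimately send, which the thread does not specify.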

