Bug 152919

Summary: CAN-2005-0706 grip Buffer overflow
Product: [Retired] Fedora Legacy
Reporter: Marc Deslauriers <marc.deslauriers>
Component: grip
Assignee: Fedora Legacy Bugs <bugs>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: pekkas
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
URL: https://bugzilla.redhat.com/beta/show_bug.cgi?id=150712
Whiteboard: 1, LEGACY, rh73, rh90, needsrelease
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2005-09-19 05:39:38 UTC
Type: ---
Regression: ---
Documentation: ---
Category: ---

Description David Lawrence 2005-03-30 23:32:08 UTC
This issue was discovered by Dean Brettle

While investigating a crash of grip on my FC3 system, I've come across
what appears to be a long-standing remote buffer overflow vulnerability.
Specifically, if the CDDB server (e.g. freedb.org) returns more than 16
matches (exact or inexact) for a CD, grip will write past the end of a
stack-based array.  I think that means that a hostile server or a
hostile third-party submitter to the CDDB server could exploit the bug (by
embedding exploit code in the overflowing matches).

https://bugzilla.redhat.com/beta/show_bug.cgi?id=150712
------- Bug moved to this database by dkl 2005-03-30 18:32 -------

This bug previously known as bug 2450 at https://bugzilla.fedora.us/
https://bugzilla.fedora.us/show_bug.cgi?id=2450
Originally filed under the Fedora Legacy product and Package request component.

Unknown priority P2. Setting to default priority "normal".
Unknown platform PC. Setting to default platform "All".
Setting qa contact to the default for this product.
   This bug either had no qa contact or an invalid one.
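The report above describes the bug only in prose: a fixed 16-entry match array on the stack, filled from whatever the CDDB server sends. The following is an added example written for this page; it is not grip's code and does not reproduce grip's actual parser. It models the vulnerable pattern (store match number N at matches[N] with no check against the array size) next to a hardened version that takes the capacity as a parameter, checks it before every store, and counts surplus matches instead of writing them. The response format (a 200/210/211 status line, one "category discid title" line per match, a lone "." terminator) follows the CDDB protocol as used by freedb; the sample responses are constructed inline, not captured server traffic, and the struct layout and function names are this example's own.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_MATCHES 16     /* the 16-entry fixed array the report describes (assumed layout) */
#define CAT_LEN     16
#define TITLE_LEN   128

struct cddb_match {        /* example record; not grip's structure */
    char category[CAT_LEN];
    unsigned long discid;
    char title[TITLE_LEN];
};

/* Copy the next line of *p (without CR/LF) into buf and advance *p.
 * Returns 0 when the input is exhausted. Over-long lines are truncated. */
static int next_line(const char **p, char *buf, size_t n)
{
    if (**p == '\0')
        return 0;
    size_t len = strcspn(*p, "\n");
    size_t copy = len < n - 1 ? len : n - 1;
    memcpy(buf, *p, copy);
    buf[copy] = '\0';
    buf[strcspn(buf, "\r")] = '\0';
    *p += len + ((*p)[len] == '\n');
    return 1;
}

/* Parse "category discid Artist / Title" into m. Returns 1 on success.
 * %15s bounds the category, snprintf bounds the title. */
static int parse_match(const char *line, struct cddb_match *m)
{
    int start = 0;
    if (sscanf(line, "%15s %lx %n", m->category, &m->discid, &start) < 2)
        return 0;
    snprintf(m->title, sizeof m->title, "%s", line + start);
    return 1;
}

/* Read the status line. Returns its 3-digit code (0 if malformed) and sets
 * *start to the offset of the text after the code. */
static int status_line(const char **p, char *line, size_t n, int *start)
{
    int code = 0;
    *start = 0;
    if (!next_line(p, line, n) || sscanf(line, "%3d %n", &code, start) < 1)
        return 0;
    return code;
}

/* VULNERABLE, models the report: each match is stored at matches[count] with
 * no check against the array's size, so a server (or a poisoned database
 * entry) that returns a 17th match writes past the end of the caller's stack
 * array. Kept only for comparison; never call it on untrusted input. */
static int collect_unbounded(const char *resp, struct cddb_match matches[MAX_MATCHES])
{
    char line[512];
    const char *p = resp;
    int start, count = 0;
    int code = status_line(&p, line, sizeof line, &start);
    if (code == 200)                          /* single exact match, inline */
        return parse_match(line + start, &matches[0]) ? 1 : 0;
    if (code != 210 && code != 211)           /* 202 no match, errors, ... */
        return 0;
    while (next_line(&p, line, sizeof line) && strcmp(line, ".") != 0)
        if (parse_match(line, &matches[count]))   /* <-- no bound on count */
            count++;
    return count;
}

/* HARDENED: capacity is an explicit parameter, the bound is checked before
 * each store, and surplus matches are parsed into a scratch record and
 * counted in *dropped. A caller seeing *dropped > 0 knows the server sent
 * more than it could hold and can warn the user instead of crashing. */
static int collect_bounded(const char *resp, struct cddb_match *matches,
                           size_t cap, size_t *dropped)
{
    char line[512];
    struct cddb_match scratch;
    const char *p = resp;
    int start;
    size_t count = 0;
    *dropped = 0;
    int code = status_line(&p, line, sizeof line, &start);
    if (code == 200)
        return (cap > 0 && parse_match(line + start, &matches[0])) ? 1 : 0;
    if (code != 210 && code != 211)
        return 0;
    while (next_line(&p, line, sizeof line) && strcmp(line, ".") != 0) {
        if (!parse_match(line, count < cap ? &matches[count] : &scratch))
            continue;
        if (count < cap)
            count++;
        else
            (*dropped)++;
    }
    return (int)count;
}

/* Build a constructed 211 response listing n inexact matches (test input). */
static void build_response(int n, char *buf, size_t size)
{
    size_t used = snprintf(buf, size,
        "211 Found inexact matches, list follows (until terminating `.')\r\n");
    for (int i = 0; i < n && used < size; i++)
        used += snprintf(buf + used, size - used,
                         "rock %08x Artist %d / Album %d\r\n", 0x7a0a1d00u + i, i, i);
    if (used < size)
        snprintf(buf + used, size - used, ".\r\n");
}

int main(void)
{
    char resp[4096];
    struct cddb_match found[MAX_MATCHES];
    size_t dropped = 0;
    build_response(20, resp, sizeof resp);    /* 4 more than the array holds */
    int n = collect_bounded(resp, found, MAX_MATCHES, &dropped);
    printf("stored %d matches, dropped %zu; first: %s %08lx %s\n",
           n, dropped, found[0].category, found[0].discid, found[0].title);
    /* collect_unbounded(resp, found) would write found[16]..found[19]. */
    return 0;
}
```

The interesting point for a reviewer is that the bound must be enforced where the store happens, not inferred from the status line: nothing in a 210/211 response says how many entries follow, so the only safe check is "count < cap" before each write. The secondary copies (category, title) are bounded too, since a server that cannot overflow the array could still overflow a field.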
Comment 1 Marc Deslauriers 2005-06-12 04:24:39 UTC
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Here are updated packages to QA for rh73, rh9 and fc1:
fc2 is already fixed.

Changelog:
* Sat Jun 11 2005 Marc Deslauriers <marcdeslauriers> 2.96-2.1.legacy
- Added patch for CAN-2005-0706

rh73:
0ffc979a64170a9052dea93f58b2133e947e6f41  grip-2.96-2.1.legacy.i386.rpm
db8e4637d633c45791afddffb8bd269669bca153  grip-2.96-2.1.legacy.src.rpm

7.3 Source:
http://www.infostrategique.com/linuxrpms/legacy/7.3/grip-2.96-2.1.legacy.src.rpm
7.3 Binaries:
http://www.infostrategique.com/linuxrpms/legacy/7.3/grip-2.96-2.1.legacy.i386.rpm

rh9:
7b4a6f463c2aba2d97b03bdf209e6ccef0b9e78f  grip-3.0.4-5.1.legacy.i386.rpm
e4aa970f770a9ae3940b3125f09d01198f880f02  grip-3.0.4-5.1.legacy.src.rpm

9 Source:
http://www.infostrategique.com/linuxrpms/legacy/9/grip-3.0.4-5.1.legacy.src.rpm
9 Binaries:
http://www.infostrategique.com/linuxrpms/legacy/9/grip-3.0.4-5.1.legacy.i386.rpm

fc1:
4ae54021ebaa8489377db700b78ebe3bdc5e0735  grip-3.0.7-3.1.legacy.i386.rpm
ab849cc102e3e9cf4a2a1b7163fc0190a1030ff8  grip-3.0.7-3.1.legacy.src.rpm

fc1 Source:
http://www.infostrategique.com/linuxrpms/legacy/1/grip-3.0.7-3.1.legacy.src.rpm
fc1 Binaries:
http://www.infostrategique.com/linuxrpms/legacy/1/grip-3.0.7-3.1.legacy.i386.rpm

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)

iD8DBQFCq7j4LMAs/0C4zNoRAixQAJ4y9okDumsLnELdrWyufUFtLLbLQACfT8d2
NMttliGwGw63HczRhy2NA/c=
=gSj4
-----END PGP SIGNATURE-----


Comment 2 Pekka Savola 2005-06-13 12:20:58 UTC
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
QA w/ rpm-build-compare.sh:
 - spec file changes minimal
 - source integrity good
 - patches verified to be very close to from RHEL3 / FC CVS
 
+PUBLISH RHL73,RHL9,FC1
 
db8e4637d633c45791afddffb8bd269669bca153  grip-2.96-2.1.legacy.src.rpm
e4aa970f770a9ae3940b3125f09d01198f880f02  grip-3.0.4-5.1.legacy.src.rpm
ab849cc102e3e9cf4a2a1b7163fc0190a1030ff8  grip-3.0.7-3.1.legacy.src.rpm
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)
 
iD8DBQFCrXoUGHbTkzxSL7QRAte7AKCZVSpB3PYca9oLPAJtw7EFeBa2RACeLJeV
qly6LOKLdeF02bi2Em41MJg=
=4L0W
-----END PGP SIGNATURE-----


Comment 3 Marc Deslauriers 2005-06-20 10:42:30 UTC
Packages were pushed to updates-testing

Comment 4 Eric Jon Rostetter 2005-08-08 19:07:55 UTC
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
++VERIFY for RHL 9
 
RHL 9 Packages: grip-3.0.4-5.2.legacy.i386.rpm
SHA1 checksum matches.  Signatures verify okay.
 
I ripped a song from a cd-rom using the original RH9 version.
I then upgraded to the FL updates-testing version with no problems.
I re-ripped the same song, no problems, and it is the same size as
the original.  Both play back fine.  Did various things with the
program (normal use, visit menus, etc) and encountered no problems.
 
I did not test the exact security problem fixed; I just tested basic
functionality and usage.
 
Vote for release for RHL 9. ++VERIFY
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
 
iD8DBQFC960R4jZRbknHoPIRAhGpAKCgxfvyjGQRpXLP/iI7elntanj2iwCeL7cJ
mToYK7ZQFOMfN0fehsiW3Lg=
=BNis
-----END PGP SIGNATURE-----
Comment 5 Pekka Savola 2005-08-09 03:49:41 UTC
Thanks -- timeout in 4 weeks.

Comment 6 Pekka Savola 2005-09-10 18:44:52 UTC
Timeout over.

Comment 7 Pekka Savola 2005-09-19 05:39:38 UTC
This update was released.