Bug 442688 (CVE-2008-1771)

Summary: CVE-2008-1771 mt-daapd: integer overflow allowing remote DoS and possibly arbitrary code execution
Product: [Other] Security Response
Reporter: Tomas Hoger <thoger>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NEXTRELEASE
QA Contact:
Severity: high
Docs Contact:
Priority: low
Version: unspecified
CC: redhat
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2008-04-17 20:09:08 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Tomas Hoger 2008-04-16 10:04:48 UTC
Nice Golde of Debian Testing Security Team discovered an integer overflow flaw
leading to a heap-based buffer overflow affecting the mt-daapd daemon.  Further
details are available in Nico's bug in the Debian BTS:

  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=476241

This flaw can easily cause a DoS (daemon crash) and can possibly allow remote code
execution with the privileges of the user running mt-daapd (nobody by default).

A simple reproducer is available in the bug:

  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=476241#10

The issue was reported for version 0.9, which isn't currently in the Fedora archive
(but some builds are already in Koji).  After a quick test and look at 0.2.4.1,
currently in the archive, it seems that this version is not really affected,
even though the underlying problem (integer overflow) exists there as well.

The difference seems to be in the implementation of readtimed() used by the older
mt-daapd version.  Unlike the implementation in 0.9, it exits immediately when
called with a negative length argument.  Therefore ws_getpostvars() returns an error
before the attacker's payload can be written to a buffer of insufficient size.

So it seems Fedora is not affected at the moment, but this should be addressed
prior to pushing 0.9 to Fedora.  Mike, do you agree or have I possibly missed
anything?

Comment 1 Tomas Hoger 2008-04-16 15:15:00 UTC
Mitre CVE description for CVE-2008-1771:

Integer overflow in the ws_getpostvars function in Firefly Media
Server (formerly mt-daapd) 0.2.4.1 (0.9~r1696-1.2 on Debian) allows
remote attackers to cause a denial of service (crash) and possibly
execute arbitrary code via an HTTP POST request with a large
Content-Length.
Comment 2 W. Michael Petullo 2008-04-17 20:09:08 UTC
I applied the patch from Debian, rebuilt and submitted to bodhi. I will rebuild
the package again once the upstream maintainer releases his fix.

Comment 3 Fedora Update System 2008-04-17 20:09:12 UTC
mt-daapd-0.9-0.4.1696.fc8 has been submitted as an update for Fedora 8

Comment 4 Tomas Hoger 2008-04-18 15:27:01 UTC
To correct my initial comment #0:

I've mis-spelled Nico's name, should be Nico Golde, of course.  Sorry Nico!

Also, my claim that mt-daapd-0.2.4.1 may not be affected was not correct.  I have
managed to reproduce the crash with Nico's unmodified reproducer on 0.2.4.1 on
i386.  My original test was on x86_64, where read fails with EFAULT prior to
reading user input.  This does not occur on i386 and may not occur on x86_64
with older kernels (pre-2.6.11, it seems).
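The length-handling pattern discussed in the description and in comment 4, as an added example that is not mt-daapd's own code: a signed Content-Length parse that lets a negative value reach malloc() and read() is shown beside a bounded, unsigned parse that rejects it before any allocation. The function names, MAX_POST_BODY and the exact shape of the vulnerable statements are assumptions made for illustration.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical upper bound for an acceptable POST body (not from mt-daapd). */
#define MAX_POST_BODY (1024UL * 1024UL)

/* Assumed vulnerable pattern: the header is parsed as a signed int, the buffer
 * is allocated as len + 1 and read() is asked for len bytes.  These helpers
 * return the sizes malloc() and read() would receive instead of calling them. */
size_t unsafe_alloc_size(const char *hdr)
{
    int len = atoi(hdr);            /* no sign or range check */
    return (size_t)(len + 1);       /* "-1" wraps to a zero-byte allocation */
}

size_t unsafe_read_size(const char *hdr)
{
    int len = atoi(hdr);
    return (size_t)len;             /* "-1" becomes SIZE_MAX for read() */
}

/* Hardened parse: digits only (so no sign), whole string consumed, no
 * strtoull overflow, and bounded by MAX_POST_BODY.  Returns the length, or
 * -1 so the caller can send an HTTP error before allocating anything. */
long long safe_content_length(const char *hdr)
{
    char *end;
    unsigned long long v;

    if (hdr == NULL || *hdr < '0' || *hdr > '9')   /* rejects "", "-1", " 5" */
        return -1;
    errno = 0;
    v = strtoull(hdr, &end, 10);
    if (errno == ERANGE || *end != '\0')           /* overflow or trailing junk */
        return -1;
    if (v > MAX_POST_BODY)                         /* bound before malloc() */
        return -1;
    return (long long)v;
}

int main(void)
{
    printf("unsafe \"-1\": malloc(%zu) then read(%zu)\n",
           unsafe_alloc_size("-1"), unsafe_read_size("-1"));
    printf("safe \"-1\" -> %lld, safe \"1024\" -> %lld\n",
           safe_content_length("-1"), safe_content_length("1024"));
    return 0;
}
```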

Comment 5 Fedora Update System 2008-04-22 22:40:42 UTC
mt-daapd-0.9-0.4.1696.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 6 Tomas Hoger 2008-05-14 12:47:36 UTC
Michael, please note that the fixed version only managed to get to F8, but is
not available in F9 and rawhide, which still have mt-daapd-0.2.4.1-6.fc9.

Comment 7 W. Michael Petullo 2008-05-15 02:52:02 UTC
0.2.4.2 has been built in Koji for F-8 and F-9:

http://koji.fedoraproject.org/koji/buildinfo?buildID=49118
http://koji.fedoraproject.org/koji/buildinfo?buildID=49115

I'm having trouble getting these builds accepted into Bodhi because their version
number is lower than a previously built SVN version.

Comment 8 Fedora Update System 2008-05-16 01:01:51 UTC
mt-daapd-0.2.4.2-2.fc9 has been submitted as an update for Fedora 9

Comment 9 W. Michael Petullo 2008-05-16 01:16:50 UTC
Okay, I've learned how to set the epoch to override version numbering issues. I have
submitted new packages for F-9, F-8 and EL-5.

Comment 10 Fedora Update System 2008-05-17 22:28:52 UTC
mt-daapd-0.2.4.2-2.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.