Bug 470544 (CVE-2008-5030)

Summary: CVE-2008-5030 libcdaudio: buffer overflow in cddb reply parsing
Product: [Other] Security Response
Component: vulnerability
Status: CLOSED CURRENTRELEASE
Severity: low
Priority: low
Version: unspecified
Hardware: All
OS: Linux
Keywords: Security
Reporter: Tomas Hoger <thoger>
Assignee: Red Hat Product Security <security-response-team>
CC: adrian, axel.thimm, karsten, manuel.wolfshant
Doc Type: Bug Fix
Last Closed: 2008-11-11 08:49:52 UTC

Description Tomas Hoger 2008-11-07 16:28:17 UTC
libcdaudio recently fixed a buffer overflow in the handling of CDDB replies. A malicious CDDB server could use this flaw to trigger a heap-based overflow for clients using libcdaudio.

Report from Thomas Biege:
  http://www.openwall.com/lists/oss-security/2008/11/05/1

--- src/cddb.c
+++ src/cddb.c
@@ -1679,7 +1679,7 @@ cddb_read_disc_data(int cd_desc, struct disc_data
*outdata)
       free(file);

       while(!feof(cddb_data)) {
-       fgets(inbuffer, 512, cddb_data);
+       fgets(inbuffer, 256, cddb_data);
        cddb_process_line(inbuffer, data);
       }
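Review bot: the new bound is still a hard-coded literal that has to be kept in sync with the declaration of inbuffer by hand, which is how the size mismatch this hunk fixes could arise in the first place; `fgets(inbuffer, sizeof(inbuffer), cddb_data);` ties the limit to the buffer. Two further points in the same loop: the fgets() return value is not checked, so on a read error cddb_process_line() runs on stale buffer contents, and `while(!feof(cddb_data))` only sees end-of-file after a read has already failed, so the last line is handed to cddb_process_line() a second time; driving the loop with `while (fgets(inbuffer, sizeof(inbuffer), cddb_data) != NULL)` addresses both. Worth a comment in the code as well: a reply line longer than the buffer is now silently split and each piece is parsed as its own line.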

Comment 1 Tomas Hoger 2008-11-07 16:29:19 UTC
This is mostly a heads-up bug report, as Fedora libcdaudio packages are not affected: they have had a patch for this flaw included for quite a long time. Unlike the current upstream patch, which uses a shorter fgets, it mallocs more space (see libcdaudio-0.99.12-buffovfl.patch).

http://cvs.fedoraproject.org/viewvc/rpms/libcdaudio/devel/libcdaudio-0.99.12-buffovfl.patch

Seems to be included as of:

* Tue Sep 13 2005 Axel Thimm <Axel.Thimm>
- Patch to fix buffer overflow by Brian C. Huffman
  <huffman>.

I also checked grip, which has CDDB code similar to libcdaudio. The version of grip shipped in Red Hat Enterprise Linux 2.1 is not affected by this flaw, and the current grip version shipped in Fedora / EPEL does not seem to be affected either.
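A hardened version of the reply-reading loop that the description's hunk and the comment above discuss, added here as an example (it is neither libcdaudio's code nor the Fedora patch): the fgets() bound comes from sizeof of the buffer rather than a literal, a reply line that does not fit is drained and rejected instead of overflowing or being split into two records, and the loop is driven by the read result rather than feof(). The 256-byte inbuffer size, the tmpfile() stand-in for the server connection and the sample reply are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>
#define INBUFFER_SIZE 256   /* assumed size of libcdaudio's inbuffer */
enum { LINE_EOF = 0, LINE_OK = 1, LINE_TOO_LONG = -1 };
struct reply_stats { int accepted, too_long; };   /* accepted == -1 on I/O failure */

/* Read one reply line into buf. The bound is cap (sizeof at the call site), so
 * it cannot drift from the buffer as fgets(inbuffer, 512, ...) did against a
 * 256-byte inbuffer. A line that does not fit is drained and rejected. */
int read_cddb_line(FILE *fp, char *buf, size_t cap)
{
    if (cap < 2 || fgets(buf, (int)cap, fp) == NULL)
        return LINE_EOF;                  /* EOF or read error: nothing read */
    size_t n = strlen(buf);
    if (n > 0 && buf[n - 1] == '\n') { buf[n - 1] = '\0'; return LINE_OK; }
    if (feof(fp))                         /* final line without a newline */
        return LINE_OK;
    int c;                                /* no newline, more data: overlong */
    while ((c = fgetc(fp)) != EOF && c != '\n')
        ;
    return LINE_TOO_LONG;
}
/* Stand-in for the cddb_read_disc_data loop, driven by the reader's return
 * value rather than feof(), so the final line is never processed twice. */
struct reply_stats scan_reply(const char *reply, size_t len)
{
    char inbuffer[INBUFFER_SIZE];
    struct reply_stats st = { 0, 0 };
    FILE *fp = tmpfile();                 /* stands in for the server socket */
    int rc;
    if (fp == NULL) { st.accepted = -1; return st; }
    if (fwrite(reply, 1, len, fp) != len) { fclose(fp); st.accepted = -1; return st; }
    rewind(fp);
    while ((rc = read_cddb_line(fp, inbuffer, sizeof inbuffer)) != LINE_EOF) {
        if (rc == LINE_TOO_LONG) { st.too_long++; continue; }
        st.accepted++;                    /* cddb_process_line(inbuffer, data) */
    }
    fclose(fp);
    return st;
}
/* Constructed sample: four ordinary lines around a 600-byte DTITLE line. */
struct reply_stats demo(void)
{
    static char reply[800];
    size_t off = (size_t)snprintf(reply, sizeof reply, "# xmcd\nDISCID=12345678\nDTITLE=");
    memset(reply + off, 'A', 600);
    off += 600;
    off += (size_t)snprintf(reply + off, sizeof reply - off, "\nTTITLE0=Track 1\n.\n");
    return scan_reply(reply, off);
}
```

For the constructed sample, demo() reports four accepted lines and one rejected overlong line; a line of exactly cap-1 characters is also rejected, since its newline no longer fits, which is the conservative side of the check.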

Comment 2 Tomas Hoger 2008-11-11 08:41:21 UTC
CVE id CVE-2008-5030 was assigned to this issue:

Heap-based buffer overflow in the cddb_read_disc_data function in
cddb.c in libcdaudio 0.99.12p2 allows remote attackers to execute
arbitrary code via long CDDB data.

Comment 3 Tomas Hoger 2008-11-11 08:49:52 UTC
libcdaudio packages shipped in Fedora already contain a patch to address this issue. CDDB handling in gnome-vfs2 and grip is not affected by this flaw.