Bug 470552 (CVE-2005-0706)

Summary: CVE-2005-0706 grip,libcdaudio: buffer overflow caused by large amount of CDDB replies
Product: [Other] Security Response Reporter: Tomas Hoger <thoger>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: adrian, jlieskov, karsten, kreilly, notting, tbzatek, vdanen, wolfy
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
URL: http://nvd.nist.gov/nvd.cfm?cvename=CVE-2005-0706
Whiteboard: impact=moderate,public=20050309,source=secalert,reported=20050309
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2010-12-21 21:15:40 EST Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Bug Depends On: 150712, 471050, 471051, 471052, 471053    
Bug Blocks:    
Attachments:
Description Flags
Patch for grip from upstream bug
none
Local copy of Gentoo's libcdaudio-0.99-CAN-2005-0706.patch none

Description Tomas Hoger 2008-11-07 11:45:39 EST
Common Vulnerabilities and Exposures assigned an identifier CVE-2005-0706 to the following vulnerability:

Buffer overflow in discdb.c for grip 3.1.2 allows attackers to cause a denial
of service (crash) and possibly execute arbitrary code by causing the cddb
lookup to return more matches than expected. 

References:
http://sourceforge.net/tracker/index.php?func=detail&aid=834724&group_id=3714&atid=103714
http://sourceforge.net/tracker/index.php?func=detail&aid=1160134&group_id=3714&atid=303714
http://www.securityfocus.com/bid/12770
http://xforce.iss.net/xforce/xfdb/19648
Comment 1 Tomas Hoger 2008-11-07 11:51:25 EST
This issue was already fixed in grip as shipped in Red Hat Enterprise Linux 2.1:
  http://rhn.redhat.com/errata/RHSA-2005-304.html

However, even though the patch is attached to grip's SF.net bug tracker, it does not seem to be included in current Fedora grip packages (based on upstream 3.2.0).  Additionally, the same fix is needed for libcdaudio as well:

http://sources.gentoo.org/viewcvs.py/gentoo-x86/media-libs/libcdaudio/files/libcdaudio-0.99-CAN-2005-0706.patch

(The Gentoo's libcdaudio patch was the way how I came across this.)
Comment 3 Adrian Reber 2008-11-07 12:08:41 EST
Seems the patch got lost in Core/Extras merger. Somehow it has been only applied to the released branches. I will include it.
Comment 4 Tomas Hoger 2008-11-07 12:30:40 EST
Created attachment 322871 [details]
Local copy of Gentoo's libcdaudio-0.99-CAN-2005-0706.patch
Comment 5 Fedora Update System 2008-11-09 10:12:02 EST
grip-3.2.0-24.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/grip-3.2.0-24.fc10
Comment 6 Fedora Update System 2008-11-09 10:12:43 EST
grip-3.2.0-24.fc9 has been submitted as an update for Fedora 9.
http://admin.fedoraproject.org/updates/grip-3.2.0-24.fc9
Comment 7 Fedora Update System 2008-11-09 10:13:24 EST
grip-3.2.0-24.fc8 has been submitted as an update for Fedora 8.
http://admin.fedoraproject.org/updates/grip-3.2.0-24.fc8
Comment 8 Tomas Hoger 2008-11-11 05:09:10 EST
This also affects gnome-vfs* in Red Hat Enterprise Linux prior to version 5.
Comment 9 Jan Lieskovsky 2008-11-11 09:19:33 EST
The libcdaudio package as shipped with Fedora releases of 8, 9 and 10
(libcdaudio-0.99.12p2-8.fc7 and libcdaudio-0.99.12p2-9.fc9)
and as shipped with Extra Packages for Enterprise Linux for RHEL4 and RHEL5 (libcdaudio-0.99.12p2-8.el{4,5.1}) are still vulnerable to the CVE-2005-0706
issue.

Relevant part of the code (src/cddb.c -- please have a look
at c#4 for the Gentoo's libcdaudio-0.99-CAN-2005-0706.patch):

1054     query->query_matches = 0;
1055     while(!cddb_read_line(sock, inbuffer, 256)) {
1056       slashed = 0;
1057       if(strchr(inbuffer, '/') != NULL && parse_disc_artist) {
1058         index = 0;

Axel, could you please update the F{8,9,10} packages with this patch?
Comment 12 Jan Lieskovsky 2008-11-11 11:32:25 EST
This issue affects the version of the gnome-vfs and gnome-vfs2 package,
as shipped with Red Hat Enterprise Linux 2.1, 3 and 4.

This issue does NOT affect the versions of the gnome-vfs2 package, 
as shipped with Red Hat Enterprise Linux 5 and Fedora relesases of
8, 9 and 10.
Comment 13 Fedora Update System 2008-11-19 09:45:24 EST
grip-3.2.0-24.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 14 Fedora Update System 2008-11-19 09:52:45 EST
grip-3.2.0-24.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 15 Fedora Update System 2008-12-02 20:31:13 EST
grip-3.2.0-24.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 16 Fedora Update System 2008-12-27 14:11:00 EST
libcdaudio-0.99.12p2-11.fc9 has been submitted as an update for Fedora 9.
http://admin.fedoraproject.org/updates/libcdaudio-0.99.12p2-11.fc9
Comment 17 Fedora Update System 2008-12-27 14:11:05 EST
libcdaudio-0.99.12p2-11.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/libcdaudio-0.99.12p2-11.fc10
Comment 18 Fedora Update System 2008-12-27 14:11:09 EST
libcdaudio-0.99.12p2-11.fc8 has been submitted as an update for Fedora 8.
http://admin.fedoraproject.org/updates/libcdaudio-0.99.12p2-11.fc8
Comment 19 Axel Thimm 2008-12-27 14:26:13 EST
(In reply to comment #9)
> Axel, could you please update the F{8,9,10} packages with this patch?

The packages are submitted for the testing repo. If you consider this more urgent feel free to push directly into stable. Thanks.
Comment 21 Fedora Update System 2009-02-04 21:14:28 EST
libcdaudio-0.99.12p2-11.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 22 Fedora Update System 2009-02-04 21:22:46 EST
libcdaudio-0.99.12p2-11.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 23 Vincent Danen 2010-12-21 21:15:40 EST
This was addressed via:

Red Hat Enterprise Linux version 2.1 (RHSA-2005:304)
Red Hat Enterprise Linux version 2.1 (RHSA-2009:0005)
Red Hat Enterprise Linux version 3 (RHSA-2009:0005)
Red Hat Enterprise Linux version 4 (RHSA-2009:0005)