Bug 56826

Summary: security issues (MIDI lyrics format string / buffer overflow attacks)
Product: [Retired] Red Hat Linux
Reporter: Miloslav Trmac <mitr>
Component: timidity++
Assignee: Bernhard Rosenkraenzer <bero>
Status: CLOSED WONTFIX
Severity: medium
Priority: medium
Version: 7.2
Keywords: Security
Hardware: athlon
OS: Linux
Doc Type: Bug Fix
Last Closed: 2001-11-28 14:01:39 UTC
Attachments:
- test file showing the format string attack (harmless AFAIK) (flags: none)
- patch resolving the issues (sorry, maybe got CR+LF there) (flags: none)

Description Miloslav Trmac 2001-11-28 13:58:25 UTC
From Bugzilla Helper:
User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)

Description of problem:
Hello,
I've come across a format string bug in the slang interface of TiMidity
when displaying lyrics, as demonstrated by the attached midi file
which contains, for example, %E in lyrics.

While chasing this one, I have found and hopefully fixed a few other bugs:
- Buffer overflow in XAW interface: please note that I don't know anything
  about MIDI format, so it may well be possible that this cannot happen
  (or that it is checked at some other place of TiMidity); however,
  the buffer length is enforced in all other parts of ctl_lyric ().
  [FIX TESTED ONLY TO COMPILE].
- The same in xskin, but this time the buffer length was never enforced.
  [FIX TESTED ONLY TO COMPILE].
- The dumb interface doesn't fflush () its output for lyrics not in
  ME_KARAOKE_LYRIC format (what's that?), so lyrics may appear only
  after the whole line is completed.

For someone more knowledgeable to solve / dismiss:
make_temp_filename () in timidity/common.c and its usage seem
unsafe (a quite predictable file name is blindly unlinked
and then a new file is written in its place using fopen (),
i.e. no O_EXCL flag).


Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
1. timidity -is quizas.mid

Actual Results:  Lyrics contain weird floating-point numbers

Expected Results:  Lyrics contain %E7 etc.

Additional info:
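
The following is an added illustration, not part of the bug report, the attached patch, or TiMidity's own code. It shows the hardened form of the three patterns the report describes: lyric text reaching printf () as the format argument (so "%E7" in a MIDI lyric event is interpreted), an interface buffer whose length is never enforced, and a predictable temporary file that is unlinked and reopened without O_EXCL. The function and buffer names (append_lyric, show_lyric, render_lyric, create_temp_file, LYRIC_BUF) are hypothetical stand-ins for the interface code in question, and the sample lyric is constructed.

```c
/* Added example (not TiMidity's code): hardened lyric display and temp-file
   creation. All names and sizes here are hypothetical. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>

#define LYRIC_BUF 64   /* hypothetical interface line buffer size */

/* Append a lyric fragment to a fixed-size line buffer, enforcing the limit
   the report says the xskin path never checked. The buffer is always left
   NUL-terminated. Returns 1 if the fragment had to be truncated, else 0. */
int append_lyric(char *line, size_t line_size, const char *fragment)
{
    size_t used = strnlen(line, line_size);
    if (used >= line_size - 1)          /* buffer already full */
        return 1;
    size_t room = line_size - used - 1; /* keep space for the NUL */
    size_t n = strlen(fragment);
    int truncated = n > room;
    if (truncated)
        n = room;
    memcpy(line + used, fragment, n);
    line[used + n] = '\0';
    return truncated;
}

/* Emit a lyric line. The text is passed as a "%s" argument, never as the
   format itself, so directives embedded in a MIDI lyric event are printed
   literally. The fflush() addresses the dumb-interface complaint that text
   only appeared once the whole line was complete. */
void show_lyric(FILE *out, const char *text)
{
    fprintf(out, "%s", text);
    fflush(out);
}

/* Render lyric text into a widget buffer the same way: bounded, and via
   "%s" rather than using the text as the format. Returns the length of the
   full (untruncated) text, as snprintf() does. */
int render_lyric(char *dst, size_t dst_size, const char *text)
{
    return snprintf(dst, dst_size, "%s", text);
}

/* Create a temporary file atomically. mkstemp() opens with O_CREAT|O_EXCL
   and a random suffix, replacing the unlink()-then-fopen() sequence on a
   predictable name. tmpl must end in "XXXXXX" and is rewritten in place to
   the name actually created. Returns the open descriptor or -1. */
int create_temp_file(char *tmpl)
{
    return mkstemp(tmpl);
}

int main(void)
{
    char line[LYRIC_BUF] = "";
    /* Constructed sample fragments, including a format directive. */
    append_lyric(line, sizeof line, "Quizas, quizas ");
    append_lyric(line, sizeof line, "%E7 %n %s");
    show_lyric(stdout, line);   /* prints the directives literally */
    putchar('\n');

    char tmpl[] = "./lyric-XXXXXX";
    int fd = create_temp_file(tmpl);
    if (fd >= 0) {
        close(fd);
        unlink(tmpl);
    }
    return 0;
}
```

The report's own test case is the lyric "%E7": with the text routed through "%s" it survives unchanged, which is exactly the "Expected Results" line above.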

Comment 1 Miloslav Trmac 2001-11-28 14:00:38 UTC
Created attachment 38904 [details]
test file showing the format string attack (harmless AFAIK)

Comment 2 Miloslav Trmac 2001-11-28 14:01:33 UTC
Created attachment 38905 [details]
patch resolving the issues (sorry, maybe got CR+LF there)

Comment 3 Miloslav Trmac 2002-01-01 22:23:57 UTC
OK, fixed upstream. Never mind that nobody from RH has even _noticed_...