Bug 614643 (CVE-2009-3995, CVE-2009-3996, CVE-2010-2546, CVE-2010-2971)

Summary: CVE-2009-3995 CVE-2009-3996 libmikmod: arbitrary code execution via crafted Impulse Tracker or Ultratracker files
Product: [Other] Security Response
Reporter: Vincent Danen <vdanen>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: hdegoede, jlieskov, jnovy
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2010-09-28 15:11:53 UTC
Bug Depends On: 614650, 617483, 617484, 617485, 617486, 617487, 833940
Attachments:
  patch from Debian to correct the issues (flags: none)
  Do checks in IT_LoadEnvelope (flags: none)

Description Vincent Danen 2010-07-14 21:41:55 UTC
Multiple heap-based buffer overflow vulnerabilities were found in libmikmod. These flaws could allow a remote attacker, able to coerce a local user into opening a crafted Impulse Tracker file (or crafted samples) or a crafted Ultratracker file with an application linked against libmikmod, to execute arbitrary code with the privileges of the user running the application.

CVE-2009-3995:

Multiple heap-based buffer overflows in IN_MOD.DLL (aka the Module Decoder Plug-in) in Winamp before 5.57, and libmikmod 3.1.12, might allow remote attackers to execute arbitrary code via (1) crafted samples or (2) crafted instrument definitions in an Impulse Tracker file. NOTE: some of these details are obtained from third party information.

CVE-2009-3996:

Heap-based buffer overflow in IN_MOD.DLL (aka the Module Decoder Plug-in) in Winamp before 5.57, and libmikmod 3.1.12, might allow remote attackers to execute arbitrary code via an Ultratracker file.

References:

http://www.vupen.com/english/advisories/2009/3575
http://secunia.com/secunia_research/2009-55/

Comment 2 Vincent Danen 2010-07-14 21:46:09 UTC
Created attachment 431930 [details]
patch from Debian to correct the issues

This patch was pulled from libmikmod_3.1.11-6+lenny1.diff, which is from DSA 2071-1.

Comment 4 Vincent Danen 2010-07-14 21:53:45 UTC
Created libmikmod tracking bugs for this issue

Affects: fedora-all [bug 614650]

Comment 5 Tomas Hoger 2010-07-19 15:16:58 UTC
(In reply to comment #2)
> Created an attachment (id=431930) [details]
> patch from Debian to correct the issues
> 
> This patch was pulled from libmikmod_3.1.11-6+lenny1.diff, which is from DSA
> 2071-1.    

This seems to contain the following two upstream CVS commits:

http://mikmod.cvs.sourceforge.net/viewvc/mikmod/libmikmod/loaders/load_it.c?r1=1.3&r2=1.4
http://mikmod.cvs.sourceforge.net/viewvc/mikmod/libmikmod/loaders/load_ult.c?r1=1.2&r2=1.3

However, the load_it.c fix seems to be incomplete and possibly misplaced too.  The IT_ProcessEnvelope macro is used to do common processing on volume, panning and pitch envelopes.  It writes to the volenv/panenv/pitenv arrays (of ENVPOINTS size) using volpts/panpts/pitpts as an upper bound (those are unsigned char variables, with a maximum value of 255); the for loop following the check is hence not the first place where the name##env arrays are written to.  I don't see why the upstream fix only adds a check for vol and not for pan and pit, and why the check is not done in IT_LoadEnvelope already.

Reading the Secunia advisory, it seems they've treated all three cases as issues:

"... when parsing an instrument containing a column, panning, or pitch envelope with more than ENVPOINTS (32) points ..."

(I guess this should say: containing a *volume*, panning, or pitch envelope)

Comment 6 Tomas Hoger 2010-07-19 15:44:23 UTC
(In reply to comment #5)
> It writes to volenv/panenv/pitenv arrays with ENVPOINTS size using
> volpts/panpts/pitpts as an upper bound (those are unsigned char variables,
> with maximum value of 255), for loop following the check is hence not the
> first place where name##env arrays are written to.

Additionally, values written to name##env are read from name##tick and name##node, which are of size ITENVCNT (25).

Comment 10 Tomas Hoger 2010-07-22 14:16:51 UTC
(In reply to comment #5)

> However, load_it.c fix seems to be incomplete and possibly mis-placed too. 
> IT_ProcessEnvelope macro is used do common processing on volume, panning and
> pitch envelopes.  It writes to volenv/panenv/pitenv arrays with ENVPOINTS size
> using volpts/panpts/pitpts as an upper bound (those are unsigned char
> variables, with maximum value of 255), for loop following the check is hence
> not the first place where name##env arrays are written to.  I don't see why
> upstream fix only adds check for vol and not pan and pit, and why the check is
> not done in IT_LoadEnvelope already.

Secunia reproducers crash libmikmod with upstream patch for CVE-2009-3995, so that fix is really bogus.

Comment 11 Tomas Hoger 2010-07-22 14:24:21 UTC
Created attachment 433716 [details]
Do checks in IT_LoadEnvelope

Moves the name##pts check to IT_LoadEnvelope.  Uses ITENVCNT as an upper bound.  It is less than the name##env size (ENVPOINTS), but only ITENVCNT items are read from the file into name##node and name##tick, so trying to use a higher upper bound should over-read the buffer.  Please correct me if I'm missing something.
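The bounds problem discussed in comments 5, 6 and 11 (a file-supplied unsigned char point count used as the loop bound for copying ITENVCNT-sized tick/node arrays into an ENVPOINTS-sized envelope, and an upstream check placed against the wrong limit) is illustrated below in a simplified C model. This is an added example written for this page, not libmikmod's own code: the macro names ITENVCNT, ENVPOINTS and the pts/tick/node/env fields follow the comments above, while the record layout, the helper names and the return codes are assumptions made for the example.

```c
/* Simplified model of Impulse Tracker envelope loading, written as an
 * illustration for this bug. Not libmikmod code: the on-disk layout,
 * helper names and return codes are assumptions for the example. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ITENVCNT  25   /* envelope points read from the file into tick/node */
#define ENVPOINTS 32   /* envelope points held in the in-memory instrument */

/* File side: what the loader (IT_LoadEnvelope in libmikmod) fills. */
typedef struct {
    uint8_t  flg, pts, beg, end, susbeg, susend;
    int8_t   node[ITENVCNT];
    uint16_t tick[ITENVCNT];
} it_env_hdr;

/* Instrument side: what the processing step (IT_ProcessEnvelope) fills. */
typedef struct { uint16_t pos; int16_t val; } envpt;
typedef struct {
    uint8_t pts;
    envpt   env[ENVPOINTS];
} instr_env;

/* Assumed record layout: 6 header bytes, then ITENVCNT entries of
 * (node: 1 byte, tick: 2 bytes little-endian), then one padding byte. */
#define IT_ENV_RECLEN (6 + ITENVCNT * 3 + 1)

/* The shape of the original upstream CVE-2009-3995 check: pts bounded by the
 * destination size (ENVPOINTS). Returns 1 when the record would be accepted.
 * pts in 26..31 still passes and then over-reads tick/node[ITENVCNT]. */
int check_upstream_fix(uint8_t pts) { return pts < ENVPOINTS; }

/* The check as proposed for IT_LoadEnvelope: pts bounded by the number of
 * points actually read from the file (ITENVCNT). */
int check_load_envelope(uint8_t pts) { return pts <= ITENVCNT; }

/* Parse one envelope record. 0 on success, -1 if the input is truncated,
 * -2 if pts exceeds what tick/node hold. Same code path for vol, pan, pit. */
int it_load_envelope(const uint8_t *buf, size_t len, it_env_hdr *h)
{
    if (len < IT_ENV_RECLEN) return -1;
    h->flg = buf[0]; h->pts = buf[1]; h->beg = buf[2]; h->end = buf[3];
    h->susbeg = buf[4]; h->susend = buf[5];
    const uint8_t *p = buf + 6;
    for (int i = 0; i < ITENVCNT; i++, p += 3) {
        h->node[i] = (int8_t)p[0];
        h->tick[i] = (uint16_t)(p[1] | (p[2] << 8));
    }
    if (!check_load_envelope(h->pts)) return -2;   /* reject at load time */
    return 0;
}

/* Copy pts points into the instrument. Safe only because it_load_envelope
 * rejected pts > ITENVCNT: with pts up to 255 this loop would write past
 * env[ENVPOINTS] and read past tick/node[ITENVCNT]. */
void it_process_envelope(const it_env_hdr *h, instr_env *d)
{
    memset(d, 0, sizeof *d);
    d->pts = h->pts;
    for (int u = 0; u < h->pts; u++) {
        d->env[u].pos = h->tick[u];
        d->env[u].val = h->node[u];
    }
}

/* Constructed sample record with the given point count (test input). */
void make_record(uint8_t *buf, uint8_t pts)
{
    memset(buf, 0, IT_ENV_RECLEN);
    buf[0] = 1; buf[1] = pts;
    for (int i = 0; i < ITENVCNT; i++) {
        buf[6 + i * 3] = (uint8_t)(i * 2);    /* node value */
        buf[7 + i * 3] = (uint8_t)(i * 10);   /* tick, low byte */
    }
}

/* Load a constructed record and, if accepted, process it into d. */
int load_and_process(uint8_t pts, instr_env *d)
{
    uint8_t rec[IT_ENV_RECLEN];
    it_env_hdr h;
    make_record(rec, pts);
    int rc = it_load_envelope(rec, sizeof rec, &h);
    if (rc == 0) it_process_envelope(&h, d);
    return rc;
}

int main(void)
{
    instr_env d;
    uint8_t probes[] = { 25, 31, 255 };
    for (size_t i = 0; i < sizeof probes; i++) {
        int rc = load_and_process(probes[i], &d);
        printf("pts=%3u  ENVPOINTS check: %s  ITENVCNT check: %s (rc=%d)\n",
               (unsigned)probes[i],
               check_upstream_fix(probes[i]) ? "accept" : "reject",
               rc == 0 ? "accept" : "reject", rc);
    }
    return 0;
}
```

The three probe values mark the cases from the thread: 25 is the largest count the file actually carries and is accepted by both checks; 31 passes a check against ENVPOINTS but would over-read the 25-entry tick/node arrays; 255 is the unsigned char maximum that overflows env[] outright. Putting the check in the loader, against ITENVCNT, covers all three envelopes with one line instead of special-casing vol.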

Comment 12 Tomas Hoger 2010-07-22 14:38:59 UTC
(In reply to comment #11)
> Created an attachment (id=433716) [details]
> Do checks in IT_LoadEnvelope

https://sourceforge.net/tracker/?func=detail&aid=3033086&group_id=40531&atid=428227

Comment 15 Tomas Hoger 2010-07-27 06:06:41 UTC
(In reply to comment #12)

> https://sourceforge.net/tracker/?func=detail&aid=3033086&group_id=40531&atid=428227    

CVE-2010-2546 was assigned to the incorrect CVE-2009-3995 fix.

As updates for Fedora or Red Hat Enterprise Linux mikmod packages were not released yet, updates containing the complete fix will not need to mention CVE-2010-2546.

Comment 16 Vincent Danen 2010-08-05 15:15:28 UTC
The water is even muddier... MITRE also assigned CVE-2010-2971 due to the incomplete fix of CVE-2009-3995.  For clarification, MITRE's descriptions of the problems are as follows:

CVE-2010-2546:

Multiple heap-based buffer overflows in loaders/load_it.c in
libmikmod, possibly 3.1.12, might allow remote attackers to execute
arbitrary code via (1) crafted samples or (2) crafted instrument
definitions in an Impulse Tracker file, related to panpts, pitpts, and
IT_ProcessEnvelope.  NOTE: some of these details are obtained from
third party information.  NOTE: this vulnerability exists because of an
incomplete fix for CVE-2009-3995.

CVE-2010-2971:

loaders/load_it.c in libmikmod, possibly 3.1.12, does not properly
account for the larger size of name##env relative to name##tick and
name##node, which allows remote attackers to trigger a buffer
over-read and possibly have unspecified other impact via a crafted
Impulse Tracker file, a related issue to CVE-2010-2546.  NOTE: this
issue exists because of an incomplete fix for CVE-2009-3995.


Neither of these CVEs needs to be mentioned, since we did not improperly fix CVE-2009-3995.

Comment 17 Tomas Hoger 2010-08-16 18:07:18 UTC
(In reply to comment #16)
> The water is even muddier... MITRE also assigned CVE-2010-2971 due to the
> incomplete fix of CVE-2009-3995.

Not really.  Mitre decided to give separate CVE CVE-2010-2971 to the over-read issue mentioned above in comment #6.  Though the over-read is rather limited and not too likely to have any real impact.

Comment 18 errata-xmlrpc 2010-09-28 12:36:54 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 3
  Red Hat Enterprise Linux 4
  Red Hat Enterprise Linux 5

Via RHSA-2010:0720 https://rhn.redhat.com/errata/RHSA-2010-0720.html