Bug 442688 - (CVE-2008-1771) CVE-2008-1771 mt-daapd: integer overflow allowing remote DoS and possibly arbitrary code execution
CVE-2008-1771 mt-daapd: integer overflow allowing remote DoS and possibly arb...
Status: CLOSED NEXTRELEASE
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
low Severity high
: ---
: ---
Assigned To: Red Hat Product Security
source=debian,reported=20080415,publi...
: Security
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2008-04-16 06:04 EDT by Tomas Hoger
Modified: 2016-03-04 07:39 EST (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2008-04-17 16:09:08 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Tomas Hoger 2008-04-16 06:04:48 EDT
Nice Golde of Debian Testing Security Team discovered an integer overflow flaw
leading to a heap-based buffer overflow affecting mt-daapd daemon.  Further
details are available in Nico's bug in Debian BTS:

  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=476241

This flaw can easily cause DoS (daemon crash) and can possibly allow remote code
execution with privileges of user running mt-daapd (nobody by default).

Simple reproducer is available in the bug:

  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=476241#10

Issue was reported for version 0.9, which isn't currently in Fedora archive (but
some builds are already in Koji).  After a quick test and look at 0.2.4.1
currently in the archive, it seems that this version is not really affected,
even though underlying problem (integer overflow) exists there as well.

The difference seems to be in the implementation of readtimed() used by older
mt-daapd version.  Unlike implementation in 0.9, it exits immediately when
called with negative length argument.  Therefore ws_getpostvars() returns error
prior to attacker's payload can be written to a buffer of insufficient size.

So it seems Fedora is not affected at the moment, but this should be addressed
prior to pushing 0.9 to Fedora.  Mike, do you agree or have I possibly missed
anything?
Comment 1 Tomas Hoger 2008-04-16 11:15:00 EDT
Mitre CVE description for CVE-2008-1771:

Integer overflow in the ws_getpostvars function in Firefly Media
Server (formerly mt-daapd) 0.2.4.1 (0.9~r1696-1.2 on Debian) allows
remote attackers to cause a denial of service (crash) and possibly
execute arbitrary code via an HTTP POST request with a large
Content-Length.
Comment 2 W. Michael Petullo 2008-04-17 16:09:08 EDT
I applied the patch from Debian, rebuilt and submitted to bodhi. I will rebuild
the package again once the upstream maintainer releases his fix.
Comment 3 Fedora Update System 2008-04-17 16:09:12 EDT
mt-daapd-0.9-0.4.1696.fc8 has been submitted as an update for Fedora 8
Comment 4 Tomas Hoger 2008-04-18 11:27:01 EDT
To correct my initial comment #0:

I've mis-spelled Nico's name, should be Nico Golde, of course.  Sorry Nico!

Also my claim that mt-daapd-0.2.4.1 may not be affected was not correct.  I have
managed to reproduce crash with unmodified Nico's reproducer with 0.2.4.1 on
i386.  My original test was on x86_64, where read fails with EFAULT prior to
reading user input.  This does not occur on i386 and may not occur on x86_64
with older kernels (pre-2.6.11, it seems).
Comment 5 Fedora Update System 2008-04-22 18:40:42 EDT
mt-daapd-0.9-0.4.1696.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 6 Tomas Hoger 2008-05-14 08:47:36 EDT
Michael, please note that the fixed version only managed to get to F8, but is
not available in F9 and rawhide, which still have mt-daapd-0.2.4.1-6.fc9.
Comment 7 W. Michael Petullo 2008-05-14 22:52:02 EDT
0.2.4.2 has been build in Koji for F-8 and F-9:

http://koji.fedoraproject.org/koji/buildinfo?buildID=49118
http://koji.fedoraproject.org/koji/buildinfo?buildID=49115

I'm having trouble getting these build accepted into Bodhi because their version number is lower that a 
previously build SVN version.
Comment 8 Fedora Update System 2008-05-15 21:01:51 EDT
mt-daapd-0.2.4.2-2.fc9 has been submitted as an update for Fedora 9
Comment 9 W. Michael Petullo 2008-05-15 21:16:50 EDT
Okay, I've learned how to set the epoch to override version numbering issues. I have submitted new 
packages for F-9. F-8 and EL-5.
Comment 10 Fedora Update System 2008-05-17 18:28:52 EDT
mt-daapd-0.2.4.2-2.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.