Nice Golde of Debian Testing Security Team discovered an integer overflow flaw leading to a heap-based buffer overflow affecting the mt-daapd daemon. Further details are available in Nico's bug in the Debian BTS: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=476241 This flaw can easily cause a DoS (daemon crash) and can possibly allow remote code execution with the privileges of the user running mt-daapd (nobody by default). A simple reproducer is available in the bug: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=476241#10 The issue was reported for version 0.9, which isn't currently in the Fedora archive (but some builds are already in Koji). After a quick test and a look at 0.2.4.1, currently in the archive, it seems that this version is not really affected, even though the underlying problem (integer overflow) exists there as well. The difference seems to be in the implementation of readtimed() used by the older mt-daapd version. Unlike the implementation in 0.9, it exits immediately when called with a negative length argument. Therefore ws_getpostvars() returns an error before the attacker's payload can be written to a buffer of insufficient size. So it seems Fedora is not affected at the moment, but this should be addressed prior to pushing 0.9 to Fedora. Mike, do you agree or have I possibly missed anything?
Mitre CVE description for CVE-2008-1771: Integer overflow in the ws_getpostvars function in Firefly Media Server (formerly mt-daapd) 0.2.4.1 (0.9~r1696-1.2 on Debian) allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via an HTTP POST request with a large Content-Length.
I applied the patch from Debian, rebuilt and submitted to bodhi. I will rebuild the package again once the upstream maintainer releases his fix.
mt-daapd-0.9-0.4.1696.fc8 has been submitted as an update for Fedora 8
To correct my initial comment #0: I've mis-spelled Nico's name, it should be Nico Golde, of course. Sorry Nico! Also my claim that mt-daapd-0.2.4.1 may not be affected was not correct. I have managed to reproduce the crash with Nico's unmodified reproducer with 0.2.4.1 on i386. My original test was on x86_64, where read fails with EFAULT prior to reading user input. This does not occur on i386 and may not occur on x86_64 with older kernels (pre-2.6.11, it seems).
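The thread above describes the root cause as an integer overflow in ws_getpostvars() when an HTTP POST carries a large Content-Length, with the older readtimed() only coincidentally bailing out on a negative length. The following is an added example (not mt-daapd's or Firefly's code, and not the Debian patch) of how a server can validate Content-Length before any buffer arithmetic happens, so the decision to reject never depends on what a later read() routine does with a negative or wrapped size. The MAX_POST_BODY limit and the function names are assumptions chosen for this illustration.

```c
#include <errno.h>
#include <limits.h>
#include <stddef.h>
#include <stdlib.h>

/* Largest POST body this illustrative server is willing to buffer in memory.
 * The value is an assumption for the example, not a limit from mt-daapd. */
#define MAX_POST_BODY (1024UL * 1024UL)

/* Parse a Content-Length header value into a size that is safe to allocate.
 * Returns 0 and stores the length in *out on success; returns -1 if the value
 * is empty, signed, non-numeric, has trailing junk, does not fit in the
 * integer type, or exceeds MAX_POST_BODY. Every rejection happens before the
 * caller does any "len + 1" or "malloc(len)" arithmetic, which is where a
 * wrapped or negative length turns into a heap overflow. */
int parse_content_length(const char *value, size_t *out)
{
    if (value == NULL || out == NULL)
        return -1;

    /* Skip leading blanks, then refuse an explicit sign: a negative length is
     * never valid, and strtoull() would silently negate "-1" into a huge
     * unsigned value instead of failing. */
    while (*value == ' ' || *value == '\t')
        value++;
    if (*value == '-' || *value == '+' || *value == '\0')
        return -1;

    errno = 0;
    char *end = NULL;
    unsigned long long n = strtoull(value, &end, 10);
    if (errno == ERANGE)                 /* value did not fit the type */
        return -1;
    if (end == value)                    /* no digits were consumed */
        return -1;
    while (*end == ' ' || *end == '\t')  /* tolerate trailing blanks only */
        end++;
    if (*end != '\0' && *end != '\r' && *end != '\n')
        return -1;                       /* trailing junk such as "12abc" */

    if (n > MAX_POST_BODY)               /* policy limit, checked before use */
        return -1;

    *out = (size_t)n;
    return 0;
}

/* Convenience wrapper: the parsed length, or -1 when the header is rejected.
 * Safe because a valid length is bounded by MAX_POST_BODY, far below LLONG_MAX. */
long long checked_content_length(const char *value)
{
    size_t len;
    if (parse_content_length(value, &len) != 0)
        return -1;
    return (long long)len;
}

/* Allocate a body buffer with room for a NUL terminator. Because len was
 * already bounded by parse_content_length(), len + 1 cannot wrap. */
char *alloc_post_body(size_t len)
{
    if (len > MAX_POST_BODY)
        return NULL;
    return calloc(len + 1, 1);
}
```

The point of the wrapper design is that the read loop only ever sees a length that has already been bounded; the server does not rely on a read routine rejecting negative arguments, which is exactly the accidental protection the thread found in 0.2.4.1 and then found insufficient.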
mt-daapd-0.9-0.4.1696.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.
Michael, please note that the fixed version only managed to get to F8, but is not available in F9 and rawhide, which still have mt-daapd-0.2.4.1-6.fc9.
0.2.4.2 has been built in Koji for F-8 and F-9: http://koji.fedoraproject.org/koji/buildinfo?buildID=49118 http://koji.fedoraproject.org/koji/buildinfo?buildID=49115 I'm having trouble getting these builds accepted into Bodhi because their version number is lower than a previously built SVN version.
mt-daapd-0.2.4.2-2.fc9 has been submitted as an update for Fedora 9
Okay, I've learned how to set the epoch to override version numbering issues. I have submitted new packages for F-9, F-8 and EL-5.
mt-daapd-0.2.4.2-2.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.