Red Hat Bugzilla – Bug 442688
CVE-2008-1771 mt-daapd: integer overflow allowing remote DoS and possibly arbitrary code execution
Last modified: 2016-03-04 07:39:43 EST
Nice Golde of the Debian Testing Security Team discovered an integer overflow flaw
leading to a heap-based buffer overflow affecting the mt-daapd daemon. Further
details are available in Nico's bug in the Debian BTS:
This flaw can easily cause a DoS (daemon crash) and can possibly allow remote code
execution with the privileges of the user running mt-daapd (nobody by default).
A simple reproducer is available in the bug:
The issue was reported for version 0.9, which isn't currently in the Fedora archive
(but some builds are already in Koji). After a quick test and a look at 0.2.4.1,
currently in the archive, it seems that this version is not really affected,
even though the underlying problem (integer overflow) exists there as well.
The difference seems to be in the implementation of readtimed() used by the older
mt-daapd version. Unlike the implementation in 0.9, it exits immediately when
called with a negative length argument. Therefore ws_getpostvars() returns an error
before the attacker's payload can be written to a buffer of insufficient size.
So it seems Fedora is not affected at the moment, but this should be addressed
prior to pushing 0.9 to Fedora. Mike, do you agree or have I possibly missed
Mitre CVE description for CVE-2008-1771:
Integer overflow in the ws_getpostvars function in Firefly Media
Server (formerly mt-daapd) 0.2.4.1 (0.9~r1696-1.2 on Debian) allows
remote attackers to cause a denial of service (crash) and possibly
execute arbitrary code via an HTTP POST request with a large
I applied the patch from Debian, rebuilt and submitted to bodhi. I will rebuild
the package again once the upstream maintainer releases his fix.
mt-daapd-0.9-0.4.1696.fc8 has been submitted as an update for Fedora 8
To correct my initial comment #0:
I've mis-spelled Nico's name, should be Nico Golde, of course. Sorry Nico!
Also my claim that mt-daapd-0.2.4.1 may not be affected was not correct. I have
managed to reproduce the crash with Nico's unmodified reproducer with 0.2.4.1 on
i386. My original test was on x86_64, where read fails with EFAULT before
reading user input. This does not occur on i386 and may not occur on x86_64
with older kernels (pre-2.6.11, it seems).
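To make the mechanism described in comment #0 and the i386/x86_64 difference noted in the correction above concrete, here is an added C model of the flaw class. It is not mt-daapd's webserver.c: the function names, the MAX_POST_LEN ceiling and the read-behaviour switch are assumptions made for the example. It computes the allocation size and read count that the atoi()/malloc(length + 1)/read-with-length pattern produces for a given Content-Length value, compares them instead of performing the overflow, and shows a strtol()-based check that rejects negative or oversized values:

```c
/*
 * Model of the length-handling flaw class behind CVE-2008-1771.
 * Added illustration, not code from mt-daapd/Firefly: the function names,
 * MAX_POST_LEN and the read_behaviour switch are assumptions for the example.
 * Pattern modelled: Content-Length parsed into a signed int, used for
 * malloc(length + 1), then handed to a read routine taking an unsigned count.
 * Nothing here performs the overflow; the sizes are computed and compared.
 */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define MAX_POST_LEN (1024 * 1024)     /* assumed upper bound for a POST body */

enum post_result {
    POST_OK = 0,         /* read count fits the allocation */
    POST_REJECTED,       /* hardened parser refused the header */
    POST_ALLOC_FAIL,     /* wrapped size: malloc() returns NULL, daemon crashes on use */
    POST_READ_EFAULT,    /* kernel refuses the huge read count before copying anything */
    POST_OVERFLOW        /* read count exceeds allocation: heap-based buffer overflow */
};

/* Models the observation in this bug: x86_64 (2.6.11+) fails the read with
 * EFAULT before reading user input, i386 goes ahead and copies. */
enum read_behaviour { READ_ACCEPTS_HUGE_COUNT, READ_REJECTS_HUGE_COUNT };

/* Flawed path: atoi() with no range check. The int32 wrap of length + 1 is
 * written with unsigned arithmetic so the model itself has no undefined behaviour. */
size_t unsafe_alloc_size(const char *content_length)
{
    int32_t length = (int32_t)atoi(content_length);
    int32_t wrapped = (int32_t)((uint32_t)length + 1u);   /* what length + 1 yields in int */
    return (size_t)wrapped;                               /* malloc() takes size_t */
}

size_t unsafe_read_len(const char *content_length)
{
    int32_t length = (int32_t)atoi(content_length);
    return (size_t)length;                                /* -1 becomes SIZE_MAX */
}

/* Hardened path: strtol() with full error checking and a sane ceiling.
 * Returns the length, or -1 if the header must be rejected. */
long safe_content_length(const char *content_length)
{
    char *end;
    long v;

    if (content_length == NULL || *content_length == '\0')
        return -1;
    errno = 0;
    v = strtol(content_length, &end, 10);
    if (errno == ERANGE || end == content_length || *end != '\0')
        return -1;                       /* not a clean decimal number */
    if (v < 0 || v > MAX_POST_LEN)
        return -1;                       /* negative or unreasonably large */
    return v;
}

/* Walk one POST through the chosen path and report what would happen. */
enum post_result simulate_post(const char *content_length, int hardened,
                               enum read_behaviour rb)
{
    size_t alloc_size, read_len;

    if (hardened) {
        long len = safe_content_length(content_length);
        if (len < 0)
            return POST_REJECTED;
        alloc_size = (size_t)len + 1;
        read_len = (size_t)len;
    } else {
        alloc_size = unsafe_alloc_size(content_length);
        read_len = unsafe_read_len(content_length);
    }

    /* Assumed malloc() failure threshold (glibc refuses requests above PTRDIFF_MAX). */
    if (alloc_size > SIZE_MAX / 2)
        return POST_ALLOC_FAIL;
    if (read_len > SIZE_MAX / 2 && rb == READ_REJECTS_HUGE_COUNT)
        return POST_READ_EFAULT;
    if (read_len > alloc_size)
        return POST_OVERFLOW;            /* e.g. malloc(0) chunk, then read(fd, buf, SIZE_MAX) */
    return POST_OK;
}

int main(void)
{
    /* Constructed Content-Length values, not taken from the reproducer. */
    static const char *headers[] = { "512", "-1", "2147483647", "12abc" };
    static const char *names[] = { "ok", "rejected", "alloc-fail", "read-efault", "overflow" };
    size_t i;

    for (i = 0; i < sizeof headers / sizeof headers[0]; i++)
        printf("Content-Length: %-11s unsafe/i386: %-11s unsafe/x86_64: %-11s hardened: %s\n",
               headers[i],
               names[simulate_post(headers[i], 0, READ_ACCEPTS_HUGE_COUNT)],
               names[simulate_post(headers[i], 0, READ_REJECTS_HUGE_COUNT)],
               names[simulate_post(headers[i], 1, READ_ACCEPTS_HUGE_COUNT)]);
    return 0;
}
```

With a 32-bit int, "Content-Length: -1" gives malloc(0) alongside a read count of SIZE_MAX: the kernel-refuses path matches the x86_64 EFAULT result above, the kernel-accepts path is the i386 crash. "Content-Length: 2147483647" wraps the allocation size to a value malloc() refuses, which is the plain DoS case. The hardened parser rejects both before any allocation happens.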
mt-daapd-0.9-0.4.1696.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.
Michael, please note that the fixed version only managed to get to F8, but is
not available in F9 and rawhide, which still have mt-daapd-0.2.4.1-6.fc9.
0.2.4.2 has been built in Koji for F-8 and F-9:
I'm having trouble getting these builds accepted into Bodhi because their version number is lower than a
previously built SVN version.
mt-daapd-0.2.4.2-2.fc9 has been submitted as an update for Fedora 9
Okay, I've learned how to set the epoch to override version numbering issues. I have submitted new
packages for F-9, F-8 and EL-5.
mt-daapd-0.2.4.2-2.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.