Red Hat Bugzilla – Bug 470544
CVE-2008-5030 libcdaudio: buffer overflow in cddb reply parsing
Last modified: 2008-11-11 03:49:52 EST
libcdaudio recently fixed a buffer overflow in the handling of CDDB replies. A malicious CDDB server could use this flaw to trigger a heap-based overflow in clients using libcdaudio.
Report from Thomas Biege:
@@ -1679,7 +1679,7 @@ cddb_read_disc_data(int cd_desc, struct disc_data
- fgets(inbuffer, 512, cddb_data);
+ fgets(inbuffer, 256, cddb_data);
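Review bot: the hunk shows only the changed fgets call, so the declaration of inbuffer is not visible and a reader cannot confirm that 256 actually matches its size; if inbuffer is a fixed array, `fgets(inbuffer, sizeof(inbuffer), cddb_data)` would keep the read bound tied to the declaration so the two cannot drift apart again. The `@@ -1679,7 +1679,7 @@` header also promises surrounding context lines that are missing from this excerpt.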
This is mostly a heads-up bug report, as Fedora libcdaudio packages are not affected: they have had a patch for this flaw included for quite a long time. Unlike the current upstream patch, it mallocs more space instead of using a shorter fgets (see libcdaudio-0.99.12-buffovfl.patch).
Seems to be included as of:
* Tue Sep 13 2005 Axel Thimm <Axel.Thimm@ATrpms.net>
- Patch to fix buffer overflow by Brian C. Huffman
I also checked grip, which has CDDB code similar to libcdaudio. The version of grip shipped in Red Hat Enterprise Linux 2.1 is not affected by this flaw, and the current grip version shipped in Fedora / EPEL does not seem to be affected by it either.
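An added illustration, not code from libcdaudio, from Fedora's patch or from this report: a CDDB reply reader that takes the fgets bound from the buffer's own size (a variant of the upstream "shorter fgets" fix rather than Fedora's larger malloc) and reports an over-long line instead of silently truncating it. The reply it parses is constructed; the 256-byte bound is the one used in the patch above.

```c
#include <stdio.h>
#include <string.h>

#define CDDB_LINE_MAX 256 /* same bound the upstream fix passes to fgets */
enum { CDDB_EOF = 0, CDDB_LINE_OK = 1, CDDB_LINE_TOO_LONG = 2 };

/* Read one reply line into buf. The read length is bufsz (callers pass
 * sizeof their array), so it cannot drift from the declaration the way 512
 * vs. 256 did in cddb_read_disc_data. An over-long line is truncated, the
 * rest drained to stay line-aligned, and CDDB_LINE_TOO_LONG is returned. */
static int read_cddb_line(FILE *fp, char *buf, size_t bufsz)
{
    if (bufsz == 0 || fgets(buf, (int)bufsz, fp) == NULL)
        return CDDB_EOF;
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[len - 1] = '\0';
        return CDDB_LINE_OK;
    }
    int c, drained = 0; /* no newline: final line, or one that did not fit */
    while ((c = fgetc(fp)) != EOF && c != '\n')
        drained = 1;
    return drained ? CDDB_LINE_TOO_LONG : CDDB_LINE_OK;
}

/* Constructed sample "cddb read" reply whose DTITLE line is 607 bytes, far
 * beyond CDDB_LINE_MAX, as a hostile server could send. Counts lines that
 * fit and lines truncated, up to the "." terminator; returns lines read. */
static int scan_sample_reply(int *ok_lines, int *long_lines)
{
    char line[CDDB_LINE_MAX];
    FILE *fp = tmpfile();
    int n = 0, st;
    *ok_lines = *long_lines = 0;
    if (fp == NULL)
        return -1;
    fputs("210 misc 0a0b0c0d\n# xmcd\nDTITLE=", fp);
    for (int i = 0; i < 600; i++)
        fputc('A', fp);
    fputs("\nDYEAR=2008\n.\n", fp);
    rewind(fp);
    while ((st = read_cddb_line(fp, line, sizeof line)) != CDDB_EOF) {
        n++;
        if (st == CDDB_LINE_TOO_LONG) (*long_lines)++; else (*ok_lines)++;
        if (st == CDDB_LINE_OK && strcmp(line, ".") == 0)
            break;
    }
    fclose(fp);
    return n;
}
```

The sample yields five lines, four that fit and one (the DTITLE line) flagged as truncated; a client can then reject the reply rather than use a silently cut-off field.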
CVE id CVE-2008-5030 was assigned to this issue:
Heap-based buffer overflow in the cddb_read_disc_data function in cddb.c in libcdaudio 0.99.12p2 allows remote attackers to execute arbitrary code via long CDDB data.
libcdaudio packages shipped in Fedora already contain a patch to address this issue. CDDB handling in gnome-vfs2 and grip is not affected by this flaw.