Bug 470544 - CVE-2008-5030 libcdaudio: buffer overflow in cddb reply parsing
Status: CLOSED CURRENTRELEASE
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Target Release: ---
Assigned To: Red Hat Product Security
Whiteboard: source=osssecurity,reported=20081105,...
Keywords: Security
Depends On:
Blocks:
Reported: 2008-11-07 11:28 EST by Tomas Hoger
Modified: 2008-11-11 03:49 EST (History)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2008-11-11 03:49:52 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments: None
Description Tomas Hoger 2008-11-07 11:28:17 EST
libcdaudio recently fixed a buffer overflow in the handling of CDDB replies.  A malicious CDDB server could use this flaw to trigger a heap-based overflow for clients using libcdaudio.

Report from Thomas Biege:
  http://www.openwall.com/lists/oss-security/2008/11/05/1

--- src/cddb.c
+++ src/cddb.c
@@ -1679,7 +1679,7 @@ cddb_read_disc_data(int cd_desc, struct disc_data
*outdata)
       free(file);

       while(!feof(cddb_data)) {
-       fgets(inbuffer, 512, cddb_data);
+       fgets(inbuffer, 256, cddb_data);
        cddb_process_line(inbuffer, data);
       }
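Review bot: the fix only changes the literal passed to fgets, and nothing in the visible lines shows how large inbuffer is, so a reader cannot confirm that 256 matches the declaration or notice if the two drift apart again later; `fgets(inbuffer, sizeof(inbuffer), cddb_data);` ties the bound to the buffer itself. The surrounding loop also deserves attention: `while(!feof(cddb_data))` ignores the return value of fgets, and feof() only becomes true after a read has already failed, so cddb_process_line runs one extra time on the stale contents of inbuffer; `while (fgets(inbuffer, sizeof(inbuffer), cddb_data) != NULL)` avoids both problems. Finally, with the shorter read a reply line longer than the buffer no longer overflows but is split across two iterations, and its tail is parsed as if it were a separate line; the caller should decide whether to discard such lines or drain to the newline rather than silently process the fragment.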
Comment 1 Tomas Hoger 2008-11-07 11:29:19 EST
This is mostly a heads-up bug report, as Fedora libcdaudio packages are not affected: they have had a patch for this flaw included for quite a long time.  Unlike the current upstream patch, instead of using a shorter fgets, it mallocs more space (see libcdaudio-0.99.12-buffovfl.patch).

http://cvs.fedoraproject.org/viewvc/rpms/libcdaudio/devel/libcdaudio-0.99.12-buffovfl.patch

Seems to be included as of:

* Tue Sep 13 2005 Axel Thimm <Axel.Thimm@ATrpms.net>
- Patch to fix buffer overflow by Brian C. Huffman
  <huffman@graze.net>.

I also checked grip, which has CDDB code similar to libcdaudio.  The version of grip shipped in Red Hat Enterprise Linux 2.1 is not affected by this flaw, and the current grip version shipped in Fedora / EPEL does not seem to be affected either.
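The two fixes discussed above (upstream shortens the fgets read to fit the buffer; the Fedora patch enlarges the buffer instead) both address the size mismatch, but neither changes the `while(!feof())` loop or decides what happens to a reply line longer than the buffer. The following is an added example, not code from libcdaudio, Fedora or the upstream patch, of how a defensive CDDB reply reader can be written in C. The type `struct disc_info`, the functions `process_line`, `read_cddb_reply` and `parse_sample`, and the `CDDB_LINE_MAX` constant are hypothetical stand-ins chosen for this illustration; the reply text it parses is constructed inline.

```c
#define _POSIX_C_SOURCE 200809L  /* for fmemopen(), used to feed a constructed reply from memory */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical names; libcdaudio's own types and helpers are not reproduced here. */
#define CDDB_LINE_MAX 256

struct disc_info {
    char title[CDDB_LINE_MAX];
    int  lines_processed;
    int  lines_rejected;
};

/* Handle one complete reply line (stand-in for a cddb_process_line-style helper). */
static void process_line(struct disc_info *d, const char *line)
{
    if (strncmp(line, "DTITLE=", 7) == 0) {
        /* snprintf bounds the copy by the destination size, never by the input length */
        snprintf(d->title, sizeof d->title, "%s", line + 7);
        size_t n = strlen(d->title);
        if (n > 0 && d->title[n - 1] == '\n')
            d->title[n - 1] = '\0';
    }
    d->lines_processed++;
}

/* Read a CDDB reply line by line. Returns the number of lines handed to
 * process_line, or -1 on a stream error. */
int read_cddb_reply(FILE *fp, struct disc_info *d)
{
    char inbuffer[CDDB_LINE_MAX];

    memset(d, 0, sizeof *d);
    /* sizeof inbuffer ties the read limit to the real buffer size, so the two
     * cannot drift apart the way 512 and the 256-byte buffer did. Looping on
     * the return value also avoids the while(!feof()) pattern, which runs the
     * body once more on stale data after the final read has failed. */
    while (fgets(inbuffer, sizeof inbuffer, fp) != NULL) {
        size_t n = strlen(inbuffer);
        if (n > 0 && inbuffer[n - 1] != '\n') {
            int c = fgetc(fp);
            if (c != EOF && c != '\n') {
                /* fgets filled the buffer before reaching the newline. Left
                 * alone, the rest of this line would come back from the next
                 * fgets and be parsed as a fresh line. Drain and reject it. */
                while ((c = fgetc(fp)) != EOF && c != '\n')
                    ;
                d->lines_rejected++;
                continue;
            }
            /* '\n' here means the line fit exactly; EOF means an unterminated last line. */
        }
        process_line(d, inbuffer);
    }
    return ferror(fp) ? -1 : d->lines_processed;
}

/* Constructed samples: overlong == 0 is a well-formed reply; overlong != 0
 * carries a DTITLE line of 600 bytes, well beyond CDDB_LINE_MAX.
 * Returns a pointer to a static result. */
const struct disc_info *parse_sample(int overlong)
{
    static struct disc_info result;
    char *text = malloc(800);

    if (!overlong) {
        strcpy(text, "# xmcd\nDTITLE=Artist / Album\nTTITLE0=Track 1\n");
    } else {
        strcpy(text, "DTITLE=");
        memset(text + 7, 'A', 600);
        strcpy(text + 607, "\nTTITLE0=Track 1\n");
    }
    FILE *fp = fmemopen(text, strlen(text), "r");
    read_cddb_reply(fp, &result);
    fclose(fp);
    free(text);
    return &result;
}

int main(void)
{
    const struct disc_info *d = parse_sample(1);
    printf("processed=%d rejected=%d title=\"%s\"\n",
           d->lines_processed, d->lines_rejected, d->title);
    return 0;
}
```

On the well-formed sample all three lines are processed and the title is captured; on the hostile sample the 600-byte DTITLE line is drained and counted as rejected rather than being overflowed into the buffer or parsed as two separate lines, and only the following TTITLE0 line reaches process_line.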
Comment 2 Tomas Hoger 2008-11-11 03:41:21 EST
CVE id CVE-2008-5030 was assigned to this issue:

Heap-based buffer overflow in the cddb_read_disc_data function in
cddb.c in libcdaudio 0.99.12p2 allows remote attackers to execute
arbitrary code via long CDDB data.
Comment 3 Tomas Hoger 2008-11-11 03:49:52 EST
libcdaudio packages shipped in Fedora already contain a patch to address this issue.  CDDB handling in gnome-vfs2 and grip is not affected by this flaw.
