Bug 470552 - (CVE-2005-0706) CVE-2005-0706 grip,libcdaudio: buffer overflow caused by large amount of CDDB replies
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Red Hat Product Security
URL: http://nvd.nist.gov/nvd.cfm?cvename=C...
Whiteboard: impact=moderate,public=20050309,sourc...
Keywords: Security
Depends On: 150712 471050 471051 471052 471053
Reported: 2008-11-07 11:45 EST by Tomas Hoger
Modified: 2010-12-21 21:15 EST (History)

Doc Type: Bug Fix
Last Closed: 2010-12-21 21:15:40 EST
Attachments
Patch for grip from upstream bug (845 bytes, patch)
2008-11-07 11:52 EST, Tomas Hoger
Local copy of Gentoo's libcdaudio-0.99-CAN-2005-0706.patch (457 bytes, patch)
2008-11-07 12:30 EST, Tomas Hoger

Description Tomas Hoger 2008-11-07 11:45:39 EST
Common Vulnerabilities and Exposures assigned an identifier CVE-2005-0706 to the following vulnerability:

Buffer overflow in discdb.c for grip 3.1.2 allows attackers to cause a denial
of service (crash) and possibly execute arbitrary code by causing the cddb
lookup to return more matches than expected. 

References:
http://sourceforge.net/tracker/index.php?func=detail&aid=834724&group_id=3714&atid=103714
http://sourceforge.net/tracker/index.php?func=detail&aid=1160134&group_id=3714&atid=303714
http://www.securityfocus.com/bid/12770
http://xforce.iss.net/xforce/xfdb/19648
Comment 1 Tomas Hoger 2008-11-07 11:51:25 EST
This issue was already fixed in grip as shipped in Red Hat Enterprise Linux 2.1:
  http://rhn.redhat.com/errata/RHSA-2005-304.html

However, even though the patch is attached to grip's SF.net bug tracker, it does not seem to be included in current Fedora grip packages (based on upstream 3.2.0).  Additionally, the same fix is needed for libcdaudio as well:

http://sources.gentoo.org/viewcvs.py/gentoo-x86/media-libs/libcdaudio/files/libcdaudio-0.99-CAN-2005-0706.patch

(Gentoo's libcdaudio patch is how I came across this.)
Comment 3 Adrian Reber 2008-11-07 12:08:41 EST
Seems the patch got lost in Core/Extras merger. Somehow it has been only applied to the released branches. I will include it.
Comment 4 Tomas Hoger 2008-11-07 12:30:40 EST
Created attachment 322871 [details]
Local copy of Gentoo's libcdaudio-0.99-CAN-2005-0706.patch
Comment 5 Fedora Update System 2008-11-09 10:12:02 EST
grip-3.2.0-24.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/grip-3.2.0-24.fc10
Comment 6 Fedora Update System 2008-11-09 10:12:43 EST
grip-3.2.0-24.fc9 has been submitted as an update for Fedora 9.
http://admin.fedoraproject.org/updates/grip-3.2.0-24.fc9
Comment 7 Fedora Update System 2008-11-09 10:13:24 EST
grip-3.2.0-24.fc8 has been submitted as an update for Fedora 8.
http://admin.fedoraproject.org/updates/grip-3.2.0-24.fc8
Comment 8 Tomas Hoger 2008-11-11 05:09:10 EST
This also affects gnome-vfs* in Red Hat Enterprise Linux prior to version 5.
Comment 9 Jan Lieskovsky 2008-11-11 09:19:33 EST
The libcdaudio package as shipped with Fedora releases 8, 9 and 10 (libcdaudio-0.99.12p2-8.fc7 and libcdaudio-0.99.12p2-9.fc9) and as shipped with Extra Packages for Enterprise Linux for RHEL4 and RHEL5 (libcdaudio-0.99.12p2-8.el{4,5.1}) is still vulnerable to the CVE-2005-0706 issue.

Relevant part of the code (src/cddb.c -- please have a look at c#4 for Gentoo's libcdaudio-0.99-CAN-2005-0706.patch):

    query->query_matches = 0;
    while(!cddb_read_line(sock, inbuffer, 256)) {
      slashed = 0;
      if(strchr(inbuffer, '/') != NULL && parse_disc_artist) {
        index = 0;

Axel, could you please update the F{8,9,10} packages with this patch?
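The loop quoted in comment 9 counts one match per reply line the server sends, so a server that returns more matches than the fixed-size match array holds drives the index past the array; the fix is a capacity check before each store. The following is an added example, not code from libcdaudio, grip or either patch: a simplified model of the CDDB "query" reply parser with that check in place. The reply format (one "category discid title" line per match, "." as terminator), MAX_MATCHES and the struct layout are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define MAX_MATCHES 4            /* assumed fixed capacity of the match array */
#define LINE_LEN    256

struct cddb_match { char category[32]; char discid[9]; char title[128]; };
struct cddb_query {
    int query_matches;           /* matches actually stored */
    int truncated;               /* set when the server sent more than fit */
    struct cddb_match matches[MAX_MATCHES];
};

/* Stand-in for cddb_read_line(): copies the next line of an in-memory reply
 * into out, returns 0 on success and 1 at end of data (same sense as the
 * loop condition quoted in comment 9). Constructed for this example. */
static int read_line(const char **cursor, char *out, size_t outlen) {
    if (**cursor == '\0') return 1;
    const char *nl = strchr(*cursor, '\n');
    size_t len = nl ? (size_t)(nl - *cursor) : strlen(*cursor);
    size_t n = len >= outlen ? outlen - 1 : len;
    memcpy(out, *cursor, n);
    out[n] = '\0';
    *cursor = nl ? nl + 1 : *cursor + len;
    return 0;
}

/* The quoted loop trusts the server for the number of match lines. The
 * hardening is the capacity test before each store: surplus lines are
 * dropped and flagged instead of being written past matches[].
 * Returns the number of matches stored. */
int parse_query_reply(const char *reply, struct cddb_query *q) {
    char inbuffer[LINE_LEN];
    const char *cursor = reply;
    q->query_matches = 0;
    q->truncated = 0;
    while (!read_line(&cursor, inbuffer, sizeof inbuffer)) {
        if (strcmp(inbuffer, ".") == 0) break;      /* end-of-list marker */
        if (q->query_matches >= MAX_MATCHES) { q->truncated = 1; break; }
        struct cddb_match *m = &q->matches[q->query_matches];
        if (sscanf(inbuffer, "%31s %8s %127[^\n]",
                   m->category, m->discid, m->title) != 3)
            continue;                               /* malformed line: skip */
        q->query_matches++;
    }
    return q->query_matches;
}
```

A caller can use the truncated flag to warn the user that the server offered more matches than the client can display, rather than silently discarding them.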
Comment 12 Jan Lieskovsky 2008-11-11 11:32:25 EST
This issue affects the versions of the gnome-vfs and gnome-vfs2 packages as shipped with Red Hat Enterprise Linux 2.1, 3 and 4.

This issue does NOT affect the versions of the gnome-vfs2 package as shipped with Red Hat Enterprise Linux 5 and Fedora releases 8, 9 and 10.
Comment 13 Fedora Update System 2008-11-19 09:45:24 EST
grip-3.2.0-24.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 14 Fedora Update System 2008-11-19 09:52:45 EST
grip-3.2.0-24.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 15 Fedora Update System 2008-12-02 20:31:13 EST
grip-3.2.0-24.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 16 Fedora Update System 2008-12-27 14:11:00 EST
libcdaudio-0.99.12p2-11.fc9 has been submitted as an update for Fedora 9.
http://admin.fedoraproject.org/updates/libcdaudio-0.99.12p2-11.fc9
Comment 17 Fedora Update System 2008-12-27 14:11:05 EST
libcdaudio-0.99.12p2-11.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/libcdaudio-0.99.12p2-11.fc10
Comment 18 Fedora Update System 2008-12-27 14:11:09 EST
libcdaudio-0.99.12p2-11.fc8 has been submitted as an update for Fedora 8.
http://admin.fedoraproject.org/updates/libcdaudio-0.99.12p2-11.fc8
Comment 19 Axel Thimm 2008-12-27 14:26:13 EST
(In reply to comment #9)
> Axel, could you please update the F{8,9,10} packages with this patch?

The packages are submitted for the testing repo. If you consider this more urgent feel free to push directly into stable. Thanks.
Comment 21 Fedora Update System 2009-02-04 21:14:28 EST
libcdaudio-0.99.12p2-11.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 22 Fedora Update System 2009-02-04 21:22:46 EST
libcdaudio-0.99.12p2-11.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 23 Vincent Danen 2010-12-21 21:15:40 EST
This was addressed via:

Red Hat Enterprise Linux version 2.1 (RHSA-2005:304)
Red Hat Enterprise Linux version 2.1 (RHSA-2009:0005)
Red Hat Enterprise Linux version 3 (RHSA-2009:0005)
Red Hat Enterprise Linux version 4 (RHSA-2009:0005)
