Bug 470552 (CVE-2005-0706) - CVE-2005-0706 grip,libcdaudio: buffer overflow caused by large amount of CDDB replies
Summary: CVE-2005-0706 grip,libcdaudio: buffer overflow caused by large amount of CDDB...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2005-0706
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL: http://nvd.nist.gov/nvd.cfm?cvename=C...
Whiteboard: impact=moderate,public=20050309,sourc...
Depends On: 150712 471050 471051 471052 471053
Blocks:
TreeView+ depends on / blocked
 
Reported: 2008-11-07 16:45 UTC by Tomas Hoger
Modified: 2019-06-08 12:37 UTC (History)
8 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2010-12-22 02:15:40 UTC


Attachments (Terms of Use)
Patch for grip from upstream bug (845 bytes, patch)
2008-11-07 16:52 UTC, Tomas Hoger
no flags Details | Diff
Local copy of Gentoo's libcdaudio-0.99-CAN-2005-0706.patch (457 bytes, patch)
2008-11-07 17:30 UTC, Tomas Hoger
no flags Details | Diff


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2009:0005 normal SHIPPED_LIVE Moderate: gnome-vfs, gnome-vfs2 security update 2009-01-07 10:51:12 UTC

Description Tomas Hoger 2008-11-07 16:45:39 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2005-0706 to the following vulnerability:

Buffer overflow in discdb.c for grip 3.1.2 allows attackers to cause a denial
of service (crash) and possibly execute arbitrary code by causing the cddb
lookup to return more matches than expected. 

References:
http://sourceforge.net/tracker/index.php?func=detail&aid=834724&group_id=3714&atid=103714
http://sourceforge.net/tracker/index.php?func=detail&aid=1160134&group_id=3714&atid=303714
http://www.securityfocus.com/bid/12770
http://xforce.iss.net/xforce/xfdb/19648

Comment 1 Tomas Hoger 2008-11-07 16:51:25 UTC
This issue was already fixed in grip as shipped in Red Hat Enterprise Linux 2.1:
  http://rhn.redhat.com/errata/RHSA-2005-304.html

However, even though the patch is attached to grip's SF.net bug tracker, it does not seem to be included in current Fedora grip packages (based on upstream 3.2.0).  Additionally, the same fix is needed for libcdaudio as well:

http://sources.gentoo.org/viewcvs.py/gentoo-x86/media-libs/libcdaudio/files/libcdaudio-0.99-CAN-2005-0706.patch

(The Gentoo's libcdaudio patch was the way how I came across this.)

Comment 3 Adrian Reber 2008-11-07 17:08:41 UTC
Seems the patch got lost in Core/Extras merger. Somehow it has been only applied to the released branches. I will include it.

Comment 4 Tomas Hoger 2008-11-07 17:30:40 UTC
Created attachment 322871 [details]
Local copy of Gentoo's libcdaudio-0.99-CAN-2005-0706.patch

Comment 5 Fedora Update System 2008-11-09 15:12:02 UTC
grip-3.2.0-24.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/grip-3.2.0-24.fc10

Comment 6 Fedora Update System 2008-11-09 15:12:43 UTC
grip-3.2.0-24.fc9 has been submitted as an update for Fedora 9.
http://admin.fedoraproject.org/updates/grip-3.2.0-24.fc9

Comment 7 Fedora Update System 2008-11-09 15:13:24 UTC
grip-3.2.0-24.fc8 has been submitted as an update for Fedora 8.
http://admin.fedoraproject.org/updates/grip-3.2.0-24.fc8

Comment 8 Tomas Hoger 2008-11-11 10:09:10 UTC
This also affects gnome-vfs* in Red Hat Enterprise Linux prior to version 5.

Comment 9 Jan Lieskovsky 2008-11-11 14:19:33 UTC
The libcdaudio package as shipped with Fedora releases of 8, 9 and 10
(libcdaudio-0.99.12p2-8.fc7 and libcdaudio-0.99.12p2-9.fc9)
and as shipped with Extra Packages for Enterprise Linux for RHEL4 and RHEL5 (libcdaudio-0.99.12p2-8.el{4,5.1}) are still vulnerable to the CVE-2005-0706
issue.

Relevant part of the code (src/cddb.c -- please have a look
at c#4 for the Gentoo's libcdaudio-0.99-CAN-2005-0706.patch):

1054     query->query_matches = 0;
1055     while(!cddb_read_line(sock, inbuffer, 256)) {
1056       slashed = 0;
1057       if(strchr(inbuffer, '/') != NULL && parse_disc_artist) {
1058         index = 0;

Axel, could you please update the F{8,9,10} packages with this patch?

Comment 12 Jan Lieskovsky 2008-11-11 16:32:25 UTC
This issue affects the version of the gnome-vfs and gnome-vfs2 package,
as shipped with Red Hat Enterprise Linux 2.1, 3 and 4.

This issue does NOT affect the versions of the gnome-vfs2 package, 
as shipped with Red Hat Enterprise Linux 5 and Fedora relesases of
8, 9 and 10.

Comment 13 Fedora Update System 2008-11-19 14:45:24 UTC
grip-3.2.0-24.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 14 Fedora Update System 2008-11-19 14:52:45 UTC
grip-3.2.0-24.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 15 Fedora Update System 2008-12-03 01:31:13 UTC
grip-3.2.0-24.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 16 Fedora Update System 2008-12-27 19:11:00 UTC
libcdaudio-0.99.12p2-11.fc9 has been submitted as an update for Fedora 9.
http://admin.fedoraproject.org/updates/libcdaudio-0.99.12p2-11.fc9

Comment 17 Fedora Update System 2008-12-27 19:11:05 UTC
libcdaudio-0.99.12p2-11.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/libcdaudio-0.99.12p2-11.fc10

Comment 18 Fedora Update System 2008-12-27 19:11:09 UTC
libcdaudio-0.99.12p2-11.fc8 has been submitted as an update for Fedora 8.
http://admin.fedoraproject.org/updates/libcdaudio-0.99.12p2-11.fc8

Comment 19 Axel Thimm 2008-12-27 19:26:13 UTC
(In reply to comment #9)
> Axel, could you please update the F{8,9,10} packages with this patch?

The packages are submitted for the testing repo. If you consider this more urgent feel free to push directly into stable. Thanks.

Comment 21 Fedora Update System 2009-02-05 02:14:28 UTC
libcdaudio-0.99.12p2-11.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 22 Fedora Update System 2009-02-05 02:22:46 UTC
libcdaudio-0.99.12p2-11.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 23 Vincent Danen 2010-12-22 02:15:40 UTC
This was addressed via:

Red Hat Enterprise Linux version 2.1 (RHSA-2005:304)
Red Hat Enterprise Linux version 2.1 (RHSA-2009:0005)
Red Hat Enterprise Linux version 3 (RHSA-2009:0005)
Red Hat Enterprise Linux version 4 (RHSA-2009:0005)


Note You need to log in before you can comment on or make changes to this bug.