Tobias Klein discovered multiple buffer overflows in amarok in the Audible .aa files parser.
Fixed upstream in: 2.0.1.1
Upstream SVN commits:
http://websvn.kde.org/?view=rev&revision=908391 (trunk)
http://websvn.kde.org/?view=rev&revision=908401 (2.0.x)
http://websvn.kde.org/?view=rev&revision=908415 (1.4.x)
Keeping this bug restricted for now, as upstream only plan to announce it later today. Will add bug to already submitted update request once this is public.
Public now via:
http://amarok.kde.org/en/releases/2.0.1.1
http://www.trapkit.de/advisories/TKADV2009-002.txt
*** Bug 479946 has been marked as a duplicate of this bug. ***
amarok-2.0.1.1-1.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.
Related CVE assignments:
CVE-2009-0135: Multiple integer overflows in the Audible::Tag::readTag function in metadata/audible/audibletag.cpp in Amarok 1.4.10 through 2.0.1 allow remote attackers to execute arbitrary code via an Audible Audio (.aa) file with a large (1) nlen or (2) vlen Tag value, each of which triggers a heap-based buffer overflow.
CVE-2009-0136: Multiple array index errors in the Audible::Tag::readTag function in metadata/audible/audibletag.cpp in Amarok 1.4.10 through 2.0.1 allow remote attackers to cause a denial of service (application crash) or execute arbitrary code via an Audible Audio (.aa) file with a crafted (1) nlen or (2) vlen Tag value, each of which can lead to an invalid pointer dereference, or the writing of a 0x00 byte to an arbitrary memory location, after an allocation failure.
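A hardened reader for the length-prefixed name/value fields that the CVE text above describes, added here as an example; it is not Amarok's code, and the 4-byte big-endian nlen/vlen layout, the struct tag type and the function names are assumptions for illustration. It bounds each length against the input actually present (so nlen + 1 cannot wrap and the copy cannot overrun the heap buffer) and never writes the 0x00 terminator when the allocation fails.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Assumed tag layout for this example (not Amarok's real .aa format): 4-byte
 * big-endian nlen, 4-byte big-endian vlen, nlen name bytes, vlen value bytes. */
struct tag { char *name; char *value; };

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Copy one length-prefixed field into a fresh NUL-terminated heap buffer.
 * Returns NULL when the field does not fit in the remaining input or the
 * allocation fails; the 0x00 terminator is only ever written into a real buffer. */
static char *copy_field(const uint8_t *p, size_t remaining, uint32_t len) {
    if (len > remaining)                  /* bound against the actual input size; this */
        return NULL;                      /* also means (size_t)len + 1 cannot wrap    */
    char *out = malloc((size_t)len + 1);
    if (out == NULL)                      /* skipping this check is the CVE-2009-0136   */
        return NULL;                      /* "write 0x00 after allocation failure" case */
    memcpy(out, p, len);
    out[len] = '\0';
    return out;
}

/* Parse a single tag. Returns 0 on success, -1 on any malformed input. */
int read_tag(const uint8_t *buf, size_t buflen, struct tag *t) {
    t->name = t->value = NULL;
    if (buflen < 8)
        return -1;
    uint32_t nlen = be32(buf), vlen = be32(buf + 4);
    size_t remaining = buflen - 8;
    t->name = copy_field(buf + 8, remaining, nlen);
    if (t->name == NULL)
        return -1;
    remaining -= nlen;                    /* safe: copy_field verified nlen <= remaining */
    t->value = copy_field(buf + 8 + nlen, remaining, vlen);
    if (t->value == NULL) { free(t->name); t->name = NULL; return -1; }
    return 0;
}

void free_tag(struct tag *t) {
    free(t->name); free(t->value); t->name = t->value = NULL;
}
```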
amarok-1.4.10-2.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.
This has also been corrected in EPEL5:
* Mon Jan 12 2009 Rex Dieter <rdieter> - 1.4.10-2
- backport security patch