Bug 56826 - security issues (MIDI lyrics format string / buffer overflow attacks)
Status: CLOSED WONTFIX
Product: Red Hat Linux
Classification: Retired
Component: timidity++ (Show other bugs)
Version: 7.2
Hardware: athlon Linux
Priority: medium
Severity: medium
Assigned To: Bernhard Rosenkraenzer
Keywords: Security
Reported: 2001-11-28 08:58 EST by Miloslav Trmac
Modified: 2008-05-01 11:38 EDT (History)
Last Closed: 2001-11-28 09:01:39 EST

Attachments
- test file showing the format string attack (harmless AFAIK) (26.63 KB, application/octet-stream), 2001-11-28 09:00 EST, Miloslav Trmac
- patch resolving the issues (sorry, maybe got CR+LF there) (2.98 KB, patch), 2001-11-28 09:01 EST, Miloslav Trmac

Description Miloslav Trmac 2001-11-28 08:58:25 EST
From Bugzilla Helper:
User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)

Description of problem:
Hello,
I've come across a format string bug in the slang interface of TiMidity
when displaying lyrics, as demonstrated by the attached midi file
which contains for example %E in lyrics.

While chasing this one, I have found and hopefully fixed a few other bugs:
- Buffer overflow in XAW interface: please note that I don't know anything
  about MIDI format, so it may well be possible that this cannot happen
  (or that it is checked at some other place of TiMidity); however,
  the buffer length is enforced in all other parts of ctl_lyric ().
  [FIX TESTED ONLY TO COMPILE].
- The same in xskin, but this time the buffer length was never enforced.
  [FIX TESTED ONLY TO COMPILE].
- The dumb interface doesn't fflush () its output for lyrics not in
  ME_KARAOKE_LYRIC format (what's that?), so lyrics may appear only
  after whole line is completed.

For someone more knowledgeable to solve / dismiss:
make_temp_filename () in timidity/common.c and its usage seems
unsafe (a quite predictable file name is blindly unlinked
and then new file is written in its place using fopen (). 
(i. e. no O_EXCL flag)).


Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
1. timidity -is quizas.mid

Actual Results:  Lyrics contain weird floating-point numbers

Expected Results:  Lyrics contain %E7 etc.

Additional info:
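The three defects the report above describes, shown in working form as an added example; this is not TiMidity++ code and not the attached patch. It shows a lyric line buffer whose length is enforced on every append (the XAW/xskin overflow), a display routine that passes the lyric as an argument to a fixed "%s" format instead of using it as the format (the slang format string bug), and a scratch file created with mkstemp() rather than unlink() followed by fopen() (the make_temp_filename() concern). The type and function names (lyric_line, lyric_append, lyric_render, lyric_tempfile), the 80-byte line size and the sample lyric text are all hypothetical, chosen for the example.

```c
/*
 * Added example, not TiMidity++ code: how a lyric-display routine should
 * treat MIDI lyric text that the file's author controls.  All names,
 * the line size and the sample lyrics below are hypothetical/constructed.
 */
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define LYRIC_LINE_MAX 80   /* fixed-size display line, as in a curses-style UI */

struct lyric_line {
    char   text[LYRIC_LINE_MAX];
    size_t len;             /* bytes used; always < LYRIC_LINE_MAX */
};

/* Append one lyric event to the current line, enforcing the buffer
 * length on every path.  Returns the number of bytes actually copied;
 * whatever does not fit is dropped instead of being written past the
 * end of text[] (the XAW/xskin-style overflow). */
size_t lyric_append(struct lyric_line *line, const char *event)
{
    size_t room = LYRIC_LINE_MAX - 1 - line->len;   /* keep space for the NUL */
    size_t n = strlen(event);
    if (n > room)
        n = room;
    memcpy(line->text + line->len, event, n);
    line->len += n;
    line->text[line->len] = '\0';
    return n;
}

/* Render the line for display.  The lyric is DATA, never the FORMAT:
 *     snprintf(out, outsz, line->text);         <- format string bug
 *     snprintf(out, outsz, "%s", line->text);   <- fixed form used here
 * A lyric containing "%E7" is shown verbatim instead of being expanded
 * into a floating-point number read from wherever the varargs point. */
int lyric_render(char *out, size_t outsz, const struct lyric_line *line)
{
    return snprintf(out, outsz, "%s", line->text);
}

/* Create a scratch file safely: mkstemp() picks an unpredictable name and
 * opens it with O_CREAT|O_EXCL and mode 0600, so a symlink pre-placed at a
 * guessable path cannot redirect the write.  Contrast with
 *     unlink(fixed_name); fopen(fixed_name, "w");
 * which is a race between the unlink and the open.
 * Returns the open fd (or -1); the caller owns it and unlinks path. */
int lyric_tempfile(char *path, size_t pathsz)
{
    const char tmpl[] = "/tmp/timidity-XXXXXX";   /* hypothetical prefix */
    if (pathsz < sizeof tmpl)
        return -1;
    memcpy(path, tmpl, sizeof tmpl);
    return mkstemp(path);
}

int main(void)
{
    struct lyric_line line = { "", 0 };
    char out[LYRIC_LINE_MAX];
    char path[64];

    /* constructed lyric events; the "%E7" one stands in for the attached .mid */
    lyric_append(&line, "Quizas, ");
    lyric_append(&line, "%E7 %n %s");
    lyric_render(out, sizeof out, &line);
    printf("rendered: %s\n", out);

    int fd = lyric_tempfile(path, sizeof path);
    if (fd >= 0) {
        unlink(path);
        close(fd);
    }
    return 0;
}
```

The bounds check in lyric_append is the same one the report says the other parts of ctl_lyric() already apply; putting it in the single append routine means no interface can forget it. The "%n" in the constructed lyric is there to show that with the fixed "%s" format it is inert text rather than a write primitive.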
Comment 1 Miloslav Trmac 2001-11-28 09:00:38 EST
Created attachment 38904 [details]
test file showing the format string attack (harmless AFAIK)
Comment 2 Miloslav Trmac 2001-11-28 09:01:33 EST
Created attachment 38905 [details]
patch resolving the issues (sorry, maybe got CR+LF there)
Comment 3 Miloslav Trmac 2002-01-01 17:23:57 EST
OK, fixed upstream. Never mind that nobody from RH has even _noticed_...
