Bug 614643 - (CVE-2009-3995, CVE-2009-3996, CVE-2010-2546, CVE-2010-2971) CVE-2009-3995 CVE-2009-3996 libmikmod: arbitrary code execution via crafted Impulse Tracker or Ultratracker files
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Red Hat Product Security
Whiteboard: public=20100205,reported=20100328,sou...
Keywords: Security
Depends On: 614650 617483 617484 617485 617486 617487 833940
Reported: 2010-07-14 17:41 EDT by Vincent Danen
Modified: 2012-06-20 10:23 EDT (History)
Doc Type: Bug Fix
Last Closed: 2010-09-28 11:11:53 EDT
Attachments
patch from Debian to correct the issues (1.32 KB, patch)
2010-07-14 17:46 EDT, Vincent Danen
Do checks in IT_LoadEnvelope (1.29 KB, patch)
2010-07-22 10:24 EDT, Tomas Hoger
Description Vincent Danen 2010-07-14 17:41:55 EDT
Multiple heap-based buffer overflow vulnerabilities were found in libmikmod. These flaws could allow a remote attacker able to coerce a local user using an application linked against libmikmod, to open an Impulse Tracker, crafted samples, or an Ultratracker file, to execute arbitrary code with the privileges of the user running the application.

CVE-2009-3995:

Multiple heap-based buffer overflows in IN_MOD.DLL (aka the Module Decoder Plug-in) in Winamp before 5.57, and libmikmod 3.1.12, might allow remote attackers to execute arbitrary code via (1) crafted samples or (2) crafted instrument definitions in an Impulse Tracker file. NOTE: some of these details are obtained from third party information.

CVE-2009-3996:

Heap-based buffer overflow in IN_MOD.DLL (aka the Module Decoder Plug-in) in Winamp before 5.57, and libmikmod 3.1.12, might allow remote attackers to execute arbitrary code via an Ultratracker file.

References:

http://www.vupen.com/english/advisories/2009/3575
http://secunia.com/secunia_research/2009-55/
Comment 2 Vincent Danen 2010-07-14 17:46:09 EDT
Created attachment 431930 [details]
patch from Debian to correct the issues

This patch was pulled from libmikmod_3.1.11-6+lenny1.diff, which is from DSA 2071-1.
Comment 4 Vincent Danen 2010-07-14 17:53:45 EDT
Created libmikmod tracking bugs for this issue

Affects: fedora-all [bug 614650]
Comment 5 Tomas Hoger 2010-07-19 11:16:58 EDT
(In reply to comment #2)
> Created an attachment (id=431930) [details]
> patch from Debian to correct the issues
> 
> This patch was pulled from libmikmod_3.1.11-6+lenny1.diff, which is from DSA
> 2071-1.    

This seems to contain the following two upstream CVS commits:

http://mikmod.cvs.sourceforge.net/viewvc/mikmod/libmikmod/loaders/load_it.c?r1=1.3&r2=1.4
http://mikmod.cvs.sourceforge.net/viewvc/mikmod/libmikmod/loaders/load_ult.c?r1=1.2&r2=1.3

However, the load_it.c fix seems to be incomplete and possibly mis-placed too.  The IT_ProcessEnvelope macro is used to do common processing on volume, panning and pitch envelopes.  It writes to the volenv/panenv/pitenv arrays of ENVPOINTS size using volpts/panpts/pitpts as an upper bound (those are unsigned char variables, with a maximum value of 255), so the for loop following the check is not the first place where the name##env arrays are written to.  I don't see why the upstream fix only adds a check for vol and not pan and pit, and why the check is not done in IT_LoadEnvelope already.

Reading the Secunia advisory, it seems they've treated all three cases as issues:

"... when parsing an instrument containing a column, panning, or pitch envelope with more than ENVPOINTS (32) points ..."

(I guess this should say: containing a *volume*, panning, or pitch envelope)
Comment 6 Tomas Hoger 2010-07-19 11:44:23 EDT
(In reply to comment #5)
> It writes to volenv/panenv/pitenv arrays with ENVPOINTS size using
> volpts/panpts/pitpts as an upper bound (those are unsigned char variables,
> with maximum value of 255), for loop following the check is hence not the
> first place where name##env arrays are written to.

Additionally, values written to name##env are read from name##tick and name##node, which are of size ITENVCNT (25).
Comment 10 Tomas Hoger 2010-07-22 10:16:51 EDT
(In reply to comment #5)

> However, load_it.c fix seems to be incomplete and possibly mis-placed too. 
> IT_ProcessEnvelope macro is used do common processing on volume, panning and
> pitch envelopes.  It writes to volenv/panenv/pitenv arrays with ENVPOINTS size
> using volpts/panpts/pitpts as an upper bound (those are unsigned char
> variables, with maximum value of 255), for loop following the check is hence
> not the first place where name##env arrays are written to.  I don't see why
> upstream fix only adds check for vol and not pan and pit, and why the check is
> not done in IT_LoadEnvelope already.

Secunia reproducers crash libmikmod with upstream patch for CVE-2009-3995, so that fix is really bogus.
Comment 11 Tomas Hoger 2010-07-22 10:24:21 EDT
Created attachment 433716 [details]
Do checks in IT_LoadEnvelope

Moves the name##pts check to IT_LoadEnvelope.  Uses ITENVCNT as an upper bound.  It is less than the name##env size (ENVPOINTS), but only ITENVCNT items are read from the file into name##node and name##tick, so trying to use a higher upper bound should over-read the buffer.  Please correct me if I'm missing something.
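As an added illustration written for this page (not libmikmod's own code and not part of the comment above), the array relationship described in comments #5 and #6 and the bound proposed in comment #11: a constructed envelope loader where name##env holds ENVPOINTS (32) entries, name##tick and name##node hold the ITENVCNT (25) entries read from the file, and the count byte is validated against ITENVCNT at the point it is read, before any processing loop uses it. The struct layout, the on-disk byte format, and every function name below are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Sizes as named in the bug discussion: name##env has ENVPOINTS entries,
   name##tick/name##node have ITENVCNT entries read from the file. The struct,
   the record format and the functions are a constructed illustration, not
   libmikmod's code. */
#define ENVPOINTS 32
#define ITENVCNT  25

typedef struct { uint8_t node; uint16_t tick; } ENVPT;

typedef struct {
    uint8_t  volpts;               /* point count taken from the file: 0..255 */
    uint8_t  volnode[ITENVCNT];    /* raw points as read from the file */
    uint16_t voltick[ITENVCNT];
    ENVPT    volenv[ENVPOINTS];    /* processed envelope */
} INSTRUMENT;

/* The pattern the bug describes: the loop bound is the unchecked count byte,
   so a count above ITENVCNT reads past volnode/voltick and a count above
   ENVPOINTS writes past volenv. Kept only for contrast; the loader below never
   calls it, and it must not run on an instrument whose count was not checked. */
void process_envelope_unchecked(INSTRUMENT *ih) {
    for (unsigned u = 0; u < ih->volpts; u++) {
        ih->volenv[u].node = ih->volnode[u];
        ih->volenv[u].tick = ih->voltick[u];
    }
}

/* The check the attached patch moves into the loader: bound the count by the
   smaller buffer (ITENVCNT), so every later loop stays inside both arrays. */
int envelope_points_ok(unsigned pts) {
    return pts <= ITENVCNT;
}

/* Constructed record layout for this example: one count byte, then ITENVCNT
   node bytes, then ITENVCNT little-endian 16-bit ticks. */
#define ENV_RECORD_LEN (1 + ITENVCNT + 2 * ITENVCNT)

/* Returns 0 on success, -1 if the record is short or the count is too large.
   Nothing is copied into ih on failure. */
int load_envelope(INSTRUMENT *ih, const uint8_t *rec, size_t len) {
    if (len < ENV_RECORD_LEN) return -1;
    unsigned pts = rec[0];
    if (!envelope_points_ok(pts)) return -1;     /* the bounds check */
    ih->volpts = (uint8_t)pts;
    memcpy(ih->volnode, rec + 1, ITENVCNT);
    for (unsigned u = 0; u < ITENVCNT; u++)
        ih->voltick[u] = (uint16_t)(rec[1 + ITENVCNT + 2 * u] |
                                    (rec[2 + ITENVCNT + 2 * u] << 8));
    /* pts <= ITENVCNT < ENVPOINTS, so this loop is in bounds for all arrays */
    for (unsigned u = 0; u < pts; u++) {
        ih->volenv[u].node = ih->volnode[u];
        ih->volenv[u].tick = ih->voltick[u];
    }
    return 0;
}

/* Builds a constructed record with the given count byte: node u = 2*u,
   tick u = 10*u. */
void make_record(uint8_t *rec, uint8_t pts) {
    rec[0] = pts;
    for (unsigned u = 0; u < ITENVCNT; u++) {
        rec[1 + u] = (uint8_t)(u * 2);
        rec[1 + ITENVCNT + 2 * u] = (uint8_t)(u * 10);
        rec[2 + ITENVCNT + 2 * u] = 0;
    }
}

/* Runs the loader on a constructed record and returns its result. */
int try_count(uint8_t pts) {
    INSTRUMENT ih;
    uint8_t rec[ENV_RECORD_LEN];
    make_record(rec, pts);
    return load_envelope(&ih, rec, sizeof rec);
}

/* Tick of processed point idx after loading a record with count pts, or -1
   if the record was rejected or idx is not a loaded point. */
int loaded_tick(uint8_t pts, unsigned idx) {
    INSTRUMENT ih;
    uint8_t rec[ENV_RECORD_LEN];
    make_record(rec, pts);
    if (load_envelope(&ih, rec, sizeof rec) != 0 || idx >= pts) return -1;
    return ih.volenv[idx].tick;
}

int main(void) {
    printf("count 25:  %s\n", try_count(25) == 0 ? "accepted" : "rejected");
    printf("count 200: %s\n", try_count(200) == 0 ? "accepted" : "rejected");
    return 0;
}
```

The check sits in the loader rather than in the processing macro because, as comment #5 notes, the processing loop is not the first place the count is used; validating once where the byte is read covers every consumer of it, for volume, panning and pitch envelopes alike.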
Comment 12 Tomas Hoger 2010-07-22 10:38:59 EDT
(In reply to comment #11)
> Created an attachment (id=433716) [details]
> Do checks in IT_LoadEnvelope

https://sourceforge.net/tracker/?func=detail&aid=3033086&group_id=40531&atid=428227
Comment 15 Tomas Hoger 2010-07-27 02:06:41 EDT
(In reply to comment #12)

> https://sourceforge.net/tracker/?func=detail&aid=3033086&group_id=40531&atid=428227    

CVE-2010-2546 was assigned to the incorrect CVE-2009-3995 fix.

As updates for Fedora or Red Hat Enterprise Linux mikmod packages were not released yet, updates containing the complete fix will not need to mention CVE-2010-2546.
Comment 16 Vincent Danen 2010-08-05 11:15:28 EDT
The water is even muddier... MITRE also assigned CVE-2010-2971 due to the incomplete fix of CVE-2009-3995.  For clarification, MITRE's descriptions of the problems are as follows:

CVE-2010-2546:

Multiple heap-based buffer overflows in loaders/load_it.c in
libmikmod, possibly 3.1.12, might allow remote attackers to execute
arbitrary code via (1) crafted samples or (2) crafted instrument
definitions in an Impulse Tracker file, related to panpts, pitpts, and
IT_ProcessEnvelope.  NOTE: some of these details are obtained from
third party information.  NOTE: this vulnerability exists because of an
incomplete fix for CVE-2009-3995.

CVE-2010-2971:

loaders/load_it.c in libmikmod, possibly 3.1.12, does not properly
account for the larger size of name##env relative to name##tick and
name##node, which allows remote attackers to trigger a buffer
over-read and possibly have unspecified other impact via a crafted
Impulse Tracker file, a related issue to CVE-2010-2546.  NOTE: this
issue exists because of an incomplete fix for CVE-2009-3995.


Neither of these CVEs needs to be mentioned, due to the fact that we did not improperly fix CVE-2009-3995.
Comment 17 Tomas Hoger 2010-08-16 14:07:18 EDT
(In reply to comment #16)
> The water is even muddier... MITRE also assigned CVE-2010-2971 due to the
> incomplete fix of CVE-2009-3995.

Not really.  Mitre decided to give a separate CVE, CVE-2010-2971, to the over-read issue mentioned above in comment #6.  Though the over-read is rather limited and not too likely to have any real impact.
Comment 18 errata-xmlrpc 2010-09-28 08:36:54 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 3
  Red Hat Enterprise Linux 4
  Red Hat Enterprise Linux 5

Via RHSA-2010:0720 https://rhn.redhat.com/errata/RHSA-2010-0720.html
