Bug#866860: mpg123: CVE-2017-10683

Thomas Orgis thomas-forum at orgis.org
Sun Jul 2 10:30:46 UTC 2017


Am Sun, 02 Jul 2017 11:12:36 +0200
schrieb Salvatore Bonaccorso <carnil at debian.org>: 

> CVE-2017-10683[0]:
> | In mpg123 1.25.0, there is a heap-based buffer over-read in the
> | convert_latin1 function in libmpg123/id3.c. A crafted input will lead
> | to a remote denial of service attack.

I don't oppose the creation of a CVE for that, although I wouldn't have
bothered myself and also the description seems overly dramatic. So far
I have only seen valgrind and an enabled AddressSanitizer complaining.
In practice, I did not see one crash because of this in normal builds.

This is one byte read too much, but to get denial of service, that
extra byte should be outside mpg123's address space. That does not
strike me as very likely in this context. Maybe one can construct such
a case, but the test bitstream I got doesn't do it. Even if that one
byte too much is successfully read and finds its way into a string
buffer, my paranoia had me explicitly append an (additional) zero after
it anyway.

I'd phrase the last CVE sentence as:

	A crafted input will lead to a remote denial of service attack
	if the user asked for it by enabling compiler instrumentation.

;-)

That being said, I won't claim that it is impossible to craft a file
that would trigger serious invalid reads (e.g. by an strlen() in an
adjacent code path, _not_ in the text processing the triggered test
case covers), and possibly actual DoS instead of possibly just slightly
bogus ID3 data from invalid input. I just haven't seen it yet.


Anyway, the officially fixed version 1.25.1 will be released
today/night. So you might want to just update to that one instead of
pulling out the single patch. I am still waiting for a complete report
for another issue that I'd like to fix in the release, too.


Alrighty then,

Thomas
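As an added illustration of the bug class discussed above (this is example code written for this page, not mpg123's id3.c or its actual convert_latin1 implementation): a Latin-1 to UTF-8 converter in two variants. One has the loop bound off by one so it reads src[len], the other is bounded by the caller's length and NUL-terminates explicitly regardless of input. The ID3-style text field is constructed inline and deliberately placed in a buffer with one spare byte after it, so the over-read is defined behaviour here and you can see the stray neighbour byte land in the output; on real input that byte is whatever the allocator put next to the field, which is what valgrind and AddressSanitizer flag even when a normal build never crashes.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* UTF-8 bytes needed for `len` Latin-1 bytes (terminator not included). */
static size_t latin1_utf8_len(const unsigned char *src, size_t len)
{
    size_t n = 0;
    for (size_t i = 0; i < len; i++)
        n += (src[i] < 0x80) ? 1 : 2;
    return n;
}

/* Encode one Latin-1 byte as UTF-8; returns bytes written (1 or 2). */
static size_t put_utf8(unsigned char c, char *dst)
{
    if (c < 0x80) {
        dst[0] = (char)c;
        return 1;
    }
    dst[0] = (char)(0xC0 | (c >> 6));
    dst[1] = (char)(0x80 | (c & 0x3F));
    return 2;
}

/* Off-by-one variant (hypothetical, for illustration): the bound is
 * `<= len`, so src[len] is read and converted too. The output buffer is
 * sized for len + 1 input bytes so the write side stays in bounds; only
 * the read over-runs. Returns a malloc'd NUL-terminated string. */
char *latin1_to_utf8_overread(const unsigned char *src, size_t len)
{
    char *out = malloc(2 * (len + 1) + 1);
    if (!out)
        return NULL;
    size_t o = 0;
    for (size_t i = 0; i <= len; i++)      /* BUG: one byte too many */
        o += put_utf8(src[i], out + o);
    out[o] = '\0';
    return out;
}

/* Bounded variant: converts exactly `len` bytes and always appends a
 * terminator, whether or not the input carried one. */
char *latin1_to_utf8(const unsigned char *src, size_t len)
{
    char *out = malloc(latin1_utf8_len(src, len) + 1);
    if (!out)
        return NULL;
    size_t o = 0;
    for (size_t i = 0; i < len; i++)
        o += put_utf8(src[i], out + o);
    out[o] = '\0';                          /* explicit, unconditional */
    return out;
}

int main(void)
{
    /* Constructed ID3-style text field "Motörhead" in Latin-1 (9 bytes,
     * no terminator), followed by one stand-in "neighbouring heap byte"
     * so that reading src[9] is defined in this demo. */
    static const unsigned char field[] = {
        'M', 'o', 't', 0xF6, 'r', 'h', 'e', 'a', 'd', 'X'
    };
    const size_t len = 9;

    char *good = latin1_to_utf8(field, len);
    char *bad  = latin1_to_utf8_overread(field, len);
    if (!good || !bad)
        return 1;

    printf("bounded : \"%s\" (%zu bytes)\n", good, strlen(good));
    printf("overread: \"%s\" (%zu bytes)\n", bad, strlen(bad));
    /* The over-read variant appends the neighbour byte 'X': with an
     * unknown neighbour this is "slightly bogus ID3 data", and it is the
     * read ASan or valgrind would report on a real heap buffer. */
    free(good);
    free(bad);
    return 0;
}
```

Build it once normally and once with `-fsanitize=address` after dropping the spare byte from `field` (so `len` equals the array size); the plain build prints a garbage trailing character at most, the instrumented one aborts with a heap-buffer-overflow read report, which is exactly the difference between the two descriptions in the message above.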