[pkg-mad-maintainers] Bug#480187: Bug#480187: libid3tag: CVE-2008-2109 infinite loop via crafted id3 tag
Nico Golde
nion at debian.org
Thu May 8 17:32:06 UTC 2008
Hi Kurt,
* Kurt Roeckx <kurt at roeckx.be> [2008-05-08 19:03]:
> On Thu, May 08, 2008 at 05:44:54PM +0200, Nico Golde wrote:
> > Package: libid3tag
> > Version: 0.15.1b-10
> > Severity: important
> > Tags: security patch
> >
> > Hi,
> > the following CVE (Common Vulnerabilities & Exposures) id was
> > published for libid3tag.
>
> I believe this is the same as #304913 and is fixed in version
> 0.15.1b-5. The diff is at a deeper level than what they did.
> They prevent calling id3_parse_string() again, while our
> id3_utf16_deserialize() called by id3_parse_string() just makes
> sure it's not called again by increasing ptr by one.
>
> The test.mp3 from the gentoo bug report at least also shows the OOM
> behaviour with version 0.15.1b-4.1 and doesn't show the problem with
> 0.15.1b-10.
>
> Note that we changed the diff we used in 0.15.1b-5 because
> it could cause a segfault, and it was rewritten in 0.15.1b-8.
Thanks for pointing this out, you are right, this is the
same issue. ID3_FIELD_TYPE_STRINGLIST is a single-line
unicode string. There is also a duplicate bug of
http://bugzilla.gnome.org/show_bug.cgi?id=162647 which
describes exactly this: http://bugzilla.gnome.org/show_bug.cgi?id=300791
Going to mark 0.15.1b-8 as the fixed version, feel free to close the
bug.
Kind regards
Nico
--
Nico Golde - http://www.ngolde.de - nion at jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
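The no-progress loop Kurt describes above (a UTF-16 deserializer that consumes nothing on a trailing odd byte, so the STRINGLIST caller keeps calling it) modelled as an added, simplified example; this is not libid3tag's code, the function names, the little-endian/no-BOM assumption and the crafted_tag bytes are all constructed here, and the "fixed" flag stands in for the advance-ptr-by-one change:

```c
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>

/* Simplified model of a UTF-16 text deserializer (assumption: little-endian
   code units, no BOM). It consumes whole 16-bit units up to a NUL unit or the
   masked end. With a 1-byte remainder, length & ~1 is 0 and nothing is
   consumed, which is the no-progress case from the bug report. */
static size_t utf16_deserialize(const uint8_t **ptr, size_t length, int fixed) {
    const uint8_t *start = *ptr;
    const uint8_t *end = *ptr + (length & ~(size_t)1);
    size_t units = 0;
    while (*ptr < end) {
        uint16_t u = (uint16_t)((*ptr)[0] | ((*ptr)[1] << 8));
        *ptr += 2;
        if (u == 0) break;        /* string terminator */
        ++units;
    }
    /* fixed: always make forward progress so the caller's loop terminates */
    if (fixed && *ptr == start && length > 0) *ptr += 1;
    return units;
}

/* Caller modelled on a STRINGLIST field parse: pull strings until the frame
   data is exhausted. Returns the number of strings parsed, or -1 when the
   loop is still running after max_iter rounds (the infinite-loop/OOM
   condition, since the real code allocates a string per round). */
int parse_stringlist(const uint8_t *data, size_t len, int fixed, int max_iter) {
    const uint8_t *ptr = data, *end = data + len;
    int nstrings = 0;
    while (end - ptr > 0) {
        if (max_iter-- == 0) return -1;
        utf16_deserialize(&ptr, (size_t)(end - ptr), fixed);
        ++nstrings;
    }
    return nstrings;
}

/* Constructed frame body: "A" (0x41 0x00), NUL terminator, then one stray byte. */
static const uint8_t crafted_tag[] = { 0x41, 0x00, 0x00, 0x00, 0xFF };

int main(void) {
    printf("vulnerable: %d (-1 = no progress)\n",
           parse_stringlist(crafted_tag, sizeof crafted_tag, 0, 100));
    printf("fixed:      %d strings\n",
           parse_stringlist(crafted_tag, sizeof crafted_tag, 1, 100));
    return 0;
}
```

A well-formed even-length body parses identically in both modes; only the odd-length remainder separates them.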