Amarok - integer overflows and unchecked allocation vulnerabilities

Bug #318555 reported by Harald Sitter on 2009-01-18
Affects | Status | Importance | Assigned to | Milestone
The Dell Mini Project | | Undecided | Unassigned |
amarok (Ubuntu) | | Undecided | Unassigned |
Dapper | | Undecided | Unassigned |
Gutsy | | Undecided | Marc Deslauriers |
Hardy | | Undecided | Unassigned |
Intrepid | | Undecided | Unassigned |
Jaunty | | Undecided | Unassigned |

Bug Description

Binary package hint: amarok

Amarok contains several integer overflows and unchecked allocation
vulnerabilities while parsing malformed Audible digital audio files.
The vulnerabilities may be exploited by a (remote) attacker to execute
arbitrary code in the context of Amarok.

http://www.trapkit.de/advisories/TKADV2009-002.txt
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0135
http://lists.grok.org.uk/pipermail/full-disclosure/2009-January/067330.html
http://www.debian.org/security/2009/dsa-1706

Harald Sitter (apachelogger) wrote :

Jaunty fixed via 2.0.1.1

Changed in amarok:
status: New → Fix Released

Harald Sitter (apachelogger) wrote :

Built in pbuilder. Tested in updated Intrepid VM (VirtualBox).

Harald Sitter (apachelogger) wrote :

Only built in pbuilder, no runtime testing done.

Please also note that at least Gutsy seems to be affected as well, but something is very weird about its patches, there seem to be quite some naming problems... no clue how that ever built.

I didn't check the dapper package yet.

Changed in amarok:
status: New → In Progress
status: New → In Progress

Kees Cook (kees) on 2009-03-10
Changed in amarok:
status: New → Triaged
status: New → Triaged

Marc Deslauriers (mdeslaur) wrote :

Code not present in Dapper's version.

Changed in amarok:
status: Triaged → Invalid
assignee: nobody → mdeslaur
status: Triaged → In Progress

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package amarok - 2:1.4.7-0ubuntu3.2

---------------
amarok (2:1.4.7-0ubuntu3.2) gutsy-security; urgency=low

  * SECURITY UPDATE: Code execution via multiple integer overflows and array
    index errors in the metadata parser for audible files. (LP: #318555)
    - debian/patches/100_security_CVE-2009-0135-0136.patch: improve error handling
      and set a maximum tag size in amarok/src/metadata/audible/audibletag.cpp.
    - CVE-2009-0135
    - CVE-2009-0136

 -- Marc Deslauriers <email address hidden> Thu, 12 Mar 2009 11:16:08 -0400

Changed in amarok:
status: In Progress → Fix Released

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package amarok - 2:1.4.9.1-0ubuntu3.2

---------------
amarok (2:1.4.9.1-0ubuntu3.2) hardy-security; urgency=low

  * SECURITY UPDATE: integer overflows allow remote attackers to execute
    arbitrary code via an Audible Audio (.aa) file (LP: #318555)
    - debian/patches/security_audible_tags.diff fix integer overflow while
      reading audible aa file tags. Based on upstream patch.
    - http://websvn.kde.org/?view=rev&revision=908415
    - http://www.trapkit.de/advisories/TKADV2009-002.txt
    - CVE-2009-0135
    - CVE-2009-0136

 -- Harald Sitter <email address hidden> Mon, 19 Jan 2009 22:13:53 +0100

Changed in amarok:
status: In Progress → Fix Released

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package amarok - 2:1.4.10-0ubuntu3.1

---------------
amarok (2:1.4.10-0ubuntu3.1) intrepid-security; urgency=low

  * SECURITY UPDATE: integer overflows allow remote attackers to execute
    arbitrary code via an Audible Audio (.aa) file (LP: #318555)
    - debian/patches/security_audible_tags.diff fix integer overflow while
      reading audible aa file tags. Based on upstream patch.
    - http://websvn.kde.org/?view=rev&revision=908415
    - http://www.trapkit.de/advisories/TKADV2009-002.txt
    - CVE-2009-0135
    - CVE-2009-0136

 -- Harald Sitter <email address hidden> Mon, 19 Jan 2009 22:05:24 +0100

Changed in amarok:
status: In Progress → Fix Released
Changed in dell-mini:
status: New → Confirmed

Nicola Ferralis (feranick) wrote :

This bug is fixed in amarok (2:1.4.9.1-0ubuntu3.2) - generic hardy. Hardy for the mini is still in version 2:1.4.9.1-0ubuntu3.1.

 amarok (2:1.4.9.1-0ubuntu3.2) hardy-security; urgency=low

  * SECURITY UPDATE: integer overflows allow remote attackers to execute
    arbitrary code via an Audible Audio (.aa) file (LP: #318555)
    - debian/patches/security_audible_tags.diff fix integer overflow while
      reading audible aa file tags. Based on upstream patch.
    - http://websvn.kde.org/?view=rev&revision=908415
    - http://www.trapkit.de/advisories/TKADV2009-002.txt
    - CVE-2009-0135
    - CVE-2009-0136
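
The bug class this report tracks (a length field read from the file and used to size an allocation) and the remedy named in the gutsy changelog (better error handling plus a maximum tag size), as an added C example that is not Amarok's code or the upstream patch. The record layout, `read_tag`, `MAX_TAG_SIZE` and its value, and the sample bytes are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define MAX_TAG_SIZE 4096u  /* assumed cap; the page does not state the real one */

enum tag_status { TAG_OK, TAG_TRUNCATED, TAG_TOO_LARGE, TAG_NOMEM };

/* Hypothetical record: [big-endian u32 length n][n bytes of text].
 * An unchecked reader that allocates n + 1 bytes and copies n is broken for
 * n = 0xFFFFFFFF: the 32-bit sum wraps to 0, so the copy overruns a tiny
 * buffer. Here every check runs before the allocation and the copy. */
enum tag_status read_tag(const uint8_t *buf, size_t len, size_t *off, char **text)
{
    *text = NULL;
    if (*off > len || len - *off < 4)   /* length field itself must be present */
        return TAG_TRUNCATED;
    const uint8_t *p = buf + *off;
    uint32_t n = ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
                 ((uint32_t)p[2] << 8) | (uint32_t)p[3];
    if (n > MAX_TAG_SIZE)               /* cap first, so n + 1 cannot wrap */
        return TAG_TOO_LARGE;
    if (len - *off - 4 < n)             /* declared length must fit the input */
        return TAG_TRUNCATED;
    char *s = malloc((size_t)n + 1);
    if (s == NULL)                      /* allocation failure is an error path */
        return TAG_NOMEM;
    memcpy(s, p + 4, n);
    s[n] = '\0';
    *off += 4 + (size_t)n;              /* advance only after full success */
    *text = s;
    return TAG_OK;
}

/* Constructed inputs, not real .aa data. */
static const uint8_t SAMPLE_OK[]    = { 0, 0, 0, 5, 't', 'i', 't', 'l', 'e' };
static const uint8_t SAMPLE_WRAP[]  = { 0xFF, 0xFF, 0xFF, 0xFF, 'x' };
static const uint8_t SAMPLE_SHORT[] = { 0, 0, 0, 9, 'a', 'b' };

int main(void)
{
    char *t;
    size_t off = 0;
    int ok = read_tag(SAMPLE_OK, sizeof SAMPLE_OK, &off, &t) == TAG_OK && off == 9;
    free(t);
    off = 0;
    ok &= read_tag(SAMPLE_WRAP, sizeof SAMPLE_WRAP, &off, &t) == TAG_TOO_LARGE;
    ok &= read_tag(SAMPLE_SHORT, sizeof SAMPLE_SHORT, &off, &t) == TAG_TRUNCATED;
    return ok ? 0 : 1;
}
```

The order of the checks matters: the cap is applied before any arithmetic on the length, so the rejected inputs never reach `malloc` or `memcpy`.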

This report contains Public Security information
Everyone can see this security related information.