Integer signedness error in the store_id3_text function in the ID3v2 code in mpg123 before 1.7.2 allows remote attackers to cause a denial of service (out-of-bounds memory access) and possibly execute arbitrary code

Bug #370031 reported by Stefan Lesicnik on 2009-04-30
258
This bug affects 1 person
Affects Status Importance Assigned to Milestone
mpg123 (Ubuntu)
Undecided
Stefan Lesicnik
Dapper
Undecided
Unassigned
Hardy
Undecided
Stefan Lesicnik
Intrepid
Undecided
Stefan Lesicnik
Jaunty
Undecided
Stefan Lesicnik
Karmic
Undecided
Stefan Lesicnik

Bug Description

Integer signedness error in the store_id3_text function in the ID3v2 code
in mpg123 before 1.7.2 allows remote attackers to cause a denial of service
(out-of-bounds memory access) and possibly execute arbitrary code via an
ID3 tag with a negative encoding value. NOTE: some of these details are
obtained from third party information.

References
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1301

CVE References

Stefan Lesicnik (stefanlsd) wrote :

CVE-2009-1301

visibility: private → public
Changed in mpg123 (Ubuntu):
assignee: nobody → Stefan Lesicnik (stefanlsd)
status: New → In Progress
Changed in mpg123 (Ubuntu Dapper):
status: New → Confirmed
assignee: nobody → Stefan Lesicnik (stefanlsd)
Changed in mpg123 (Ubuntu Hardy):
status: New → Confirmed
assignee: nobody → Stefan Lesicnik (stefanlsd)
Changed in mpg123 (Ubuntu Intrepid):
status: New → Confirmed
assignee: nobody → Stefan Lesicnik (stefanlsd)
Changed in mpg123 (Ubuntu Jaunty):
status: New → Confirmed
assignee: nobody → Stefan Lesicnik (stefanlsd)
Stefan Lesicnik (stefanlsd) wrote :
Stefan Lesicnik (stefanlsd) wrote :
Stefan Lesicnik (stefanlsd) wrote :
Stefan Lesicnik (stefanlsd) wrote :
Changed in mpg123 (Ubuntu Dapper):
assignee: Stefan Lesicnik (stefanlsd) → nobody
status: Confirmed → Invalid

Stefan Lesicnik wrote:
> ** Changed in: mpg123 (Ubuntu Dapper)
> Status: Confirmed => Invalid
>
> ** Changed in: mpg123 (Ubuntu Dapper)
> Assignee: Stefan Lesicnik (stefanlsd) => (unassigned)
>
>

Jamie Strandboge (jdstrand) wrote :

Marking 'In Progress' as per https://wiki.ubuntu.com/SecurityTeam/UpdatePreparation#Submission

Thanks for the debdiffs Stefan! :) Can you indicate the testing performed?

Changed in mpg123 (Ubuntu Hardy):
status: Confirmed → In Progress
Changed in mpg123 (Ubuntu Intrepid):
status: Confirmed → In Progress
Changed in mpg123 (Ubuntu Jaunty):
status: Confirmed → In Progress
Stefan Lesicnik (stefanlsd) wrote :

Dapper code seems to not be affected. There is no id3.c and grepping for the strings also return no results.

There is no released POC for this exploit and no inbuilt tests. The resulting .dsc was built on all releases and builds ok.

Testing was done to ensure that mpg123 still works as expected by playing random mp3 files and checking the id3 tag information was displayed.

The patch itself is of low impact as it introduces no ABI / API changes but just convers an integer to unsigned integer.

Stefan Lesicnik (stefanlsd) wrote :

I ran mpg123 -v --rva-album --long-tag file.mp3 (all the related id3 tag functions from the manpage). These function as expected.

Jamie Strandboge (jdstrand) wrote :

The patches themselves look good. I've uploaded hardy-jaunty to the security PPA. I can publish these and karmic once I get feedback on testing.

BTW-- the Dapper task was mark 'Invalid', does this issue not affect Dapper?

Changed in mpg123 (Ubuntu Hardy):
status: In Progress → Fix Committed
Changed in mpg123 (Ubuntu Intrepid):
status: In Progress → Fix Committed
Changed in mpg123 (Ubuntu Jaunty):
status: In Progress → Fix Committed
Jamie Strandboge (jdstrand) wrote :

This was fixed in 1.7.2-1, and Karmic now has 1.7.2-3ubuntu1.

Changed in mpg123 (Ubuntu Karmic):
status: In Progress → Fix Released
Jamie Strandboge (jdstrand) wrote :

Stefan, what is the status of your testing?

Stefan Lesicnik (stefanlsd) wrote :

Hey Jamie,

Dapper was marked invalid as the code seems to not be affected. There is no id3.c and grepping for the strings for the fix also return no results.

I have tested as much as I am able too.

mpg123 -v --rva-album file.mp3
mpg123 -v --long-tag file.mp3

Functions as expected. (These are all the related id3 tag functions from the manpage that could possibly trigger the function).

I played random files to determine that the id3 information is still displayed correctly and can find no errors.

Jamie Strandboge (jdstrand) wrote :

mpg123 (1.4.3-4ubuntu1.1) jaunty-security; urgency=low

  * SECURITY UPDATE: Integer signedness error in the store_id3_text function
    in the ID3v2 code in mpg123 before 1.7.2 allows remote attackers to cause
    a denial of service (out-of-bounds memory access) and possibly execute
    arbitrary code via an ID3 tag with a negative encoding value. (LP: 370031).
   - src/libmpg123/id3.c: Inline patch from upstream SVN rev 1920.
   - http://www.mpg123.org/cgi-bin/viewvc.cgi/tags/1.7.2/?view=log
   - CVE-2009-1301

Changed in mpg123 (Ubuntu Jaunty):
status: Fix Committed → Fix Released
Jamie Strandboge (jdstrand) wrote :

mpg123 (1.4.3-3ubuntu0.1) intrepid-security; urgency=low

  * SECURITY UPDATE: Integer signedness error in the store_id3_text function
    in the ID3v2 code in mpg123 before 1.7.2 allows remote attackers to cause
    a denial of service (out-of-bounds memory access) and possibly execute
    arbitrary code via an ID3 tag with a negative encoding value. (LP: 370031).
   - src/libmpg123/id3.c: Inline patch from upstream SVN rev 1920.
   - http://www.mpg123.org/cgi-bin/viewvc.cgi/tags/1.7.2/?view=log
   - CVE-2009-1301

Changed in mpg123 (Ubuntu Intrepid):
status: Fix Committed → Fix Released
Jamie Strandboge (jdstrand) wrote :

mpg123 (0.67-1ubuntu0.1) hardy-security; urgency=low

  * SECURITY UPDATE: Integer signedness error in the store_id3_text function
    in the ID3v2 code in mpg123 before 1.7.2 allows remote attackers to cause
    a denial of service (out-of-bounds memory access) and possibly execute
    arbitrary code via an ID3 tag with a negative encoding value. (LP: 370031).
   - src/id3.c: Inline patch from upstream SVN rev 1920.
   - http://www.mpg123.org/cgi-bin/viewvc.cgi/tags/1.7.2/?view=log
   - CVE-2009-1301

Changed in mpg123 (Ubuntu Hardy):
status: Fix Committed → Fix Released
Jamie Strandboge (jdstrand) wrote :

Stefan, thanks for the update and testing! :)

To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers