multiple security vulnerabilities in taglib

Bug #945415 reported by Zubin Mithra
Affects / Status / Importance / Assigned to / Milestone
taglib (Debian): Fix Released / Unknown / - / -
taglib (Ubuntu): Fix Released / Low / Unassigned / -

Bug Description

Dhanesh K. and I performed a vulnerability assessment of the taglib library (http://developer.kde.org/~wheeler/taglib.html) used by various media players. Tested with the latest version of vlc. Comparing with the "head" libtag version at github shows that these issues have not been addressed/patched before.

- Sanity checks are not performed for fields read from a media file, which are used to allocate memory later on. Causes a DoS due to an application crash at the very least; exploitability is unconfirmed.

An example:
apeitem.cpp
  APE::Item::parse(const ByteVector &data)
    d->key = String(data.mid(8), String::UTF8);

- ogg/xiphcomment.cpp, Ogg::XiphComment::parse(const ByteVector &data)
    Control over "vendorLength" can cause a string allocation of that size. Control over "commentFields", which is the number of times "commentLength" is read and a string of size "commentLength" is allocated. Causes a DoS due to an application crash at the very least; exploitability is unconfirmed.

- ape/apeproperties.cpp, APE::Properties::analyzeCurrent()
    Specially crafted ape media files with sampleRate being "0" could lead to an application crash (division by zero error).

    d->sampleRate = header.mid(20, 4).toUInt(false);
    d->length = totalBlocks / d->sampleRate;

- A crafted ogg file with a 1-bit change (0=>1) at 0x0000007f leads to an infinite loop in the thread processing the tags. Please find the file attached.
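Added example, not part of the bug report and not TagLib's own code: a C++ parser for the Vorbis/Xiph comment layout the report describes (vendor length + vendor string, comment count, then length + string pairs), written so that every length or count read from the file is checked against the bytes that actually remain before it sizes a string or drives a loop, plus a duration helper in the shape of the APE::Properties division quoted above that refuses a zero sample rate. The names XiphFields, parseXiphComment, apeLengthSeconds and the builder helpers are my own, and the three input buffers are constructed in the code (one well-formed, one with an oversized vendor length, one with an absurd comment count) rather than taken from any real file.

```cpp
#include <cstddef>
#include <cstdint>
#include <string>
#include <vector>

// Hypothetical parsed result; not TagLib's XiphComment class.
struct XiphFields {
    std::string vendor;
    std::vector<std::string> comments;
};

// Read a little-endian 32-bit field at `pos`, refusing to read past the end.
static bool readLE32(const std::vector<uint8_t> &d, size_t pos, uint32_t &out) {
    if (pos > d.size() || d.size() - pos < 4) return false;
    out = uint32_t(d[pos]) | (uint32_t(d[pos + 1]) << 8) |
          (uint32_t(d[pos + 2]) << 16) | (uint32_t(d[pos + 3]) << 24);
    return true;
}

// Parse the Vorbis/Xiph comment layout: vendor length + vendor string, then a
// comment count followed by (length + string) pairs. Every length taken from
// the file is compared with the bytes that actually remain before it is used
// to size a string or drive a loop, so a bogus field fails the parse instead
// of triggering a huge allocation or a runaway read loop.
bool parseXiphComment(const std::vector<uint8_t> &data, XiphFields &out) {
    size_t pos = 0;
    uint32_t vendorLength = 0;
    if (!readLE32(data, pos, vendorLength)) return false;
    pos += 4;
    if (vendorLength > data.size() - pos) return false;  // file-controlled length vs. remaining bytes
    out.vendor.assign(reinterpret_cast<const char *>(data.data() + pos), vendorLength);
    pos += vendorLength;

    uint32_t count = 0;
    if (!readLE32(data, pos, count)) return false;
    pos += 4;
    // Each comment needs at least a 4-byte length field, so a legitimate count
    // can never exceed remaining/4; reject before reserving or looping.
    if (count > (data.size() - pos) / 4) return false;
    out.comments.reserve(count);
    for (uint32_t i = 0; i < count; ++i) {
        uint32_t len = 0;
        if (!readLE32(data, pos, len)) return false;
        pos += 4;
        if (len > data.size() - pos) return false;
        out.comments.emplace_back(reinterpret_cast<const char *>(data.data() + pos), len);
        pos += len;
    }
    return true;
}

// Duration computation in the shape the report quotes from APE::Properties:
// a zero sample rate read from the header is rejected instead of divided by.
bool apeLengthSeconds(uint32_t totalBlocks, uint32_t sampleRate, uint32_t &seconds) {
    if (sampleRate == 0) return false;
    seconds = totalBlocks / sampleRate;
    return true;
}

// --- constructed sample inputs (not real media files) ---------------------
static void putLE32(std::vector<uint8_t> &v, uint32_t x) {
    for (int i = 0; i < 4; ++i) v.push_back(uint8_t(x >> (8 * i)));
}
static void putStr(std::vector<uint8_t> &v, const std::string &s) {
    putLE32(v, uint32_t(s.size()));
    v.insert(v.end(), s.begin(), s.end());
}

// A well-formed block: vendor string and two user comments.
std::vector<uint8_t> wellFormedBlock() {
    std::vector<uint8_t> v;
    putStr(v, "example-encoder");
    putLE32(v, 2);
    putStr(v, "TITLE=Demo");
    putStr(v, "ARTIST=Nobody");
    return v;
}

// Same block with the vendor length field overwritten to claim ~2 GiB: the kind
// of unchecked field the report says ends up sizing a string allocation.
std::vector<uint8_t> oversizedVendorBlock() {
    std::vector<uint8_t> v = wellFormedBlock();
    v[0] = 0xff; v[1] = 0xff; v[2] = 0xff; v[3] = 0x7f;
    return v;
}

// Same block with the comment count overwritten to 0xffffffff, which would
// drive the read loop far past the data if it were trusted.
std::vector<uint8_t> hugeCountBlock() {
    std::vector<uint8_t> v = wellFormedBlock();
    size_t countPos = 4 + std::string("example-encoder").size();
    for (size_t i = 0; i < 4; ++i) v[countPos + i] = 0xff;
    return v;
}
```

The two checks that matter are the comparisons against `data.size() - pos`: a length field is only ever trusted after it has been bounded by the bytes still present, and the comment count is bounded by the minimum bytes each entry must occupy, so neither a single oversized field nor a large repeat count can reach an allocation or loop unchecked. The same pattern applies to the `data.mid(8)` key read in APE::Item::parse once a length precedes it.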

Zubin Mithra (zubin-mithra) wrote :

With consent from the taglib author, the vulnerability has been reported upstream in the mailing list. You can view it here.

http://mail.kde.org/pipermail/taglib-devel/2012-March/002186.html

Zubin Mithra (zubin-mithra) wrote :

Bug reported and patched upstream - mailing list discussion at http://mail.kde.org/pipermail/taglib-devel/2012-March/002186.html

visibility: private → public
Changed in taglib (Ubuntu):
status: New → Confirmed
importance: Undecided → Low
Changed in taglib (Debian):
status: Unknown → New
Changed in taglib (Debian):
status: New → Fix Released
Logan Rosen (logan) wrote :

This bug was fixed in version 1.7.1-1.

Changed in taglib (Ubuntu):
status: Confirmed → Fix Released