multiple security vulnerabilities in taglib
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| taglib (Debian) | Fix Released | Unknown | | |
| taglib (Ubuntu) | Fix Released | Low | Unassigned | |
Bug Description
Dhanesh K. and I performed a vulnerability assessment of the taglib library (http://
- Sanity checks are not performed for fields read from a media file, which are used to allocate memory later on. Causes DoS due to application crash at the very least, exploitability is unconfirmed.
An example, from apeitem.cpp:

```cpp
APE::
d->key = String(data.mid(8), String::UTF8);
```
- ogg/xiphcomment
Control over "vendorLength" can cause a string allocation of that size. Control over "commentFields", which is the number of times "commentLength" is read and a string of size "commentLength" is allocated. Causes DoS due to application crash at the very least; exploitability is unconfirmed.
- ape/apeproperti
Specially crafted APE media files with sampleRate being "0" could lead to an application crash (division by zero error):

```cpp
d->sampleRate = header.mid(20, 4).toUInt(false);
d->length = totalBlocks / d->sampleRate;
```
- A crafted ogg file with a 1-bit change (0 => 1) at offset 0x0000007f leads to an infinite loop in the thread processing the tags. Please find the file attached.
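As an added illustration (not TagLib's code, and not from the report), hardened forms of the two reads described above: the length field is bounded by the bytes actually present before any allocation, and the sampleRate is checked for zero before the division. The helper names (readLE32, parseVendor, apeLengthSeconds) and the sample byte strings are constructed for this example.

```cpp
#include <cstddef>
#include <cstdint>
#include <string>
#include <vector>

using Bytes = std::vector<uint8_t>;

// Read a little-endian 32-bit field at `pos`, refusing to run off the buffer.
// Hypothetical helper, not TagLib's toUInt().
static bool readLE32(const Bytes &d, size_t pos, uint32_t &out) {
    if (pos > d.size() || d.size() - pos < 4) return false;
    out = uint32_t(d[pos]) | (uint32_t(d[pos + 1]) << 8) |
          (uint32_t(d[pos + 2]) << 16) | (uint32_t(d[pos + 3]) << 24);
    return true;
}

// Xiph comment vendor string. The length is file-controlled, so it is
// compared against the bytes remaining before a string of that size exists.
bool parseVendor(const Bytes &d, size_t pos, std::string &out) {
    uint32_t len = 0;
    if (!readLE32(d, pos, len)) return false;
    pos += 4;
    if (len > d.size() - pos) return false;          // oversized or truncated field
    out.assign(d.begin() + pos, d.begin() + pos + len);
    return true;
}

// APE properties: sampleRate lives at header offset 20 (as in the report);
// a zero value is rejected instead of reaching the division.
bool apeLengthSeconds(const Bytes &header, unsigned totalBlocks, unsigned &seconds) {
    uint32_t rate = 0;
    if (!readLE32(header, 20, rate) || rate == 0) return false;
    seconds = totalBlocks / rate;
    return true;
}

int main() {
    // Constructed inputs: a valid vendor block, an oversized length, a zero rate.
    Bytes ok = {3, 0, 0, 0, 'a', 'b', 'c'};
    Bytes oversized = {0xff, 0xff, 0xff, 0x7f, 'a'};
    Bytes zeroRate(24, 0);
    std::string v;
    unsigned s = 0;
    return (parseVendor(ok, 0, v) && !parseVendor(oversized, 0, v) &&
            !apeLengthSeconds(zeroRate, 441000, s)) ? 0 : 1;
}
```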
visibility: private → public
Changed in taglib (Ubuntu):
status: New → Confirmed
importance: Undecided → Low
Changed in taglib (Debian):
status: Unknown → New
Changed in taglib (Debian):
status: New → Fix Released
With consent from the taglib author, the vulnerability has been reported upstream in the mailing list. You can view it here.
http://mail.kde.org/pipermail/taglib-devel/2012-March/002186.html