CVE-2017-11552

Debian Bug report logs - #870406
CVE-2017-11552

Reply or subscribe to this bug.

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: libmad: CVE-2017-11552

Date: Tue, 01 Aug 2017 19:24:56 +0200

Source: libmad
Version: 0.15.1b-7
Severity: important
Tags: security upstream

Hi,

the following vulnerability was published for libmad.

CVE-2017-11552[0]:
| The mad_decoder_run function in decoder.c in libmad 0.15.1b allows
| remote attackers to cause a denial of service (memory corruption) via a
| crafted MP3 file.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-11552
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11552
[1] http://seclists.org/fulldisclosure/2017/Jul/94

Regards,
Salvatore

Message #10 received at 870406@bugs.debian.org (full text, mbox, reply):

From: Kurt Roeckx <kurt@roeckx.be>

To: Salvatore Bonaccorso <carnil@debian.org>, 870406@bugs.debian.org

Subject: Re: [pkg-mad-maintainers] Bug#870406: libmad: CVE-2017-11552

Date: Tue, 1 Aug 2017 19:48:01 +0200

On Tue, Aug 01, 2017 at 07:24:56PM +0200, Salvatore Bonaccorso wrote:
> Source: libmad
> Version: 0.15.1b-7
> Severity: important
> Tags: security upstream
> 
> Hi,
> 
> the following vulnerability was published for libmad.
> 
> CVE-2017-11552[0]:
> | The mad_decoder_run function in decoder.c in libmad 0.15.1b allows
> | remote attackers to cause a denial of service (memory corruption) via a
> | crafted MP3 file.
> 
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

I guess you don't have any patch for this?


Kurt

Message #15 received at 870406@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: Kurt Roeckx <kurt@roeckx.be>

Cc: 870406@bugs.debian.org

Subject: Re: [pkg-mad-maintainers] Bug#870406: libmad: CVE-2017-11552

Date: Wed, 2 Aug 2017 06:17:29 +0200

Hi Kurt

On Tue, Aug 01, 2017 at 07:48:01PM +0200, Kurt Roeckx wrote:
> On Tue, Aug 01, 2017 at 07:24:56PM +0200, Salvatore Bonaccorso wrote:
> > Source: libmad
> > Version: 0.15.1b-7
> > Severity: important
> > Tags: security upstream
> > 
> > Hi,
> > 
> > the following vulnerability was published for libmad.
> > 
> > CVE-2017-11552[0]:
> > | The mad_decoder_run function in decoder.c in libmad 0.15.1b allows
> > | remote attackers to cause a denial of service (memory corruption) via a
> > | crafted MP3 file.
> > 
> > If you fix the vulnerability please also make sure to include the
> > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> 
> I guess you don't have any patch for this?

No unfortunatley not. The report furthermore AFAIK is only found on
the fulldisclosure list, not sure it has been reported "upstream" (if
still active?).

Regards,
Salvatore

Message #20 received at 870406@bugs.debian.org (full text, mbox, reply):

From: Kurt Roeckx <kurt@roeckx.be>

To: Salvatore Bonaccorso <carnil@debian.org>, 870406@bugs.debian.org

Subject: Re: [pkg-mad-maintainers] Bug#870406: libmad: CVE-2017-11552

Date: Sun, 7 Jan 2018 14:43:43 +0100

On Tue, Aug 01, 2017 at 07:24:56PM +0200, Salvatore Bonaccorso wrote:
> 
> Hi,
> 
> the following vulnerability was published for libmad.
> 
> CVE-2017-11552[0]:
> | The mad_decoder_run function in decoder.c in libmad 0.15.1b allows
> | remote attackers to cause a denial of service (memory corruption) via a
> | crafted MP3 file.
> 
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

I can reproduce this using mpg321, but not using madplay. Madplay
just shows:
$ madplay libmad_0.15.1b_memory_corruption.mp3
MPEG Audio Decoder 0.15.2 (beta) - Copyright (C) 2000-2004 Robert Leslie et al.
          Title: ExifTool Test
       Composer: A Composer
         Artist: Phil Harvey
          Album: Phil's Greatest Hits
          Track: 1/5
           Year: 2005
          Genre: Testing
        Comment: My Comments
error: frame 0: bad big_values count
0 frames decoded (0:00:00.0), -inf dB peak amplitude, 0 clipped samples

Where "bad big_values count" is an error generated by libmad.


Kurt

Message #25 received at 870406@bugs.debian.org (full text, mbox, reply):

From: Kurt Roeckx <kurt@roeckx.be>

To: Salvatore Bonaccorso <carnil@debian.org>, 870406@bugs.debian.org

Subject: Re: [pkg-mad-maintainers] Bug#870406: Bug#870406: libmad: CVE-2017-11552

Date: Sun, 7 Jan 2018 18:47:12 +0100

reassign 870406 mpg321
thanks

On Sun, Jan 07, 2018 at 02:43:43PM +0100, Kurt Roeckx wrote:
> I can reproduce this using mpg321, but not using madplay.

Valgrind shows:
==4094== Invalid write of size 8
==4094==    at 0x10EFD0: read_header (mad.c:285)
==4094==    by 0x579EA11: run_sync (decoder.c:392)
==4094==    by 0x579EE16: mad_decoder_run (decoder.c:557)
==4094==    by 0x10C3BA: main (mpg321.c:1092)
==4094==  Address 0x66c3d38 is 0 bytes after a block of size 8 alloc'd
==4094==    at 0x4C2ABEF: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==4094==    by 0x10CDDD: main (mpg321.c:990)
==4094==
==4094== Invalid write of size 8
==4094==    at 0x10EFDC: read_header (mad.c:287)
==4094==    by 0x579EA11: run_sync (decoder.c:392)
==4094==    by 0x579EE16: mad_decoder_run (decoder.c:557)
==4094==    by 0x10C3BA: main (mpg321.c:1092)
==4094==  Address 0x66c3d90 is 0 bytes after a block of size 16 alloc'd
==4094==    at 0x4C2ABEF: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==4094==    by 0x10CDED: main (mpg321.c:991)
==4094==

That's this code in mpg321's mad.c:
    /* update cached table of frames & times */
    if (current_frame <= playbuf->num_frames) /* we only allocate enough for our estimate. */
    {
        playbuf->frames[current_frame] = playbuf->frames[current_frame-1] + (header->bitrate / 8 / 1000)
            * mad_timer_count(header->duration, MAD_UNITS_MILLISECONDS);
        playbuf->times[current_frame] = current_time;
    }

And later we crash when libmad tries to free() something it
allocated.

If I change mpg321 to allocate 1 more frame in mpg321.c:990 and 991,
the crash goes away. (Note that this is not a fix at all, it's
just showing that mpg321 is the source of the problem.)

It at least seems that mpg321 lost info about the amount of frames
it allocated somewhere. It might be related to the frames that
failed to decode.


Kurt

Message #44 received at 870406@bugs.debian.org (full text, mbox, reply):

From: Joachim Reichel <joachim.reichel@gmx.de>

To: 870406@bugs.debian.org, 887057@bugs.debian.org

Subject: Removal from testing

Date: Sat, 16 Feb 2019 10:54:45 +0100

Due to bugs 870406 and 887057 the following packages are scheduled for removal
from testing on 2019-03-11:

gjay, mp3cd, mp3roaster, mpg321, normalize-audio, ripit, terminatorx

Is anyone working on these bugs?

  Joachim

Message #49 received at 870406@bugs.debian.org (full text, mbox, reply):

From: Elimar Riesebieter <riesebie@lxtec.de>

To: 870608@bugs.debian.org

Cc: 870406@bugs.debian.org

Subject: There is a possible patch available

Date: Wed, 6 Mar 2019 03:15:40 +0100

[Message part 1 (text/plain, inline)]

Hi all,

did someone checked

https://git.xiph.org/?p=libao.git;a=commit;h=d5221655dfd1a2156aa6be83b5aadea7c1e0f5bd 

?

Elimar
-- 
  We all know Linux is great... it does infinite loops in 5 seconds.
        -Linus Torvalds

[signature.asc (application/pgp-signature, inline)]

Message #54 received at 870406@bugs.debian.org (full text, mbox, reply):

From: Ron <ron@debian.org>

To: Elimar Riesebieter <riesebie@lxtec.de>, 870608@bugs.debian.org

Cc: 870406@bugs.debian.org

Subject: Re: Bug#870608: There is a possible patch available

Date: Thu, 7 Mar 2019 15:49:40 +1030

On Wed, Mar 06, 2019 at 03:15:40AM +0100, Elimar Riesebieter wrote:
> Hi all,
> 
> did someone checked
> 
> https://git.xiph.org/?p=libao.git;a=commit;h=d5221655dfd1a2156aa6be83b5aadea7c1e0f5bd 

You mean the commit which has :?

 author    Ron <ron@debian.org>  Sat, 13 Jan 2018 09:49:20 +0000 (20:19 +1030)
 committer Ron <ron@debian.org>  Sat, 13 Jan 2018 15:19:59 +0000 (01:49 +1030)

It was a while ago now, but yeah, I *probably* looked at that one ...


For the people on the other bug(s), the analysis behind that is here:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=870608#14

And the tldr version is, you can't punt this back to libao, and that
patch doesn't fix your bug.  AFAICS there is no bug in libao detected
by this "CVE", its test case explodes in libmad, not libao - and the
patch above just fixes some other potential issues I saw by eye while
auditing libao enough to give the analysis above.


And since Kurt seems to have done the same for libmad in
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=870406#25

It looks like the ball is squarely in the court of whoever cares about
mpg321 to do some debugging next and find what it's doing wrong.  And
then _possibly_ push back if some flaw in a support library really is
exacerbating the mistake it makes.

  Cheers,
  Ron

Message #59 received at 870406@bugs.debian.org (full text, mbox, reply):

From: Andreas Tille <andreas@an3as.eu>

To: 870406@bugs.debian.org

Subject: Any news for this bug?

Date: Wed, 13 Mar 2019 11:02:56 +0100

Hi,

I just realised that several reverse dependencies of mpg321 are in
danger of getting autoremoved from testing.

Kind regards

     Andreas.

-- 
http://fam-tille.de

Message #64 received at 870406-close@bugs.debian.org (full text, mbox, reply):

From: Chrysostomos Nanakos <cnanakos@debian.org>

To: 870406-close@bugs.debian.org

Subject: Bug#870406: fixed in mpg321 0.3.2-2

Date: Wed, 13 Mar 2019 15:04:00 +0000

Source: mpg321
Source-Version: 0.3.2-2

We believe that the bug you reported is fixed in the latest version of
mpg321, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 870406@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Chrysostomos Nanakos <cnanakos@debian.org> (supplier of updated mpg321 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Wed, 13 Mar 2019 16:34:47 +0200
Source: mpg321
Binary: mpg321
Architecture: source
Version: 0.3.2-2
Distribution: unstable
Urgency: medium
Maintainer: Nanakos Chrysostomos <nanakos@wired-net.gr>
Changed-By: Chrysostomos Nanakos <cnanakos@debian.org>
Description:
 mpg321     - Simple and lightweight command line MP3 player
Closes: 870406 887057
Changes:
 mpg321 (0.3.2-2) unstable; urgency=medium
 .
   * Handle illegal bitrate value (Closes: Bug#887057), (Closes: Bug#870406)
Checksums-Sha1:
 03655d0b91bbee79898f93210b865cffd3c92019 1819 mpg321_0.3.2-2.dsc
 bf1c22542c86af69267828e45f217fdeb49e5d43 151139 mpg321_0.3.2.orig.tar.gz
 390f8894d04dae52a12a04c964a1d1caf23a4e2e 13184 mpg321_0.3.2-2.debian.tar.xz
Checksums-Sha256:
 996a846693e089a19074bb08e2667e70f594842a891b5fab0842e18446559dea 1819 mpg321_0.3.2-2.dsc
 056fcc03e3f5c5021ec74bb5053d32c4a3b89b4086478dcf81adae650eac284e 151139 mpg321_0.3.2.orig.tar.gz
 6a39ff209d10786693ae23e401c911124da2c2d72fdba416637ffeed6705720b 13184 mpg321_0.3.2-2.debian.tar.xz
Files:
 5dcea234f6e001e0bc2c0a574f9ebecb 1819 sound optional mpg321_0.3.2-2.dsc
 d3c343d2183e239e4df56a4aae2466a6 151139 sound optional mpg321_0.3.2.orig.tar.gz
 3e8d82da769b748e04fe65666bb050a0 13184 sound optional mpg321_0.3.2-2.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQIcBAEBCAAGBQJciRcGAAoJEIc96jCdE4B/oGoQAIwpxyTjyjfmCGfmXNCVlZLz
VAYT8694UYXAXXUeWUB0bNwq/MwvP9HFj5u//1KHpSqulUkhmeh447SZ4WJrbchT
f0OLLO70oOyUy3Fx+VQ/mtMc7KXwcyhX1AqxmQ5Z87Djwy94Jv65h0yhKsyMv7PC
CJMLINlyXqTkXKCxB0Xp7nPaEAF8DJZGKdNMQUpu6KGaC3nntPWUfbOmG7GqcaLF
7B+M72NTS2DmjEvmOL39XSYsckklqjUR9yU0FNBrIx02ePc9qp62AajsiB26LvLh
ujoyROl8cC36RtX7RhV9/ZKUqS1h43O4IaoPDUxw/Hwtbdj7wD6JQx50AvsBawE0
RjF2YxM2gFSZA40Gml1Ptavg0AeKyN8xgsPFIKgv9/7ol5A/Hl/Sdf6qoDXL7rFJ
d5yoecZw5mXKhAh/qQIiuyeVDnpif886nawxeKCWzRxrsokfMGXQv87L0fe1WPA0
GS4DgnWOvLo7RRl2z/dgONQbszYyHmdCcdx1IvIEbrWG+SI60tKeyQ4NhObtJ5DQ
E8beRRqMmBu4ini6ro4fprtzBnVZQU6ahu8BMGD5mwC9cnpP5Ps74hxX/6V89qBf
CRceIzlu9TOFOs6y5BGRMiZtod4gaGEvl/IrRt38tU9dbk4bAH9Nqv3RLq4BxRTB
t3J/AcCz6peGK0fWXd+/
=vA81
-----END PGP SIGNATURE-----

Message #69 received at 887057-close@bugs.debian.org (full text, mbox, reply):

From: Chrysostomos Nanakos <cnanakos@debian.org>

To: 887057-close@bugs.debian.org

Subject: Bug#887057: fixed in mpg321 0.3.2-2

Date: Wed, 13 Mar 2019 15:04:00 +0000

Source: mpg321
Source-Version: 0.3.2-2

We believe that the bug you reported is fixed in the latest version of
mpg321, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 887057@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Chrysostomos Nanakos <cnanakos@debian.org> (supplier of updated mpg321 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Wed, 13 Mar 2019 16:34:47 +0200
Source: mpg321
Binary: mpg321
Architecture: source
Version: 0.3.2-2
Distribution: unstable
Urgency: medium
Maintainer: Nanakos Chrysostomos <nanakos@wired-net.gr>
Changed-By: Chrysostomos Nanakos <cnanakos@debian.org>
Description:
 mpg321     - Simple and lightweight command line MP3 player
Closes: 870406 887057
Changes:
 mpg321 (0.3.2-2) unstable; urgency=medium
 .
   * Handle illegal bitrate value (Closes: Bug#887057), (Closes: Bug#870406)
Checksums-Sha1:
 03655d0b91bbee79898f93210b865cffd3c92019 1819 mpg321_0.3.2-2.dsc
 bf1c22542c86af69267828e45f217fdeb49e5d43 151139 mpg321_0.3.2.orig.tar.gz
 390f8894d04dae52a12a04c964a1d1caf23a4e2e 13184 mpg321_0.3.2-2.debian.tar.xz
Checksums-Sha256:
 996a846693e089a19074bb08e2667e70f594842a891b5fab0842e18446559dea 1819 mpg321_0.3.2-2.dsc
 056fcc03e3f5c5021ec74bb5053d32c4a3b89b4086478dcf81adae650eac284e 151139 mpg321_0.3.2.orig.tar.gz
 6a39ff209d10786693ae23e401c911124da2c2d72fdba416637ffeed6705720b 13184 mpg321_0.3.2-2.debian.tar.xz
Files:
 5dcea234f6e001e0bc2c0a574f9ebecb 1819 sound optional mpg321_0.3.2-2.dsc
 d3c343d2183e239e4df56a4aae2466a6 151139 sound optional mpg321_0.3.2.orig.tar.gz
 3e8d82da769b748e04fe65666bb050a0 13184 sound optional mpg321_0.3.2-2.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQIcBAEBCAAGBQJciRcGAAoJEIc96jCdE4B/oGoQAIwpxyTjyjfmCGfmXNCVlZLz
VAYT8694UYXAXXUeWUB0bNwq/MwvP9HFj5u//1KHpSqulUkhmeh447SZ4WJrbchT
f0OLLO70oOyUy3Fx+VQ/mtMc7KXwcyhX1AqxmQ5Z87Djwy94Jv65h0yhKsyMv7PC
CJMLINlyXqTkXKCxB0Xp7nPaEAF8DJZGKdNMQUpu6KGaC3nntPWUfbOmG7GqcaLF
7B+M72NTS2DmjEvmOL39XSYsckklqjUR9yU0FNBrIx02ePc9qp62AajsiB26LvLh
ujoyROl8cC36RtX7RhV9/ZKUqS1h43O4IaoPDUxw/Hwtbdj7wD6JQx50AvsBawE0
RjF2YxM2gFSZA40Gml1Ptavg0AeKyN8xgsPFIKgv9/7ol5A/Hl/Sdf6qoDXL7rFJ
d5yoecZw5mXKhAh/qQIiuyeVDnpif886nawxeKCWzRxrsokfMGXQv87L0fe1WPA0
GS4DgnWOvLo7RRl2z/dgONQbszYyHmdCcdx1IvIEbrWG+SI60tKeyQ4NhObtJ5DQ
E8beRRqMmBu4ini6ro4fprtzBnVZQU6ahu8BMGD5mwC9cnpP5Ps74hxX/6V89qBf
CRceIzlu9TOFOs6y5BGRMiZtod4gaGEvl/IrRt38tU9dbk4bAH9Nqv3RLq4BxRTB
t3J/AcCz6peGK0fWXd+/
=vA81
-----END PGP SIGNATURE-----

Send a report that this bug log contains spam.