
Debian Bug report logs - #866860
mpg123: CVE-2017-10683


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sun, 2 Jul 2017 09:15:02 UTC

Severity: important

Tags: patch, security, upstream

Found in versions mpg123/1.20.1-2, mpg123/1.25.0-1

Fixed in version mpg123/1.25.1-1

Done: Sebastian Ramacher <sramacher@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>:
Bug#866860; Package src:mpg123. (Sun, 02 Jul 2017 09:15:05 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>. (Sun, 02 Jul 2017 09:15:05 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: mpg123: CVE-2017-10683
Date: Sun, 02 Jul 2017 11:12:36 +0200
Source: mpg123
Version: 1.25.0-1
Severity: important
Tags: upstream security

Hi,

the following vulnerability was published for mpg123.

CVE-2017-10683[0]:
| In mpg123 1.25.0, there is a heap-based buffer over-read in the
| convert_latin1 function in libmpg123/id3.c. A crafted input will lead
| to a remote denial of service attack.

This was reported at [1], but Hanno Boeck recently reported [2] as
well.

Looking at both cases I think those should be the same issues, and
upstream has a patch for the issue.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-10683
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10683
[1] https://bugzilla.redhat.com/show_bug.cgi?id=1465819
[2] https://sourceforge.net/p/mpg123/bugs/252/

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>:
Bug#866860; Package src:mpg123. (Sun, 02 Jul 2017 09:30:03 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>. (Sun, 02 Jul 2017 09:30:03 GMT) (full text, mbox, link).


Message #10 received at 866860@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: 866860@bugs.debian.org
Subject: Re: Bug#866860: mpg123: CVE-2017-10683
Date: Sun, 2 Jul 2017 11:27:30 +0200
Control: tags -1 + patch

On Sun, Jul 02, 2017 at 11:12:36AM +0200, Salvatore Bonaccorso wrote:
> Source: mpg123
> Version: 1.25.0-1
> Severity: important
> Tags: upstream security
> 
> Hi,
> 
> the following vulnerability was published for mpg123.
> 
> CVE-2017-10683[0]:
> | In mpg123 1.25.0, there is a heap-based buffer over-read in the
> | convert_latin1 function in libmpg123/id3.c. A crafted input will lead
> | to a remote denial of service attack.
> 
> This was reported at [1], but Hanno Boeck recently reported [2] as
> well.
> 
> Looking at both cases I think those should be the same issues, and
> upstream has a patch for the issue.
> 
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> 
> For further information see:
> 
> [0] https://security-tracker.debian.org/tracker/CVE-2017-10683
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10683
> [1] https://bugzilla.redhat.com/show_bug.cgi?id=1465819
> [2] https://sourceforge.net/p/mpg123/bugs/252/

Attaching the extracted patch.

Regards,
Salvatore
[252.patch (text/x-diff, attachment)]

Added tag(s) patch. Request was from Salvatore Bonaccorso <carnil@debian.org> to 866860-submit@bugs.debian.org. (Sun, 02 Jul 2017 09:30:03 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>:
Bug#866860; Package src:mpg123. (Sun, 02 Jul 2017 10:42:04 GMT) (full text, mbox, link).


Acknowledgement sent to Thomas Orgis <thomas-forum@orgis.org>:
Extra info received and forwarded to list. Copy sent to Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>. (Sun, 02 Jul 2017 10:42:05 GMT) (full text, mbox, link).


Message #17 received at 866860@bugs.debian.org (full text, mbox, reply):

From: Thomas Orgis <thomas-forum@orgis.org>
To: Salvatore Bonaccorso <carnil@debian.org>
Cc: 866860@bugs.debian.org
Subject: Re: Bug#866860: mpg123: CVE-2017-10683
Date: Sun, 2 Jul 2017 12:30:46 +0200
On Sun, 02 Jul 2017 11:12:36 +0200
Salvatore Bonaccorso <carnil@debian.org> wrote:

> CVE-2017-10683[0]:
> | In mpg123 1.25.0, there is a heap-based buffer over-read in the
> | convert_latin1 function in libmpg123/id3.c. A crafted input will lead
> | to a remote denial of service attack.

I don't oppose the creation of a CVE for that, although I wouldn't have
bothered myself and also the description seems overly dramatic. So far
I have only seen valgrind and an enabled AddressSanitizer complaining.
In practice, I did not see one crash because of this in normal builds.

This is one byte read too much, but to get denial of service, that
extra byte should be outside mpg123's address space. That does not
strike me as very likely in this context. Maybe one can construct such
a case, but the test bitstream I got doesn't do it. Even if that one
byte too much is successfully read and finds its way into a string
buffer, my paranoia had me explicitly append an (additional) zero after
it anyway.

I'd phrase the last CVE sentence as:

	A crafted input will lead to a remote denial of service attack
	if the user asked for it by enabling compiler instrumentation.

;-)

That being said, I won't claim that it is impossible to craft a file
that would trigger serious invalid reads (e.g. by an strlen() in an
adjacent code path, _not_ in the text processing the triggered test
case covers), and possibly actual DoS instead of possibly just slightly
bogus ID3 data from invalid input. I just haven't seen it yet.


Anyway, the officially fixed version 1.25.1 will be released
today/night. So you might want to just update to that one instead of
pulling out the single patch. I am still waiting for a complete report
for another issue that I'd like to fix in the release, too.


Alrighty then,

Thomas
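As an added illustration of the defensive pattern Thomas describes above (every read bounded by the frame length rather than by a terminator, plus an explicitly appended NUL), here is a length-bounded ISO-8859-1 to UTF-8 converter. This is example code written for this page, not mpg123's convert_latin1 or any code from the thread; the function name latin1_to_utf8_bounded and its signature are assumptions.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical length-bounded ISO-8859-1 -> UTF-8 converter (not mpg123's
 * code). It reads exactly `len` bytes of `src`, never looks for a NUL in
 * the input, and always writes a terminating NUL to the output, so a text
 * frame that arrives without a terminator cannot cause a read past its end.
 * Returns a malloc'd string (caller frees) or NULL on allocation failure;
 * if `outlen` is non-NULL it receives the UTF-8 length without the NUL. */
char *latin1_to_utf8_bounded(const unsigned char *src, size_t len, size_t *outlen)
{
    size_t i, need = 0;
    char *out, *p;

    /* First pass: exact output size. Latin-1 bytes below 0x80 map to one
     * UTF-8 byte, bytes 0x80..0xFF map to a two-byte sequence. */
    for (i = 0; i < len; i++)
        need += (src[i] < 0x80) ? 1 : 2;

    out = malloc(need + 1);         /* +1 for the explicit terminator */
    if (out == NULL)
        return NULL;

    /* Second pass: the condition is strictly i < len, so src[len] is never
     * touched even when the caller's buffer is exactly `len` bytes long.
     * Embedded NUL bytes in the input are copied through; `outlen`, not
     * strlen(), is the authoritative length of the result. */
    p = out;
    for (i = 0; i < len; i++) {
        unsigned char c = src[i];
        if (c < 0x80) {
            *p++ = (char)c;
        } else {
            *p++ = (char)(0xC0 | (c >> 6));     /* lead byte: 110xxxxx */
            *p++ = (char)(0x80 | (c & 0x3F));   /* continuation: 10xxxxxx */
        }
    }
    *p = '\0';                      /* always present, even for len == 0 */

    if (outlen != NULL)
        *outlen = need;
    return out;
}
```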

Marked as found in versions mpg123/1.20.1-2. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 02 Jul 2017 10:42:06 GMT) (full text, mbox, link).


Added tag(s) pending. Request was from Sebastian Ramacher <sramacher@debian.org> to control@bugs.debian.org. (Mon, 03 Jul 2017 19:21:07 GMT) (full text, mbox, link).


Message sent on to Salvatore Bonaccorso <carnil@debian.org>:
Bug#866860. (Mon, 03 Jul 2017 19:21:11 GMT) (full text, mbox, link).


Message #24 received at 866860-submitter@bugs.debian.org (full text, mbox, reply):

From: Sebastian Ramacher <sramacher@debian.org>
To: 866860-submitter@bugs.debian.org
Subject: Bug#866860 marked as pending
Date: Mon, 03 Jul 2017 19:16:46 +0000
tag 866860 pending
thanks

Hello,

Bug #866860 reported by you has been fixed in the Git repository. You can
see the changelog below, and you can check the diff of the fix at:

    http://anonscm.debian.org/git/pkg-multimedia/mpg123.git/commit/?id=eddc301

---
commit eddc301c76abd0c10f6f0b53d8da48d1fff0393f
Author: Sebastian Ramacher <sramacher@debian.org>
Date:   Mon Jul 3 21:16:31 2017 +0200

    Finalize changelog

diff --git a/debian/changelog b/debian/changelog
index 0475b33..a09debe 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,8 +1,11 @@
-mpg123 (1.25.1-1) UNRELEASED; urgency=medium
+mpg123 (1.25.1-1) unstable; urgency=medium
 
+  * Team upload.
   * New upstream release.
+    - Fix heap-based buffer over-read (CVE-2017-10683) (Closes: #866860)
+  * debian/control: Bump Standards-Version.
 
- -- Sebastian Ramacher <sramacher@debian.org>  Mon, 03 Jul 2017 21:12:35 +0200
+ -- Sebastian Ramacher <sramacher@debian.org>  Mon, 03 Jul 2017 21:13:06 +0200
 
 mpg123 (1.25.0-1) unstable; urgency=medium
 
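Review bot: the new changelog line "Fix heap-based buffer over-read (CVE-2017-10683) (Closes: #866860)" records the CVE but not where the fix lands; since this is a security upload, consider naming the affected component from the report (convert_latin1 in libmpg123/id3.c) or the upstream bug reference (sourceforge bug 252) so the changelog alone tells readers what changed. The remaining lines (UNRELEASED to unstable, "Team upload", the Standards-Version bump and the refreshed timestamp) are routine finalization and look fine.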



Reply sent to Sebastian Ramacher <sramacher@debian.org>:
You have taken responsibility. (Mon, 03 Jul 2017 19:36:19 GMT) (full text, mbox, link).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Mon, 03 Jul 2017 19:36:19 GMT) (full text, mbox, link).


Message #29 received at 866860-close@bugs.debian.org (full text, mbox, reply):

From: Sebastian Ramacher <sramacher@debian.org>
To: 866860-close@bugs.debian.org
Subject: Bug#866860: fixed in mpg123 1.25.1-1
Date: Mon, 03 Jul 2017 19:34:01 +0000
Source: mpg123
Source-Version: 1.25.1-1

We believe that the bug you reported is fixed in the latest version of
mpg123, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 866860@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sebastian Ramacher <sramacher@debian.org> (supplier of updated mpg123 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Mon, 03 Jul 2017 21:13:06 +0200
Source: mpg123
Binary: mpg123 libmpg123-0 libout123-0 libmpg123-dev
Architecture: source
Version: 1.25.1-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>
Changed-By: Sebastian Ramacher <sramacher@debian.org>
Description:
 libmpg123-0 - MPEG layer 1/2/3 audio decoder (shared library)
 libmpg123-dev - MPEG layer 1/2/3 audio decoder (development files)
 libout123-0 - MPEG layer 1/2/3 audio decoder (libout123 shared library)
 mpg123     - MPEG layer 1/2/3 audio player
Closes: 866860
Changes:
 mpg123 (1.25.1-1) unstable; urgency=medium
 .
   * Team upload.
   * New upstream release.
     - Fix heap-based buffer over-read (CVE-2017-10683) (Closes: #866860)
   * debian/control: Bump Standards-Version.





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 14 Sep 2017 07:28:11 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:38:26 2019; Machine Name: beach
