libmodplug: CVE-2013-4233 CVE-2013-4234

Related Vulnerabilities: CVE-2013-4233   CVE-2013-4234  

Debian Bug report logs - #719462
libmodplug: CVE-2013-4233 CVE-2013-4234

Reported by: Moritz Muehlenhoff <jmm@inutil.org>

Date: Mon, 12 Aug 2013 06:33:02 UTC

Severity: grave

Tags: security

Fixed in versions libmodplug/1:0.8.8.4-4, libmodplug/1:0.8.8.4-3+deb7u1+git20130828

Done: Zed Pobre <zed@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Zed Pobre <zed@debian.org>:
Bug#719462; Package libmodplug. (Mon, 12 Aug 2013 06:33:06 GMT) (full text, mbox, link).


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Zed Pobre <zed@debian.org>. (Mon, 12 Aug 2013 06:33:06 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libmodplug: CVE-2013-4233 CVE-2013-4234
Date: Mon, 12 Aug 2013 08:24:33 +0200
Package: libmodplug
Severity: grave
Tags: security
Justification: user security hole

Hi,
please see http://blog.scrt.ch/2013/07/24/vlc-abc-parsing-seems-to-be-a-ctf-challenge/

For the CVE assignments:
http://seclists.org/oss-sec/2013/q3/343

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org, Zed Pobre <zed@debian.org>:
Bug#719462; Package libmodplug. (Wed, 14 Aug 2013 01:21:04 GMT) (full text, mbox, link).


Acknowledgement sent to Zed Pobre <zed@resonant.org>:
Extra info received and forwarded to list. Copy sent to Zed Pobre <zed@debian.org>. (Wed, 14 Aug 2013 01:21:04 GMT) (full text, mbox, link).


Message #10 received at 719462@bugs.debian.org (full text, mbox, reply):

From: Zed Pobre <zed@resonant.org>
To: Moritz Muehlenhoff <jmm@inutil.org>, 719462@bugs.debian.org
Cc: Konstanty Bialkowski <konstanty@ieee.org>
Subject: Re: Bug#719462: libmodplug: CVE-2013-4233 CVE-2013-4234
Date: Tue, 13 Aug 2013 21:07:47 -0400
[Message part 1 (text/plain, inline)]
Hi Konstanty, this is your friendly Debian maintainer.

I had a security issue in libmodplug sent to me, and I wanted to make
sure you saw it:

On Mon, Aug 12, 2013 at 08:24:33AM +0200, Moritz Muehlenhoff wrote:
> Hi,
> please see http://blog.scrt.ch/2013/07/24/vlc-abc-parsing-seems-to-be-a-ctf-challenge/
> 
> For the CVE assignments:
> http://seclists.org/oss-sec/2013/q3/343

At first glance, it looks like the first one can be solved just by
replacing 'j+1' with '(j+1) || j' (though maybe it would be better to
explicitly check to see if someone is attempting an overflow and exit
with a warning instead), but on the others I'm afraid I don't know
where to start.  Can you work out what the real maximum size is that
can be generated by those attacks and just up the buffer to that, or
is there something more systemic involved?

Regards,

-- 
Zed Pobre <zed@resonant.org> a.k.a. Zed Pobre <zed@debian.org>
PGP key and fingerprint available on finger; encrypted mail welcomed.
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Zed Pobre <zed@debian.org>:
Bug#719462; Package libmodplug. (Wed, 14 Aug 2013 06:12:05 GMT) (full text, mbox, link).


Acknowledgement sent to Konstanty Bialkowski <konstanty@ieee.org>:
Extra info received and forwarded to list. Copy sent to Zed Pobre <zed@debian.org>. (Wed, 14 Aug 2013 06:12:05 GMT) (full text, mbox, link).


Message #15 received at 719462@bugs.debian.org (full text, mbox, reply):

From: Konstanty Bialkowski <konstanty@ieee.org>
To: Zed Pobre <zed@resonant.org>
Cc: Moritz Muehlenhoff <jmm@inutil.org>, 719462@bugs.debian.org
Subject: Re: Bug#719462: libmodplug: CVE-2013-4233 CVE-2013-4234
Date: Wed, 14 Aug 2013 16:08:26 +1000
[Message part 1 (text/plain, inline)]
Hi Zed, (all),

Thanks for forwarding the error. I've applied some fixes for these CVEs.
Being a library, I think it is a bit difficult to report a warning (at
least there is no API call to get this out).

I've added bounds checking on populating the h->gchord and h->drum
variables, and conceptually it will just skip any additional drum/chord
flags after 80 have been reached (in practice this might be only 40 as a
number '1' is appended to each if it does not already exist).

Also, I've committed + synced some other bugs in libmodplug (some
evaluation might be needed whether a CVE is needed for some of them as
well).

https://sourceforge.net/p/modplug-xmms/git/ci/master/tree/

Also, for the purposes of packaging, I've split out libmodplug into its own
git tree.
https://github.com/Konstanty/libmodplug

Let me know if you notice any problems with any of these patches,

Konstanty


On Wed, Aug 14, 2013 at 11:07 AM, Zed Pobre <zed@resonant.org> wrote:

> Hi Konstanty, this is your friendly Debian maintainer.
>
> I had a security issue in libmodplug sent to me, and I wanted to make
> sure you saw it:
>
> On Mon, Aug 12, 2013 at 08:24:33AM +0200, Moritz Muehlenhoff wrote:
> > Hi,
> > please see
> http://blog.scrt.ch/2013/07/24/vlc-abc-parsing-seems-to-be-a-ctf-challenge/
> >
> > For the CVE assignments:
> > http://seclists.org/oss-sec/2013/q3/343
>
> At first glance, it looks like the first one can be solved just by
> replacing 'j+1' with '(j+1) || j' (though maybe it would be better to
> explicitly check to see if someone is attempting an overflow and exit
> with a warning instead), but on the others I'm afraid I don't know
> where to start.  Can you work out what the real maximum size is that
> can be generated by those attacks and just up the buffer to that, or
> is there something more systemic involved?
>
> Regards,
>
> --
> Zed Pobre <zed@resonant.org> a.k.a. Zed Pobre <zed@debian.org>
> PGP key and fingerprint available on finger; encrypted mail welcomed.
>
[Message part 2 (text/html, inline)]
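
The bounds check described in the message above, as an added illustration that is not libmodplug's code: `store_pattern`, `PATTERN_CAP` and the letter-plus-digit grammar are constructed for this example. It shows why an 80-character store holds only 40 flags once a default `1` is inserted after each one, and that input beyond that is dropped rather than written past the buffer.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define PATTERN_CAP 80  /* character limit mentioned in the thread */

/*
 * Hypothetical normaliser for a drum/chord pattern string.
 * Every letter in src is a flag; an optional digit after it is its
 * length. A missing digit is stored as '1', so each flag costs two
 * characters. dst must have room for PATTERN_CAP characters plus NUL.
 * Flags that no longer fit are skipped. Returns the flags stored.
 */
size_t store_pattern(char dst[PATTERN_CAP + 1], const char *src)
{
    size_t out = 0;    /* next write position in dst */
    size_t flags = 0;  /* flags accepted so far */

    while (*src != '\0') {
        if (!isalpha((unsigned char)*src)) {
            src++;                 /* ignore anything that is not a flag */
            continue;
        }
        char flag = *src++;
        char len = '1';            /* default length when none is given */
        if (isdigit((unsigned char)*src))
            len = *src++;

        /* Check the space for flag + digit BEFORE writing either. */
        if (out + 2 > PATTERN_CAP)
            break;                 /* full: all remaining flags are skipped */

        dst[out++] = flag;
        dst[out++] = len;
        flags++;
    }
    dst[out] = '\0';               /* out <= PATTERN_CAP, so this is in bounds */
    return flags;
}

int main(void)
{
    char dst[PATTERN_CAP + 1];
    char big[201];                 /* constructed oversized input: 200 flags */

    memset(big, 'd', sizeof big - 1);
    big[sizeof big - 1] = '\0';

    printf("%zu flags -> \"%s\"\n", store_pattern(dst, "d2zd4"), dst);
    printf("%zu flags kept from 200, %zu chars stored\n",
           store_pattern(dst, big), strlen(dst));
    return 0;
}
```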

Information forwarded to debian-bugs-dist@lists.debian.org, Zed Pobre <zed@debian.org>:
Bug#719462; Package libmodplug. (Wed, 14 Aug 2013 14:21:07 GMT) (full text, mbox, link).


Acknowledgement sent to Raphael Geissert <geissert@debian.org>:
Extra info received and forwarded to list. Copy sent to Zed Pobre <zed@debian.org>. (Wed, 14 Aug 2013 14:21:07 GMT) (full text, mbox, link).


Message #20 received at 719462@bugs.debian.org (full text, mbox, reply):

From: Raphael Geissert <geissert@debian.org>
To: 719462@bugs.debian.org, Konstanty Bialkowski <konstanty@ieee.org>
Subject: Re: Bug#719462: libmodplug: CVE-2013-4233 CVE-2013-4234
Date: Wed, 14 Aug 2013 16:17:38 +0200
Hi Konstanty,

Looking at your fix in c4d4e0478, I'd look into fixing it in a way
that doesn't imply that integers overflow, as that's undefined
behavior and can be optimised away by compilers. None of the
instructions can actually decrease j, so j + 1 can never be <= 0 if
integers don't overflow.
Wouldn't it be better to just set a limit to j that is checked while
calculating the amount of memory that is needed, and that is lower
enough than INT_MAX that performing one more iteration won't overflow
it?

Cheers,
-- 
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net
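
The approach suggested in the message above, as an added sketch that is not the libmodplug patch: the running size `j` is compared against a cap before each addition, so the code never depends on signed overflow. `J_LIMIT`, `sized_total`, `alloc_for` and the `step_len` input are hypothetical names for this example.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical cap, far enough below INT_MAX that j + 1 cannot overflow. */
#define J_LIMIT (INT_MAX / 4)

/*
 * Contrast case: a test made after the increment. For j >= 0 it can
 * only be true if j + 1 wraps, which is undefined behaviour for signed
 * int, so an optimising compiler may assume it is always false and
 * remove the branch it guards. Never call this with j == INT_MAX.
 */
int wrapped_after_increment(int j)
{
    return j + 1 <= 0;
}

/*
 * Sizing pass: step_len[i] is the number of bytes step i adds to the
 * expanded output (constructed stand-in for a parser's expansion
 * rules). No step decreases j. Returns the total, or -1 as soon as
 * the total would pass J_LIMIT.
 */
int sized_total(const int *step_len, size_t nsteps)
{
    int j = 0;

    for (size_t i = 0; i < nsteps; i++) {
        int add = step_len[i];
        /* Rearranged so the comparison itself cannot overflow. */
        if (add < 0 || add > J_LIMIT - j)
            return -1;
        j += add;
    }
    return j;
}

/* Allocate j + 1 bytes only when the sizing pass accepted the input. */
char *alloc_for(const int *step_len, size_t nsteps)
{
    int j = sized_total(step_len, nsteps);

    if (j < 0)
        return NULL;               /* reject instead of under-allocating */
    return calloc((size_t)j + 1, 1);
}

int main(void)
{
    int small[] = {10, 20, 30};        /* constructed input */
    int hostile[] = {J_LIMIT, 1};      /* constructed input past the cap */

    printf("small:   %d\n", sized_total(small, 3));
    printf("hostile: %d\n", sized_total(hostile, 2));
    return 0;
}
```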



Information forwarded to debian-bugs-dist@lists.debian.org, Zed Pobre <zed@debian.org>:
Bug#719462; Package libmodplug. (Wed, 28 Aug 2013 10:42:13 GMT) (full text, mbox, link).


Acknowledgement sent to Raphael Geissert <geissert@debian.org>:
Extra info received and forwarded to list. Copy sent to Zed Pobre <zed@debian.org>. (Wed, 28 Aug 2013 10:42:13 GMT) (full text, mbox, link).


Message #25 received at 719462@bugs.debian.org (full text, mbox, reply):

From: Raphael Geissert <geissert@debian.org>
To: Konstanty Bialkowski <konstanty@ieee.org>
Cc: 719462@bugs.debian.org
Subject: Re: Bug#719462: libmodplug: CVE-2013-4233 CVE-2013-4234
Date: Wed, 28 Aug 2013 12:39:36 +0200
[Message part 1 (text/plain, inline)]
Hi,

On 14 August 2013 16:17, Raphael Geissert <geissert@debian.org> wrote:
> Looking at your fix in c4d4e0478, I'd look into fixing it in a way
> that doesn't imply that integers overflow, as that's undefined
> behavior and can be optimised away by compilers. None of the
> instructions can actually decrease j, so j + 1 can never be <= 0 if
> integers don't overflow.
> Wouldn't it be better to just set a limit to j that is checked while
> calculating the amount of memory that is needed, and that is lower
> enough than INT_MAX that performing one more iteration won't overflow
> it?

Attached patch does something like the above and performs a check on
the value of i, which I believe can be made to point past the end of
the buffer.

Cheers,
-- 
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net
[0001-Don-t-rely-on-the-behaviour-of-signed-integer-overfl.patch (application/octet-stream, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Zed Pobre <zed@debian.org>:
Bug#719462; Package libmodplug. (Thu, 29 Aug 2013 09:09:19 GMT) (full text, mbox, link).


Acknowledgement sent to Raphael Geissert <geissert@debian.org>:
Extra info received and forwarded to list. Copy sent to Zed Pobre <zed@debian.org>. (Thu, 29 Aug 2013 09:09:19 GMT) (full text, mbox, link).


Message #30 received at 719462@bugs.debian.org (full text, mbox, reply):

From: Raphael Geissert <geissert@debian.org>
To: 719462@bugs.debian.org
Cc: Moritz Muehlenhoff <jmm@debian.org>
Subject: Re: Bug#719462: should this package be removed?
Date: Thu, 29 Aug 2013 11:08:31 +0200
Hi Zed,

Looking at the big picture here it seems like the best way to go with
libmodplug is to remove it from old/stable and then re-consider its
inclusion in jessie and future releases.
MOD and other formats are rarely used yet they are readily available
in mainstream audio/video players through gstreamer, vlc, and xine.
These players/frameworks expose a lot of code that was most likely not
written with security in mind, putting users at risk.

What I propose then is to:
* modify rdepends so that they no longer use libmodplug
* drop the modplug package entirely if no longer used

Let me know what you think.

Cheers,
-- 
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net



Information forwarded to debian-bugs-dist@lists.debian.org, Zed Pobre <zed@debian.org>:
Bug#719462; Package libmodplug. (Thu, 29 Aug 2013 15:06:09 GMT) (full text, mbox, link).


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Zed Pobre <zed@debian.org>. (Thu, 29 Aug 2013 15:06:09 GMT) (full text, mbox, link).


Message #35 received at 719462@bugs.debian.org (full text, mbox, reply):

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Raphael Geissert <geissert@debian.org>
Cc: 719462@bugs.debian.org, Moritz Muehlenhoff <jmm@debian.org>
Subject: Re: Bug#719462: should this package be removed?
Date: Thu, 29 Aug 2013 16:59:09 +0200
On Thu, Aug 29, 2013 at 11:08:31AM +0200, Raphael Geissert wrote:
> Hi Zed,
> 
> Looking at the big picture here it seems like the best way to go with
> libmodplug is to remove it from old/stable and then re-consider its
> inclusion in jessie and future releases.
> MOD and other formats are rarely used yet they are readily available
> in mainstream audio/video players through gstreamer, vlc, and xine.
> These players/frameworks expose a lot of code that was most likely not
> written with security in mind, putting users at risk.
> 
> What I propose then is to:
> * modify rdepends so that they no longer use libmodplug
> * drop the modplug package entirely if no longer used
> 
> Let me know what you think.

I think we should rather update to the current libmodplug in stable/oldstable.

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org, Zed Pobre <zed@debian.org>:
Bug#719462; Package libmodplug. (Thu, 29 Aug 2013 17:27:07 GMT) (full text, mbox, link).


Acknowledgement sent to Zed Pobre <zed@resonant.org>:
Extra info received and forwarded to list. Copy sent to Zed Pobre <zed@debian.org>. (Thu, 29 Aug 2013 17:27:07 GMT) (full text, mbox, link).


Message #40 received at 719462@bugs.debian.org (full text, mbox, reply):

From: Zed Pobre <zed@resonant.org>
To: Moritz Muehlenhoff <jmm@inutil.org>, 719462@bugs.debian.org
Cc: Raphael Geissert <geissert@debian.org>, Moritz Muehlenhoff <jmm@debian.org>
Subject: Re: Bug#719462: should this package be removed?
Date: Thu, 29 Aug 2013 13:23:49 -0400
[Message part 1 (text/plain, inline)]
On Thu, Aug 29, 2013 at 04:59:09PM +0200, Moritz Muehlenhoff wrote:
> On Thu, Aug 29, 2013 at 11:08:31AM +0200, Raphael Geissert wrote:
> > 
> > Looking at the big picture here it seems like the best way to go with
> > libmodplug is to remove it from old/stable and then re-consider its
> > inclusion in jessie and future releases.
> > MOD and other formats are rarely used yet they are readily available
> > in mainstream audio/video players through gstreamer, vlc, and xine.
> > These players/frameworks expose a lot of code that was most likely not
> > written with security in mind, putting users at risk.
> > 
> > What I propose then is to:
> > * modify rdepends so that they no longer use libmodplug
> > * drop the modplug package entirely if no longer used
> > 
> > Let me know what you think.
> 
> I think we should rather update to the current libmodplug in stable/oldstable.

As someone who actually still has a MOD collection, I would somewhat
mourn its loss, but I must admit that I don't have the skill to keep
up with the security issues in it.

Given that all of the changes since Squeeze appear to be bugfixes, I
think that there's really very little risk in pushing 0.8.8.4+patches
back to both Squeeze and Wheezy (other than that there are likely
still undiscovered bugs), but note that there hasn't actually been an
official new versioned release with the new fixes yet.  I would be
building out of Git (which does contain as of yesterday Raphael's
patch).

-- 
Zed Pobre <zed@resonant.org> a.k.a. Zed Pobre <zed@debian.org>
PGP key and fingerprint available on finger; encrypted mail welcomed.
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Zed Pobre <zed@debian.org>:
Bug#719462; Package libmodplug. (Fri, 30 Aug 2013 10:48:19 GMT) (full text, mbox, link).


Acknowledgement sent to Raphael Geissert <geissert@debian.org>:
Extra info received and forwarded to list. Copy sent to Zed Pobre <zed@debian.org>. (Fri, 30 Aug 2013 10:48:19 GMT) (full text, mbox, link).


Message #45 received at 719462@bugs.debian.org (full text, mbox, reply):

From: Raphael Geissert <geissert@debian.org>
To: Zed Pobre <zed@resonant.org>
Cc: Moritz Muehlenhoff <jmm@inutil.org>, 719462@bugs.debian.org
Subject: Re: Bug#719462: should this package be removed?
Date: Fri, 30 Aug 2013 12:46:23 +0200
Hi,

On 29 August 2013 19:23, Zed Pobre <zed@resonant.org> wrote:
> On Thu, Aug 29, 2013 at 04:59:09PM +0200, Moritz Muehlenhoff wrote:
>> I think we should rather update to the current libmodplug in stable/oldstable.
[...]
> Given that all of the changes since Squeeze appear to be bugfixes, I
> think that there's really very little risk in pushing 0.8.8.4+patches
> back to both Squeeze and Wheezy (other than that there are likely
> still undiscovered bugs), but note that there hasn't actually been an
> official new versioned release with the new fixes yet.

I think this would just delay the inevitable, and that players should
really split support for non-common formats into packages that are not
installed by default.
Anyway, since removing support for libmodplug in some players only
works around the problem, let's do it this way for now.

Note, however, that a few changes are needed to the packaging given
that it now uses dpkg-buildflags.

>  I would be
> building out of Git (which does contain as of yesterday Raphael's
> patch).

Yes, please. For old/stable please also prepare the packages (taking
care of the version number so that upgrades from squeeze to wheezy to
jessie are possible), targeting the $codename-security archives with a
symbolic urgency of "high" and send the debdiffs to team@security.d.o
prior to their upload to the security archive.

Thanks in advance.

Cheers,
-- 
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net



Information forwarded to debian-bugs-dist@lists.debian.org, Zed Pobre <zed@debian.org>:
Bug#719462; Package libmodplug. (Tue, 03 Sep 2013 03:15:09 GMT) (full text, mbox, link).


Acknowledgement sent to Zed Pobre <zed@resonant.org>:
Extra info received and forwarded to list. Copy sent to Zed Pobre <zed@debian.org>. (Tue, 03 Sep 2013 03:15:09 GMT) (full text, mbox, link).


Message #50 received at 719462@bugs.debian.org (full text, mbox, reply):

From: Zed Pobre <zed@resonant.org>
To: Raphael Geissert <geissert@debian.org>
Cc: Moritz Muehlenhoff <jmm@inutil.org>, 719462@bugs.debian.org
Subject: Re: Bug#719462: should this package be removed?
Date: Mon, 2 Sep 2013 23:13:17 -0400
[Message part 1 (text/plain, inline)]
On Mon, Sep 02, 2013 at 12:54:12AM +0200, Raphael Geissert wrote:
> 
> > Yes, please. For old/stable please also prepare the packages (taking
> > care of the version number so that upgrades from squeeze to wheezy to
> > jessie are possible), targeting the $codename-security archives with a
> > symbolic urgency of "high" and send the debdiffs to team@security.d.o
> > prior to their upload to the security archive.
> 
> Ping? Since this bug allows code execution and the complexity of the attack 
> is low, the bug is rather important.
> Please let me know if you would like some sort of help.

Apologies.  I'm preparing for a wedding and got distracted.  I've made
the changes and pushed my repository out to Alioth.

Unfortunately, in my haste to make things right I missed that there
was a request to send the debdiff before pushing to
security-master.  I hope I haven't made a mess for you.  The repo is
at:

http://anonscm.debian.org/gitweb/?p=collab-maint/libmodplug.git

The Squeeze-specific release is out of the debian-squeeze branch, the
Wheezy-specific release is out of the debian-wheezy branch, and the
unstable release is out of the debian branch.  Do you still want me to
send explicit debdiffs as well?  They'll be large, due to the nature
of the merge with the konstanty (upstream) branch.

Regards,
Zed

-- 
Zed Pobre <zed@resonant.org> a.k.a. Zed Pobre <zed@debian.org>
PGP key and fingerprint available on finger; encrypted mail welcomed.
[signature.asc (application/pgp-signature, inline)]

Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Tue, 03 Sep 2013 19:54:13 GMT) (full text, mbox, link).


Notification sent to Moritz Muehlenhoff <jmm@inutil.org>:
Bug acknowledged by developer. (Tue, 03 Sep 2013 19:54:13 GMT) (full text, mbox, link).


Message #55 received at 719462-done@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: 719462-done@bugs.debian.org
Subject: Re: Bug#719462: libmodplug: CVE-2013-4233 CVE-2013-4234
Date: Tue, 3 Sep 2013 21:53:49 +0200
Source: libmodplug
Source-Version: 1:0.8.8.4-4

Closes contained a typo referring to another bugreport:

On Tue, 2013-09-03 at 03:18 +0000, Zed Pobre wrote:
>  libmodplug (1:0.8.8.4-4) unstable; urgency=high
>  .
>      * Merge all changes from latest upstream Git repository (0.8.8.4 with
>        additional patches), including the following security changes:
>        * CVE-2013-4233: fix integer overflow in load_abc.cpp
>        * CVE-2013-4234: fix heap overflows in abc_MIDI_drum and abc_MIDI_gchord
>        * Closes: #719642



Reply sent to Zed Pobre <zed@debian.org>:
You have taken responsibility. (Sun, 08 Sep 2013 19:06:09 GMT) (full text, mbox, link).


Notification sent to Moritz Muehlenhoff <jmm@inutil.org>:
Bug acknowledged by developer. (Sun, 08 Sep 2013 19:06:09 GMT) (full text, mbox, link).


Message #60 received at 719462-close@bugs.debian.org (full text, mbox, reply):

From: Zed Pobre <zed@debian.org>
To: 719462-close@bugs.debian.org
Subject: Bug#719462: fixed in libmodplug 1:0.8.8.4-3+deb7u1+git20130828
Date: Sun, 08 Sep 2013 19:02:04 +0000
Source: libmodplug
Source-Version: 1:0.8.8.4-3+deb7u1+git20130828

We believe that the bug you reported is fixed in the latest version of
libmodplug, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 719462@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Zed Pobre <zed@debian.org> (supplier of updated libmodplug package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Mon, 02 Sep 2013 22:29:48 -0400
Source: libmodplug
Binary: libmodplug1 libmodplug-dev
Architecture: source all amd64
Version: 1:0.8.8.4-3+deb7u1+git20130828
Distribution: stable-security
Urgency: high
Maintainer: Zed Pobre <zed@debian.org>
Changed-By: Zed Pobre <zed@debian.org>
Description: 
 libmodplug-dev - development files for mod music based on ModPlug
 libmodplug1 - shared libraries for mod music based on ModPlug
Closes: 719462
Changes: 
 libmodplug (1:0.8.8.4-3+deb7u1+git20130828) stable-security; urgency=high
 .
     * Merge all changes from latest upstream Git repository (0.8.8.4 with
       additional patches), including the following security changes:
       * CVE-2013-4233: fix integer overflow in load_abc.cpp
       * CVE-2013-4234: fix heap overflows in abc_MIDI_drum and abc_MIDI_gchord
       * Closes: #719462

-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 13 Oct 2013 07:33:27 GMT) (full text, mbox, link).

