mp3info: CVE-2006-2465: buffer overflow via command-line argument

Related Vulnerabilities: CVE-2006-2465  

Debian Bug report logs - #368207

Package: mp3info; Maintainer for mp3info is Paweł Więcek <coven@debian.org>; Source for mp3info is src:mp3info.

Reported by: Alec Berryman <alec@thened.net>

Date: Sat, 20 May 2006 14:48:12 UTC

Severity: grave

Tags: fixed, patch, security

Found in version mp3info/0.8.4-9

Fixed in version 0.8.4-9.1

Done: "Adam D. Barratt" <debian-bts@adam-barratt.org.uk>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Pawel Wiecek <coven@debian.org>:
Bug#368207; Package mp3info.


Acknowledgement sent to Alec Berryman <alec@thened.net>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Pawel Wiecek <coven@debian.org>.


Message #5 received at submit@bugs.debian.org:

From: Alec Berryman <alec@thened.net>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: mp3info: CVE-2006-2465: buffer overflow via command-line argument
Date: Sat, 20 May 2006 14:57:58 +0100
Package: mp3info
Version: 0.8.4-9
Severity: normal
Tags: security patch

CVE-2006-2465: "Buffer overflow in MP3Info 0.8.4 allows attackers to
execute arbitrary code via a long command line argument. NOTE: if
mp3info is not installed setuid or setgid in any reasonable context,
then this issue might not be a vulnerability."

I've confirmed this issue appears in 0.8.4-9 and attached a patch that
fixes it.  There are other sprintf()s around the source, but since it's
reading the fixed-length ID3 tags I'm not sure there are any
vulnerabilities there.

Please mention the CVE in your changelog.

Thanks,

Alec
[CVE-2006-2465.diff (text/plain, attachment)]
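
An added example, not code from mp3info or from this bug log, of the bounded formatting the report calls for: it builds the same "Error opening MP3: %s" message with snprintf and uses the return value to detect truncation. The helper name `format_open_error` and the 80-byte buffer size are assumptions, since the declaration of `error_msg` is not shown on this page.

```c
#include <stdio.h>
#include <string.h>

/* Assumed size: the declaration of error_msg is not shown in this bug log. */
#define ERROR_MSG_SIZE 80

/*
 * Build "Error opening MP3: <path>" in dst without writing past dst_size.
 * Returns 0 if the message fit, 1 if it was truncated, -1 on bad input.
 */
int format_open_error(char *dst, size_t dst_size, const char *path)
{
    int needed;

    if (dst == NULL || path == NULL || dst_size < 4)
        return -1;

    /* snprintf writes at most dst_size bytes including the NUL and returns
     * the length the full message would have had. */
    needed = snprintf(dst, dst_size, "Error opening MP3: %s", path);
    if (needed < 0) {
        dst[0] = '\0';
        return -1;
    }
    if ((size_t)needed >= dst_size) {
        /* Make the truncation visible instead of silently cutting the name. */
        memcpy(dst + dst_size - 4, "...", 4);
        return 1;
    }
    return 0;
}

int main(void)
{
    char error_msg[ERROR_MSG_SIZE];
    char long_name[512];            /* constructed over-long argument */

    memset(long_name, 'A', sizeof(long_name) - 1);
    long_name[sizeof(long_name) - 1] = '\0';

    printf("%d %s\n", format_open_error(error_msg, sizeof(error_msg), "song.mp3"), error_msg);
    printf("%d %s\n", format_open_error(error_msg, sizeof(error_msg), long_name), error_msg);
    return 0;
}
```

The message prefix is 19 characters, so with the assumed 80-byte buffer a 60-character path is the longest that fits without truncation.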

Information forwarded to debian-bugs-dist@lists.debian.org, Pawel Wiecek <coven@debian.org>:
Bug#368207; Package mp3info.


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Pawel Wiecek <coven@debian.org>.


Message #10 received at 368207@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: control@bugs.debian.org
Cc: 337127@bugs.debian.org, 375281@bugs.debian.org, 370144@bugs.debian.org, 355797@bugs.debian.org, 368207@bugs.debian.org
Subject: Raise severities of some security bugs
Date: Sat, 12 Aug 2006 16:21:26 +0200
severity 337127 grave
severity 375281 grave
severity 370144 grave
severity 355797 grave
severity 368207 grave
thanks

I'm raising the severity of these security bugs, which have been
neglected for too long. Etch should not ship with them. If the
bug should not apply to Etch, please indicate so.

Cheers,
        Moritz



Severity set to `grave' from `normal'. Request was from Moritz Muehlenhoff <jmm@inutil.org> to control@bugs.debian.org.


Information forwarded to debian-bugs-dist@lists.debian.org, Pawel Wiecek <coven@debian.org>:
Bug#368207; Package mp3info.


Acknowledgement sent to Carlos C Soto <csoto@sia-solutions.com>:
Extra info received and forwarded to list. Copy sent to Pawel Wiecek <coven@debian.org>.


Message #17 received at 368207@bugs.debian.org:

From: Carlos C Soto <csoto@sia-solutions.com>
To: 368207@bugs.debian.org
Subject: RE: CVE-2006-2465: buffer overflow via command-line argument
Date: Sun, 13 Aug 2006 19:20:46 -0500
I'm applying the following patch which includes the patch from Alec
Berryman <alec@thened.net> who corrects CVE-2006-2465.

Also in this patch is corrected a lintian error about the missing target 
build-indep at debian/rules

This is a patch for the package.


-- Carlos C Soto :: eclipxe
[mp3info-patch.diff (text/x-patch, inline)]
diff -ru mp3info-0.8.4-orig/debian/changelog mp3info-0.8.4/debian/changelog
--- mp3info-0.8.4-orig/debian/changelog	2006-08-13 19:14:09.000000000 -0500
+++ mp3info-0.8.4/debian/changelog	2006-08-13 19:12:04.000000000 -0500
@@ -1,3 +1,11 @@
+mp3info (0.8.4-9.1) unstable; urgency=low
+
+  * Applied patch from Alec Berryman <alec@thened.net> (Closes: #368207)
+  * Added an empty binary-indep target in debian/rules, to fix Lintian
+    error message
+
+ -- Carlos C Soto <csoto@sia-solutions.com>  Sun, 13 Aug 2006 19:10:14 -0500
+
 mp3info (0.8.4-9) unstable; urgency=low
 
   * Changed debconf dependency to include debconf-2.0 (closes: #332032)
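Review bot: the new 0.8.4-9.1 entry never names CVE-2006-2465; its first bullet says only "Applied patch from Alec Berryman (Closes: #368207)", so anyone searching the changelog for the CVE will not find the fix, and the reporter asked for the CVE to be mentioned. Suggest wording the bullet after what was fixed, for example "Fix buffer overflow via long command-line argument in mp3info.c (CVE-2006-2465)". The entry also carries urgency=low for a bug tagged security; a higher urgency would match the tag.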
diff -ru mp3info-0.8.4-orig/debian/rules mp3info-0.8.4/debian/rules
--- mp3info-0.8.4-orig/debian/rules	2006-08-13 19:14:09.000000000 -0500
+++ mp3info-0.8.4/debian/rules	2006-08-13 19:09:42.000000000 -0500
@@ -87,5 +87,8 @@
 	dh_md5sums
 	dh_builddeb
 
+binary-indep:
+	true
+
 binary: binary-arch
 .PHONY: build clean binary-arch binary install configure
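Review bot: the two context lines after the new binary-indep target are left unchanged, so `binary` still depends only on binary-arch and .PHONY does not list binary-indep. As written, `binary` never invokes the new target, and a file named binary-indep in the tree would be treated as the target's output. Suggest `binary: binary-indep binary-arch` and adding binary-indep to the .PHONY line. The changelog in this patch calls the target binary-indep while the covering message says build-indep; worth confirming which one lintian flagged.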
diff -ru mp3info-0.8.4-orig/mp3info.c mp3info-0.8.4/mp3info.c
--- mp3info-0.8.4-orig/mp3info.c	2006-08-13 19:14:09.000000000 -0500
+++ mp3info-0.8.4/mp3info.c	2006-08-13 19:01:00.000000000 -0500
@@ -183,7 +183,7 @@
       file_open=0;
       if (view_only == 1) { 
         if ( !( fp=fopen(argv[i],"r") ) ) {
-  	        sprintf(error_msg,"Error opening MP3: %s",argv[i]);
+  	        snprintf(error_msg,sizeof(error_msg),"Error opening MP3: %s",argv[i]);
                 perror(error_msg);
 		retcode |= 1;
         } else {
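Review bot: sizeof(error_msg) in the new snprintf call bounds the write only if error_msg is a char array declared in this scope; the declaration is outside the hunk, and if it is a char * or a function parameter the bound becomes the size of a pointer. Worth confirming the declaration before relying on this. A long argv[i] is also now silently truncated in the perror output; printing the name directly, as in fprintf(stderr, "Error opening MP3: %s: %s\n", argv[i], strerror(errno)), would remove the fixed buffer altogether.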
@@ -191,7 +191,7 @@
 	}
       } else {
         if ( !( fp=fopen(argv[i],"rb+") ) ) {
-  	        sprintf(error_msg,"Error opening MP3: %s",argv[i]);
+  	        snprintf(error_msg,sizeof(error_msg),"Error opening MP3: %s",argv[i]);
                 perror(error_msg);
 	        retcode |= 1;
         } else {
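Review bot: this rb+ branch repeats the same snprintf/perror pair as the view_only branch, and in both places perror reads errno after snprintf has run, so the reported error can differ from the fopen failure if snprintf changes errno. Suggest saving errno immediately after the failed fopen and restoring it before perror, in one small helper shared by both branches, so the two call sites cannot drift apart.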

Tags added: fixed. Request was from Carlos C Soto <csoto@sia-solutions.com> to control@bugs.debian.org.


Message sent on to Alec Berryman <alec@thened.net>:
Bug#368207.


Message #22 received at 368207-submitter@bugs.debian.org:

From: "Adam D. Barratt" <debian-bts@adam-barratt.org.uk>
To: 368207-submitter@bugs.debian.org
Subject: Debian bug #368207
Date: Thu, 26 Oct 2006 22:29:20 +0100
Hi,

You should have recently received (or will soon receive) an e-mail
telling you that I've closed Debian bug #368207 in the mp3info 
package, which you reported.

Due to the fact that the package was uploaded by someone who does not
normally do so, the bug was marked as "fixed" rather than closed.

Debian's bug tracking system now allows for this information to be
recorded in a more useful manner, enabling these bugs to be closed.

Due to the volume of bugs affected by this change, we are unfortunately
not sending individualized explanations for each bug. If you have
questions about the fix for your particular bug or about this email,
please contact me directly or follow up to the bug report in the Debian
BTS.

[It's possible you may receive multiple messages stating that the bug
was fixed in several different versions of the package. There are two
common reasons for this:

  - the bug was fixed in one version but subsequently found to exist
    in a later version

  - the bug existed in multiple distributions (for instance, "unstable"
    and "stable") and was thus fixed in a separate upload to each
    distribution
]

Regards,

Adam



Bug marked as fixed in version 0.8.4-9.1, send any further explanations to Alec Berryman <alec@thened.net>. Request was from "Adam D. Barratt" <debian-bts@adam-barratt.org.uk> to control@bugs.debian.org.


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 24 Jun 2007 12:17:24 GMT)

