'Re: [oss-security] CVE-Request taglib vulnerabilities'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       oss-security
Subject:    Re: [oss-security] CVE-Request taglib vulnerabilities
From:       Kurt Seifried <kseifried () redhat ! com>
Date:       2012-03-26 18:44:56
Message-ID: 4F70B928.7090308 () redhat ! com
[Download RAW message or body]

On 03/21/2012 12:19 PM, Zubin Mithra wrote:
> On Wed, Mar 21, 2012 at 10:49 PM, Kurt Seifried <kseifried@redhat.com>wrote:
> 
>> On 03/21/2012 09:42 AM, Ludwig Nussel wrote:
>>> Zubin Mithra wrote:
>>>> [...]
>>>> The issues which are present in the latest "release" but not in the
>> current
>>>> development head were :-
>>>>
>>>> [3] Lack of sanity checks of fields which were read, and were used for
>>>> allocating memory; crafted files would lead of application crash.
>>>
>>> Not an issue according to upstream:
>>> http://mail.kde.org/pipermail/taglib-devel/2012-March/002187.html
>>
>> Shouldn't it simply say "file to large" or "unable to allocate blah"
>> something rather than crashing? I assume by "large" file the file
>> doesn't actually need to be large, just the header information needs to
>> claim it is large?
>>
> 
> Yes, the file does not need to be large, it just needs to have a crafted
> header.
> 
> On investigating the issue further, discussing with a developer Lukas
> Laninsky and providing PoC's, we had confirmed that the root issue was an
> Integer overflow - which would cause a large allocation and crash the
> application.
> 
> The changeset that corrects it can be found here =>
> https://github.com/taglib/taglib/commit/dcdf4fd954e3213c355746fa15b7480461972308

Please use CVE-2012-1584 for this issue.

> 
> 
>>
>>>> [4] A one bit change in a working ogg file would cause a thread to loop
>>>> infinitely.
>>>
>>> http://mail.kde.org/pipermail/taglib-devel/2012-March/002191.html
>>>
>> https://github.com/taglib/taglib/commit/b3646a07348ffa276ea41a9dae03ddc63ea6c532
>>
>> Has this been confirmed? Does the looping thread actually cause a DoS,
>> simply slow down the application a bit, or?
>>
> 
> Yes, it just causes a thread to cause an infinite loop and does not cause
> an application crash.

Ok, not assigning a CVE then. Thanks!

> 
> 
>>
>>> cu
>>> Ludwig
>>
>>
>>
>> --
>> Kurt Seifried Red Hat Security Response Team (SRT)
>>
> 
> 
> Regards,
> Zubin Mithra
> 


-- 
Kurt Seifried Red Hat Security Response Team (SRT)
[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic