tag 361863 + confirmed
thanks

On Mon, Apr 10, 2006 at 10:12:29PM +0200, Stefan Fritsch wrote:
> "Unspecified vulnerability in mpg123 0.59r allows user-complicit
> attackers to trigger a segmentation fault and possibly have other
> impacts via a certain MP3 file, as demonstrated by mpg1DoS3. NOTE:
> this issue might be related to CVE-2004-0991, but it is not clear."
Yep, thanks, I spotted it on vuln-dev already.

I've investigated in the meantime: the crash is caused by a heap overflow in layer3.c::III_antialias(). The data written to the overflow region is taken straight from the mp3, so it's quite likely that this bug allows injection of arbitrary data.

I have a patch that plugs the hole the hard way with an exit()[0], effectively turning it into a DoS. Alas, it only cures a symptom. The actual bug lies elsewhere, and I haven't yet managed to identify the exact piece of code that fails to properly verify the mp3 data.

Anyway, just wanted to drop a note that I'm working on it.

> Version 0.59r-21 should be fixed against CVE-2004-0991 but segfaults
> with the poc-exploit. So it seems to be a different vulnerability
> than CVE-2004-0991.

CVE-2004-0991 is completely unrelated to this vulnerability.

Regards,
Daniel.

[0] If we just return from III_antialias(), mpg123 will crash a bit further down the road, so an exit() is the only safe bet.

---[snip]---
Not a fix, just a band-aid. Only use if you're desperate. [dk]

diff -u -r1.5 layer3.c --- layer3.c 7 Sep 2004 13:48:58 -0000 1.5 +++ layer3.c 19 Apr 2006 16:08:39 -0000 @@ -9,6 +9,7 @@ */ #include <stdlib.h> +#include <stdio.h> #include "mpg123.h" #include "huffman.h" @@ -1166,6 +1167,10 @@ } else { sblim = gr_info->maxb-1; + if (sblim < 0 || sblim > SBLIMIT) { + fprintf(stderr, "maxb invalid: %d\n", gr_info->maxb); + exit(1); + } } /* 31 alias-reduction operations between each pair of sub-bands */
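Review bot: the bound in the second hunk, `sblim > SBLIMIT`, still lets `sblim == SBLIMIT` through; the comment immediately below ("31 alias-reduction operations between each pair of sub-bands") indicates the loop walks pairs of sub-bands, so with SBLIMIT sub-bands the largest in-bounds value is most likely SBLIMIT-1 and the test should read `sblim >= SBLIMIT`. Please confirm against the loop that follows the hunk. The check also sits only in the `else` branch, so whatever value `sblim` receives in the `if` branch above (not shown in the hunk) is never validated; if that branch also derives it from side-info fields, it needs the same guard. Finally, `exit(1)` from inside the decoder means any stream carrying a bad `maxb` terminates the whole process; the footnote explains why a bare `return` is not enough, so the durable fix is to reject the value where the side info is parsed and let the frame decoder drop the frame. The `#include <stdio.h>` in the first hunk exists only for the `fprintf` and is fine.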
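The discussion above turns on a loop bound (`sblim`, derived from the side-info field `maxb`) that is taken from the bitstream and used to walk a fixed-size buffer. The following is an added example, not code from this thread or from mpg123: it shows the same bound being validated once, with the result reported to the caller as a decode error rather than terminating the process, and a toy alias-reduction loop that consumes the validated bound. `SBLIMIT = 32` is the sub-band count the MPEG audio layers use; the `SSLIMIT` value, the array layout, the single mixing coefficient pair and all function names are assumptions made for this illustration.

```c
/* Added example (not mpg123's code): validating a loop bound taken from
 * untrusted MP3 side info before it drives a walk over a fixed buffer.
 * SBLIMIT = 32 is the real sub-band count; SSLIMIT, the array layout and
 * the function names are assumptions for this illustration. */
#include <stdio.h>
#include <string.h>

#define SBLIMIT 32   /* sub-bands per granule */
#define SSLIMIT 18   /* samples per sub-band (assumed layout) */

/* Status codes returned to the caller instead of calling exit(). */
enum { AA_OK = 0, AA_BAD_MAXB = -1 };

/* Turn the bitstream's maxb into the number of sub-band pairs the
 * alias-reduction loop may touch. With SBLIMIT sub-bands there are at
 * most SBLIMIT-1 pairs, so maxb must lie in [1, SBLIMIT]. */
int antialias_bound(int maxb, int *sblim_out)
{
    if (maxb < 1 || maxb > SBLIMIT)
        return AA_BAD_MAXB;
    *sblim_out = maxb - 1;
    return AA_OK;
}

/* Toy alias reduction: for each pair (sb, sb+1) mix the last sample of sb
 * with the first sample of sb+1. The real butterfly applies eight
 * coefficient pairs; one constant pair is enough to show the bound.
 * Returns the number of pairs processed, or AA_BAD_MAXB on bad input. */
int antialias_checked(float xr[SBLIMIT][SSLIMIT], int maxb)
{
    int sblim;
    if (antialias_bound(maxb, &sblim) != AA_OK)
        return AA_BAD_MAXB;              /* caller drops this frame */
    for (int sb = 0; sb < sblim; sb++) { /* sb+1 <= SBLIMIT-1 here */
        float bu = xr[sb][SSLIMIT - 1];
        float bd = xr[sb + 1][0];
        xr[sb][SSLIMIT - 1] = bu * 0.8f - bd * 0.6f;
        xr[sb + 1][0]       = bd * 0.8f + bu * 0.6f;
    }
    return sblim;
}

/* Run one constructed (all-zero) granule through the checked routine with
 * the given maxb and report the status, so callers can see which maxb
 * values are accepted. */
int run_frame(int maxb)
{
    float xr[SBLIMIT][SSLIMIT];
    memset(xr, 0, sizeof xr);
    return antialias_checked(xr, maxb);
}

int main(void)
{
    /* Constructed values: two out-of-range maxb fields and one valid one. */
    int probes[] = { 0, 33, 200, 32 };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        int r = run_frame(probes[i]);
        if (r == AA_BAD_MAXB)
            printf("maxb=%d rejected, frame dropped\n", probes[i]);
        else
            printf("maxb=%d ok, %d sub-band pairs processed\n", probes[i], r);
    }
    return 0;
}
```

The point of routing the failure through a return value is the one the footnote raises: a bare `return` from the middle of the decoder leaves half-initialised state for later stages, and `exit()` hands any malformed stream a guaranteed process kill, so the rejection has to reach the code that owns the frame and can discard it cleanly.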