Debian Bug report logs - #361863
CVE-2006-1655: Unspecified vulnerability in mpg123


Package: mpg123; Maintainer for mpg123 is Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>; Source for mpg123 is src:mpg123.

Reported by: Stefan Fritsch <sf@sfritsch.de>

Date: Mon, 10 Apr 2006 20:18:02 UTC

Severity: grave

Tags: confirmed, patch, security

Found in versions mpg123/0.59r-21, mpg123/0.59r-1

Fixed in versions mpg123/0.59r-22, mpg123/0.59r-20sarge1

Done: Daniel Kobras <kobras@debian.org>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Daniel Kobras <kobras@debian.org>:
Bug#361863; Package mpg123. Full text and rfc822 format available.

Acknowledgement sent to Stefan Fritsch <sf@sfritsch.de>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Daniel Kobras <kobras@debian.org>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Stefan Fritsch <sf@sfritsch.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2006-1655: Unspecified vulnerability in mpg123
Date: Mon, 10 Apr 2006 22:12:29 +0200
Package: mpg123
Version: 0.59r-21
Severity: grave
Tags: security

cite:
"Unspecified vulnerability in mpg123 0.59r allows user-complicit
attackers to trigger a segmentation fault and possibly have other
impacts via a certain MP3 file, as demonstrated by mpg1DoS3.  NOTE:
this issue might be related to CVE-2004-0991, but it is not clear."


Version 0.59r-21 should be fixed against CVE-2004-0991 but segfaults
with the poc-exploit. So it seems to be a different vulnerability
than CVE-2004-0991.

gdb says the segfault is in layer3.c:1185, but debugging this is beyond
me.

If you fix it, please mention the CVE-id in the changelog.



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#361863; Package mpg123. Full text and rfc822 format available.

Acknowledgement sent to Daniel Kobras <kobras@debian.org>:
Extra info received and forwarded to list. Full text and rfc822 format available.

Message #10 received at 361863@bugs.debian.org (full text, mbox):

From: Daniel Kobras <kobras@debian.org>
To: Stefan Fritsch <sf@sfritsch.de>, 361863@bugs.debian.org
Subject: Re: Bug#361863: CVE-2006-1655: Unspecified vulnerability in mpg123
Date: Wed, 19 Apr 2006 18:13:55 +0200
tag 361863 + confirmed
thanks

On Mon, Apr 10, 2006 at 10:12:29PM +0200, Stefan Fritsch wrote:
> "Unspecified vulnerability in mpg123 0.59r allows user-complicit
> attackers to trigger a segmentation fault and possibly have other
> impacts via a certain MP3 file, as demonstrated by mpg1DoS3.  NOTE:
> this issue might be related to CVE-2004-0991, but it is not clear."

Yep, thanks, I spotted it on vuln-dev already. I've investigated in the
meantime: The crash is caused by a heap overflow in
layer3.c::III_antialias(). The data written to the overflow region is
taken straight from the mp3, so it's quite likely that this bug allows
injection of arbitrary data. I have a patch that plugs the hole the hard
way with an exit()[0], effectively turning it into a DoS. Alas, it only
cures a symptom. The actual bug lies elsewhere, and I haven't managed
yet to identify the exact piece of code that fails to properly verify
the mp3 data. Anyway, just wanted to drop a note that I'm working on it.

> Version 0.59r-21 should be fixed against CVE-2004-0991 but segfaults
> with the poc-exploit. So it seems to be a different vulnerability
> than CVE-2004-0991.

CVE-2004-0991 is completely unrelated to this vulnerability.

Regards,

Daniel.

[0] If we just return from III_antialias(), mpg123 will crash a bit
    further down the road, so an exit() is the only safe bet.

---[snip]---

Not a fix, just a band-aid. Only use if you're desperate. [dk]

diff -u -r1.5 layer3.c
--- layer3.c	7 Sep 2004 13:48:58 -0000	1.5
+++ layer3.c	19 Apr 2006 16:08:39 -0000
@@ -9,6 +9,7 @@
  */ 
 
 #include <stdlib.h>
+#include <stdio.h>
 #include "mpg123.h"
 #include "huffman.h"
 
@@ -1166,6 +1167,10 @@
    }
    else {
      sblim = gr_info->maxb-1;
+     if (sblim < 0 || sblim > SBLIMIT) {
+       fprintf(stderr, "maxb invalid: %d\n", gr_info->maxb);
+       exit(1);
+     }
    }
 
    /* 31 alias-reduction operations between each pair of sub-bands */
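Review bot: the upper bound in `if (sblim < 0 || sblim > SBLIMIT)` is one too loose. The comment directly below the check says the loop performs 31 alias-reduction operations between pairs of sub-bands, so with SBLIMIT sub-band rows in xr the valid range for sblim is 0..SBLIMIT-1; a value of exactly SBLIMIT passes this test and the last pass then writes the row one past the end of the array. Use `sblim >= SBLIMIT` instead. Separately, `exit(1)` from inside the decoder turns every malformed frame into a termination of the whole player; since the note above already calls this a band-aid, having III_antialias() report failure to its caller so the frame is skipped (keeping the stderr diagnostic) would be the less disruptive shape.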



Tags added: confirmed Request was from Daniel Kobras <kobras@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#361863; Package mpg123. Full text and rfc822 format available.

Acknowledgement sent to Daniel Kobras <kobras@debian.org>:
Extra info received and forwarded to list. Full text and rfc822 format available.

Message #17 received at 361863@bugs.debian.org (full text, mbox):

From: Daniel Kobras <kobras@debian.org>
To: Stefan Fritsch <sf@sfritsch.de>, 361863@bugs.debian.org
Subject: Re: Bug#361863: CVE-2006-1655: Unspecified vulnerability in mpg123
Date: Fri, 28 Apr 2006 20:48:08 +0200
tag 361863 + patch
thanks

On Wed, Apr 19, 2006 at 06:13:55PM +0200, Daniel Kobras wrote:
> On Mon, Apr 10, 2006 at 10:12:29PM +0200, Stefan Fritsch wrote:
> > "Unspecified vulnerability in mpg123 0.59r allows user-complicit
> > attackers to trigger a segmentation fault and possibly have other
> > impacts via a certain MP3 file, as demonstrated by mpg1DoS3.  NOTE:
> > this issue might be related to CVE-2004-0991, but it is not clear."
> 
> Yep, thanks, I spotted it on vuln-dev already. I've investigated in the
> meantime: The crash is caused by a heap overflow in
> layer3.c::III_antialias(). The data written to the overflow region is
> taken straight from the mp3, so it's quite likely that this bug allows
> injection of arbitrary data. I have a patch that plugs the hole the hard
> way with an exit()[0], effectively turning it into a DoS. Alas, it only
> cures a symptom. The actual bug lies elsewhere, and I haven't managed
> yet to identify the exact piece of code that fails to properly verify
> the mp3 data. Anyway, just wanted to drop a note that I'm working on it.

The root cause of this bug lies in layer3.c::III_i_stereo(). A specially
crafted MPEG 2.0-type stereo frame with block type feature set to 2 in
the frame header can trigger a stack overflow in this function if it
flags all subbands to belong to the left channel. I'm not sure whether
such settings make sense for real data. In any case, the code didn't
take it into account, and as a result copied a fixed amount of data past
the end of the xr array. It is allocated on the stack in the calling
function, do_layer3(). There are plenty of other variables on the stack
before the xr array (actually called hybridIn in do_layer3()), so the
overflow cannot be exploited directly. However, it's possible to
overwrite several variables in do_layer3() from user-supplied data.
gr_info->maxb in particular is used later on as a loop boundary.
By modifying this value it is possible to overflow the same xr/hybridIn
array once more in III_antialias(), but this time the size of the
overflowing region can be arbitrarily large. To a limited extent, data
written to the overflow region can be user-controlled. Therefore, it
might be possible to exploit this bug to execute arbitrary code with
privileges of a user opening a malicious MPEG 2.0 layer3 file. The
attached patch prevents the hole by skipping the unnecessary copy of
subband data in the corner case mentioned above.

Regards,

Daniel.

[cve-2006-1655.diff (text/plain, inline)]
Index: layer3.c
===================================================================
RCS file: /home/kobras/cvsroot/debian/mpg123/layer3.c,v
retrieving revision 1.5
retrieving revision 1.6
diff -u -r1.5 -r1.6
--- layer3.c	7 Sep 2004 13:48:58 -0000	1.5
+++ layer3.c	28 Apr 2006 15:02:34 -0000	1.6
@@ -1125,7 +1125,10 @@
       } 
       else { /* ((gr_info->block_type != 2)) */
         int sfb = gr_info->maxbandl;
-        int is_p,idx = bi->longIdx[sfb];
+        int is_p,idx;
+	if (sfb > 21)
+	  return;
+	idx = bi->longIdx[sfb];
         for ( ; sfb<21; sfb++) {
           int sb = bi->longDiff[sfb];
           is_p = scalefac[sfb]; /* scale: 0-15 */
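Review bot: the early return guards `idx = bi->longIdx[sfb]` with a bare magic number; 21 is duplicated from the `for ( ; sfb<21; sfb++)` condition on the next line and is tied to the size of the longIdx/longDiff tables, so it should be a named constant (or derived from the table size) with a one-line comment stating which frame condition (maxbandl beyond the last long scalefactor band) is being rejected, since nothing else in the function hints why a silent return is the right response. Also worth confirming in a comment that sfb == 21 is meant to be accepted: the loop then runs zero times, and the hunk does not show how idx is used afterwards. Style: the three added lines are tab-indented while the surrounding code uses spaces.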

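As an added example (not mpg123's code), a checked model of the III_antialias() loop the two messages above describe: it follows the same path from the frame-supplied maxb to the loop bound, shows exactly which rows of xr the butterflies write and why the bound must be SBLIMIT-1, and rejects the frame instead of calling exit(). The gr_info_s struct and the check_frame() helper are assumptions; SBLIMIT/SSLIMIT match the layer 3 granule layout, and the alias-reduction constants are the ISO/IEC 11172-3 values.

```c
#define SBLIMIT 32   /* sub-bands per granule: rows of xr */
#define SSLIMIT 18   /* samples per sub-band: columns of xr */
#define FRAME_REJECT (-1)

typedef float real;

/* Alias-reduction constants c[i] from ISO/IEC 11172-3 (layer 3). */
static const double aa_c[8] = {
    -0.6, -0.535, -0.33, -0.185, -0.095, -0.041, -0.0142, -0.0037 };

/* Hypothetical gr_info with only the fields the bug report mentions. */
struct gr_info_s { int block_type; int mixed_block_flag; int maxb; };

/* 1/sqrt(1+c*c) by Newton iteration, so the example needs no libm. */
static double rsqrt1p(double c)
{
    double v = 1.0 + c * c, x = 1.0;
    int i;
    for (i = 0; i < 30; i++) x = 0.5 * (x + v / x);
    return 1.0 / x;
}

/* Checked variant of the III_antialias() loop: validate sblim against
 * the real array bounds and reject the frame instead of calling exit().
 * Returns the number of butterfly passes done, or FRAME_REJECT. */
int antialias_checked(real xr[SBLIMIT][SSLIMIT], const struct gr_info_s *g)
{
    int sblim, sb, ss;

    if (g->block_type == 2) {
        if (!g->mixed_block_flag) return 0;   /* short blocks: no-op */
        sblim = 1;
    } else {
        sblim = g->maxb - 1;                  /* value comes from the frame */
    }
    /* The loop writes rows 1..sblim of xr, so sblim must be <= SBLIMIT-1;
     * a "sblim > SBLIMIT" test would still let row SBLIMIT be written. */
    if (sblim < 0 || sblim >= SBLIMIT) return FRAME_REJECT;

    for (sb = 1; sb <= sblim; sb++) {         /* butterflies: rows sb-1, sb */
        for (ss = 0; ss < 8; ss++) {
            real cs = (real)rsqrt1p(aa_c[ss]), ca = (real)(aa_c[ss] * cs);
            real bu = xr[sb - 1][SSLIMIT - 1 - ss];   /* upper input */
            real bd = xr[sb][ss];                     /* lower input */
            xr[sb - 1][SSLIMIT - 1 - ss] = bu * cs - bd * ca;
            xr[sb][ss] = bd * cs + bu * ca;
        }
    }
    return sblim;
}

/* Run the check on a zeroed granule (constructed input) for a given
 * block_type / mixed_block_flag / maxb combination. */
int check_frame(int block_type, int mixed_block_flag, int maxb)
{
    real xr[SBLIMIT][SSLIMIT] = {{0}};
    struct gr_info_s g = { block_type, mixed_block_flag, maxb };
    return antialias_checked(xr, &g);
}
```

With maxb = 32 the function performs 31 passes (the "31 alias-reduction operations" of the original comment); maxb = 33 or maxb = 0, which the band-aid's `> SBLIMIT` test and the original code respectively let through, are rejected.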
Tags added: patch Request was from Daniel Kobras <kobras@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Reply sent to Daniel Kobras <kobras@debian.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Stefan Fritsch <sf@sfritsch.de>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #24 received at 361863-close@bugs.debian.org (full text, mbox):

From: Daniel Kobras <kobras@debian.org>
To: 361863-close@bugs.debian.org
Subject: Bug#361863: fixed in mpg123 0.59r-22
Date: Fri, 28 Apr 2006 14:18:01 -0700
Source: mpg123
Source-Version: 0.59r-22

We believe that the bug you reported is fixed in the latest version of
mpg123, which is due to be installed in the Debian FTP archive:

mpg123-esd_0.59r-22_alpha.deb
  to pool/non-free/m/mpg123/mpg123-esd_0.59r-22_alpha.deb
mpg123-esd_0.59r-22_i386.deb
  to pool/non-free/m/mpg123/mpg123-esd_0.59r-22_i386.deb
mpg123-esd_0.59r-22_powerpc.deb
  to pool/non-free/m/mpg123/mpg123-esd_0.59r-22_powerpc.deb
mpg123-nas_0.59r-22_i386.deb
  to pool/non-free/m/mpg123/mpg123-nas_0.59r-22_i386.deb
mpg123-oss-3dnow_0.59r-22_i386.deb
  to pool/non-free/m/mpg123/mpg123-oss-3dnow_0.59r-22_i386.deb
mpg123-oss-i486_0.59r-22_i386.deb
  to pool/non-free/m/mpg123/mpg123-oss-i486_0.59r-22_i386.deb
mpg123_0.59r-22.diff.gz
  to pool/non-free/m/mpg123/mpg123_0.59r-22.diff.gz
mpg123_0.59r-22.dsc
  to pool/non-free/m/mpg123/mpg123_0.59r-22.dsc
mpg123_0.59r-22_alpha.deb
  to pool/non-free/m/mpg123/mpg123_0.59r-22_alpha.deb
mpg123_0.59r-22_arm.deb
  to pool/non-free/m/mpg123/mpg123_0.59r-22_arm.deb
mpg123_0.59r-22_hppa.deb
  to pool/non-free/m/mpg123/mpg123_0.59r-22_hppa.deb
mpg123_0.59r-22_i386.deb
  to pool/non-free/m/mpg123/mpg123_0.59r-22_i386.deb
mpg123_0.59r-22_m68k.deb
  to pool/non-free/m/mpg123/mpg123_0.59r-22_m68k.deb
mpg123_0.59r-22_powerpc.deb
  to pool/non-free/m/mpg123/mpg123_0.59r-22_powerpc.deb
mpg123_0.59r-22_sparc.deb
  to pool/non-free/m/mpg123/mpg123_0.59r-22_sparc.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 361863@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Daniel Kobras <kobras@debian.org> (supplier of updated mpg123 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Fri, 28 Apr 2006 18:27:35 +0200
Source: mpg123
Binary: mpg123-esd mpg123-oss-3dnow mpg123-nas mpg123-oss-i486 mpg123
Architecture: alpha arm hppa i386 m68k powerpc source sparc 
Version: 0.59r-22
Distribution: unstable
Urgency: high
Maintainer: Daniel Kobras <kobras@debian.org>
Changed-By: Daniel Kobras <kobras@debian.org>
Description: 
 mpg123     - MPEG layer 1/2/3 audio player
 mpg123-esd - MPEG layer 1/2/3 audio player with Esound support
Closes: 350356 361863
Changes: 
 mpg123 (0.59r-22) unstable; urgency=high
 .
   * layer3.c: Fix buffer overflow in III_i_stereo() (CVE-2006-1655).
     Closes: #361863
   * mpg123.1: Fix several typos in man page. Patch thanks to A Costa.
     Closes: #350356
   * decode_i386.c: Cheat around strict aliasing problem in WRITE_SAMPLE().
   * Makefile: Replace deprecated -mcpu option with -mtune in x86 targets.
   * debian/control: Complies with version 3.6.2 of Debian policy. Bump
     Standards-Version accordingly.
Files: 





Bug marked as found in version 0.59r-1. Request was from Daniel Kobras <kobras@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Reply sent to Daniel Kobras <kobras@debian.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Stefan Fritsch <sf@sfritsch.de>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #31 received at 361863-close@bugs.debian.org (full text, mbox):

From: Daniel Kobras <kobras@debian.org>
To: 361863-close@bugs.debian.org
Subject: Bug#361863: fixed in mpg123 0.59r-20sarge1
Date: Wed, 30 Aug 2006 23:05:16 -0700
Source: mpg123
Source-Version: 0.59r-20sarge1

We believe that the bug you reported is fixed in the latest version of
mpg123, which is due to be installed in the Debian FTP archive:

mpg123-esd_0.59r-20sarge1_alpha.deb
  to pool/non-free/m/mpg123/mpg123-esd_0.59r-20sarge1_alpha.deb
mpg123-esd_0.59r-20sarge1_i386.deb
  to pool/non-free/m/mpg123/mpg123-esd_0.59r-20sarge1_i386.deb
mpg123-esd_0.59r-20sarge1_powerpc.deb
  to pool/non-free/m/mpg123/mpg123-esd_0.59r-20sarge1_powerpc.deb
mpg123-nas_0.59r-20sarge1_i386.deb
  to pool/non-free/m/mpg123/mpg123-nas_0.59r-20sarge1_i386.deb
mpg123-oss-3dnow_0.59r-20sarge1_i386.deb
  to pool/non-free/m/mpg123/mpg123-oss-3dnow_0.59r-20sarge1_i386.deb
mpg123-oss-i486_0.59r-20sarge1_i386.deb
  to pool/non-free/m/mpg123/mpg123-oss-i486_0.59r-20sarge1_i386.deb
mpg123_0.59r-20sarge1.diff.gz
  to pool/non-free/m/mpg123/mpg123_0.59r-20sarge1.diff.gz
mpg123_0.59r-20sarge1.dsc
  to pool/non-free/m/mpg123/mpg123_0.59r-20sarge1.dsc
mpg123_0.59r-20sarge1_alpha.deb
  to pool/non-free/m/mpg123/mpg123_0.59r-20sarge1_alpha.deb
mpg123_0.59r-20sarge1_arm.deb
  to pool/non-free/m/mpg123/mpg123_0.59r-20sarge1_arm.deb
mpg123_0.59r-20sarge1_hppa.deb
  to pool/non-free/m/mpg123/mpg123_0.59r-20sarge1_hppa.deb
mpg123_0.59r-20sarge1_i386.deb
  to pool/non-free/m/mpg123/mpg123_0.59r-20sarge1_i386.deb
mpg123_0.59r-20sarge1_m68k.deb
  to pool/non-free/m/mpg123/mpg123_0.59r-20sarge1_m68k.deb
mpg123_0.59r-20sarge1_powerpc.deb
  to pool/non-free/m/mpg123/mpg123_0.59r-20sarge1_powerpc.deb
mpg123_0.59r-20sarge1_sparc.deb
  to pool/non-free/m/mpg123/mpg123_0.59r-20sarge1_sparc.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 361863@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Daniel Kobras <kobras@debian.org> (supplier of updated mpg123 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Wed,  3 May 2006 16:59:50 +0200
Source: mpg123
Binary: mpg123-esd mpg123-oss-3dnow mpg123-nas mpg123-oss-i486 mpg123
Architecture: alpha arm hppa i386 m68k powerpc source sparc 
Version: 0.59r-20sarge1
Distribution: stable-security
Urgency: high
Maintainer: Daniel Kobras <kobras@debian.org>
Changed-By: Daniel Kobras <kobras@debian.org>
Description: 
 mpg123     - MPEG layer 1/2/3 audio player
 mpg123-esd - MPEG layer 1/2/3 audio player with Esound support
Closes: 361863
Changes: 
 mpg123 (0.59r-20sarge1) stable-security; urgency=high
 .
   * layer3.c: Fix buffer overflow in III_i_stereo() (CVE-2006-1655).
     Closes: #361863
Files: 





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 26 Jun 2007 04:44:36 GMT) Full text and rfc822 format available.



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Apr 23 16:47:10 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.