Debian Bug report logs - #459961
mt-daapd: CVE-2007-582[4,5] multiple security vulnerabilities


Package: mt-daapd; Maintainer for mt-daapd is Julien BLACHE <jblache@debian.org>;

Reported by: Nico Golde <nion@debian.org>

Date: Wed, 9 Jan 2008 21:24:02 UTC

Severity: grave

Tags: patch, security

Fixed in versions mt-daapd/0.9~r1696-1.1, 0.2.4+r1376-1.1+etch1

Done: Devin Carraway <devin@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Joshua Kwan <joshk@triplehelix.org>:
Bug#459961; Package mt-daapd. Full text and rfc822 format available.

Acknowledgement sent to Nico Golde <nion@debian.org>:
New Bug report received and forwarded. Copy sent to Joshua Kwan <joshk@triplehelix.org>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Nico Golde <nion@debian.org>
To: submit@bugs.debian.org
Subject: mt-daapd: CVE-2007-582[4,5] multiple security vulnerabilities
Date: Wed, 9 Jan 2008 22:21:44 +0100
[Message part 1 (text/plain, inline)]
Package: mt-daapd
Severity: grave
Tags: security patch

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for mt-daapd.

CVE-2007-5824[0]:
| webserver.c in mt-daapd in Firefly Media Server 0.2.4 and earlier
| allows remote attackers to cause a denial of service (NULL dereference
| and daemon crash) via a stats method action to /xml-rpc with (1) an
| empty Authorization header line, which triggers a crash in the
| ws_decodepassword function; or (2) a header line without a ':'
| character, which triggers a crash in the ws_getheaders function.

If you fix this vulnerability please also include the CVE id
in your changelog entry.

A patch extracted from upstream CVS is attached.

For further information:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5824

Kind regards
Nico

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[CVE-2007-5825-2007-5824.dpatch (text/plain, attachment)]
[Message part 3 (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Joshua Kwan <joshk@triplehelix.org>:
Bug#459961; Package mt-daapd. Full text and rfc822 format available.

Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Joshua Kwan <joshk@triplehelix.org>.

Your message did not contain a Subject field. They are recommended and useful because the title of a Bug is determined using this field. Please remember to include a Subject field in your messages in future.



Message #10 received at 459961@bugs.debian.org (full text, mbox):

From: Nico Golde <nion@debian.org>
To: 459961@bugs.debian.org
Date: Thu, 10 Jan 2008 15:29:33 +0100
[Message part 1 (text/plain, inline)]
Hi,
forgot to include the other CVE id:
CVE-2007-5825[0]:
| Format string vulnerability in the ws_addarg function in webserver.c
| in mt-daapd in Firefly Media Server 0.2.4 and earlier allows remote
| attackers to execute arbitrary code via a stats method action to
| /xml-rpc with format string specifiers in the (1) username or (2)
| password portion of base64-encoded data on the "Authorization: Basic"
| HTTP header line.

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5825
    http://security-tracker.debian.net/tracker/CVE-2007-5825

Kind regards
Nico

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[Message part 2 (application/pgp-signature, inline)]
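
The input handling that the two CVE descriptions above call for, as an added example that is not part of the original report and is not mt-daapd's code: header lines with no ':' and empty Authorization values are rejected before use, and decoded credentials are copied through a constant "%s" format. The names split_header, basic_payload and store_arg and the sample lines are assumptions constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Split "Name: value". Returns -1 when the line has no ':' (case 2 of
 * CVE-2007-5824) or a field does not fit its buffer, else 0. */
int split_header(const char *line, char *name, size_t nlen,
                 char *value, size_t vlen)
{
    const char *colon = line ? strchr(line, ':') : NULL;
    size_t n;
    if (!colon || !name || !value)      /* no separator: reject, never deref */
        return -1;
    n = (size_t)(colon - line);
    if (n == 0 || n >= nlen)
        return -1;
    memcpy(name, line, n);
    name[n] = '\0';
    for (colon++; *colon == ' ' || *colon == '\t'; colon++)
        ;
    n = strcspn(colon, "\r\n");
    if (n >= vlen)
        return -1;
    memcpy(value, colon, n);
    value[n] = '\0';
    return 0;
}

/* Base64 payload of a "Basic ..." value, or NULL when the value is empty or
 * not Basic (case 1 of CVE-2007-5824). Scheme match is exact, for brevity. */
const char *basic_payload(const char *value)
{
    if (!value || strncmp(value, "Basic ", 6) != 0)
        return NULL;
    value += 6 + strspn(value + 6, " ");
    return *value ? value : NULL;
}

/* Copy an untrusted string as data. The format is the constant "%s", so a
 * '%' in the decoded username or password is never interpreted (the bug
 * class of CVE-2007-5825). Returns -1 on truncation. */
int store_arg(char *dst, size_t dlen, const char *untrusted)
{
    int n = (dst && dlen && untrusted) ? snprintf(dst, dlen, "%s", untrusted) : -1;
    return (n < 0 || (size_t)n >= dlen) ? -1 : 0;
}

int main(void)
{
    /* Constructed sample lines, not captured traffic. */
    const char *lines[] = { "Authorization: Basic dXNlcjpwYXNz\r\n",
                            "Authorization:\r\n", "NoColonHere\r\n" };
    char name[32], value[64];
    for (int i = 0; i < 3; i++)
        if (split_header(lines[i], name, sizeof name, value, sizeof value))
            puts("malformed header line: reject");
        else
            puts(basic_payload(value) ? "credentials present" : "no credentials: reject");
    return 0;
}
```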

Reply sent to Joshua Kwan <joshk@triplehelix.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Nico Golde <nion@debian.org>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #15 received at 459961-close@bugs.debian.org (full text, mbox):

From: Joshua Kwan <joshk@triplehelix.org>
To: 459961-close@bugs.debian.org
Subject: Bug#459961: fixed in mt-daapd 0.9~r1696-1
Date: Fri, 11 Jan 2008 05:47:05 +0000
Source: mt-daapd
Source-Version: 0.9~r1696-1

We believe that the bug you reported is fixed in the latest version of
mt-daapd, which is due to be installed in the Debian FTP archive:

mt-daapd_0.9~r1696-1.diff.gz
  to pool/main/m/mt-daapd/mt-daapd_0.9~r1696-1.diff.gz
mt-daapd_0.9~r1696-1.dsc
  to pool/main/m/mt-daapd/mt-daapd_0.9~r1696-1.dsc
mt-daapd_0.9~r1696-1_amd64.deb
  to pool/main/m/mt-daapd/mt-daapd_0.9~r1696-1_amd64.deb
mt-daapd_0.9~r1696.orig.tar.gz
  to pool/main/m/mt-daapd/mt-daapd_0.9~r1696.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 459961@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Joshua Kwan <joshk@triplehelix.org> (supplier of updated mt-daapd package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Thu, 10 Jan 2008 20:48:24 -0800
Source: mt-daapd
Binary: mt-daapd
Architecture: source amd64
Version: 0.9~r1696-1
Distribution: unstable
Urgency: low
Maintainer: Joshua Kwan <joshk@triplehelix.org>
Changed-By: Joshua Kwan <joshk@triplehelix.org>
Description: 
 mt-daapd   - iTunes-compatible DAAP server
Closes: 459444 459961
Changes: 
 mt-daapd (0.9~r1696-1) unstable; urgency=low
 .
   * New upstream snapshot.
   * Includes fixes for security bugs CVE-2007-5825, CVE-2007-5824.
     closes: #459961
   * Fix crash brought on by long filenames, thanks Adrian Bridgett.
     closes: #459444
   * 03_plugins_in_libdir patch merged by upstream, so it's been removed.
   * Bump Standards-Version to 3.7.3 - no changes required.
Files: 
 c0fe4cda1c32576805017f80bf9c7413 1437 sound optional mt-daapd_0.9~r1696-1.dsc
 76cd13073c17bbb4ad11a8864caf47a9 1390499 sound optional mt-daapd_0.9~r1696.orig.tar.gz
 8009f9912c0922f62698bcaa4c73da4d 18508 sound optional mt-daapd_0.9~r1696-1.diff.gz
 6252709bd3119f155d0ba7caebe2b3b6 739426 sound optional mt-daapd_0.9~r1696-1_amd64.deb






Information forwarded to debian-bugs-dist@lists.debian.org, Joshua Kwan <joshk@triplehelix.org>:
Bug#459961; Package mt-daapd. Full text and rfc822 format available.

Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Joshua Kwan <joshk@triplehelix.org>. Full text and rfc822 format available.

Message #20 received at 459961@bugs.debian.org (full text, mbox):

From: Nico Golde <nion@debian.org>
To: 459961@bugs.debian.org
Cc: control@bugs.debian.org
Subject: Re: mt-daapd: CVE-2007-582[4,5] multiple security vulnerabilities
Date: Sun, 13 Jan 2008 01:17:36 +0100
[Message part 1 (text/plain, inline)]
reopen 459961
thanks

Hi,
this bug is only partially fixed. mt-daapd does still 
segfault on lines that do not contain a ':'.

Why don't you just package the current upstream version?
The version numbers confuse me as the current upstream 
version is 0.2.4 and you have 0.9 in here.

Kind regards
Nico

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[Message part 2 (application/pgp-signature, inline)]

Bug reopened, originator not changed. Request was from Nico Golde <nion@debian.org> to control@bugs.debian.org. (Sun, 13 Jan 2008 00:18:08 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Joshua Kwan <joshk@triplehelix.org>:
Bug#459961; Package mt-daapd. Full text and rfc822 format available.

Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Joshua Kwan <joshk@triplehelix.org>. Full text and rfc822 format available.

Message #27 received at 459961@bugs.debian.org (full text, mbox):

From: Nico Golde <nion@debian.org>
To: 459961@bugs.debian.org
Subject: Re: Bug#459961: mt-daapd: CVE-2007-582[4,5] multiple security vulnerabilities
Date: Sun, 13 Jan 2008 19:22:07 +0100
[Message part 1 (text/plain, inline)]
Hi,
a part of the original patch was patching in the wrong 
direction and since you built a new upstream revision the 
whole thing got dispatched. I will upload an NMU now to fix 
this cause a part of my original patch caused this.

Kind regards and sorry
Nico
-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[mt-daapd-0.9~r1696-1_0.9~r1696-1.1.patch (text/x-diff, attachment)]
[Message part 3 (application/pgp-signature, inline)]

Reply sent to Nico Golde <nion@debian.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Nico Golde <nion@debian.org>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #32 received at 459961-close@bugs.debian.org (full text, mbox):

From: Nico Golde <nion@debian.org>
To: 459961-close@bugs.debian.org
Subject: Bug#459961: fixed in mt-daapd 0.9~r1696-1.1
Date: Sun, 13 Jan 2008 18:32:02 +0000
Source: mt-daapd
Source-Version: 0.9~r1696-1.1

We believe that the bug you reported is fixed in the latest version of
mt-daapd, which is due to be installed in the Debian FTP archive:

mt-daapd_0.9~r1696-1.1.diff.gz
  to pool/main/m/mt-daapd/mt-daapd_0.9~r1696-1.1.diff.gz
mt-daapd_0.9~r1696-1.1.dsc
  to pool/main/m/mt-daapd/mt-daapd_0.9~r1696-1.1.dsc
mt-daapd_0.9~r1696-1.1_i386.deb
  to pool/main/m/mt-daapd/mt-daapd_0.9~r1696-1.1_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 459961@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Nico Golde <nion@debian.org> (supplier of updated mt-daapd package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sun, 13 Jan 2008 19:13:27 +0100
Source: mt-daapd
Binary: mt-daapd
Architecture: source i386
Version: 0.9~r1696-1.1
Distribution: unstable
Urgency: high
Maintainer: Joshua Kwan <joshk@triplehelix.org>
Changed-By: Nico Golde <nion@debian.org>
Description: 
 mt-daapd   - iTunes-compatible DAAP server
Closes: 459961
Changes: 
 mt-daapd (0.9~r1696-1.1) unstable; urgency=high
 .
   * Non-maintainer upload by security team.
   * Remove 02_secfix, the patch was patching in the wrong
     direction, needed to fix crash on lines without ':'
     (CVE-2007-5824; Closes: #459961).
Files: 
 879f956ec54381fb7375cf885927b26a 749 sound optional mt-daapd_0.9~r1696-1.1.dsc
 ea15fb0373f5782d011e6a6934852ec5 18630 sound optional mt-daapd_0.9~r1696-1.1.diff.gz
 83ff6565365958f549b37f413d7bc920 715890 sound optional mt-daapd_0.9~r1696-1.1_i386.deb






Bug marked as fixed in version 0.2.4+r1376-1.1+etch1, send any further explanations to Nico Golde <nion@debian.org> Request was from thijs@kinkhorst.com (Thijs Kinkhorst) to control@bugs.debian.org. (Fri, 13 Jun 2008 10:12:11 GMT) Full text and rfc822 format available.

Reply sent to Devin Carraway <devin@debian.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Nico Golde <nion@debian.org>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #39 received at 459961-close@bugs.debian.org (full text, mbox):

From: Devin Carraway <devin@debian.org>
To: 459961-close@bugs.debian.org
Subject: Bug#459961: fixed in mt-daapd 0.2.4+r1376-1.1+etch1
Date: Thu, 10 Jul 2008 19:52:23 +0000
Source: mt-daapd
Source-Version: 0.2.4+r1376-1.1+etch1

We believe that the bug you reported is fixed in the latest version of
mt-daapd, which is due to be installed in the Debian FTP archive:

mt-daapd_0.2.4+r1376-1.1+etch1.diff.gz
  to pool/main/m/mt-daapd/mt-daapd_0.2.4+r1376-1.1+etch1.diff.gz
mt-daapd_0.2.4+r1376-1.1+etch1.dsc
  to pool/main/m/mt-daapd/mt-daapd_0.2.4+r1376-1.1+etch1.dsc
mt-daapd_0.2.4+r1376-1.1+etch1_amd64.deb
  to pool/main/m/mt-daapd/mt-daapd_0.2.4+r1376-1.1+etch1_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 459961@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Devin Carraway <devin@debian.org> (supplier of updated mt-daapd package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Mon,  9 Jun 2008 06:36:18 +0000
Source: mt-daapd
Binary: mt-daapd
Architecture: source amd64
Version: 0.2.4+r1376-1.1+etch1
Distribution: stable-security
Urgency: high
Maintainer: Joshua Kwan <joshk@triplehelix.org>
Changed-By: Devin Carraway <devin@debian.org>
Description: 
 mt-daapd   - iTunes-compatible DAAP server
Closes: 459961 476241
Changes: 
 mt-daapd (0.2.4+r1376-1.1+etch1) stable-security; urgency=high
 .
   * Non-maintainer upload by the security team
   * Apply backport of upstream fixes for two related
     vulnerabilities (Closes: #459961):
     + CVE-2007-5824: Remote denial-of-service through a null pointer
       dereference in src/webserver.c's authorization header handling
     + CVE-2007-5825: Remote arbitrary code execution through a format
       string vulnerability in authorization header of an /xml-rpc request
   * Apply fix from Nico Golde <nion@debian.org> for CVE-2008-1771, an
     integer overflow vulnerability also in src/webserver.c, potentially
     enabling execution of arbitrary code (Closes: #476241)
Files: 
 a303c40811df75fd395c28485d038ceb 765 sound optional mt-daapd_0.2.4+r1376-1.1+etch1.dsc
 c427c26e93914290b7cd615835ea333a 995301 sound optional mt-daapd_0.2.4+r1376.orig.tar.gz
 a565dacb5773182a44b367b6c78a0da8 8929 sound optional mt-daapd_0.2.4+r1376-1.1+etch1.diff.gz
 9297976354240c5a75b2c3636fe0746d 610844 sound optional mt-daapd_0.2.4+r1376-1.1+etch1_amd64.deb






Reply sent to Devin Carraway <devin@debian.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Nico Golde <nion@debian.org>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #44 received at 459961-close@bugs.debian.org (full text, mbox):

From: Devin Carraway <devin@debian.org>
To: 459961-close@bugs.debian.org
Subject: Bug#459961: fixed in mt-daapd 0.2.4+r1376-1.1+etch1
Date: Sat, 26 Jul 2008 09:57:42 +0000
Source: mt-daapd
Source-Version: 0.2.4+r1376-1.1+etch1

We believe that the bug you reported is fixed in the latest version of
mt-daapd, which is due to be installed in the Debian FTP archive:

mt-daapd_0.2.4+r1376-1.1+etch1.diff.gz
  to pool/main/m/mt-daapd/mt-daapd_0.2.4+r1376-1.1+etch1.diff.gz
mt-daapd_0.2.4+r1376-1.1+etch1.dsc
  to pool/main/m/mt-daapd/mt-daapd_0.2.4+r1376-1.1+etch1.dsc
mt-daapd_0.2.4+r1376-1.1+etch1_amd64.deb
  to pool/main/m/mt-daapd/mt-daapd_0.2.4+r1376-1.1+etch1_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 459961@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Devin Carraway <devin@debian.org> (supplier of updated mt-daapd package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Mon,  9 Jun 2008 06:36:18 +0000
Source: mt-daapd
Binary: mt-daapd
Architecture: source amd64
Version: 0.2.4+r1376-1.1+etch1
Distribution: stable-security
Urgency: high
Maintainer: Joshua Kwan <joshk@triplehelix.org>
Changed-By: Devin Carraway <devin@debian.org>
Description: 
 mt-daapd   - iTunes-compatible DAAP server
Closes: 459961 476241
Changes: 
 mt-daapd (0.2.4+r1376-1.1+etch1) stable-security; urgency=high
 .
   * Non-maintainer upload by the security team
   * Apply backport of upstream fixes for two related
     vulnerabilities (Closes: #459961):
     + CVE-2007-5824: Remote denial-of-service through a null pointer
       dereference in src/webserver.c's authorization header handling
     + CVE-2007-5825: Remote arbitrary code execution through a format
       string vulnerability in authorization header of an /xml-rpc request
   * Apply fix from Nico Golde <nion@debian.org> for CVE-2008-1771, an
     integer overflow vulnerability also in src/webserver.c, potentially
     enabling execution of arbitrary code (Closes: #476241)
Files: 
 a303c40811df75fd395c28485d038ceb 765 sound optional mt-daapd_0.2.4+r1376-1.1+etch1.dsc
 c427c26e93914290b7cd615835ea333a 995301 sound optional mt-daapd_0.2.4+r1376.orig.tar.gz
 a565dacb5773182a44b367b6c78a0da8 8929 sound optional mt-daapd_0.2.4+r1376-1.1+etch1.diff.gz
 9297976354240c5a75b2c3636fe0746d 610844 sound optional mt-daapd_0.2.4+r1376-1.1+etch1_amd64.deb






Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 24 Aug 2008 07:33:17 GMT) Full text and rfc822 format available.



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Apr 17 01:17:58 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.