Debian Bug report logs - #466539
gnome-peercast: CVE-2007-6454 heap-based buffer overflow possibly leading to code execution


Package: gnome-peercast; Maintainer for gnome-peercast is (unknown);

Reported by: Romain Beauxis <toots@rastageeks.org>

Date: Tue, 19 Feb 2008 13:00:01 UTC

Severity: grave

Tags: security

Found in version gnome-peercast/0.5.4-1.1

Fixed in version gnome-peercast/0.5.4-1.2

Done: Nico Golde <nion@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Takuo KITAME <kitame@debian.org>:
Bug#466539; Package gnome-peercast. Full text and rfc822 format available.

Acknowledgement sent to Romain Beauxis <toots@rastageeks.org>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Takuo KITAME <kitame@debian.org>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Romain Beauxis <toots@rastageeks.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: gnome-peercast: CVE-2007-6454 heap-based buffer overflow possibly leading to code execution
Date: Tue, 19 Feb 2008 13:57:43 +0100
Package: gnome-peercast
Version: 0.5.4-1.1
Severity: grave
Tags: security
Justification: user security hole


	Hi !

CVE-2007-6454 has been fixed for peercast, but since this package
includes a static version of the code, the vulnerability still applies
there.

As a side note, I've already done a lot of things to try to fix this,
but upstream seems not to care at all, and didn't maintain this package
for 1 year (last upload was my NMU)...



Romain

-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.24-rc7-mactel (SMP w/2 CPU cores; PREEMPT)
Locale: LANG=fr_FR, LC_CTYPE=fr_FR (charmap=ISO-8859-1)
Shell: /bin/sh linked to /bin/bash




Information forwarded to debian-bugs-dist@lists.debian.org, Takuo KITAME <kitame@debian.org>:
Bug#466539; Package gnome-peercast. Full text and rfc822 format available.

Acknowledgement sent to Thijs Kinkhorst <thijs@debian.org>:
Extra info received and forwarded to list. Copy sent to Takuo KITAME <kitame@debian.org>. Full text and rfc822 format available.

Message #10 received at 466539@bugs.debian.org (full text, mbox):

From: Thijs Kinkhorst <thijs@debian.org>
To: Romain Beauxis <toots@rastageeks.org>, 466539@bugs.debian.org
Cc: debian-qa@lists.debian.org
Subject: Re: Bug#466539: gnome-peercast: CVE-2007-6454 heap-based buffer overflow possibly leading to code execution
Date: Tue, 19 Feb 2008 14:08:46 +0100
[Message part 1 (text/plain, inline)]
On Tuesday 19 February 2008 13:57, Romain Beauxis wrote:
> Package: gnome-peercast
> Version: 0.5.4-1.1
> Severity: grave
> Tags: security
> Justification: user security hole
>
>
>         Hi !
>
> CVE-2007-6454 has been fixed for peercast, but since this package
> includes a static version of the code, the vulnerability still applies
> there.
>
> As a side note, I've already done a lot of things to try to fix this,
> but upstream seems not to care at all, and didn't maintain this package
> for 1 year (last upload was my NMU)...

So am I right to conclude that we'd better remove this package rather than to 
try and fix it?


Thijs
[Message part 2 (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Takuo KITAME <kitame@debian.org>:
Bug#466539; Package gnome-peercast. Full text and rfc822 format available.

Acknowledgement sent to Romain Beauxis <toots@rastageeks.org>:
Extra info received and forwarded to list. Copy sent to Takuo KITAME <kitame@debian.org>. Full text and rfc822 format available.

Message #15 received at 466539@bugs.debian.org (full text, mbox):

From: Romain Beauxis <toots@rastageeks.org>
To: Thijs Kinkhorst <thijs@debian.org>
Cc: 466539@bugs.debian.org, debian-qa@lists.debian.org
Subject: Re: Bug#466539: gnome-peercast: CVE-2007-6454 heap-based buffer overflow possibly leading to code execution
Date: Tue, 19 Feb 2008 19:39:20 +0100
On Tuesday 19 February 2008 14:08:46, Thijs Kinkhorst wrote:
> > As a side note, I've already done a lot of things to try to fix this,
> > but upstream seems not to care at all, and didn't maintain this package
> > for 1 year (last upload was my NMU)...
>
> So am I right to conclude that we'd better remove this package rather than
> to try and fix it?

Well, popcon is not zero, but unless the maintainer is willing to support it (he 
is upstream too), then yes, that's my point too.


Romain




Information forwarded to debian-bugs-dist@lists.debian.org, Takuo KITAME <kitame@debian.org>:
Bug#466539; Package gnome-peercast. Full text and rfc822 format available.

Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Takuo KITAME <kitame@debian.org>. Full text and rfc822 format available.

Message #20 received at 466539@bugs.debian.org (full text, mbox):

From: Nico Golde <nion@debian.org>
To: 466539@bugs.debian.org
Subject: Re: gnome-peercast: CVE-2007-6454 heap-based buffer overflow possibly leading to code execution
Date: Mon, 25 Feb 2008 00:22:12 +0100
[Message part 1 (text/plain, inline)]
Hi,
are you sure this is fixed in unstable?
Looking at the code it seems to be partly fixed.
The checks for MAX_CGI_LEN are included but:
-                       strcpy(loginPassword,in+7);
+                       loginPassword.set(in+7);
                        
-                       LOG_DEBUG("ICY client: %s %s",loginPassword,mount?mount:"unknown");
+                       LOG_DEBUG("ICY client: %s %s",loginPassword.cstr(),mount?mount:"unknown");
                }
 
                if (mount)
-                       strcpy(loginMount,mount);
+                       loginMount.set(mount);
 
                handshakeICY(Channel::SRC_ICECAST,isHTTP);
                sock = NULL;    // socket is taken over by channel, so don`t close it
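Review bot: the `strcpy(loginPassword,in+7)` to `loginPassword.set(in+7)` and `strcpy(loginMount,mount)` to `loginMount.set(mount)` replacements in this region only bound the copy if `loginPassword` and `loginMount` are also changed from plain `char` arrays to the `String` type; that declaration change is not in the excerpt, and the text that follows says the package still declares `char loginPassword[64]`, so the fix is incomplete unless the declaration hunk is applied together with these call sites. The `LOG_DEBUG("ICY client: %s %s",loginPassword.cstr(),...)` change is the matching accessor adjustment and is consistent with the new type.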
@@ -318,7 +329,7 @@
                if (!isAllowed(ALLOW_BROADCAST))
                        throw HTTPException(HTTP_SC_UNAVAILABLE,503);
 
-               strcpy(loginPassword,servMgr->password);        // pwd already checked
+               loginPassword.set(servMgr->password);   // pwd already checked
-
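Review bot: `loginPassword.set(servMgr->password);` in the `@@ -318,7 +329,7 @@` hunk has the same dependency on `loginPassword` being a `String` rather than a 64-byte `char` array; the `// pwd already checked` comment refers to the password having been verified, not to its length, so the bounded `set()` is still needed here. The lone `-` line after the hunk carries no content and looks like a truncated diff line; confirm nothing was dropped from the excerpt.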

is not included which is bad because loginPassword is declared as
char    loginPassword[64]; while #define MAX_CGI_LEN 512. So it looks to me that
the code is still affected. I did not try to exploit it though.
Comments?
Cheers
Nico
-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[Message part 2 (application/pgp-signature, inline)]
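The mismatch Nico describes (a `char loginPassword[64]` receiving up to `MAX_CGI_LEN`, 512 bytes, through `strcpy`) is the whole bug. The following is an added illustration, not code from the bug log, from peercast, or from the NMU patch: a minimal fixed-capacity string with a bounded `set()` in the role the changelog's `String` class plays, a strict variant that rejects over-long input instead of truncating it, and a helper that computes how far an unbounded `strcpy` would overrun the 64-byte array for a worst-case line (computed, not performed). The `FixedString` class, `store_login_password`, the `ICYPWD:` prefix and the 512-byte test value are all constructed for this example; the sizes (64, 512) and the `in+7` offset come from the log.

```cpp
#include <cstddef>
#include <cstring>
#include <string>

// Sizes quoted in the bug log: a 64-byte password buffer versus a request
// line that may be up to MAX_CGI_LEN (512) bytes.
constexpr std::size_t LOGIN_PASSWORD_LEN = 64;
constexpr std::size_t MAX_CGI_LEN = 512;

// Minimal fixed-capacity string (hypothetical; not peercast's String class).
// set() never writes past the buffer and always leaves it NUL-terminated.
template <std::size_t N>
class FixedString {
public:
    FixedString() { buf_[0] = '\0'; }

    // Bounded copy: keeps at most N-1 bytes. Returns true if the whole input
    // fitted, false if it had to be truncated.
    bool set(const char* src) {
        std::size_t n = std::strlen(src);
        bool fits = n < N;
        if (!fits) n = N - 1;
        std::memcpy(buf_, src, n);
        buf_[n] = '\0';
        return fits;
    }

    // Strict variant: refuse over-long input rather than silently truncating,
    // so a truncated credential can never be compared as if it were complete.
    // On refusal the previous contents are left untouched.
    bool set_strict(const char* src) {
        if (std::strlen(src) >= N) return false;
        return set(src);
    }

    const char* cstr() const { return buf_; }
    std::size_t length() const { return std::strlen(buf_); }
    static constexpr std::size_t capacity() { return N; }

private:
    char buf_[N];
};

// Contrast with the pre-fix pattern: strcpy() into a 64-byte array copies
// strlen(src)+1 bytes regardless of capacity. This only computes the
// overrun for a given input; it does not perform the unsafe copy.
std::size_t strcpy_overrun(const char* src) {
    std::size_t needed = std::strlen(src) + 1;  // bytes strcpy would write
    return needed > LOGIN_PASSWORD_LEN ? needed - LOGIN_PASSWORD_LEN : 0;
}

// Worst-case request value of exactly MAX_CGI_LEN bytes (constructed input).
std::string max_cgi_value() { return std::string(MAX_CGI_LEN, 'A'); }

// Store the value that follows a 7-byte prefix (the hunk's "in+7") into the
// bounded buffer. Returns false if the line is too short or the value is
// too long for the buffer; the prefix itself is not validated here.
bool store_login_password(const char* line, FixedString<LOGIN_PASSWORD_LEN>& out) {
    const std::size_t prefix = 7;  // offset used in the quoted hunk
    if (std::strlen(line) < prefix) return false;
    return out.set_strict(line + prefix);
}
```

With the 512-byte line, `set()` stores 63 bytes and reports truncation, `set_strict()` refuses it outright, and `strcpy_overrun()` reports that the original code would have written 449 bytes past the end of the 64-byte array, which is the heap overflow the CVE describes.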

Information forwarded to debian-bugs-dist@lists.debian.org, Takuo KITAME <kitame@debian.org>:
Bug#466539; Package gnome-peercast. Full text and rfc822 format available.

Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Takuo KITAME <kitame@debian.org>. Full text and rfc822 format available.

Message #25 received at 466539@bugs.debian.org (full text, mbox):

From: Nico Golde <nion@debian.org>
To: 466539@bugs.debian.org
Subject: Re: gnome-peercast: CVE-2007-6454 heap-based buffer overflow possibly leading to code execution
Date: Tue, 26 Feb 2008 15:08:40 +0100
[Message part 1 (text/plain, inline)]
Hi,
alright, I had time to test this with an exploit now and 
indeed the version in unstable is vulnerable and not fixed.

I am going to upload a 0-day NMU to fix this.

Kind regards
Nico

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[Message part 2 (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Takuo KITAME <kitame@debian.org>:
Bug#466539; Package gnome-peercast. Full text and rfc822 format available.

Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Takuo KITAME <kitame@debian.org>. Full text and rfc822 format available.

Message #30 received at 466539@bugs.debian.org (full text, mbox):

From: Nico Golde <nion@debian.org>
To: 466539@bugs.debian.org
Subject: intent to NMU
Date: Tue, 26 Feb 2008 15:54:47 +0100
[Message part 1 (text/plain, inline)]
Hi,
attached is a patch for a 0-day NMU fixing the described 
vulnerability.

It will also be archived at:
http://people.debian.org/~nion/nmu-diff/gnome-peercast-0.5.4-1.1_0.5.4-1.2.patch

Kind regards
Nico

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[gnome-peercast-0.5.4-1.1_0.5.4-1.2.patch (text/x-diff, attachment)]
[Message part 3 (application/pgp-signature, inline)]

Reply sent to Nico Golde <nion@debian.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Romain Beauxis <toots@rastageeks.org>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #35 received at 466539-close@bugs.debian.org (full text, mbox):

From: Nico Golde <nion@debian.org>
To: 466539-close@bugs.debian.org
Subject: Bug#466539: fixed in gnome-peercast 0.5.4-1.2
Date: Tue, 26 Feb 2008 15:02:02 +0000
Source: gnome-peercast
Source-Version: 0.5.4-1.2

We believe that the bug you reported is fixed in the latest version of
gnome-peercast, which is due to be installed in the Debian FTP archive:

gnome-peercast_0.5.4-1.2.diff.gz
  to pool/main/g/gnome-peercast/gnome-peercast_0.5.4-1.2.diff.gz
gnome-peercast_0.5.4-1.2.dsc
  to pool/main/g/gnome-peercast/gnome-peercast_0.5.4-1.2.dsc
gnome-peercast_0.5.4-1.2_i386.deb
  to pool/main/g/gnome-peercast/gnome-peercast_0.5.4-1.2_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 466539@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Nico Golde <nion@debian.org> (supplier of updated gnome-peercast package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Tue, 26 Feb 2008 15:11:40 +0100
Source: gnome-peercast
Binary: gnome-peercast
Architecture: source i386
Version: 0.5.4-1.2
Distribution: unstable
Urgency: high
Maintainer: Takuo KITAME <kitame@debian.org>
Changed-By: Nico Golde <nion@debian.org>
Description: 
 gnome-peercast - PeerCast user interface for GNOME includes peercast core
Closes: 466539
Changes: 
 gnome-peercast (0.5.4-1.2) unstable; urgency=high
 .
   * Non-maintainer upload by security team.
   * This update addresses the following security issue:
     - CVE-2007-6454: Use the methods from the String class to copy buffers
       rather than strcpy to fix Heap-based buffer overflow in the handshakeHTTP
       function possibly leading to arbitrary code execution (Closes: #466539).
Files: 
 d7285dac1421fc04ad17c4bb5653dc1c 654 gnome optional gnome-peercast_0.5.4-1.2.dsc
 3669875e7941e7c2784c3ca69d08fe06 1929 gnome optional gnome-peercast_0.5.4-1.2.diff.gz
 c7f63fcd6c5bb2b5732edd087aa43197 245838 gnome optional gnome-peercast_0.5.4-1.2_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFHxChHHYflSXNkfP8RAtK9AKCBMN2MrJgoWmwtRuzhQ3tkq13G7gCeMK2w
woQNOmtcNO5hmokMgvh86+U=
=qSFp
-----END PGP SIGNATURE-----





Information forwarded to debian-bugs-dist@lists.debian.org, Takuo KITAME <kitame@debian.org>:
Bug#466539; Package gnome-peercast. Full text and rfc822 format available.

Acknowledgement sent to Thijs Kinkhorst <thijs@debian.org>:
Extra info received and forwarded to list. Copy sent to Takuo KITAME <kitame@debian.org>. Full text and rfc822 format available.

Message #40 received at 466539@bugs.debian.org (full text, mbox):

From: Thijs Kinkhorst <thijs@debian.org>
To: debian-qa@lists.debian.org
Cc: Romain Beauxis <toots@rastageeks.org>, 466539@bugs.debian.org
Subject: Re: Bug#466539: gnome-peercast: CVE-2007-6454 heap-based buffer overflow possibly leading to code execution
Date: Mon, 3 Mar 2008 15:50:34 +0100
[Message part 1 (text/plain, inline)]
On Tuesday 19 February 2008 19:39, Romain Beauxis wrote:
> On Tuesday 19 February 2008 14:08:46, Thijs Kinkhorst wrote:
> > > As a side note, I've already done a lot of things to try to fix this,
> > > but upstream seems not to care at all, and didn't maintain this package
> > > for 1 year (last upload was my NMU)...
> >
> > So am I right to conclude that we'd better remove this package rather
> > than to try and fix it?
>
> Well, popcon is not zero, but unless maintainer is willing to support it
> (he is upstream too), then yes, that's my point too.

No further comment by maintainer, I'm filing a removal bug then.


Thijs
[Message part 2 (application/pgp-signature, inline)]

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 16 Feb 2009 08:05:12 GMT) Full text and rfc822 format available.



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Apr 17 07:13:28 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.