Acknowledgement sent to Nico Golde <nion@debian.org>:
New Bug report received and forwarded. Copy sent to Joshua Kwan <joshk@triplehelix.org>.
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: mt-daapd: CVE-2008-1771 integer overflow allowing remote DoS and possibly arbitrary code execution
Date: Tue, 15 Apr 2008 12:35:36 +0200
Package: mt-daapd
Version: 0.9~r1696-1.2
Severity: grave
Hi,
I found a security issue in mt-daapd:
This is an integer overflow leading to a heap-based buffer overflow in
the ws_getpostvars function.
From src/webserver.c:
707 int ws_getpostvars(WS_CONNINFO *pwsc) {
708     char *content_length;
709     unsigned char *buffer;
710     uint32_t length;
711     uint32_t ms;
....
715     content_length = ws_getarg(&pwsc->request_headers,"Content-Length");
....
722     length=atoi(content_length);
723     ws_dprintf(L_WS_DBG,"Thread %d: Post var length: %d\n",
724                pwsc->threadno,length);
725
726     buffer=(unsigned char*)malloc(length+1);
....
739     if(!io_read_timeout(pwsc->hclient, buffer, &length, &ms)) {
....
757
758     if(!ws_getgetvars(pwsc,(char*)buffer)) {
759         /* assume error was set already */
760         free(buffer);
761         ws_dprintf(L_WS_LOG,"Could not parse get vars\n");
762         return FALSE;
763     }
764
765     free(buffer);
The relevant variable here is length; it is of type uint32_t. In line
715 content_length points to the user supplied Content-Length value in the HTTP POST.
This value is then converted to an integer using atoi in line 722.
Here integer conversion happens on negative values. A value of -1 will set length to
UINT_MAX because length is of type uint32_t. Then the length value is used to
allocate space on the heap. Adding + 1 in the malloc call triggers an integer overflow.
With a Content-Length: -1 the buffer size (UINT_MAX + 1) passed to malloc
will be 0. This causes malloc to allocate the smallest possible chunk, but it does not fail.
In line 739 a timed read is done on the buffer. io_read_timeout() (from src/io.c)
basically ends up calling io_read and reading length bytes into the buffer and writing
the count of read bytes back to length. So there is a heap-based buffer overflow here.
This corrupts the heap structure and leads to a server crash in line 765 when freeing the
buffer, which is now corrupted.
This is a remote DoS for _unauthenticated_ users and possibly leads to arbitrary code
execution.
A very simple PoC is attached.
CVE-2008-1771 was assigned to this, please mention this CVE id in the changelog if you
fix this bug.
Kind regards
Nico
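An added illustration of the length handling described in the report above (my own code, not part of the bug report, the attached PoC or the Debian patch): the first function reproduces the uint32_t wrap-around the report explains, and the second is one way to validate Content-Length before the allocation; the function names and the max_body policy cap are assumptions.

```c
#include <ctype.h>
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Size that the vulnerable path in the report hands to malloc():
 * atoi() result stored in a uint32_t (line 722), then +1 (line 726).
 * Returned as uint32_t so the caller sees the same wrap-around. */
uint32_t vulnerable_alloc_size(const char *content_length)
{
    uint32_t length = (uint32_t)atoi(content_length); /* "-1" -> UINT32_MAX */
    return length + 1;                                 /* UINT32_MAX + 1 -> 0 */
}

/* Hardened parser (added example; not the Debian patch): accept only an
 * unsigned decimal with no sign or trailing junk, reject values above a
 * caller-chosen body cap (max_body is an assumed policy limit) and values
 * that leave no room for the +1 NUL terminator. Returns the length, or -1. */
long long parse_content_length(const char *s, size_t max_body)
{
    char *end;
    unsigned long v;

    if (s == NULL || !isdigit((unsigned char)s[0]))   /* rejects "", "-1", "+5" */
        return -1;
    errno = 0;
    v = strtoul(s, &end, 10);
    if (errno == ERANGE || *end != '\0')              /* overflow or trailing junk */
        return -1;
    if (v > max_body || v > (unsigned long)UINT32_MAX - 1)
        return -1;                                    /* too big, or v+1 would wrap */
    return (long long)v;
}

int main(void)
{
    /* constructed sample header values; "-1" is the case from the report */
    const char *samples[] = { "10", "-1", "12abc" };
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++)
        printf("Content-Length: %-6s vulnerable malloc(%u)  hardened -> %lld\n",
               samples[i], (unsigned)vulnerable_alloc_size(samples[i]),
               parse_content_length(samples[i], 1 << 20));
    return 0;
}
```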
Information forwarded to debian-bugs-dist@lists.debian.org, Joshua Kwan <joshk@triplehelix.org>: Bug#476241; Package mt-daapd.
Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Joshua Kwan <joshk@triplehelix.org>.
Hi,
forgot the attachment.
Cheers
Nico
--
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
Tags added: security
Request was from Nico Golde <nion@debian.org> to control@bugs.debian.org. (Tue, 15 Apr 2008 11:09:13 GMT)
Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Joshua Kwan <joshk@triplehelix.org>.
Tags added: patch
Request was from Nico Golde <nion@debian.org> to control@bugs.debian.org. (Thu, 17 Apr 2008 19:21:05 GMT)
Acknowledgement sent to joshk@triplehelix.org (Joshua Kwan):
Extra info received and forwarded to list. Copy sent to Joshua Kwan <joshk@triplehelix.org>.
To: Nico Golde <nion@debian.org>, 476241@bugs.debian.org
Subject: Re: Bug#476241: intent to NMU
Date: Thu, 17 Apr 2008 12:38:27 -0700
On Thu, Apr 17, 2008 at 09:16:02PM +0200, Nico Golde wrote:
> Hi,
> attached is a patch fixing this issue.
>
> It will also be archived on:
> http://people.debian.org/~nion/nmu-diff/mt-daapd-0.9~r1696-1.2_0.9~r1696-1.3.patch
>
> Kind regards
> Nico
Go for it. I'm too busy with school...
I'm on Low Threshold NMU anyway.
--
Joshua Kwan
Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Joshua Kwan <joshk@triplehelix.org>.
Hi Joshua,
* Joshua Kwan <joshk@triplehelix.org> [2008-04-17 21:40]:
> On Thu, Apr 17, 2008 at 09:16:02PM +0200, Nico Golde wrote:
> > Hi,
> > attached is a patch fixing this issue.
> >
> > It will also be archived on:
> > http://people.debian.org/~nion/nmu-diff/mt-daapd-0.9~r1696-1.2_0.9~r1696-1.3.patch
>
> Go for it. I'm too busy with school...
> I'm on Low Threshold NMU anyway.
Ok fine, uploading now.
Cheers
Nico
Subject: Bug#476241: fixed in mt-daapd 0.9~r1696-1.3
Date: Thu, 17 Apr 2008 21:02:26 +0000
Source: mt-daapd
Source-Version: 0.9~r1696-1.3
We believe that the bug you reported is fixed in the latest version of
mt-daapd, which is due to be installed in the Debian FTP archive:
mt-daapd_0.9~r1696-1.3.diff.gz
to pool/main/m/mt-daapd/mt-daapd_0.9~r1696-1.3.diff.gz
mt-daapd_0.9~r1696-1.3.dsc
to pool/main/m/mt-daapd/mt-daapd_0.9~r1696-1.3.dsc
mt-daapd_0.9~r1696-1.3_amd64.deb
to pool/main/m/mt-daapd/mt-daapd_0.9~r1696-1.3_amd64.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 476241@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Nico Golde <nion@debian.org> (supplier of updated mt-daapd package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
Format: 1.8
Date: Thu, 17 Apr 2008 19:03:48 +0200
Source: mt-daapd
Binary: mt-daapd
Architecture: source amd64
Version: 0.9~r1696-1.3
Distribution: unstable
Urgency: high
Maintainer: Joshua Kwan <joshk@triplehelix.org>
Changed-By: Nico Golde <nion@debian.org>
Description:
mt-daapd - iTunes-compatible DAAP server
Closes: 476241
Changes:
mt-daapd (0.9~r1696-1.3) unstable; urgency=high
.
* Non-maintainer upload by the Security Team.
* Fix integer overflow leading to heap-based buffer overflow causing a
remote Denial of Service and possibly allowing execution of arbitrary code
(CVE-2008-1771; Closes: #476241).
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 28 May 2008 07:32:40 GMT)