Debian Bug report logs - #476241
mt-daapd: CVE-2008-1771 integer overflow allowing remote DoS and possibly arbitrary code execution


Package: mt-daapd; Maintainer for mt-daapd is Julien BLACHE <jblache@debian.org>;

Reported by: Nico Golde <nion@debian.org>

Date: Tue, 15 Apr 2008 10:42:05 UTC

Severity: grave

Tags: patch, security

Found in version mt-daapd/0.9~r1696-1.2

Fixed in version mt-daapd/0.9~r1696-1.3

Done: Nico Golde <nion@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Joshua Kwan <joshk@triplehelix.org>:
Bug#476241; Package mt-daapd.

Acknowledgement sent to Nico Golde <nion@debian.org>:
New Bug report received and forwarded. Copy sent to Joshua Kwan <joshk@triplehelix.org>.

Message #5 received at submit@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: mt-daapd: CVE-2008-1771 integer overflow allowing remote DoS and possibly arbitrary code execution
Date: Tue, 15 Apr 2008 12:35:36 +0200
Package: mt-daapd
Version: 0.9~r1696-1.2
Severity: grave

Hi,
I found a security issue in mt-daapd:

This is an integer overflow leading to a heap-based buffer overflow in 
the ws_getpostvars function.

From src/webserver.c:
   707  int ws_getpostvars(WS_CONNINFO *pwsc) {
   708      char *content_length;
   709      unsigned char *buffer;
   710      uint32_t length;
   711      uint32_t ms;
            ....
   715      content_length = ws_getarg(&pwsc->request_headers,"Content-Length");
            ....
   722      length=atoi(content_length);
   723      ws_dprintf(L_WS_DBG,"Thread %d: Post var length: %d\n",
   724              pwsc->threadno,length);
   725
   726      buffer=(unsigned char*)malloc(length+1);
            ....
   739      if(!io_read_timeout(pwsc->hclient, buffer, &length, &ms)) {
            ....
   757
   758      if(!ws_getgetvars(pwsc,(char*)buffer)) {
   759          /* assume error was set already */
   760          free(buffer);
   761          ws_dprintf(L_WS_LOG,"Could not parse get vars\n");
   762          return FALSE;
   763      }
   764
   765      free(buffer);

The relevant variable here is length; it is of type uint32_t. In line
715 content_length points to the user-supplied Content-Length value in the HTTP POST.
This value is then converted to an integer using atoi in line 722.

Here integer conversion happens on negative values. A value of -1 will set length to
UINT_MAX because length is of type uint32_t. Then the length value is used to
allocate space on the heap. Adding + 1 in the malloc call triggers an integer overflow.
With a Content-Length: -1 the buffer size (UINT_MAX + 1) passed to malloc
will be 0. This causes malloc to allocate the smallest possible chunk, but it does not fail.

In line 739 a timed read is done on the buffer. io_read_timeout() (from src/io.c)
basically ends up calling io_read and reading length bytes into the buffer and writing
the count of read bytes back to length. So there is a heap-based buffer overflow here.

This corrupts the heap structure and leads to a server crash in line 765 when freeing the
buffer which is now corrupted.

This is a remote DoS for _unauthenticated_ users and possibly leads to arbitrary code
execution.

A very simple PoC is attached.

CVE-2008-1771 was assigned to this, please mention this CVE id in the changelog if you
fix this bug.

Kind regards
Nico
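The following C program is an added example, not code from the bug report, from mt-daapd, or from the NMU patch. It reproduces the arithmetic the report describes (atoi on a negative Content-Length assigned to a uint32_t, then + 1 wrapping to 0) in a function that only computes the size, and beside it shows a hardened Content-Length parser and allocation of the kind a fix would use: digits only, no sign, an explicit upper bound, and a bounded read so the reader can never write past the allocation. The bound MAX_POST_BODY and every function name here are assumptions of this example.

```c
#include <ctype.h>
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed upper bound for a POST body the server is willing to buffer.
   mt-daapd defines no such constant; 1 MiB is an example value. */
#define MAX_POST_BODY (1u << 20)

/* The defective computation from the report, isolated: atoi("-1") yields -1,
   storing it in a uint32_t gives UINT32_MAX, and + 1 wraps to 0. Returns
   the size that would have been passed to malloc. */
uint32_t vulnerable_alloc_size(const char *content_length) {
    uint32_t length = atoi(content_length);
    return length + 1;
}

/* Hardened parser: returns 1 and stores the value on success, 0 on rejection.
   Rejects NULL/empty input, any sign character, any non-digit, values that
   overflow unsigned long long, and values above MAX_POST_BODY. */
int parse_content_length(const char *s, uint32_t *out) {
    if (s == NULL || *s == '\0') return 0;
    /* strtoull silently accepts "-1" and wraps it, so refuse signs up front. */
    if (*s == '-' || *s == '+') return 0;
    /* Content-Length is 1*DIGIT; anything else is malformed. */
    for (const char *p = s; *p != '\0'; p++) {
        if (!isdigit((unsigned char)*p)) return 0;
    }
    errno = 0;
    char *end = NULL;
    unsigned long long v = strtoull(s, &end, 10);
    if (errno == ERANGE || end == s || *end != '\0') return 0;
    if (v > MAX_POST_BODY) return 0;
    *out = (uint32_t)v;
    return 1;
}

/* Allocate length + 1 bytes only after the bound check, so the + 1 cannot
   wrap (length <= MAX_POST_BODY, far below UINT32_MAX). Returns NULL if the
   header is rejected or malloc fails; stores the accepted length otherwise. */
unsigned char *alloc_post_buffer(const char *content_length, uint32_t *length_out) {
    uint32_t length;
    if (!parse_content_length(content_length, &length)) return NULL;
    unsigned char *buffer = malloc((size_t)length + 1);
    if (buffer == NULL) return NULL;
    buffer[length] = '\0';
    *length_out = length;
    return buffer;
}

/* Read-side contract a fixed io_read_timeout must honour: never write more
   than the buffer's capacity. Copies from a constructed in-memory body and
   returns the number of bytes actually stored. */
size_t bounded_copy(unsigned char *buffer, uint32_t capacity,
                    const char *body, size_t body_len) {
    size_t n = body_len < capacity ? body_len : capacity;
    memcpy(buffer, body, n);
    return n;
}

int main(void) {
    /* Constructed header values, including the one from the report. */
    const char *samples[] = {"-1", "0", "12", "4294967295", "12abc", "+7", ""};
    size_t count = sizeof(samples) / sizeof(samples[0]);
    for (size_t i = 0; i < count; i++) {
        uint32_t len = 0;
        int ok = parse_content_length(samples[i], &len);
        printf("Content-Length: %-12s vulnerable size=%u  hardened: %s",
               samples[i], vulnerable_alloc_size(samples[i]),
               ok ? "accepted" : "rejected");
        if (ok) printf(" (%u bytes)", len);
        printf("\n");
    }
    /* Constructed body longer than the declared length: only 5 bytes are stored. */
    uint32_t len = 0;
    unsigned char *buf = alloc_post_buffer("5", &len);
    if (buf != NULL) {
        size_t stored = bounded_copy(buf, len, "hello world", 11);
        printf("declared 5, offered 11, stored %zu\n", stored);
        free(buf);
    }
    return 0;
}
```

The parser rejects the header before any size arithmetic happens, which is the order that matters: checking after malloc, as the original code effectively does by never checking at all, leaves the wrap in place. Capping the declared length also bounds the memory a single unauthenticated request can make the server allocate.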




Information forwarded to debian-bugs-dist@lists.debian.org, Joshua Kwan <joshk@triplehelix.org>:
Bug#476241; Package mt-daapd.

Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Joshua Kwan <joshk@triplehelix.org>.

Message #10 received at 476241@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: 476241@bugs.debian.org
Subject: forgot attachment
Date: Tue, 15 Apr 2008 12:42:44 +0200
Hi,
forgot the attachment.

Cheers
Nico

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[mt-daapd.py (text/x-python, attachment)]

Tags added: security. Request was from Nico Golde <nion@debian.org> to control@bugs.debian.org. (Tue, 15 Apr 2008 11:09:13 GMT)

Information forwarded to debian-bugs-dist@lists.debian.org, Joshua Kwan <joshk@triplehelix.org>:
Bug#476241; Package mt-daapd.

Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Joshua Kwan <joshk@triplehelix.org>.

Message #17 received at 476241@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: 476241@bugs.debian.org
Subject: intent to NMU
Date: Thu, 17 Apr 2008 21:16:02 +0200
Hi,
attached is a patch fixing this issue.

It will also be archived at:
http://people.debian.org/~nion/nmu-diff/mt-daapd-0.9~r1696-1.2_0.9~r1696-1.3.patch

Kind regards
Nico

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[mt-daapd-0.9~r1696-1.2_0.9~r1696-1.3.patch (text/x-diff, attachment)]

Tags added: patch. Request was from Nico Golde <nion@debian.org> to control@bugs.debian.org. (Thu, 17 Apr 2008 19:21:05 GMT)

Information forwarded to debian-bugs-dist@lists.debian.org, Joshua Kwan <joshk@triplehelix.org>:
Bug#476241; Package mt-daapd.

Acknowledgement sent to joshk@triplehelix.org (Joshua Kwan):
Extra info received and forwarded to list. Copy sent to Joshua Kwan <joshk@triplehelix.org>.

Message #24 received at 476241@bugs.debian.org:

From: joshk@triplehelix.org (Joshua Kwan)
To: Nico Golde <nion@debian.org>, 476241@bugs.debian.org
Subject: Re: Bug#476241: intent to NMU
Date: Thu, 17 Apr 2008 12:38:27 -0700
On Thu, Apr 17, 2008 at 09:16:02PM +0200, Nico Golde wrote:
> Hi,
> attached is a patch fixing this issue.
> 
> It will also be archived at:
> http://people.debian.org/~nion/nmu-diff/mt-daapd-0.9~r1696-1.2_0.9~r1696-1.3.patch
> 
> Kind regards
> Nico

Go for it. I'm too busy with school...
I'm on Low Threshold NMU anyway.

-- 
Joshua Kwan




Information forwarded to debian-bugs-dist@lists.debian.org, Joshua Kwan <joshk@triplehelix.org>:
Bug#476241; Package mt-daapd.

Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Joshua Kwan <joshk@triplehelix.org>.

Message #29 received at 476241@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: 476241@bugs.debian.org
Subject: Re: Bug#476241: intent to NMU
Date: Thu, 17 Apr 2008 21:48:19 +0200
Hi Joshua,
* Joshua Kwan <joshk@triplehelix.org> [2008-04-17 21:40]:
> On Thu, Apr 17, 2008 at 09:16:02PM +0200, Nico Golde wrote:
> > Hi,
> > attached is a patch fixing this issue.
> > 
> > It will also be archived at:
> > http://people.debian.org/~nion/nmu-diff/mt-daapd-0.9~r1696-1.2_0.9~r1696-1.3.patch
> 
> Go for it. I'm too busy with school...
> I'm on Low Threshold NMU anyway.

Ok fine, uploading now.

Cheers
Nico
-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

Reply sent to Nico Golde <nion@debian.org>:
You have taken responsibility.

Notification sent to Nico Golde <nion@debian.org>:
Bug acknowledged by developer.

Message #34 received at 476241-close@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: 476241-close@bugs.debian.org
Subject: Bug#476241: fixed in mt-daapd 0.9~r1696-1.3
Date: Thu, 17 Apr 2008 21:02:26 +0000
Source: mt-daapd
Source-Version: 0.9~r1696-1.3

We believe that the bug you reported is fixed in the latest version of
mt-daapd, which is due to be installed in the Debian FTP archive:

mt-daapd_0.9~r1696-1.3.diff.gz
  to pool/main/m/mt-daapd/mt-daapd_0.9~r1696-1.3.diff.gz
mt-daapd_0.9~r1696-1.3.dsc
  to pool/main/m/mt-daapd/mt-daapd_0.9~r1696-1.3.dsc
mt-daapd_0.9~r1696-1.3_amd64.deb
  to pool/main/m/mt-daapd/mt-daapd_0.9~r1696-1.3_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 476241@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Nico Golde <nion@debian.org> (supplier of updated mt-daapd package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Thu, 17 Apr 2008 19:03:48 +0200
Source: mt-daapd
Binary: mt-daapd
Architecture: source amd64
Version: 0.9~r1696-1.3
Distribution: unstable
Urgency: high
Maintainer: Joshua Kwan <joshk@triplehelix.org>
Changed-By: Nico Golde <nion@debian.org>
Description: 
 mt-daapd   - iTunes-compatible DAAP server
Closes: 476241
Changes: 
 mt-daapd (0.9~r1696-1.3) unstable; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Fix integer overflow leading to heap-based buffer overflow causing a
     remote Denial of Service and possibly allows to execute arbitrary code
     (CVE-2008-1771; Closes: #476241).
Checksums-Sha1: 
 954ad909599382bc62f9fb98ca5fbf4b668357b0 1153 mt-daapd_0.9~r1696-1.3.dsc
 810f347b3ee562c163ae6aed52cef6a9d3ae60d2 19985 mt-daapd_0.9~r1696-1.3.diff.gz
 27deedd13b7bf72e6b4069f397c7e2c384ddb946 742660 mt-daapd_0.9~r1696-1.3_amd64.deb
Checksums-Sha256: 
 1d298bb1359955638e87e11bc4b8e9f9bd472bd84d3c291f6f7cb36a7a20e100 1153 mt-daapd_0.9~r1696-1.3.dsc
 541f500237fbf6b35616fc2b9d8a20b5debdec08aae15ed3bc34ad0469e5db2f 19985 mt-daapd_0.9~r1696-1.3.diff.gz
 8197a418e9eec9b151aa663cc6349deb64ac276845dc1d4cf96dd541c0381a17 742660 mt-daapd_0.9~r1696-1.3_amd64.deb
Files: 
 1383ddb4b921b5ee1dd1a753b0657c12 1153 sound optional mt-daapd_0.9~r1696-1.3.dsc
 413a1c480bc622ff0c8a98353f1f9b71 19985 sound optional mt-daapd_0.9~r1696-1.3.diff.gz
 db0435938bad3bba73f709b1052548e9 742660 sound optional mt-daapd_0.9~r1696-1.3_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFIB6mfHYflSXNkfP8RAsNvAJ0XDZsTkeSJsU92FBXEg1u7OcaA8gCfbY36
wN7j8wrhnzivyMtP41aZoOE=
=1duT
-----END PGP SIGNATURE-----





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 28 May 2008 07:32:40 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Apr 24 23:17:15 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.