Debian Bug report logs - #478680
[gnome-peercast] CVE-2008-2040 stack-based buffer overflow in HTTP::getAuthUserPass function


Package: gnome-peercast; Maintainer for gnome-peercast is (unknown);

Reported by: Nico Golde <nion@debian.org>

Date: Wed, 30 Apr 2008 10:21:01 UTC

Severity: grave

Tags: patch, security

Found in version gnome-peercast/0.5.4-1.1

Fixed in version gnome-peercast/0.5.4-1.1etch0

Done: Marco Rodrigues <gothicx@sapo.pt>



Report forwarded to debian-bugs-dist@lists.debian.org, secure-testing-team@lists.alioth.debian.org, Takuo KITAME <kitame@debian.org>:
Bug#478680; Package gnome-peercast.


Acknowledgement sent to Nico Golde <nion@debian.org>:
New Bug report received and forwarded. Copy sent to secure-testing-team@lists.alioth.debian.org, Takuo KITAME <kitame@debian.org>.


Message #5 received at submit@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: submit@bugs.debian.org
Subject: [gnome-peercast] remote stack-based buffer overflow in HTTP::getAuthUserPass function
Date: Wed, 30 Apr 2008 12:19:03 +0200
Package: gnome-peercast
Version: 0.5.4-1.1
Severity: grave
Tags: security
X-Debbugs-CC: secure-testing-team@lists.alioth.debian.org

Hi,
I found a security issue in the peercast server which also 
affects gnome-peercast. I contacted the upstream author of 
peercast 6 days ago without any reply so far.
Here are the details:
From core/common/http.cpp:

105 void HTTP::getAuthUserPass(char *user, char *pass)
106 {
107         if (arg)
108         {   
109                 char *s = stristr(arg,"Basic");
110                 if (s) 
111                 {   
112                         while (*s)
113                                 if (*s++ == ' ')
114                                         break;
115                         String str;
116                         str.set(s,String::T_BASE64);
117                         str.convertTo(String::T_ASCII);
118                         s = strstr(str.cstr(),":");
119                         if (s) 
120                         {   
121                                 *s = 0;
122                                 if (user)
123                                         strcpy(user,str.cstr());
124                                 if (pass)
125                                         strcpy(pass,s+1);

This function is used if authentication to the gnome-peercast server is done by basic http auth
which is the case in the standard configuration of gnome-peercast.
In line 116 the base64 encoded string is copied into str.
Note the set method is peercast's/gnome-peercast's own implementation of set
since it reimplements the String class. set looks like this:

From core/common/sys.h:
38                 MAX_LEN = 256 
...
62         void set(const char *p, TYPE t=T_ASCII)
63         {   
64                 strncpy(data,p,MAX_LEN-1);
65                 data[MAX_LEN-1] = 0;
66                 type = t;
67         }   

In line 117 the string gets decoded and in line 118 and 
following the part before ':' in the decoded string gets copied
into user and the part after it into pass.

From core/common/servhs.cpp:
558 bool Servent::handshakeAuth(HTTP &http,const char *args,bool local)
559 {
560         char user[64],pass[64];
561         user[0] = pass[0] = 0;
...
580     while (http.nextHeader())
581         {   
582                 char *arg = http.getArgStr();
583                 if (!arg)
584                         continue;
585
586                 switch (servMgr->authType)
587                 {   
588                         case ServMgr::AUTH_HTTPBASIC:
589                                 if (http.isHeader("Authorization"))
590                                         http.getAuthUserPass(user,pass);
591                                 break;

user and pass are only declared to have 64 bytes (line 558) while the buffer used for 
the copy can store up to MAX_LEN (256) bytes (ok, minus the : here). Servent::handshakeAuth then calls
the getAuthUserPass function, triggering a buffer overflow.
It's thus possible to crash the server and execute arbitrary code if the server
allows http-basic authentication.

I already requested a CVE id for this.

PoC attached.
Kind regards
Nico

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[peercast.py (text/x-python, attachment)]
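The following is a bounded rewrite of the getAuthUserPass logic described in the message above, added here as an illustration of the fix shape; it is not Nico's attached patch or peercast's own code, and the base64 helper, the function name get_auth_user_pass and its explicit size parameters are assumptions.

```c
#include <string.h>

#define USER_LEN 64   /* same size as char user[64], pass[64] in Servent::handshakeAuth */
#define MAX_LEN  256  /* same limit as String::MAX_LEN in sys.h */

/* Small base64 decoder standing in for String::convertTo (added helper, not peercast code).
   Returns the decoded length, or -1 on a bad character or if the output would not fit. */
static int b64_decode(const char *in, char *out, size_t outsz)
{
    static const char tbl[] =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    unsigned int acc = 0; int bits = 0; size_t n = 0;
    for (; *in && *in != '='; in++) {
        const char *p = strchr(tbl, *in);
        if (!p) return -1;
        acc = (acc << 6) | (unsigned int)(p - tbl); bits += 6;
        if (bits >= 8) {
            bits -= 8;
            if (n + 1 >= outsz) return -1;       /* would not fit: reject, never truncate silently */
            out[n++] = (char)((acc >> bits) & 0xff);
        }
    }
    out[n] = 0;
    return (int)n;
}

/* Bounded replacement for HTTP::getAuthUserPass (hypothetical name): the caller passes
   the size of each destination, and a credential that does not fit is rejected instead
   of overflowing the 64-byte stack buffers the way the original strcpy() calls do.
   Returns 1 on success, 0 if the header is malformed or a field is too long. */
int get_auth_user_pass(const char *arg, char *user, size_t usersz,
                       char *pass, size_t passsz)
{
    char buf[MAX_LEN];
    const char *s = strstr(arg, "Basic");   /* original uses case-insensitive stristr */
    if (!s) return 0;
    s += 5;
    while (*s == ' ') s++;                  /* skip to the base64 blob */
    if (b64_decode(s, buf, sizeof buf) < 0) return 0;
    char *colon = strchr(buf, ':');
    if (!colon) return 0;
    *colon = 0;
    if (strlen(buf) >= usersz || strlen(colon + 1) >= passsz) return 0;
    strcpy(user, buf);                      /* both lengths verified above */
    strcpy(pass, colon + 1);
    return 1;
}
```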

Information forwarded to debian-bugs-dist@lists.debian.org, Takuo KITAME <kitame@debian.org>:
Bug#478680; Package gnome-peercast.


Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Takuo KITAME <kitame@debian.org>.


Message #10 received at 478680@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: 478573@bugs.debian.org, 478680@bugs.debian.org
Subject: got CVE id
Date: Wed, 30 Apr 2008 16:41:51 +0200
retitle 478680 [gnome-peercast] CVE-2008-2040 stack-based buffer overflow in HTTP::getAuthUserPass function
retitle 478573 [peercast] CVE-2008-2040 stack-based buffer overflow in HTTP::getAuthUserPass function
thanks

Hi,
CVE-2008-2040 was assigned to that, please mention the CVE 
id in the changelog if you fix this bug.

Cheers
Nico

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

Changed Bug title to `[gnome-peercast] CVE-2008-2040 stack-based buffer overflow in HTTP::getAuthUserPass function' from `[gnome-peercast] remote stack-based buffer overflow in HTTP::getAuthUserPass function'. Request was from Nico Golde <nion@debian.org> to control@bugs.debian.org. (Wed, 30 Apr 2008 14:45:04 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Takuo KITAME <kitame@debian.org>:
Bug#478680; Package gnome-peercast.


Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Takuo KITAME <kitame@debian.org>.


Message #17 received at 478680@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: 478573@bugs.debian.org, 478680@bugs.debian.org
Subject: patch
Date: Wed, 30 Apr 2008 18:05:48 +0200
tags 478680 + patch
tags 478573 + patch
thanks

Hi,
attached is a patch to fix this issue.
Kind regards
Nico

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[peercast.patch (text/x-diff, attachment)]

Tags added: patch. Request was from Nico Golde <nion@debian.org> to control@bugs.debian.org. (Wed, 30 Apr 2008 16:18:22 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Takuo KITAME <kitame@debian.org>:
Bug#478680; Package gnome-peercast.


Acknowledgement sent to Takuo Kitame <kitame@debian.org>:
Extra info received and forwarded to list. Copy sent to Takuo KITAME <kitame@debian.org>.


Message #24 received at 478680@bugs.debian.org:

From: Takuo Kitame <kitame@debian.org>
To: 478680@bugs.debian.org, 478573@bugs.debian.org
Subject: fix soon.
Date: Thu, 08 May 2008 15:27:53 +0900
I'll fix it next weekend.

Regards.
-- 
Takuo Kitame <kitame at debian.org>

Reply sent to Marco Rodrigues <gothicx@sapo.pt>:
You have taken responsibility.


Notification sent to Nico Golde <nion@debian.org>:
Bug acknowledged by developer.


Message #29 received at 478680-done@bugs.debian.org:

From: Marco Rodrigues <gothicx@sapo.pt>
To: 478680-done@bugs.debian.org
Subject: This bug was been fixed in etch...
Date: Fri, 30 May 2008 12:54:39 +0100
Package: gnome-peercast
Version: 0.5.4-1.1etch0

It has been fixed for etch; the uploader forgot to close the bug.

Thanks!

-- 
Marco Rodrigues

http://Marco.Tondela.org

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 24 Aug 2008 07:35:03 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Apr 18 19:44:25 2025; Machine Name: buxtehude
