Debian Bug report logs - #506377
CVE-2008-4829: Streamripper multiple buffer overflow vulnerabilities

Package: streamripper; Maintainer for streamripper is Michael Ablassmeier <abi@debian.org>; Source for streamripper is src:streamripper.

Reported by: Raphael Geissert <atomo64@gmail.com>

Date: Fri, 21 Nov 2008 00:33:02 UTC

Severity: grave

Tags: patch, security

Found in versions streamripper/1.63.5-1, streamripper/1.61.27-1

Fixed in version streamripper/1.63.5-2

Done: Michael Ablassmeier <abi@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, Michael Ablassmeier <abi@debian.org>:
Bug#506377; Package streamripper. (Fri, 21 Nov 2008 00:33:04 GMT)

Message #3 received at submit@bugs.debian.org:

From: Raphael Geissert <atomo64@gmail.com>
To: submit@bugs.debian.org
Subject: CVE-2008-4829: Streamripper multiple buffer overflow vulnerabilities
Date: Thu, 20 Nov 2008 18:28:45 -0600
Package: streamripper
Version: 1.63.5-1
Severity: grave
Tags: security patch

Hi,

The following CVE (Common Vulnerabilities & Exposures) id was published for 
streamripper.

CVE-2008-4829/SA32562[1]:
> Secunia Research has discovered some vulnerabilities in Streamripper, which
> can be exploited by malicious people to compromise a user's system.
>
> 1) A boundary error exists within the function "http_parse_sc_header()" in
> lib/http.c when parsing an overly long HTTP header starting with
> "Zwitterion v".
>
> 2) A boundary error exists within the function "http_get_pls()" in
> lib/http.c when parsing a specially crafted pls playlist containing an
> overly long entry.
>
> 3) A boundary error exists within the function "http_get_m3u()" in
> lib/http.c when parsing a specially crafted m3u playlist containing an
> overly long "File" entry.
>
> Successful exploitation allows the execution of arbitrary code, but
> requires that a user is tricked into connecting to a malicious server.
>
> The vulnerabilities are confirmed in version 1.63.5. Other versions may
> also be affected.

The patch by upstream to fix the vulnerabilities can be found at [2].

It would be great if you could verify whether the version in etch is also 
affected.

If you fix the vulnerability please also make sure to include the CVE id in 
the changelog entry.

[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4829
     http://security-tracker.debian.net/tracker/CVE-2008-4829
     http://secunia.com/Advisories/32562/
[2]http://streamripper.cvs.sourceforge.net/viewvc/streamripper/sripper_1x/lib/http.c?view=patch&r1=1.50&r2=1.51&pathrev=sripper-1_64_0

Cheers,
-- 
Raphael Geissert - Debian Maintainer
www.debian.org - get.debian.net

Information forwarded to debian-bugs-dist@lists.debian.org, Michael Ablassmeier <abi@debian.org>:
Bug#506377; Package streamripper. (Fri, 21 Nov 2008 09:31:20 GMT)

Acknowledgement sent to Michael Ablassmeier <abi@grinser.de>:
Extra info received and forwarded to list. Copy sent to Michael Ablassmeier <abi@debian.org>. (Fri, 21 Nov 2008 09:32:24 GMT)

Message #8 received at 506377@bugs.debian.org:

From: Michael Ablassmeier <abi@grinser.de>
To: Raphael Geissert <atomo64@gmail.com>, 506377@bugs.debian.org
Cc: security@debian.org, control@debian.org
Subject: Re: Bug#506377: CVE-2008-4829: Streamripper multiple buffer overflow vulnerabilities
Date: Fri, 21 Nov 2008 10:11:32 +0100
found 506377 1.61.27-1
found 506377 1.63.5-1
thanks

hi Raphael,

On Thu, Nov 20, 2008 at 06:28:45PM -0600, Raphael Geissert wrote:
> The following CVE (Common Vulnerabilities & Exposures) id was published for 
> streamripper.

looking at the source it seems that the version in stable is affected here too,
not the same functions but the code in general:

 httplib_parse_url():
    /* search for a login '@' token */
    if (strchr(url, '@') != NULL) {
        ret = sscanf(url, "%[^:]:%[^@]", urlinfo->username, urlinfo->password);

[..]

so patch has to be backported.

I'm forwarding to security@debian.org. I've already prepared a fixed 1.63.5
package for unstable/lenny which I'm going to upload as soon as you guys give me
your OK :-)


> 
> CVE-2008-4829/SA32562[1]:
> > Secunia Research has discovered some vulnerabilities in Streamripper, which
> > can be exploited by malicious people to compromise a user's system.
> >
> > 1) A boundary error exists within the function "http_parse_sc_header()" in
> > lib/http.c when parsing an overly long HTTP header starting with
> > "Zwitterion v".
> >
> > 2) A boundary error exists within the function "http_get_pls()" in
> > lib/http.c when parsing a specially crafted pls playlist containing an
> > overly long entry.
> >
> > 3) A boundary error exists within the function "http_get_m3u()" in
> > lib/http.c when parsing a specially crafted m3u playlist containing an
> > overly long "File" entry.
> >
> > Successful exploitation allows the execution of arbitrary code, but
> > requires that a user is tricked into connecting to a malicious server.
> >
> > The vulnerabilities are confirmed in version 1.63.5. Other versions may
> > also be affected.
> 
> The patch by upstream to fix the vulnerabilities can be found at [2].
> 
> It would be great if you could verify whether the version in etch is also 
> affected.
> 
> If you fix the vulnerability please also make sure to include the CVE id in 
> the changelog entry.
> 
> [1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4829
>      http://security-tracker.debian.net/tracker/CVE-2008-4829
>      http://secunia.com/Advisories/32562/
> [2]http://streamripper.cvs.sourceforge.net/viewvc/streamripper/sripper_1x/lib/http.c?view=patch&r1=1.50&r2=1.51&pathrev=sripper-1_64_0
> 
> Cheers,
> -- 
> Raphael Geissert - Debian Maintainer
> www.debian.org - get.debian.net
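
The sscanf() call quoted in message #8 uses scansets with no field width, so each one copies until its delimiter regardless of the destination size. The following is an added example, not code from the bug report or from the upstream patch: it bounds both scansets and rejects truncated input. The names cred_info, parse_credentials and CRED_W, the 63-character limit, and the assumption that the scheme has already been stripped from the URL are all hypothetical.

```c
#include <stdio.h>
#include <string.h>

#define CRED_W 63                 /* assumed field limit, not streamripper's */
#define S_(x) #x
#define S(x) S_(x)                /* turns CRED_W into the literal "63" */

typedef struct {                  /* hypothetical stand-in for urlinfo */
    char username[CRED_W + 1];
    char password[CRED_W + 1];
} cred_info;

/* Parse "user:pass@..." (scheme already stripped, an assumption).
 * Returns 0 on success, -1 if credentials are absent, malformed or too long. */
int parse_credentials(const char *url, cred_info *out)
{
    const char *at = strchr(url, '@');
    int consumed = 0;

    memset(out, 0, sizeof *out);
    if (at == NULL)
        return -1;
    /* The width caps each scanset at CRED_W chars plus the NUL, so neither
     * buffer can be overrun; %n records where scanning stopped. */
    if (sscanf(url, "%" S(CRED_W) "[^:]:%" S(CRED_W) "[^@]%n",
               out->username, out->password, &consumed) != 2)
        return -1;
    /* Stopping short of the '@' means a field was cut off: reject it
     * instead of continuing with a truncated credential. */
    if (url + consumed != at)
        return -1;
    return 0;
}

int main(void)
{
    /* Constructed inputs: one well-formed, one with a 200-byte username. */
    char big[256];
    cred_info c;
    memset(big, 'A', 200);
    strcpy(big + 200, ":pw@host.example/");
    printf("normal:   %d\n", parse_credentials("alice:s3cret@host.example/", &c));
    printf("overlong: %d\n", parse_credentials(big, &c));
    return 0;
}
```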

Bug marked as found in version 1.61.27-1. Request was from Michael Ablassmeier <abi@grinser.de> to control@bugs.debian.org. (Fri, 21 Nov 2008 09:33:51 GMT)

Bug marked as found in version 1.63.5-1. Request was from Michael Ablassmeier <abi@grinser.de> to control@bugs.debian.org. (Fri, 21 Nov 2008 09:33:54 GMT)

Reply sent to Michael Ablassmeier <abi@debian.org>:
You have taken responsibility. (Fri, 21 Nov 2008 10:10:34 GMT)

Notification sent to Raphael Geissert <atomo64@gmail.com>:
Bug acknowledged by developer. (Fri, 21 Nov 2008 10:10:35 GMT)

Message #17 received at 506377-close@bugs.debian.org:

From: Michael Ablassmeier <abi@debian.org>
To: 506377-close@bugs.debian.org
Subject: Bug#506377: fixed in streamripper 1.63.5-2
Date: Fri, 21 Nov 2008 09:47:02 +0000
Source: streamripper
Source-Version: 1.63.5-2

We believe that the bug you reported is fixed in the latest version of
streamripper, which is due to be installed in the Debian FTP archive:

streamripper_1.63.5-2.diff.gz
  to pool/main/s/streamripper/streamripper_1.63.5-2.diff.gz
streamripper_1.63.5-2.dsc
  to pool/main/s/streamripper/streamripper_1.63.5-2.dsc
streamripper_1.63.5-2_amd64.deb
  to pool/main/s/streamripper/streamripper_1.63.5-2_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 506377@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Michael Ablassmeier <abi@debian.org> (supplier of updated streamripper package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Fri, 21 Nov 2008 10:03:08 +0100
Source: streamripper
Binary: streamripper
Architecture: source amd64
Version: 1.63.5-2
Distribution: unstable
Urgency: high
Maintainer: abi@grinser.de
Changed-By: Michael Ablassmeier <abi@debian.org>
Description: 
 streamripper - download online streams into audio files
Closes: 506377
Changes: 
 streamripper (1.63.5-2) unstable; urgency=high
 .
   * Add debian/patches/CVE-2008-4829.diff, fix multiple vulnerabilities
     described in CVE-2008-4829, which can result in remote code execution.
     (Closes: #506377)



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 16 Mar 2009 10:03:58 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Apr 19 20:42:54 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.