Bug#305072: CAN-2005-0706: Bufferoverflow in CDDB response parsing

Moritz Muehlenhoff <jmm@inutil.org>, 305072@bugs.debian.org
Sun, 17 Apr 2005 21:19:32 +0200


Package: gnome-vfs2
Severity: grave
Tags: security patch
Justification: user security hole

[ Dear security team; this seems to affect stable as well ]

CAN-2005-0706 describes a buffer overflow in grip CDDB response parsing that
can potentially be exploited to execute arbitrary code.

gnome-vfs2 contains the vulnerable code as well. Attached you can find
a patch like the one that was applied to grip.

Cheers,
        Moritz

-- System Information:
Debian Release: 3.1
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.11
Locale: LANG=C, LC_CTYPE=de_DE.ISO-8859-15@euro (charmap=ISO-8859-15)

Attachment: CAN-2005-0706-gnome-vfs2.patch

diff -Naur gnome-vfs2-2.8.4.orig/modules/cdda-cddb.c gnome-vfs2-2.8.4/modules/cdda-cddb.c
--- gnome-vfs2-2.8.4.orig/modules/cdda-cddb.c	2004-07-25 17:40:35.000000000 +0200
+++ gnome-vfs2-2.8.4/modules/cdda-cddb.c	2005-04-17 21:11:26.000000000 +0200
@@ -440,7 +440,7 @@
     query->query_match=MATCH_INEXACT;
     query->query_matches=0;
 
-    while(!CDDBReadLine(socket,inbuffer,256)) {
+    while(query->query_matches < MAX_INEXACT_MATCHES && !CDDBReadLine(socket,inbuffer,256)) {
       query->query_list[query->query_matches].list_genre=
 	CDDBGenreValue(ChopWhite(strtok(inbuffer," ")));
       
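Review bot: the new `query->query_matches < MAX_INEXACT_MATCHES` guard stops the loop as soon as the array is full, but it does not consume the rest of the server's response, so any remaining match lines (and the terminating line of the CDDB reply) are left unread on `socket`; if the caller issues further CDDB commands on the same connection it will read stale data. Consider draining the response with `CDDBReadLine` once the limit is hit, or documenting that the connection must not be reused after this point. The guard is only correct if `MAX_INEXACT_MATCHES` equals the declared length of `query->query_list`; a `G_STATIC_ASSERT`-style check or a comment tying the two together would make that invariant visible. Separately, and pre-existing rather than introduced here, `ChopWhite(strtok(inbuffer," "))` is evaluated without checking `strtok` for `NULL`, so an empty or all-space line from the server still reaches `ChopWhite` with a null pointer.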
