Bugzilla – Full Text Bug Listing

| Summary: | VUL-0: CVE-2004-0964:: zinf buffer overflow | | |
|---|---|---|---|
| Product: | [Novell Products] SUSE Security Incidents | Reporter: | Ludwig Nussel <lnussel> |
| Component: | Incidents | Assignee: | Security Team bot <security-team> |
| Status: | RESOLVED FIXED | QA Contact: | Security Team bot <security-team> |
| Severity: | Normal | | |
| Priority: | P3 - Medium | CC: | patch-request, sbrabec, security-team |
| Version: | unspecified | | |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | CVE-2004-0964: CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C) | | |
| Found By: | --- | Services Priority: | |
| Business Priority: | | Blocker: | --- |
| Marketing QA Status: | --- | IT Deployment: | --- |
| Attachments: | playlist.diff, freeamp-2.1.1-tmpworkaround.diff, zinf-2.2.4-playlist.diff, zinf-2.2.4-tmpworkaround.diff | | |

Description
Ludwig Nussel
2004-09-27 20:21:32 UTC
I have looked at CVS just now for the first time. I see 2003/05/18:
Beginning of code to validate playlist entries before
sending them to the player where if not available, the user
is forced to deal with a string of errors.
In the current version the above-mentioned pls causes an error message. Not yet tested with
older ones.
Note that in older versions zinf was named freeamp.

Created attachment 24728 [details]: playlist.diff
Proposal for a patch against the scanf buffer overflow in freeamp 2.1.1.

Is this the final version of the patch for YOU?

No, I've just also discovered tmp races that can be fixed at the same time. I'll provide patches.

The above-mentioned patch can be applied to older versions (freeamp - 8.1, 8.2). But
for zinf 2.2.4 and 2.2.5 it cannot, and the 2.2.4 (9.0) and 2.2.5 (9.1 and 9.2) code
differs:
2.2.4:

```cpp
//strcpy(root, path);
root = path;
cp = strrchr(root.c_str(), DIR_MARKER);
if(cp)
    *(cp + 1) = 0x00;
fp = fopen(path.c_str(), "rb");
if (!fp)
    return kError_FileNotFound;
len = -1;
while(!feof(fp)){
    // Neither fscanf conversion carries a field width, so an over-long
    // section name or key/value line is copied past the end of key/value.
    if (fscanf(fp, " [%[^]]] ", key))
        continue;
    if (fscanf(fp, "%[^=]=%[^\n\r] ", key, value)){
        if (strncmp(key, "File", 4) == 0){
            if (file.length()){
                AddItem(list, file, title, len, root);
                title = "";
                len = -1;
            }
            file = value;
            continue;
        }
        if (strncmp(key, "Title", 5) == 0){
            title = value;
            continue;
        }
        if (strncmp(key, "Length", 6) == 0){
            len = atoi(value);
            continue;
        }
        continue;
    }
}
if (file.length())
    AddItem(list, file, title, len, root);
fclose(fp);
if (cleanpath) unlink(path.c_str());
```
2.2.5:

```cpp
Error PLS::ReadPlaylist( const char* url,
                         std::vector<PlaylistItem*>* list,
                         PLMCallBackFunction function,
                         void* cookie )
{
    vector<string> items;
    Error r = readPlaylist (string(url), items);
    for (vector<string>::iterator i = items.begin();
         i != items.end(); i++) {
        PlaylistItem *item = new PlaylistItem(*i);
        list->push_back(item);
    }
    return r;
}
```
2.2.5 is said to be unaffected by the problem. The patch can be applied with little modification to 2.2.4, just the context is a bit different.

Did you ever try to actually run zinf on 9.0? This thing is broken beyond repair! It only starts the second time you call it and then it segfaults or hangs at every other operation.

Created attachment 24733 [details]: freeamp-2.1.1-tmpworkaround.diff

Created attachment 24734 [details]: zinf-2.2.4-playlist.diff

Created attachment 24735 [details]: zinf-2.2.4-tmpworkaround.diff
Note the tmp stuff is just a hack. They should change their API and use mkstemp instead of tmpnam, or create a temporary directory in a safe way and use that. 2.2.5 is also affected but I don't think we need to do an update just for this.

*grmbl* the setenv doesn't work for some reason. Just scratch that tmp stuff and fix only the buffer overflow. If I'm not mistaken an attacker would need to create 56800235584 ((26+26+10)^6) symlinks within the blink of an eye to exploit the race, which is probably unlikely enough for a non-setuid application ;-)

Fixed for freeamp in 8.1 and 8.2 and zinf 9.0 and submitted.
- Fixed buffer overflow in playlist (Luigi Auriemma, #46221).

You can create patchinfo.

patchinfo submitted

approved

CAN-2004-0964

CVE-2004-0964: CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
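A bounded PLS reader in C, added here as an example; it is not code from Zinf, the attached patches or SUSE. It keeps the File/Title/Length handling of the 2.2.4 snippet quoted above but reads with fgets and uses width-limited sscanf conversions plus %n, so an over-long line is rejected instead of overrunning key and value. The buffer sizes, the PlsEntry struct and the read_pls/read_pls_string names are assumptions made for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define KEY_MAX 31                              /* assumed limits for this example */
#define VAL_MAX 255
#define LINE_BUF (KEY_MAX + 1 + VAL_MAX + 2)    /* key '=' value '\n' '\0' */
typedef struct { char file[VAL_MAX + 1]; char title[VAL_MAX + 1]; int len; } PlsEntry;
/* The AddItem() step of the snippet above: store the pending entry if a File= line was seen. */
static void flush_entry(PlsEntry *cur, PlsEntry *out, int *n, int max) {
    if (cur->file[0] == '\0') return;           /* nothing pending */
    if (*n < max) out[(*n)++] = *cur;
    cur->title[0] = '\0'; cur->len = -1;        /* reset for the next entry */
}
/* Returns the number of entries stored, or -1 on input that does not fit the
 * buffers: the over-long key/value that the unbounded %[ conversions write past. */
int read_pls(FILE *fp, PlsEntry *out, int max) {
    char line[LINE_BUF], key[KEY_MAX + 1], value[VAL_MAX + 1];
    PlsEntry cur = { "", "", -1 };
    int n = 0, used = 0;
    while (fgets(line, sizeof line, fp) != NULL) {
        size_t l = strlen(line);
        if (l > 0 && line[l - 1] != '\n' && !feof(fp))
            return -1;                          /* line longer than LINE_BUF: reject it */
        if (line[0] == '[' || line[0] == '\r' || line[0] == '\n') continue;   /* header/blank */
        /* Field widths (%31, %255) bound each conversion, which the original omitted;
         * %n records where parsing stopped so an over-long value is rejected, not clipped. */
        if (sscanf(line, "%31[^=]=%255[^\r\n]%n", key, value, &used) != 2) continue;
        if (line[used] != '\0' && line[used] != '\r' && line[used] != '\n') return -1;
        if (strncmp(key, "File", 4) == 0) {
            flush_entry(&cur, out, &n, max);
            strcpy(cur.file, value);            /* value holds at most VAL_MAX chars */
        } else if (strncmp(key, "Title", 5) == 0) {
            strcpy(cur.title, value);
        } else if (strncmp(key, "Length", 6) == 0) {
            cur.len = atoi(value);
        }
    }
    flush_entry(&cur, out, &n, max);
    return n;
}
/* Parse a constructed string via tmpfile(), which creates and unlinks its own file safely. */
int read_pls_string(const char *text, PlsEntry *out, int max) {
    FILE *fp = tmpfile();
    if (fp == NULL) return -1;
    fputs(text, fp); rewind(fp);
    int n = read_pls(fp, out, max);
    fclose(fp);
    return n;
}
```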