Bug 64323 (CVE-2004-1284)

Summary: VUL-0: CVE-2004-1284: buffer overflow in mpg123
Product: [Novell Products] SUSE Security Incidents Reporter: Ludwig Nussel <lnussel>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: nadvornik, pmladek, security-team
Version: unspecified   
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: CVE-2004-1284: CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---
Attachments: Proposed patch by nadvornik@suse.cz
mpg123.patch.box
mpg123.patch.maintained

Description Ludwig Nussel 2004-12-16 22:49:45 UTC 
We received the following report via vendor-sec.
The issue is public.

This is a corner case. It only happens if you actually load a
playlist from a subdirectory.

From djb@cr.yp.to Wed Dec 15 14:20:39 2004
Date: 15 Dec 2004 08:14:59 -0000
From: D. J. Bernstein <djb@cr.yp.to>
To: securesoftware@list.cr.yp.to, hippm@informatik.uni-tuebingen.de
Subject: [remote] [control] mpg123 0.59r find_next_file overflows linetmp
    buffer

Bartlomiej Sieka, a student in my Fall 2004 UNIX Security Holes course,
has discovered a remotely exploitable security hole in mpg123. I'm
publishing this notice, but all the discovery credits should be assigned
to Sieka.

You are at risk if you use mpg123 --list to take an MP3 playlist from a
web page (or any other source that could be controlled by an attacker).
Whoever provides that input then has complete control over your account:
he can read and modify your files, watch the programs you're running,
etc.

Of course, when you accept a playlist from someone else, you are running
the risk that the playlist will include some of your files, conceivably
secret audio files. But the mpg123 documentation does not suggest that
there is any larger risk.

Proof of concept: On an x86 computer running FreeBSD 4.10, as root, type

   cd /usr/ports/audio/mpg123
   make install

to download and compile the mpg123 program, version 0.59r (current ports
version; note that pre0.59s does not appear to have fixed the bug).
Then, as any user, save the file 8.list attached to this message, and
type

   mkdir 1234567890123456789
   mv 8.list 1234567890123456789/8.list
   mpg123 -s --list 1234567890123456789/8.list >/dev/null

with the unauthorized result that a file named EXPLOIT is created in the
current directory. (I tested this with a 4621-byte environment, as
reported by printenv | wc -c.)

Here's the bug: In playlist.c, find_next_file() uses strcat() to copy
any amount of data into a 1024-byte linetmp[] array.

---D. J. Bernstein, Associate Professor, Department of Mathematics,
Statistics, and Computer Science, University of Illinois at Chicago

    [ Part 2, Application/OCTET-STREAM  1.3KB. ]
    [ Unable to print this part. ]
Comment 1 Petr Mladek 2004-12-17 20:24:32 UTC 
Created attachment 27170 [details]
Proposed patch by nadvornik@suse.cz

Vladimir created the attached patch to fix the problem yesterday evening.
He has had vacation since today. I'll update the package instead of him.

I am going to prepare packages for SL 8.1, 8.2, 9.0, 9.1, 9,2, SLES9, STABLE
and PLUS.
Comment 2 Petr Mladek 2004-12-17 20:29:45 UTC 
Has the bug any CAN number?
Comment 3 Ludwig Nussel 2004-12-17 20:31:55 UTC 
Patch is OK. You can use 1024 (sizeof(linetmp)) at the strncpy though (and 
only there). 
 
No CAN yet.
Comment 4 Petr Mladek 2004-12-17 20:40:16 UTC 
Thanks for checking. I'll leave the patch as is because the 1024th byte is set
to zero anyway, so it must not be copied. Feel free to force me to use 1024 if you
have any other opinion.
Comment 5 Ludwig Nussel 2004-12-17 20:53:09 UTC 
Created attachment 27171 [details]
mpg123.patch.box
Comment 6 Ludwig Nussel 2004-12-17 20:53:20 UTC 
Created attachment 27172 [details]
mpg123.patch.maintained
Comment 7 Petr Mladek 2004-12-17 22:45:04 UTC 
The updated packages have been submitted. So, I'll reassign the bug to the
security team.
Comment 8 Marcus Meissner 2004-12-21 22:45:03 UTC 
======================================================                           
Candidate: CAN-2004-1284                                                         
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1284                 
Reference: MISC:http://tigger.uic.edu/~jlongs2/holes/mpg123.txt                  
                                                                                 
Buffer overflow in the find_next_file function in playlist.c for                 
mpg123 0.59r allows remote attackers to execute arbitrary code via a             
crafted MP3 playlist.
Comment 9 Marcus Meissner 2005-01-04 02:13:56 UTC 
packages approved.
Comment 10 Thomas Biege 2009-10-13 20:05:37 UTC 
CVE-2004-1284: CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)