Bugzilla – Bug 61221
VUL-0: CVE-2004-0964:: zinf buffer overflow
Last modified: 2021-09-27 14:43:13 UTC
We received the following report via bugtraq. The issue is public. The reporter says the overflow got fixed in 2.2.5. I can't find any upstream changelog that would clarify whether 2.2.4 on 9.0 is vulnerable. It at least runs into an endless loop when presented with a pls file with long lines. Stanislav, do you follow zinf development/CVS and know when they fixed the bug?

Date: Fri, 24 Sep 2004 21:31:02 +0000
From: Luigi Auriemma <aluigi@autistici.org>
To: bugtraq@securityfocus.com
Subject: Buffer overflow in Zinf 2.2.1 for Win32
X-Spam-Level:

I don't know why this bug has not been tracked but moreover I don't completely know why it has not been fixed yet in the Windows version of Zinf.

In short, Zinf is an audio player for Linux and Windows:
http://www.zinf.org

The latest Linux version is 2.2.5 while the latest Windows version is 2.2.1 which is still vulnerable to a buffer-overflow bug in the management of the playlist files ".pls".
This bug has been found and fixed by the same developers in the recent versions for Linux but, as already said, the vulnerable Windows version is still downloadable and can be exploited locally and remotely through the web browser and a malicious pls file.

A simple proof-of-concept to test the bug is available here:
http://aluigi.altervista.org/poc/zinf-bof.pls

That's all, just to keep track of this bug and to warn who uses the Windows version.

BYEZ

---
Luigi Auriemma
http://aluigi.altervista.org
I have looked at CVS just now for the first time. I see "2003/05/18 Beginning of code to validate playlist entries before sending them to the player where if not available, the user is forced to deal with a string of errors." In the current version the above-mentioned pls causes an error message. Not yet tested with older ones. Note that in older versions zinf was named freeamp.
Created attachment 24728 [details] playlist.diff proposal for patch against scanf buffer overflow in freeamp 2.1.1
Is this the final version of the patch for YOU?
No, I've just also discovered tmp races that can be fixed at the same time. I'll provide patches.
The above-mentioned patch can be applied to older versions (freeamp - 8.1, 8.2). But for zinf 2.2.4 and 2.2.5 it cannot, and the 2.2.4 (9.0) and 2.2.5 (9.1 and 9.2) code differs:

2.2.4:

    //strcpy(root, path);
    root = path;
    cp = strrchr(root.c_str(), DIR_MARKER);
    if(cp)
        *(cp + 1) = 0x00;

    fp = fopen(path.c_str(), "rb");
    if (!fp)
        return kError_FileNotFound;

    len = -1;
    while(!feof(fp)){
        if (fscanf(fp, " [%[^]]] ", key))
            continue;
        if (fscanf(fp, "%[^=]=%[^\n\r] ", key, value)){
            if (strncmp(key, "File", 4) == 0){
                if (file.length()){
                    AddItem(list, file, title, len, root);
                    title = "";
                    len = -1;
                }
                file = value;
                continue;
            }
            if (strncmp(key, "Title", 5) == 0){
                title = value;
                continue;
            }
            if (strncmp(key, "Length", 6) == 0){
                len = atoi(value);
                continue;
            }
            continue;
        }
    }
    if (file.length())
        AddItem(list, file, title, len, root);
    fclose(fp);
    if (cleanpath)
        unlink(path.c_str());

2.2.5:

    Error PLS::ReadPlaylist( const char* url, std::vector<PlaylistItem*>* list, PLMCallBackFunction function, void* cookie )
    {
        vector<string> items;
        Error r = readPlaylist (string(url), items);
        for (vector<string>::iterator i = items.begin(); i != items.end(); i++)
        {
            PlaylistItem *item = new PlaylistItem(*i);
            list->push_back(item);
        }
        return r;
    }
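The 2.2.4 loop above has two defects that the report and the first comment describe: the unbounded `%[^=]` and `%[^\n\r]` scansets write past `key`/`value` on a long line, and `while(!feof(fp))` spins forever when `fscanf` fails without consuming input (for example a line that begins with `=`). The following is an added example, not zinf's code or any of the attached patches: a standalone C parser for the same key=value playlist format that uses width-limited scansets, always advances past the current line, and rejects lines longer than its buffers instead of truncating them. `KEYSZ`, `VALSZ`, the sample playlist and the function names are assumptions made for the example.

```c
#define _POSIX_C_SOURCE 200809L   /* fmemopen() */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define KEYSZ 64      /* the %63 width below must stay KEYSZ - 1 */
#define VALSZ 1024    /* the %1023 width below must stay VALSZ - 1 */

struct pls_entry { char file[VALSZ]; char title[VALSZ]; int len; };

/* Consume the rest of the current line. Called after every fscanf so the
 * stream always advances, even when the match failed without consuming
 * anything; that is the case that makes a while(!feof(fp)) loop spin. */
static void skip_line(FILE *fp)
{
    int c;
    while ((c = fgetc(fp)) != EOF && c != '\n')
        ;
}

static void store(struct pls_entry *out, int max, int *count,
                  const char *file, const char *title, int len)
{
    if (*count >= max)
        return;
    snprintf(out[*count].file, VALSZ, "%s", file);
    snprintf(out[*count].title, VALSZ, "%s", title);
    out[*count].len = len;
    (*count)++;
}

/* Parse a .pls playlist held in memory. Returns the number of entries
 * stored in out (at most max), or -1 if the stream cannot be opened. */
int parse_pls(const char *text, struct pls_entry *out, int max)
{
    FILE *fp = fmemopen((void *)text, strlen(text), "r");
    char key[KEYSZ], value[VALSZ];
    char file[VALSZ] = "", title[VALSZ] = "";
    int len = -1, count = 0, c, n;

    if (!fp)
        return -1;
    while ((c = fgetc(fp)) != EOF) {
        if (c == '\n' || c == '\r' || c == ' ' || c == '\t')
            continue;                       /* blank line or leading blanks */
        if (c == '[') {                     /* section header, e.g. [playlist] */
            skip_line(fp);
            continue;
        }
        ungetc(c, fp);
        /* Width-limited scansets: at most KEYSZ-1 / VALSZ-1 bytes are ever
         * written, whatever the line length. */
        n = fscanf(fp, "%63[^=\n\r]=%1023[^\n\r]", key, value);
        c = fgetc(fp);
        if (c != EOF && c != '\n' && c != '\r') {
            skip_line(fp);                  /* line exceeds the buffers: reject it */
            n = 0;
        }
        if (n != 2)
            continue;
        if (strncmp(key, "File", 4) == 0) {
            if (file[0])
                store(out, max, &count, file, title, len);
            snprintf(file, VALSZ, "%s", value);
            title[0] = '\0';
            len = -1;
        } else if (strncmp(key, "Title", 5) == 0) {
            snprintf(title, VALSZ, "%s", value);
        } else if (strncmp(key, "Length", 6) == 0) {
            len = atoi(value);
        }
    }
    if (file[0])
        store(out, max, &count, file, title, len);
    fclose(fp);
    return count;
}

/* Constructed sample (not the reporter's file): two valid entries, a line
 * starting with '=' that the original loop never gets past, and, appended
 * at run time, an overlong File3 line that must be rejected. */
static const char SAMPLE_PLS[] =
    "[playlist]\nNumberOfEntries=2\nFile1=/music/a.mp3\nTitle1=Song A\n"
    "Length1=120\n=orphan line\nFile2=http://stream.example/live\n"
    "Title2=Live\nVersion=2\n";
static struct pls_entry g_entries[8];

/* Build the hostile playlist, parse it and return the entry count. */
int demo_count(void)
{
    size_t n = sizeof(SAMPLE_PLS) - 1, extra = 2000;
    char *buf = malloc(n + 6 + extra + 2);
    int count;
    if (!buf)
        return -1;
    memcpy(buf, SAMPLE_PLS, n);
    memcpy(buf + n, "File3=", 6);
    memset(buf + n + 6, 'A', extra);       /* 2000-byte value, longer than VALSZ */
    buf[n + 6 + extra] = '\n';
    buf[n + 6 + extra + 1] = '\0';
    count = parse_pls(buf, g_entries, 8);
    free(buf);
    return count;
}

const struct pls_entry *demo_entry(int i) { return &g_entries[i]; }
```

Running `demo_count()` yields 2 entries: the overlong `File3` line is dropped whole, and the `=orphan line` is skipped in one iteration rather than hanging the parser. The width in each scanset is the only thing standing between `key`/`value` and the line length, so the `KEYSZ`/`VALSZ` constants and the `%63`/`%1023` widths have to be changed together.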
2.2.5 is said to be unaffected by the problem. The patch can be applied with little modification to 2.2.4, just the context is a bit different. Did you ever try to actually run zinf on 9.0? This thing is broken beyond repair! It only starts the second time you call it and then it segfaults or hangs at every other operation.
Created attachment 24733 [details] freeamp-2.1.1-tmpworkaround.diff
Created attachment 24734 [details] zinf-2.2.4-playlist.diff
Created attachment 24735 [details] zinf-2.2.4-tmpworkaround.diff
Note the tmp stuff is just a hack. They should change their API and use mkstemp instead of tmpnam or create a temporary directory in a safe way and use that. 2.2.5 is also affected but I don't think we need to do an update just for this.
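What the comment above recommends instead of tmpnam, as an added example that is not part of zinf or the attached tmpworkaround patches: mkstemp() picks the random suffix and opens the file with O_CREAT|O_EXCL and mode 0600 in a single step, so there is no window between choosing the name and creating the file in which another process could plant a file or symlink at that path; mkdtemp() does the same for a private 0700 directory. The directory argument, the `zinf-XXXXXX` template and the demo function names are assumptions for the example.

```c
#define _POSIX_C_SOURCE 200809L   /* mkstemp(), mkdtemp() */
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/stat.h>

/* Create a private temporary file under dir. The six X's are replaced by
 * mkstemp(), which creates the file atomically with O_EXCL and mode 0600.
 * Returns the open fd and leaves the chosen path in path (size n), or -1. */
int private_tempfile(const char *dir, char *path, size_t n)
{
    if (snprintf(path, n, "%s/zinf-XXXXXX", dir) >= (int)n)
        return -1;
    return mkstemp(path);
}

/* Alternative: a private directory (mode 0700) inside which the process can
 * use predictable file names safely. Returns 0 on success, -1 on error. */
int private_tempdir(const char *dir, char *path, size_t n)
{
    if (snprintf(path, n, "%s/zinf-XXXXXX", dir) >= (int)n)
        return -1;
    return mkdtemp(path) ? 0 : -1;
}

static const char *tmp_base(void)
{
    const char *d = getenv("TMPDIR");
    return d && *d ? d : "/tmp";
}

/* Demo: create the file, check through the open fd (not the path) that it is
 * a regular file, owner-only and ours, then clean up. Returns 1 if so. */
int demo_tempfile_is_private(void)
{
    char path[256];
    struct stat st;
    int fd = private_tempfile(tmp_base(), path, sizeof path), ok;
    if (fd < 0)
        return 0;
    ok = fstat(fd, &st) == 0 && S_ISREG(st.st_mode)
         && (st.st_mode & 0777) == 0600 && st.st_uid == getuid();
    close(fd);
    unlink(path);
    return ok;
}

/* Demo: same check for the directory variant. Returns 1 if mode is 0700. */
int demo_tempdir_is_private(void)
{
    char path[256];
    struct stat st;
    int ok;
    if (private_tempdir(tmp_base(), path, sizeof path) < 0)
        return 0;
    ok = stat(path, &st) == 0 && S_ISDIR(st.st_mode)
         && (st.st_mode & 0777) == 0700;
    rmdir(path);
    return ok;
}
```

The key property is that the caller only ever works with the file descriptor mkstemp() returned; re-opening by path later would reintroduce the race the comment is talking about.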
*grmbl* the setenv doesn't work for some reason.
Just scratch that tmp stuff and fix only the buffer overflow. If I'm not mistaken an attacker would need to create 56800235584 ((26+26+10)^6) symlinks within the blink of an eye to exploit the race, which is probably unlikely enough for a non-setuid application ;-)
Fixed for freeamp in 8.1 and 8.2 and zinf 9.0 and submitted. - Fixed buffer overflow in playlist (Luigi Auriemma, #46221). You can create patchinfo.
patchinfo submitted
approved
CAN-2004-0964
CVE-2004-0964: CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)