Message-ID: <20637.88.149.150.1.1165988873.squirrel@webmail.zone-h.fr>
Date: Wed, 13 Dec 2006 06:47:53 +0100 (CET)
From: "Siegfried" <admin@...e-h.fr>
To: full-disclosure@...ts.grok.org.uk
Subject: Coolplayer buffer overflow vulnerabilities

Affected software: Coolplayer (coolplayer.sourceforge.net)
Versions: <= 215
Discovered by: Mehdi Oudad and Kevin Fernandez, zone-h.fr

The Coolplayer authors were mailed through contact _\at/_
daansystems. com on November 15 2005 but we never got any reply. On
November 30 2006 they published a new version that somewhat patches the
flaws.

1) A boundary error exists in the CPL_AddPrefixedFile() function of
CPI_Playlist.c:

        char cFullPath[MAX_PATH];                  /* MAX_PATH is 260 bytes */
        /* neither copy checks the remaining space in cFullPath; the length
           of pcFilename is taken from the playlist file */
        memcpy(cFullPath, pcPlaylistFile, iPlaylist_VolumeBytes);
        strcpy(cFullPath + iPlaylist_VolumeBytes, pcFilename + 1);
        CPL_AddSingleFile(hPlaylist, cFullPath, pcTitle);

The program tries to copy a 512-byte input string into a 260-byte buffer
(MAX_PATH). This can be exploited via a malicious playlist file containing
overly long song names.
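As an added illustration of the fix the advisory implies (this is not Coolplayer's code; the function name cpl_build_full_path and the check_fits helper are hypothetical), the same prefix-plus-filename join done with a length check before any byte is written, so an over-long song name is rejected instead of overrunning the 260-byte buffer:

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_PATH 260   /* Windows limit; the original buffer is char cFullPath[MAX_PATH] */

/* Bounded replacement for the join shown above (hypothetical name, not
 * Coolplayer's code). Copies volume_bytes bytes of playlist_file followed by
 * filename + 1, exactly as the original does, but refuses any result that
 * would not fit in dst together with its terminating NUL.
 * Returns 0 on success, -1 if the input is malformed or too long. */
int cpl_build_full_path(char *dst, size_t dstsz,
                        const char *playlist_file, size_t volume_bytes,
                        const char *filename)
{
    if (dst == NULL || playlist_file == NULL || filename == NULL || dstsz == 0)
        return -1;
    if (volume_bytes > strlen(playlist_file) || filename[0] == '\0')
        return -1;                         /* prefix longer than its source, or empty name */

    const char *tail = filename + 1;       /* the original skips the leading character */
    size_t tail_len = strlen(tail);

    /* Check before writing anything: prefix + tail + NUL must fit in dst. */
    if (volume_bytes > dstsz - 1 || tail_len > dstsz - 1 - volume_bytes)
        return -1;

    memcpy(dst, playlist_file, volume_bytes);
    memcpy(dst + volume_bytes, tail, tail_len + 1);   /* copies the NUL too */
    return 0;
}

/* Exercises the bound with constructed input: a volume prefix of volume_bytes
 * 'P's and a song name of one leading '\\' plus tail_len 'A's, joined into a
 * MAX_PATH-sized buffer. Returns what cpl_build_full_path returned. */
int check_fits(size_t volume_bytes, size_t tail_len)
{
    char prefix[1024], name[1024], full[MAX_PATH];
    if (volume_bytes >= sizeof prefix || tail_len + 1 >= sizeof name)
        return -1;
    memset(prefix, 'P', volume_bytes);
    prefix[volume_bytes] = '\0';
    name[0] = '\\';
    memset(name + 1, 'A', tail_len);
    name[tail_len + 1] = '\0';
    return cpl_build_full_path(full, sizeof full, prefix, volume_bytes, name);
}
```

With a 9-byte volume prefix, a 250-byte tail is the longest that still fits (9 + 250 + NUL = 260); a 251-byte tail, and the 512-byte name from the advisory, are refused.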

2) A boundary error exists in the main_skin_check_ini_value() function of
skin.c:

        /* %s and %[^\0] carry no field width, so name and tooltip are
           filled with no bound on the input length */
        sscanf(textposition, "%s %d %d %d %d %d %d %d %d %d %[^\0]", name, &x,
               &y, &w, &h, &maxw, &x2, &y2, &w2, &h2, tooltip);

It can be exploited with a skin file containing overly long button names.

3) An error in main_skin_open() of skin.c can be exploited with a skin
file containing overly long bitmap filenames.

Additionally, Coolplayer was using an obsolete version of the zlib library;
the changelog does not say it has been updated.

