lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <3ed2941.128.163a484e870.Coremail.bear.xiong@dbappsecurity.com.cn>
Date: Mon, 28 May 2018 10:12:43 +0800 (GMT+08:00)
From: 熊文彬 <bear.xiong@...ppsecurity.com.cn>
To: seclist <fulldisclosure@...lists.org>
Subject: [FD] taglib 1.11.1 vuln

taglib vulnerability
================
Author : Webin security lab - dbapp security Ltd
===============


Introduction:
=============
TagLib Audio Meta-Data Library

http://taglib.org/

TagLib is a library for reading and editing the meta-data of several popular audio formats. Currently it supports both ID3v1 and ID3v2 for MP3 files, Ogg Vorbis comments and ID3 tags and Vorbis comments in FLAC, MPC, Speex, WavPack, TrueAudio, WAV, AIFF, MP4 and ASF files.

TagLib is distributed under the GNU Lesser General Public License (LGPL) and Mozilla Public License (MPL). Essentially that means that it may be used in proprietary applications, but if changes are made to TagLib they must be contributed back to the project. Please review the licenses if you are considering using TagLib in your project.

Affected version:
=====
1.11.1


Vulnerability Description:
==========================


The TagLib::Ogg::FLAC::File::scan function in oggflacfile.cpp in TagLib 1.11.1 allows remote attackers to cause information disclosure (heap-based buffer over-read) via a crafted audio file.


tag reader file_scan


==23969==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000c75 at pc 0x000000704d1f bp 0x7ffee02d5d90 sp 0x7ffee02d5d88
READ of size 1 at 0x602000000c75 thread T0
    #0 0x704d1e in TagLib::Ogg::FLAC::File::scan() /home/xxx/taglib/taglib/ogg/flac/oggflacfile.cpp:237:8
    #1 0x702899 in TagLib::Ogg::FLAC::File::read(bool, TagLib::AudioProperties::ReadStyle) /home/xxx/taglib/taglib/ogg/flac/oggflacfile.cpp:179:3
    #2 0x7030ca in TagLib::Ogg::FLAC::File::File(TagLib::IOStream*, bool, TagLib::AudioProperties::ReadStyle) /home/xxx/taglib/taglib/ogg/flac/oggflacfile.cpp:100:5
    #3 0x6523f1 in (anonymous namespace)::detectByContent(TagLib::IOStream*, bool, TagLib::AudioProperties::ReadStyle) /home/xxx/taglib/taglib/fileref.cpp:154:18
    #4 0x64ae35 in TagLib::FileRef::parse(char const*, bool, TagLib::AudioProperties::ReadStyle) /home/xxx/taglib/taglib/fileref.cpp:450:13
    #5 0x555d96 in main /home/xxx/taglib/examples/tagreader.cpp:41:21
    #6 0x7fb460bdd82f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
    #7 0x459c88 in _start (/home/xxx/taglib/build/examples/tagreader+0x459c88)

0x602000000c75 is located 0 bytes to the right of 5-byte region [0x602000000c70,0x602000000c75)
allocated by thread T0 here:
    #0 0x51deb8 in __interceptor_malloc (/home/xxx/taglib/build/examples/tagreader+0x51deb8)
    #1 0x7fb461d76e77 in operator new(unsigned long) (/usr/lib/x86_64-linux-gnu/libstdc++.so.6+0x8de77)


Reproducer:
file_scan
CVE:
CVE-2018-11439


==========================


Webin security lab - dbapp security Ltd
Download attachment "poc.zip" of type "application/x-zip-compressed" (244 bytes)


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ