Integer signedness error in the store_id3_text function in the ID3v2 code in mpg123 before 1.7.2 allows remote attackers to cause a denial of service (out-of-bounds memory access) and possibly execute arbitrary code

CVE-2009-1301

Stefan Lesicnik wrote:
> ** Changed in: mpg123 (Ubuntu Dapper)
> Status: Confirmed => Invalid
>
> ** Changed in: mpg123 (Ubuntu Dapper)
> Assignee: Stefan Lesicnik (stefanlsd) => (unassigned)
>
>

Marking 'In Progress' as per https://wiki.ubuntu.com/SecurityTeam/UpdatePreparation#Submission

Thanks for the debdiffs Stefan! :) Can you indicate the testing performed?

Dapper code seems to not be affected. There is no id3.c and grepping for the strings also return no results.

There is no released POC for this exploit and no inbuilt tests. The resulting .dsc was built on all releases and builds ok.

Testing was done to ensure that mpg123 still works as expected by playing random mp3 files and checking the id3 tag information was displayed.

The patch itself is of low impact as it introduces no ABI / API changes but just convers an integer to unsigned integer.

I ran mpg123 -v --rva-album --long-tag file.mp3 (all the related id3 tag functions from the manpage). These function as expected.

The patches themselves look good. I've uploaded hardy-jaunty to the security PPA. I can publish these and karmic once I get feedback on testing.

BTW-- the Dapper task was mark 'Invalid', does this issue not affect Dapper?

This was fixed in 1.7.2-1, and Karmic now has 1.7.2-3ubuntu1.

Stefan, what is the status of your testing?

Hey Jamie,

Dapper was marked invalid as the code seems to not be affected. There is no id3.c and grepping for the strings for the fix also return no results.

I have tested as much as I am able too.

mpg123 -v --rva-album file.mp3
mpg123 -v --long-tag file.mp3

Functions as expected. (These are all the related id3 tag functions from the manpage that could possibly trigger the function).

I played random files to determine that the id3 information is still displayed correctly and can find no errors.

mpg123 (1.4.3-4ubuntu1.1) jaunty-security; urgency=low

  * SECURITY UPDATE: Integer signedness error in the store_id3_text function
    in the ID3v2 code in mpg123 before 1.7.2 allows remote attackers to cause
    a denial of service (out-of-bounds memory access) and possibly execute
    arbitrary code via an ID3 tag with a negative encoding value. (LP: 370031).
   - src/libmpg123/id3.c: Inline patch from upstream SVN rev 1920.
   - http://www.mpg123.org/cgi-bin/viewvc.cgi/tags/1.7.2/?view=log
   - CVE-2009-1301

mpg123 (1.4.3-3ubuntu0.1) intrepid-security; urgency=low

  * SECURITY UPDATE: Integer signedness error in the store_id3_text function
    in the ID3v2 code in mpg123 before 1.7.2 allows remote attackers to cause
    a denial of service (out-of-bounds memory access) and possibly execute
    arbitrary code via an ID3 tag with a negative encoding value. (LP: 370031).
   - src/libmpg123/id3.c: Inline patch from upstream SVN rev 1920.
   - http://www.mpg123.org/cgi-bin/viewvc.cgi/tags/1.7.2/?view=log
   - CVE-2009-1301

mpg123 (0.67-1ubuntu0.1) hardy-security; urgency=low

  * SECURITY UPDATE: Integer signedness error in the store_id3_text function
    in the ID3v2 code in mpg123 before 1.7.2 allows remote attackers to cause
    a denial of service (out-of-bounds memory access) and possibly execute
    arbitrary code via an ID3 tag with a negative encoding value. (LP: 370031).
   - src/id3.c: Inline patch from upstream SVN rev 1920.
   - http://www.mpg123.org/cgi-bin/viewvc.cgi/tags/1.7.2/?view=log
   - CVE-2009-1301

Stefan, thanks for the update and testing! :)