Hosting Provided By

flac123 0.0.9 - Stack overflow in comment parsing

From: David Thiel <david(at)isecpartners.com>
Date: Thu Jun 28 2007 - 22:34:02 EDT

iSEC Partners Security Advisory - 2007-002-flactools http://www.isecpartners.com

Vendor URL: http://flac-tools.sourceforge.net/ Severity: High (Allows for arbitrary code execution) Author: David Thiel <david[at]isecpartners[dot]com>

Vendor notified: 2007-06-05
Public release: 2007-06-28
Systems affected: Verified code execution on FreeBSD 6.2 - should affect most

systems.
Advisory URL: http://www.isecpartners.com/advisories/2007-002-flactools.txt

Summary:

flac123, also known as flac-tools, is vulnerable to a buffer overflow in vorbis comment parsing. This allows for the execution of arbitrary code.

Details:

The function local__vcentry_parse_value() in vorbiscomment.c does not correctly handle a long value_length, causing it to overflow the buffer "dest" during memcpy().

Fix Information:

This is the sole issue corrected in version 0.0.10.

Do you need help?

Thanks to:

Dan Johnson for quickly producing the fixed version.

About iSEC Partners:

iSEC Partners is a full-service security consulting firm that provides penetration testing, secure systems development, security education and software design verification.

More information on exploiting media players and codecs and tools to do the same will be presented at BlackHat USA 2007.

115 Sansome Street, Suite 1005
San Francisco, CA 94104
Phone: (415) 217-0052 Received on Fri Jun 29 12:04:16 2007

This message: [ Message body ]
Next message: RaeD(at)BsdMail.Com: "SQL Injection In Script VBZooM V1.12"
Previous message: Moritz Muehlenhoff: "[SECURITY] [DSA 1325-1] New evolution packages fix arbitrary code execution"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]

This archive was generated by hypermail 2.1.8 : Fri Jun 29 2007 - 12:10:06 EDT