Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

taglib 1.11.1 vuln

From: 熊文彬 <bear.xiong () dbappsecurity com cn>
Date: Mon, 28 May 2018 10:12:43 +0800 (GMT+08:00)
taglib vulnerability
================
Author : Webin security lab - dbapp security Ltd
===============


Introduction:
=============
TagLib Audio Meta-Data Library

http://taglib.org/

TagLib is a library for reading and editing the meta-data of several popular audio formats. Currently it supports both 
ID3v1 and ID3v2 for MP3 files, Ogg Vorbis comments and ID3 tags and Vorbis comments in FLAC, MPC, Speex, WavPack, 
TrueAudio, WAV, AIFF, MP4 and ASF files.

TagLib is distributed under the GNU Lesser General Public License (LGPL) and Mozilla Public License (MPL). Essentially 
that means that it may be used in proprietary applications, but if changes are made to TagLib they must be contributed 
back to the project. Please review the licenses if you are considering using TagLib in your project.

Affected version:
=====
1.11.1


Vulnerability Description:
==========================


The TagLib::Ogg::FLAC::File::scan function in oggflacfile.cpp in TagLib 1.11.1 allows remote attackers to cause 
information disclosure (heap-based buffer over-read) via a crafted audio file.


tag reader file_scan


==23969==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000c75 at pc 0x000000704d1f bp 0x7ffee02d5d90 
sp 0x7ffee02d5d88
READ of size 1 at 0x602000000c75 thread T0
    #0 0x704d1e in TagLib::Ogg::FLAC::File::scan() /home/xxx/taglib/taglib/ogg/flac/oggflacfile.cpp:237:8
    #1 0x702899 in TagLib::Ogg::FLAC::File::read(bool, TagLib::AudioProperties::ReadStyle) 
/home/xxx/taglib/taglib/ogg/flac/oggflacfile.cpp:179:3
    #2 0x7030ca in TagLib::Ogg::FLAC::File::File(TagLib::IOStream*, bool, TagLib::AudioProperties::ReadStyle) 
/home/xxx/taglib/taglib/ogg/flac/oggflacfile.cpp:100:5
    #3 0x6523f1 in (anonymous namespace)::detectByContent(TagLib::IOStream*, bool, TagLib::AudioProperties::ReadStyle) 
/home/xxx/taglib/taglib/fileref.cpp:154:18
    #4 0x64ae35 in TagLib::FileRef::parse(char const*, bool, TagLib::AudioProperties::ReadStyle) 
/home/xxx/taglib/taglib/fileref.cpp:450:13
    #5 0x555d96 in main /home/xxx/taglib/examples/tagreader.cpp:41:21
    #6 0x7fb460bdd82f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
    #7 0x459c88 in _start (/home/xxx/taglib/build/examples/tagreader+0x459c88)

0x602000000c75 is located 0 bytes to the right of 5-byte region [0x602000000c70,0x602000000c75)
allocated by thread T0 here:
    #0 0x51deb8 in __interceptor_malloc (/home/xxx/taglib/build/examples/tagreader+0x51deb8)
    #1 0x7fb461d76e77 in operator new(unsigned long) (/usr/lib/x86_64-linux-gnu/libstdc++.so.6+0x8de77)


Reproducer:
file_scan
CVE:
CVE-2018-11439


==========================


Webin security lab - dbapp security Ltd

Attachment: poc.zip
Description: 


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Previous By Date Next
Previous By Thread Next

Current thread: