CVE-2020-21724: Ogg Video Tools / Bugs

Buffer Overflow vulnerability in the ExtractorInformation function in streamExtractor.cpp in oggvideotools 0.9.1 allows remote attackers to run arbitrary code via opening of a crafted ogg file.


I use AddressSanitizer to build oggvideotools 0.9.1 and get a segmentation fault as below. I use the command:
oggLength <testcase>
The testcase I used is in the attachment.
This software can also be installed by the command apt install oggvideotools, but the version is 0.8a-7, which also gets a segmentation fault with the same testcase.

MediaConverter::setAvailable(): decoder is not configured or has ended
MediaConverter::setAvailable(): decoder is not configured or has ended
MediaConverter::setAvailable(): decoder is not configured or has ended
=================================================================
==32390==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60600000e4b8 at pc 0x00000046e493 bp 0x7ffe9af99060 sp 0x7ffe9af99050
WRITE of size 4 at 0x60600000e4b8 thread T0
#0 0x46e492 in ExtractorInformation::operator=(ExtractorInformation const&) /home/wws/Music/Fuzz/target_progs/target_oggvideotools_addresssanitizer/oggvideotools-0.9.1/src/base/streamExtractor.cpp:17
#1 0x4407e2 in StreamConfig::operator=(StreamConfig const&) /home/wws/Music/Fuzz/target_progs/target_oggvideotools_addresssanitizer/oggvideotools-0.9.1/src/base/streamConfig.h:12
#2 0x43ea66 in StreamSerializer::getStreamConfig(std::vector<StreamConfig, std::allocator<StreamConfig> >&) /home/wws/Music/Fuzz/target_progs/target_oggvideotools_addresssanitizer/oggvideotools-0.9.1/src/main/streamSerializer.cpp:210
#3 0x43b0c4 in oggLengthCmd(int, char**) /home/wws/Music/Fuzz/target_progs/target_oggvideotools_addresssanitizer/oggvideotools-0.9.1/src/binaries/oggLength.cpp:93
#4 0x43b4e5 in main /home/wws/Music/Fuzz/target_progs/target_oggvideotools_addresssanitizer/oggvideotools-0.9.1/src/binaries/oggLength.cpp:136
#5 0x7f13e016782f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#6 0x43aa78 in _start (/home/wws/Music/Fuzz/target_progs/target_oggvideotools_addresssanitizer/install/bin/oggLength+0x43aa78)

0x60600000e4b8 is located 0 bytes to the right of 56-byte region [0x60600000e480,0x60600000e4b8)
allocated by thread T0 here:
#0 0x7f13e0b42532 in operator new(unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x99532)
#1 0x4468b4 in __gnu_cxx::new_allocator<StreamConfig>::allocate(unsigned long, void const*) /usr/include/c++/5/ext/new_allocator.h:104
#2 0x4460b3 in std::allocator_traits<std::allocator<StreamConfig> >::allocate(std::allocator<StreamConfig>&, unsigned long) /usr/include/c++/5/bits/alloc_traits.h:491
#3 0x4451fd in std::_Vector_base<StreamConfig, std::allocator<StreamConfig> >::_M_allocate(unsigned long) /usr/include/c++/5/bits/stl_vector.h:170
#4 0x443257 in std::vector<StreamConfig, std::allocator<StreamConfig> >::_M_default_append(unsigned long) (/home/wws/Music/Fuzz/target_progs/target_oggvideotools_addresssanitizer/install/bin/oggLength+0x443257)
#5 0x441d5e in std::vector<StreamConfig, std::allocator<StreamConfig> >::resize(unsigned long) (/home/wws/Music/Fuzz/target_progs/target_oggvideotools_addresssanitizer/install/bin/oggLength+0x441d5e)
#6 0x43e9a5 in StreamSerializer::getStreamConfig(std::vector<StreamConfig, std::allocator<StreamConfig> >&) /home/wws/Music/Fuzz/target_progs/target_oggvideotools_addresssanitizer/oggvideotools-0.9.1/src/main/streamSerializer.cpp:206
#7 0x43b0c4 in oggLengthCmd(int, char**) /home/wws/Music/Fuzz/target_progs/target_oggvideotools_addresssanitizer/oggvideotools-0.9.1/src/binaries/oggLength.cpp:93
#8 0x43b4e5 in main /home/wws/Music/Fuzz/target_progs/target_oggvideotools_addresssanitizer/oggvideotools-0.9.1/src/binaries/oggLength.cpp:136
#9 0x7f13e016782f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/wws/Music/Fuzz/target_progs/target_oggvideotools_addresssanitizer/oggvideotools-0.9.1/src/base/streamExtractor.cpp:17 ExtractorInformation::operator=(ExtractorInformation const&)
Shadow bytes around the buggy address:
0x0c0c7fff9c40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0c7fff9c50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0c7fff9c60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0c7fff9c70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0c7fff9c80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c0c7fff9c90: 00 00 00 00 00 00 00[fa]fa fa fa fa 00 00 00 00
0x0c0c7fff9ca0: 00 00 05 fa fa fa fa fa fd fd fd fd fd fd fd fa
0x0c0c7fff9cb0: fa fa fa fa 00 00 00 00 00 00 07 fa fa fa fa fa
0x0c0c7fff9cc0: fd fd fd fd fd fd fd fa fa fa fa fa fd fd fd fd
0x0c0c7fff9cd0: fd fd fd fd fa fa fa fa 00 00 00 00 00 00 06 fa
0x0c0c7fff9ce0: fa fa fa fa fd fd fd fd fd fd fd fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
==32390==ABORTING

My system is:
Description: Ubuntu 16.04.6 LTS
Release: 16.04

The software information:
oggvideotools:
Installed: 0.8a-7
Candidate: 0.8a-7
Version table:
*** 0.8a-7 500
500 https://mirrors.tuna.tsinghua.edu.cn/ubuntu xenial/universe amd64 Packages
500 http://archive.ubuntu.com/ubuntu xenial/universe amd64 Packages
100 /var/lib/dpkg/status

ProblemType: Bug
DistroRelease: Ubuntu 16.04
Package: oggvideotools 0.8a-7
ProcVersionSignature: Ubuntu 4.15.0-66.75~16.04.1-generic 4.15.18
Uname: Linux 4.15.0-66-generic x86_64
ApportVersion: 2.20.1-0ubuntu2.21
Architecture: amd64
CurrentDesktop: Unity
Date: Thu Nov 14 19:56:47 2019
InstallationDate: Installed on 2019-01-24 (293 days ago)
InstallationMedia: Ubuntu 16.04.5 LTS “Xenial Xerus” - Release amd64 (20180731)
SourcePackage: oggvideotools
UpgradeStatus: No upgrade log present (probably fresh install)
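What the report above shows, read as a defender: a 4-byte WRITE landing 0 bytes past the end of a 56-byte heap block that std::vector<StreamConfig>::resize() had just allocated in getStreamConfig (streamSerializer.cpp:206), with the write itself coming from the element assignment at line 210. That is the signature of an element index derived from file data being used without being checked against the size the vector was resized to. The code below is an added illustration of that pattern and of the check that prevents it; it is not oggvideotools code, the struct and function names (SampleStreamConfig, fillUnchecked, fillChecked) and the byte layout are constructed for the example, and it only assumes the root cause is the index/size mismatch the trace is consistent with.

```cpp
// Added example, not oggvideotools code. Shows a stream table whose entry
// count and per-entry indices both come from untrusted input, once without
// and once with a bounds check. Build with
//   g++ -std=c++11 -g -fsanitize=address example.cpp
// to see AddressSanitizer flag the unchecked version on the bad input.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// Hypothetical per-stream record; stands in for the project's StreamConfig.
struct SampleStreamConfig {
    uint32_t serial = 0;   // stream serial number
    uint32_t type   = 0;   // codec type tag
};

struct ParseResult {
    bool ok = false;
    std::vector<SampleStreamConfig> configs;
};

// Constructed header layout (not a real Ogg structure):
//   byte 0        = declared number of streams N
//   then triples  = [index][serial][type], one byte each
//
// Unchecked version: trusts the index byte. An index equal to N writes one
// element past the end of the vector that resize() just allocated, which a
// sanitizer build reports as heap-buffer-overflow WRITE, as in the trace.
static void fillUnchecked(const std::vector<uint8_t>& hdr,
                          std::vector<SampleStreamConfig>& out) {
    size_t n = hdr[0];
    out.resize(n);
    for (size_t pos = 1; pos + 2 < hdr.size(); pos += 3) {
        size_t idx = hdr[pos];
        out[idx].serial = hdr[pos + 1];   // no bounds check on idx
        out[idx].type   = hdr[pos + 2];
    }
}

// Hardened version: every index read from the input is validated against
// the size actually allocated; a malformed table is rejected, not written.
static ParseResult fillChecked(const std::vector<uint8_t>& hdr) {
    ParseResult r;
    if (hdr.empty()) return r;            // nothing to parse
    size_t n = hdr[0];
    r.configs.resize(n);
    for (size_t pos = 1; pos + 2 < hdr.size(); pos += 3) {
        size_t idx = hdr[pos];
        if (idx >= r.configs.size()) return r;   // out of range: ok stays false
        r.configs[idx].serial = hdr[pos + 1];
        r.configs[idx].type   = hdr[pos + 2];
    }
    r.ok = true;
    return r;
}

// Constructed inputs: a well-formed table with two streams (indices 0 and 1),
// and one that declares two streams but then names index 2.
static std::vector<uint8_t> goodHeader() { return {2, 0, 10, 1, 1, 20, 2}; }
static std::vector<uint8_t> badHeader()  { return {2, 0, 10, 1, 2, 20, 2}; }

int main() {
    ParseResult good = fillChecked(goodHeader());
    ParseResult bad  = fillChecked(badHeader());
    std::printf("good header: ok=%d streams=%zu\n", good.ok ? 1 : 0, good.configs.size());
    std::printf("bad header:  ok=%d (rejected before any out-of-range write)\n", bad.ok ? 1 : 0);
    // fillUnchecked(badHeader(), ...) is deliberately not called here; under
    // -fsanitize=address it aborts with a heap-buffer-overflow report.
    return bad.ok ? 1 : 0;
}
```

The practical point for triage is that the fix belongs where the index is consumed, not where the vector is sized: resizing to the declared count is fine, but any later index taken from the file has to be compared against that count (or the container accessed with .at(), which throws instead of writing) before it is used.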
