[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[FD] taglib 1.11.1 vuln

To: seclist <fulldisclosure@xxxxxxxxxxxx>
Subject: [FD] taglib 1.11.1 vuln
From: 熊文彬 <bear.xiong@xxxxxxxxxxxxxxxxxxxx>
Date: Mon, 28 May 2018 10:12:43 +0800 (GMT+08:00)

taglib vulnerability
================
Author : Webin security lab - dbapp security Ltd
===============


Introduction:
=============
TagLib Audio Meta-Data Library

http://taglib.org/

TagLib is a library for reading and editing the meta-data of several popular 
audio formats. Currently it supports both ID3v1 and ID3v2 for MP3 files, Ogg 
Vorbis comments and ID3 tags and Vorbis comments in FLAC, MPC, Speex, WavPack, 
TrueAudio, WAV, AIFF, MP4 and ASF files.

TagLib is distributed under the GNU Lesser General Public License (LGPL) and 
Mozilla Public License (MPL). Essentially that means that it may be used in 
proprietary applications, but if changes are made to TagLib they must be 
contributed back to the project. Please review the licenses if you are 
considering using TagLib in your project.

Affected version:
=====
1.11.1


Vulnerability Description:
==========================


The TagLib::Ogg::FLAC::File::scan function in oggflacfile.cpp in TagLib 1.11.1 
allows remote attackers to cause information disclosure (heap-based buffer 
over-read) via a crafted audio file.


tag reader file_scan


==23969==ERROR: AddressSanitizer: heap-buffer-overflow on address 
0x602000000c75 at pc 0x000000704d1f bp 0x7ffee02d5d90 sp 0x7ffee02d5d88
READ of size 1 at 0x602000000c75 thread T0
    #0 0x704d1e in TagLib::Ogg::FLAC::File::scan() 
/home/xxx/taglib/taglib/ogg/flac/oggflacfile.cpp:237:8
    #1 0x702899 in TagLib::Ogg::FLAC::File::read(bool, 
TagLib::AudioProperties::ReadStyle) 
/home/xxx/taglib/taglib/ogg/flac/oggflacfile.cpp:179:3
    #2 0x7030ca in TagLib::Ogg::FLAC::File::File(TagLib::IOStream*, bool, 
TagLib::AudioProperties::ReadStyle) 
/home/xxx/taglib/taglib/ogg/flac/oggflacfile.cpp:100:5
    #3 0x6523f1 in (anonymous namespace)::detectByContent(TagLib::IOStream*, 
bool, TagLib::AudioProperties::ReadStyle) 
/home/xxx/taglib/taglib/fileref.cpp:154:18
    #4 0x64ae35 in TagLib::FileRef::parse(char const*, bool, 
TagLib::AudioProperties::ReadStyle) /home/xxx/taglib/taglib/fileref.cpp:450:13
    #5 0x555d96 in main /home/xxx/taglib/examples/tagreader.cpp:41:21
    #6 0x7fb460bdd82f in __libc_start_main 
/build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
    #7 0x459c88 in _start (/home/xxx/taglib/build/examples/tagreader+0x459c88)

0x602000000c75 is located 0 bytes to the right of 5-byte region 
[0x602000000c70,0x602000000c75)
allocated by thread T0 here:
    #0 0x51deb8 in __interceptor_malloc 
(/home/xxx/taglib/build/examples/tagreader+0x51deb8)
    #1 0x7fb461d76e77 in operator new(unsigned long) 
(/usr/lib/x86_64-linux-gnu/libstdc++.so.6+0x8de77)


Reproducer:
file_scan
CVE:
CVE-2018-11439


==========================


Webin security lab - dbapp security Ltd

Attachment: poc.zip
Description: Zip compressed data

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Follow-Ups:
- Re: [FD] taglib 1.11.1 vuln
  - From: Alan Coopersmith

Prev by Date: [FD] libmobi 0.3 vulns
Next by Date: [FD] WindScribe VPN 1.81 Privilege Escalation
Previous by thread: [FD] libmobi 0.3 vulns
Next by thread: Re: [FD] taglib 1.11.1 vuln
Index(es):
- Date
- Thread