Re: buffer overflow in bladeenc

From: Steve Beattie (steveat_private)
Date: Thu Feb 21 2002 - 15:05:42 PST

    On Tue, Feb 19, 2002 at 10:20:07PM +0100, Peter Boutzev wrote:
    > Some time ago I discovered a buffer overflow vulnerability in bladeenc. 
    > 
    > Bladeenc is an open source mp3 encoder, widely used under linux. 
    > 
    > The program segfaults when a large string is given as an argument on program 
    > startup. Under normal conditions, the syntax of bladeenc is:
    > 
    > bladeenc filename.wav
    > 
    > If you change 'filename.wav' with a large string (around 300 chars), bladeenc
    > crashes, overwriting %eip.
    [SNIP]
    > The overflow isn't really a security hole, since the binary isn't setuid. 
    
    While it's not setuid, consider ripping software (e.g. grip) that uses
    data from CDDB servers. If the ripping software uses the song title as
    part of the name for the wav file that it hands off to bladeenc, there could
    be a security issue here. I don't know of any rippers off-hand that do
    that, but it would be worth investigating.
    
    I've also wondered how well CD players and other software that reads
    CDDB data handle song titles or artist names that are, say,
    513 characters long or have other oddities. For example, another ripper
    (abcde), which is implemented as a couple of shell scripts, didn't properly
    escape backticks (this has been fixed for a few years). A popular CD
    with a maliciously entered song title of "`rm -rf $HOME`" could have
    made some people very unhappy.
    
    -- 
    Steve Beattie                               Don't trust programmers? 
    <steveat_private>                         Complete StackGuard distro at
    http://NxNW.org/~steve/                            immunix.org
      www.personaltelco.net -- overthrowing QWest, one block at a time.
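The filename hand-off Steve describes, as an added example that is not code from this thread, bladeenc, grip or abcde: a toy ripper in POSIX sh that takes a CDDB title and passes it to an encoder three ways. The first builds the command line as a string and runs it through eval, so the shell re-parses the title and executes the backticks (the abcde-style bug). The second passes the title as one quoted argument, so the backticks arrive as plain characters. The third additionally reduces the title to a conservative character set and caps its length, so an overlong title cannot reach a fixed-size buffer in the encoder's argument handling. The encoder stand-in `fake_encoder`, the `safe_name` helper, the 64-character cap and both titles are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from bladeenc, grip or abcde. A toy ripper that
# hands a CDDB song title to an encoder, unsafely and then safely.

# Stand-in for the real encoder (hypothetical): it prints the argument
# list it received, so the output shows exactly what reached its argv.
fake_encoder() {
    printf 'encoder argv:%s\n' "$*"
}

# Vulnerable pattern: the command line is assembled as a string and run
# with eval, so the shell parses the title a second time. Backticks in the
# title are executed as a command and their output becomes the filename.
unsafe_encode() {
    eval "fake_encoder ${1}.wav"
}

# Quoting fix: pass the title as a single argument and never re-parse it.
# The backticks are delivered to the encoder as ordinary characters.
quoted_encode() {
    fake_encoder "${1}.wav"
}

# Length-and-charset fix: keep only letters, digits, dot, underscore and
# space, then cap the length. The cap of 64 characters is an assumption;
# the point is that a 300- or 513-character title never reaches the encoder.
safe_name() {
    printf '%s' "$1" | tr -cd 'A-Za-z0-9._ ' | cut -c 1-64
}

# Hardened hand-off: sanitised name, single quoted argument, and a
# fallback name when nothing printable survives the filter.
hardened_encode() {
    name=$(safe_name "$1")
    [ -n "$name" ] || name=track
    fake_encoder "${name}.wav"
}

# Constructed CDDB title carrying a command-substitution payload.
EVIL_TITLE='Track 1 `echo INJECTED`'

# Constructed 300-character title, the length that crashed bladeenc.
LONG_TITLE=$(printf '%0300d' 0 | tr 0 A)

# Run all three variants when executed directly.
unsafe_encode "$EVIL_TITLE"
quoted_encode "$EVIL_TITLE"
hardened_encode "$EVIL_TITLE"
hardened_encode "$LONG_TITLE"
```

With the eval form the encoder sees `Track 1 INJECTED.wav`, proof that `echo INJECTED` ran; a title containing `rm -rf $HOME` would have run just the same. The quoted form delivers the backticks untouched, and the hardened form strips them and truncates the 300-character title to 64 characters before the encoder's argv is built.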
    This archive was generated by hypermail 2b30 : Thu Feb 21 2002 - 16:42:02 PST