Re: buffer overflow in bladeenc

From: Steve Beattie (steve@wirex.net)
Date: 02/22/02


Date: Thu, 21 Feb 2002 15:05:42 -0800
From: Steve Beattie <steve@wirex.net>
To: Peter Boutzev <boutzev@bulgaria.com>


On Tue, Feb 19, 2002 at 10:20:07PM +0100, Peter Boutzev wrote:
> Some time ago I discovered a buffer overflow vulnerability in bladeenc.
>
> Bladeenc is an open source mp3 encoder, widely used under linux.
>
> The program segfaults when a large string is given as argument on program
> startup. Under normal conditions, the syntax of bladeenc is like:
>
> bladeenc filename.wav
>
> If you change 'filename.wav' with a large string (around 300 chars), bladeenc
> crashes, overwriting %eip.
[SNIP]
> The overflow isn't really a security hole, since the binary isn't setuid.

While it's not setuid, consider ripping software (e.g. grip) that uses
data from CDDB servers. If the ripping software uses the song title as
part of the name for the wav file that it hands off to bladeenc, there could
be a security issue here. I don't know of any rippers off-hand that do
that, but it would be worth investigating.

I've also wondered how well cd players and other software that reads
CDDB data handle song titles or artist names that are, say,
513 characters long or have other oddities. For example, another ripper
(abcde) which is implemented as a couple of shell scripts didn't properly
escape backticks (this has been fixed for a few years). A popular CD
with a maliciously entered song title of "`rm -rf $HOME`" could have
made some people very unhappy.

-- 
Steve Beattie                               Don't trust programmers? 
<steve@wirex.net>                         Complete StackGuard distro at
http://NxNW.org/~steve/                            immunix.org
  www.personaltelco.net -- overthrowing QWest, one block at a time.
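As an added example, not code from abcde, bladeenc or anyone in this thread, here is a POSIX sh function a ripper script could run on a CDDB title before using it as a filename or as an argument to an encoder: it strips shell metacharacters, so a backtick in the title is inert, and caps the length, so the name stays far below the roughly 300 characters that crash bladeenc. The 64-character default cap and the sample titles are assumptions.

```shell
#!/bin/sh
# Added example: sanitise an untrusted CDDB title before it becomes a filename
# or an encoder argument. Not part of abcde or bladeenc.
LC_ALL=C
export LC_ALL

# Constructed sample titles: one with a backtick payload (harmless here),
# one 300 characters long like the crash case from the report.
SAMPLE_TITLE='Track 01 `echo injected` $HOME ; echo pwned'
LONG_TITLE=$(printf '%0300d' 0)

# sanitize_title TITLE [MAXLEN]
# Keeps only [A-Za-z0-9._-]; every other byte becomes '_' (runs squeezed),
# leading/trailing dots and underscores are dropped (no ".." or hidden
# files), and the result is cut to MAXLEN characters. Empty -> "untitled".
sanitize_title() {
    title=$1
    maxlen=${2:-64}
    # tr -c complements the set, -s squeezes repeated '_' in the output
    clean=$(printf '%s' "$title" | tr -cs 'A-Za-z0-9._-' '_')
    clean=$(printf '%s' "$clean" | sed 's/^[._]*//; s/[._]*$//')
    clean=$(printf '%s' "$clean" | cut -c1-"$maxlen")
    [ -n "$clean" ] || clean=untitled
    printf '%s' "$clean"
}

# wav_name_for TITLE: the filename a ripper would hand to the encoder.
# Always quote it when invoking the encoder: encoder "$(wav_name_for "$t")".
wav_name_for() {
    printf '%s.wav' "$(sanitize_title "$1")"
}

# Stand-alone demonstration
wav_name_for "$SAMPLE_TITLE"; echo
wav_name_for "$LONG_TITLE"; echo
```

Because the sanitised name never contains `` ` ``, `$`, `;` or whitespace, it is safe even in a script that later builds a command line by string concatenation, although proper quoting is still the right habit.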