
Bug#1002892: marked as done (abcmidi: Stack based buffer overflow in the karaokestarttrack function used by abc2midi)



Your message dated Fri, 14 Jan 2022 23:03:49 +0000
with message-id <E1n8Vbp-0006Nj-VC@fasolo.debian.org>
and subject line Bug#1002892: fixed in abcmidi 20220113-1
has caused the Debian Bug report #1002892,
regarding abcmidi: Stack based buffer overflow in the karaokestarttrack function used by abc2midi
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1002892: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1002892
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: abcmidi
Version: 20211212-1
Severity: important
Tags: security

Dear Maintainer,

There is a stack based buffer overflow in the karaokestarttrack function from the genmidi.c file, which is used by the abc2midi application. The responsible code looks as follows:


static void karaokestarttrack (track)
int track;
/* header information for karaoke track based on w: fields */
{
  int j;
  int done;
  char atitle[200];
[...]
 while ((j < notes) && (done > 0))
  {
     j = j+1;
     if (feature[j] == TITLE) {
        if (track != 2)
           mf_write_meta_event(0L, sequence_name, atext[pitch[j]], strlen (atext[pitch[j]]));
        strcpy(atitle+2, atext[pitch[j]]);
        text_data(atitle);
        done--;
     }
     if (feature[j] == COMPOSER) {
        strcpy(atitle+2, atext[pitch[j]]);
        text_data(atitle);
        done--;
     }     
     if (feature[j] == COPYRIGHT) {
        strcpy(atitle+2, atext[pitch[j]]);
        text_data(atitle);
        done--;
     }
  }
}

In the while loop strcpy is used to copy data into the atitle buffer, which is of size 200, without any length check on the data. Therefore it is possible to copy over 200 bytes into the atitle buffer, overwriting other data on the stack. I wrote the following PoC script in Python to test this:

#!/bin/python3

filecontent = b"""X:
T:""" + b"A" * 400 +  b"""
w:
K:D"""

f = open("poc.abc", "wb")
f.write(filecontent)
f.close()

The script generates a poc.abc file. Using abc2midi to convert the generated file leads to a memory corruption issue:
$ abc2midi poc.abc -o /dev/null
4.64 December 12 2021 abc2midi
Error in line-char 0-0 : Missing Number
Error in line-char 3-0 : missplaced w: field. w: field ignored
Warning in line-char 4-0 : No M: in header, using default
writing MIDI file /dev/null
*** buffer overflow detected ***: terminated
Aborted

Locally I fixed the issue by using strncpy instead of strcpy as follows:

static void karaokestarttrack (track)
int track;
/* header information for karaoke track based on w: fields */
{
  int j;
  int done;
  char atitle[200];
[...]
  while ((j < notes) && (done > 0))
  {
     j = j+1;
     if (feature[j] == TITLE) {
        if (track != 2)
           mf_write_meta_event(0L, sequence_name, atext[pitch[j]], strlen (atext[pitch[j]]));
        strncpy(atitle+2, atext[pitch[j]], 197);
        text_data(atitle);
        done--;
     }
     if (feature[j] == COMPOSER) {
        strncpy(atitle+2, atext[pitch[j]], 197);
        text_data(atitle);
        done--;
     }     
     if (feature[j] == COPYRIGHT) {
        strncpy(atitle+2, atext[pitch[j]], 197);
        text_data(atitle);
        done--;
     }
  }
}

This seemed to fix the buffer overflow for me. However if over 200 bytes of data are allowed in this location a different solution might be needed.

Best regards
Kolja

-- System Information:
Debian Release: 11.0
   APT prefers stable-updates
   APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-8-amd64 (SMP w/4 CPU threads)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages abcmidi depends on:
ii   libc6   2.31-13+deb11u2

abcmidi recommends no packages.

Versions of packages abcmidi suggests:
pn   abcm2ps                               <none>
ii   evince [postscript-viewer]   3.38.2-1
pn   timidity | pmidi                  <none>

-- no debconf information

--- End Message ---
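The following is an added example, not code from the bug report or from abcmidi. It models the copy in karaokestarttrack() with a 200-byte buffer and a 2-byte prefix (the names demo_atitle, poc_title, title_overflows, copy_title_bounded and strncpy_fix_is_terminated are all invented for the example), builds the same 400-byte T: text as the PoC above, shows the length check that strcpy() never performs, a bounded copy that always leaves a NUL terminator inside the buffer, and, for comparison, what strncpy(atitle+2, text, 197) leaves behind when the text is 197 bytes or longer: strncpy() writes no terminator in that case, so the later strlen() in text_data() reads past the end of the array unless the tail of the buffer happens to be zero.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not abcmidi code. It models the copy in karaokestarttrack():
 * a 200-byte stack buffer, two prefix bytes, then the T:/C:/Z: text. */
#define ATITLE_SIZE   200   /* size of atitle[] in genmidi.c */
#define ATITLE_PREFIX 2     /* atitle[0..1] are written before the text */
#define ATITLE_ROOM   (ATITLE_SIZE - ATITLE_PREFIX - 1)   /* 197 text bytes + NUL */

char demo_atitle[ATITLE_SIZE];   /* stands in for the local atitle[200] */

/* Constructed input matching the PoC in the report: a T: field of 400 'A's. */
const char *poc_title(void)
{
    static char title[401];
    memset(title, 'A', 400);
    title[400] = '\0';
    return title;
}

/* The check strcpy() never performs: would this text overrun atitle? */
int title_overflows(const char *text)
{
    return strlen(text) > ATITLE_ROOM;
}

/* Hardened copy: bounded and always NUL-terminated inside atitle.
 * Returns 1 if the text fitted, 0 if it was truncated to ATITLE_ROOM bytes. */
int copy_title_bounded(char atitle[ATITLE_SIZE], const char *text)
{
    size_t len = strlen(text);
    size_t n = len < ATITLE_ROOM ? len : ATITLE_ROOM;
    memcpy(atitle + ATITLE_PREFIX, text, n);
    atitle[ATITLE_PREFIX + n] = '\0';
    return len <= ATITLE_ROOM;
}

/* Reproduces the reporter's strncpy(atitle+2, text, 197) and reports whether
 * the result is NUL-terminated within the buffer. strncpy() writes no
 * terminator when strlen(text) >= 197, so a later strlen() on atitle (as in
 * text_data()) reads past the end of the array. The buffer is pre-filled with
 * 'X' to stand in for whatever the stack held before the call. */
int strncpy_fix_is_terminated(const char *text)
{
    char atitle[ATITLE_SIZE];
    memset(atitle, 'X', sizeof atitle);
    strncpy(atitle + ATITLE_PREFIX, text, ATITLE_ROOM);
    return memchr(atitle + ATITLE_PREFIX, '\0', ATITLE_SIZE - ATITLE_PREFIX) != NULL;
}

int main(void)
{
    const char *title = poc_title();
    printf("PoC title length %zu, overflows atitle: %s\n",
           strlen(title), title_overflows(title) ? "yes" : "no");
    printf("strncpy(...,197) leaves a terminator: %s\n",
           strncpy_fix_is_terminated(title) ? "yes" : "no");
    copy_title_bounded(demo_atitle, title);
    printf("bounded copy kept %zu text bytes and a terminator\n",
           strlen(demo_atitle + ATITLE_PREFIX));
    return 0;
}
```

The bounded copy is what a practitioner would want in place of either strcpy() or a bare strncpy(): it either fits the text or truncates it, and in both cases the buffer is a valid C string afterwards. If titles longer than 197 bytes must be preserved rather than truncated, the buffer has to be sized from strlen() at run time instead of being a fixed 200-byte array.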
--- Begin Message ---
Source: abcmidi
Source-Version: 20220113-1
Done: Dennis Braun <d_braun@kabelmail.de>

We believe that the bug you reported is fixed in the latest version of
abcmidi, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1002892@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Dennis Braun <d_braun@kabelmail.de> (supplier of updated abcmidi package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 14 Jan 2022 23:14:45 +0100
Source: abcmidi
Architecture: source
Version: 20220113-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>
Changed-By: Dennis Braun <d_braun@kabelmail.de>
Closes: 890250 1002860 1002892 1002894 1002895 1002896
Changes:
 abcmidi (20220113-1) unstable; urgency=medium
 .
   * New upstream version 20220113
     (Closes: #890250, #1002860, #1002892, #1002894, #1002895, #1002896)
Checksums-Sha1:
 4a3ca35d3a2e09300707292c8ef8c1ddc4759e7f 2014 abcmidi_20220113-1.dsc
 d73dfcdd85c2202c2ab4dc0888f87ef112aea39f 416404 abcmidi_20220113.orig.tar.xz
 55369738a2b955f8e8e32a8d5ee91262eace7367 7776 abcmidi_20220113-1.debian.tar.xz
 2a9766edbb994e77e0e47b30280bf2e4bc4a900b 5606 abcmidi_20220113-1_source.buildinfo
Checksums-Sha256:
 e60f09e81e8efb270d2074ceba131e9b261791ea9348393e3b6cbdba761366db 2014 abcmidi_20220113-1.dsc
 02f55c5b57000db3f7da1e4d53f4b6bb6c10986078840158e51294d3d5d8bd24 416404 abcmidi_20220113.orig.tar.xz
 20843df70afe8679e1275aba3cb82a99ca5ca83f56a18d73509f13a4adb32b01 7776 abcmidi_20220113-1.debian.tar.xz
 3a6e74a55330ac34f29cd933f48ecb12f5fdc663920a6d789442531f7e2dac70 5606 abcmidi_20220113-1_source.buildinfo
Files:
 1e4997faec71339296cd1720e3289459 2014 sound optional abcmidi_20220113-1.dsc
 91806b9acb3afc10ea63eb70963ed356 416404 sound optional abcmidi_20220113.orig.tar.xz
 93c78f6123f0cf3a1cd61bb4c8403ab0 7776 sound optional abcmidi_20220113-1.debian.tar.xz
 dde19f7901ebc9ded2f65e91669d40ac 5606 sound optional abcmidi_20220113-1_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQJJBAEBCgAzFiEEPLfDAq+1fmGoxhfdY06lXZArmDYFAmHh+X8VHGRfYnJhdW5A
a2FiZWxtYWlsLmRlAAoJEGNOpV2QK5g2hzkQAL3GIR2NPPpd/pZ8f4NMh+AHiaQd
NyFepDIFayByv5AIECmP1I0onEoSej+2bLhvP9mVazYxpc/vQ9HBzRUPVoKYd7uY
nVzuZTo5tagPRzqHFyeLgoLGj/6Zp9lJRjOQ0uX0YvfXW1OQIRn+sDFjfF0PsGvD
VwLHFZn2E5Sf1mj9fuXVSk3K6iTIJA2Nbyl1srFzFN68fLBN9rj2TXObyktF0fzE
zeog60tz2AL8xHYKvkBGP6t8YMde33KjkwHFUFn8bYEkTC9VdGYOzdyc8SfHmk6w
H6Vfp+dieoAyPac1nO5MHC5Mw0887001ruvq/xs4NNrc2TBlVmbHgYERf72A458l
EFO/FbgM2DguGMdtpGS0mW/X5FUVacDOhTg70qlZsBAqvy84euM4Mu4ws82/zR4D
21lFqoOcO1CdLY3QDTu6gLqdk1uo/EXSrwsiI7ZrRzET4kxwVEs+dUVNL4v6HjnA
KasOwyHrA82kf29qjExRBW5Gr0LJZdjVDjQRFKS0gqmcIYTsFrad7osQjVxguK4h
1dj+hJLFh2BzmbW76WXcFutmu1KP0wk+IGh4u0O+DoyyXUom4DTaV1lueQ5qkN9e
TF1wG9spEehAEzcjf7xg+mY3S1UH4pnvHbie8Ra/n3vgBu3n5ZJLGhPwl9Hydph/
X4eRMGNEA+qj2oKZ
=XaII
-----END PGP SIGNATURE-----

--- End Message ---