
Bug#1002896: marked as done (abcmidi: Stack based buffer overflow in the event_info_key function used by abc2midi)



Your message dated Fri, 14 Jan 2022 23:03:50 +0000
with message-id <E1n8Vbq-0006O9-1H@fasolo.debian.org>
and subject line Bug#1002896: fixed in abcmidi 20220113-1
has caused the Debian Bug report #1002896,
regarding abcmidi: Stack based buffer overflow in the event_info_key function used by abc2midi
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1002896: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1002896
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: abcmidi
Version: 20211212-1
Severity: important
Tags: security

Dear Maintainer,

There is a stack based buffer overflow in the event_info_key function from the store.c file used by abc2midi. The issue exists in the following code:

void event_info_key(key, value)
char* key;
char* value;
{
  int num;
  char midicmd[64];
  char errmsg[80];
[...]
  else {
    sprintf(errmsg,"I: key \' %s\' not recognized", key);
    if (quiet == -1 && silent == 0) event_error(errmsg); /* [SS] 2018-04-01 */
    }   

As can be seen there is an errmsg buffer with size 80. Later on sprintf is used to write to this buffer without any boundary check. I wrote a small PoC script for this in Python:

#!/usr/bin/env python3
# Build poc.abc: an "X:" header line followed by an "I:" field whose key
# is 400 bytes long, far larger than the 80-byte errmsg buffer.
filecontent = b"X:\nI:" + b"A" * 400

with open("poc.abc", "wb") as f:
    f.write(filecontent)

This generates a poc.abc file. When executing the current version of abc2midi as follows, this leads to a stack overflow:
$ abc2midi poc.abc -o /dev/null
4.64 December 12 2021 abc2midi
Error in line-char 0-0 : Missing Number
*** buffer overflow detected ***: terminated
Aborted


Locally I fixed this issue by using snprintf as follows:

  else {
    snprintf(errmsg, 80, "I: key \' %s\' not recognized", key);
    if (quiet == -1 && silent == 0) event_error(errmsg); /* [SS] 2018-04-01 */
    }

Best regards
Kolja
-- System Information:
Debian Release: 11.0
   APT prefers stable-updates
   APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-8-amd64 (SMP w/4 CPU threads)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages abcmidi depends on:
ii   libc6   2.31-13+deb11u2

abcmidi recommends no packages.

Versions of packages abcmidi suggests:
pn   abcm2ps                               <none>
ii   evince [postscript-viewer]   3.38.2-1
pn   timidity | pmidi                  <none>

-- no debconf information

--- End Message ---
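Added example (editor's note, not code from the report above or from abcmidi itself): a self-contained C program that reproduces the arithmetic of the overflow and shows the bounded alternative beside it. Only the format string and the 80-byte errmsg size are taken from the report; the function names, the simplified "I:" line walk (first whitespace-delimited token is the key) and the 512-byte key buffer are assumptions made for this illustration and do not describe abc2midi's real field parser.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not abc2midi code. Mirrors the shape of event_info_key():
 * a fixed 80-byte stack buffer receiving an attacker-controlled key. */
#define ERRMSG_CAP 80

/* The format string quoted in the report (the \' escapes are just ' in C). */
#define FMT "I: key ' %s' not recognized"

/* Bytes the original sprintf would write for this key, including the NUL.
 * Touches no buffer, so it is safe to call with any key length. */
size_t unsafe_bytes_needed(const char *key)
{
    return (size_t)snprintf(NULL, 0, FMT, key) + 1;
}

/* Hardened formatter: never writes past cap, always NUL-terminates.
 * Returns 1 if the message was cut short (the original sprintf would have
 * overflowed a buffer of cap bytes), 0 if it fit, -1 on encoding error. */
int format_info_key_error(char *dst, size_t cap, const char *key)
{
    int n = snprintf(dst, cap, FMT, key);
    if (n < 0) {
        if (cap) dst[0] = '\0';
        return -1;
    }
    return (size_t)n >= cap;
}

/* Stand-in for the tune-file walk (assumption: abc2midi's own parser is
 * more involved). For each "I:" line, take the first whitespace-delimited
 * token as the key and run it through the hardened formatter. Returns how
 * many messages had to be truncated; the last message is left in last_msg. */
int scan_info_fields(const char *abc, char *last_msg, size_t cap)
{
    int truncated = 0;
    const char *p = abc;
    while (*p) {
        const char *eol = strchr(p, '\n');
        size_t len = eol ? (size_t)(eol - p) : strlen(p);
        if (len >= 2 && p[0] == 'I' && p[1] == ':') {
            char key[512];              /* bounded copy; long keys are cut here */
            const char *q = p + 2;
            size_t klen = 0;
            while (klen < len - 2 && q[klen] != ' ' && q[klen] != '\t')
                klen++;
            if (klen >= sizeof key) klen = sizeof key - 1;
            memcpy(key, q, klen);
            key[klen] = '\0';
            if (format_info_key_error(last_msg, cap, key) == 1)
                truncated++;
        }
        if (!eol) break;
        p = eol + 1;
    }
    return truncated;
}

/* Constructed input equivalent to the report's poc.abc:
 * "X:\n" followed by "I:" and 400 'A' bytes. */
void build_poc(char *buf, size_t cap)
{
    size_t n = (size_t)snprintf(buf, cap, "X:\nI:");
    while (n + 1 < cap && n < 5 + 400)
        buf[n++] = 'A';
    buf[n] = '\0';
}

int main(void)
{
    char poc[600], msg[ERRMSG_CAP];
    build_poc(poc, sizeof poc);
    printf("original sprintf would need %zu bytes for a %d-byte buffer\n",
           unsafe_bytes_needed(poc + 5), ERRMSG_CAP);
    int t = scan_info_fields(poc, msg, sizeof msg);
    printf("truncated messages: %d, last message: \"%s\" (%zu chars)\n",
           t, msg, strlen(msg));
    return 0;
}
```

The "*** buffer overflow detected ***" abort in the report is glibc's _FORTIFY_SOURCE check on sprintf catching the write at runtime; without that check the 426-byte write into an 80-byte frame would silently smash the stack. When re-testing the upstream fix, rebuild store.c with -fsanitize=address, or keep -D_FORTIFY_SOURCE=2 (which Debian's default build flags enable), and rerun the PoC. Passing sizeof(errmsg) rather than a literal 80 to snprintf keeps the bound correct if the buffer is ever resized.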
--- Begin Message ---
Source: abcmidi
Source-Version: 20220113-1
Done: Dennis Braun <d_braun@kabelmail.de>

We believe that the bug you reported is fixed in the latest version of
abcmidi, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1002896@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Dennis Braun <d_braun@kabelmail.de> (supplier of updated abcmidi package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 14 Jan 2022 23:14:45 +0100
Source: abcmidi
Architecture: source
Version: 20220113-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>
Changed-By: Dennis Braun <d_braun@kabelmail.de>
Closes: 890250 1002860 1002892 1002894 1002895 1002896
Changes:
 abcmidi (20220113-1) unstable; urgency=medium
 .
   * New upstream version 20220113
     (Closes: #890250, #1002860, #1002892, #1002894, #1002895, #1002896)
Checksums-Sha1:
 4a3ca35d3a2e09300707292c8ef8c1ddc4759e7f 2014 abcmidi_20220113-1.dsc
 d73dfcdd85c2202c2ab4dc0888f87ef112aea39f 416404 abcmidi_20220113.orig.tar.xz
 55369738a2b955f8e8e32a8d5ee91262eace7367 7776 abcmidi_20220113-1.debian.tar.xz
 2a9766edbb994e77e0e47b30280bf2e4bc4a900b 5606 abcmidi_20220113-1_source.buildinfo
Checksums-Sha256:
 e60f09e81e8efb270d2074ceba131e9b261791ea9348393e3b6cbdba761366db 2014 abcmidi_20220113-1.dsc
 02f55c5b57000db3f7da1e4d53f4b6bb6c10986078840158e51294d3d5d8bd24 416404 abcmidi_20220113.orig.tar.xz
 20843df70afe8679e1275aba3cb82a99ca5ca83f56a18d73509f13a4adb32b01 7776 abcmidi_20220113-1.debian.tar.xz
 3a6e74a55330ac34f29cd933f48ecb12f5fdc663920a6d789442531f7e2dac70 5606 abcmidi_20220113-1_source.buildinfo
Files:
 1e4997faec71339296cd1720e3289459 2014 sound optional abcmidi_20220113-1.dsc
 91806b9acb3afc10ea63eb70963ed356 416404 sound optional abcmidi_20220113.orig.tar.xz
 93c78f6123f0cf3a1cd61bb4c8403ab0 7776 sound optional abcmidi_20220113-1.debian.tar.xz
 dde19f7901ebc9ded2f65e91669d40ac 5606 sound optional abcmidi_20220113-1_source.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
