Your message dated Sun, 22 Dec 2024 22:23:01 +0000 with message-id <E1tPULl-00GUYH-Oz@fasolo.debian.org> and subject line Bug#1089543: fixed in mpg123 1.32.10-1 has caused the Debian Bug report #1089543, regarding libout123: UAF due to use strtok both inside jack and in libout123 to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.)

--
1089543: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1089543
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: libout123: UAF due to use strtok both inside jack and in libout123
- From: "Yuriy M. Kaminskiy" <yumkam+debian@gmail.com>
- Date: Sun, 08 Dec 2024 20:24:01 +0300
- Message-id: <173367864119.3157800.1676298174531699799.reportbug@localhost>
Package: mpg123
Version: 1.31.2-1+deb12u1
Severity: normal
Tags: patch
X-Debbugs-Cc: yumkam+debian@gmail.com

Dear Maintainer,

While trying to catch another sigsegv, noticed in valgrind report:

==107307== Invalid read of size 1
==107307==    at 0x4AE712C: strtok_r (strtok_r.c:47)
==107307==    by 0x4933B23: out123_open (libout123.c:462)
==107307==    by 0x127DB7: main (mpg123.c:1280)
==107307==  Address 0x4c0d458 is 104 bytes inside a block of size 105 free'd
==107307==    at 0x4887B40: free (vg_replace_malloc.c:872)
==107307==    by 0x5B96C97: jack_get_tmpdir (in /usr/lib/aarch64-linux-gnu/libjack.so.0.0.28)
==107307==    by 0x5B985D3: jack_client_open_aux (in /usr/lib/aarch64-linux-gnu/libjack.so.0.0.28)
==107307==    by 0x5B98AEF: jack_client_open (in /usr/lib/aarch64-linux-gnu/libjack.so.0.0.28)
==107307==    by 0x5B61CBB: open_jack (jack.c:427)
==107307==    by 0x4933CA3: aoopen (libout123.c:114)
==107307==    by 0x4933CA3: check_output_module (libout123.c:1156)
==107307==    by 0x4933CA3: out123_open (libout123.c:463)
==107307==    by 0x127DB7: main (mpg123.c:1280)
==107307==  Block was alloc'd at
==107307==    at 0x48850C8: malloc (vg_replace_malloc.c:381)
==107307==    by 0x4AE575F: strdup (strdup.c:42)
==107307==    by 0x5B96C1F: jack_get_tmpdir (in /usr/lib/aarch64-linux-gnu/libjack.so.0.0.28)
==107307==    by 0x5B985D3: jack_client_open_aux (in /usr/lib/aarch64-linux-gnu/libjack.so.0.0.28)
==107307==    by 0x5B98AEF: jack_client_open (in /usr/lib/aarch64-linux-gnu/libjack.so.0.0.28)
==107307==    by 0x5B61CBB: open_jack (jack.c:427)
==107307==    by 0x4933CA3: aoopen (libout123.c:114)
==107307==    by 0x4933CA3: check_output_module (libout123.c:1156)
==107307==    by 0x4933CA3: out123_open (libout123.c:463)
==107307==    by 0x127DB7: main (mpg123.c:1280)

Apparently, jack uses strtok and this clashes with strtok use in libout123 (with end result UAF/UB).

Patch attached.
-- System Information:
Debian Release: 12.8
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable'), (100, 'proposed-updates')
Architecture: i386 (x86_64)
Foreign Architectures: amd64

Kernel: Linux 6.1.0-18-amd64 (SMP w/2 CPU threads; PREEMPT)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=ru_RU.UTF-8, LC_CTYPE=ru_RU.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages mpg123 depends on:
ii  libasound2                        1.2.8-1+b1
ii  libaudio2                         1.9.4-7
ii  libc6                             2.36-9+deb12u9
ii  libjack-jackd2-0 [libjack-0.125]  1.9.21~dfsg-3
ii  libmpg123-0                       1.31.2-1+deb12u1
ii  libopenal1                        1:1.19.1-2
ii  libout123-0                       1.31.2-1+deb12u1
ii  libportaudio2                     19.6.0-1.2
ii  libpulse0                         16.1+dfsg1-2+b1
ii  libsyn123-0                       1.31.2-1+deb12u1

mpg123 recommends no packages.

Versions of packages mpg123 suggests:
ii  alsa-utils   1.2.8-1
pn  jackd        <none>
pn  nas          <none>
pn  oss-compat   <none>
pn  oss4-base    <none>
pn  pulseaudio   <none>

-- no debconf information

From: Yuriy Kaminskiy <yumkam+debian@gmail.com>

Apparently, libjack uses strtok, and subsequent calls result in UAF

==107307== Invalid read of size 1
==107307==    at 0x4AE712C: strtok_r (strtok_r.c:47)
==107307==    by 0x4933B23: out123_open (libout123.c:462)
==107307==    by 0x127DB7: main (mpg123.c:1280)
==107307==  Address 0x4c0d458 is 104 bytes inside a block of size 105 free'd
==107307==    at 0x4887B40: free (vg_replace_malloc.c:872)
==107307==    by 0x5B96C97: jack_get_tmpdir (in /usr/lib/aarch64-linux-gnu/libjack.so.0.0.28)
==107307==    by 0x5B985D3: jack_client_open_aux (in /usr/lib/aarch64-linux-gnu/libjack.so.0.0.28)
==107307==    by 0x5B98AEF: jack_client_open (in /usr/lib/aarch64-linux-gnu/libjack.so.0.0.28)
==107307==    by 0x5B61CBB: open_jack (jack.c:427)
==107307==    by 0x4933CA3: aoopen (libout123.c:114)
==107307==    by 0x4933CA3: check_output_module (libout123.c:1156)
==107307==    by
0x4933CA3: out123_open (libout123.c:463) ==107307== by 0x127DB7: main (mpg123.c:1280) ==107307== Block was alloc'd at ==107307== at 0x48850C8: malloc (vg_replace_malloc.c:381) ==107307== by 0x4AE575F: strdup (strdup.c:42) ==107307== by 0x5B96C1F: jack_get_tmpdir (in /usr/lib/aarch64-linux-gnu/libjack.so.0.0.28) ==107307== by 0x5B985D3: jack_client_open_aux (in /usr/lib/aarch64-linux-gnu/libjack.so.0.0.28) ==107307== by 0x5B98AEF: jack_client_open (in /usr/lib/aarch64-linux-gnu/libjack.so.0.0.28) ==107307== by 0x5B61CBB: open_jack (jack.c:427) ==107307== by 0x4933CA3: aoopen (libout123.c:114) ==107307== by 0x4933CA3: check_output_module (libout123.c:1156) ==107307== by 0x4933CA3: out123_open (libout123.c:463) ==107307== by 0x127DB7: main (mpg123.c:1280) Index: mpg123-1.32.9/src/libout123/libout123.c =================================================================== --- mpg123-1.32.9.orig/src/libout123/libout123.c +++ mpg123-1.32.9/src/libout123/libout123.c @@ -455,11 +455,12 @@ out123_open(out123_handle *ao, const cha } /* Now loop over the list of possible modules to find one that works. */ - nextname = strtok(modnames, ","); + char *r; + nextname = strtok_r(modnames, ",", &r); while(!ao->open && nextname) { char *curname = nextname; - nextname = strtok(NULL, ","); + nextname = strtok_r(NULL, ",", &r); check_output_module(ao, curname, device, !nextname); if(ao->open) {
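Review bot: `strtok_r` at the two replaced calls is POSIX rather than ISO C, and the hunk adds no feature check or fallback next to it; if libout123 is built for targets that lack `strtok_r`, this needs a configure test or a local replacement. The new `char *r;` is also declared after statements inside the function body; moving it up with the function's other declarations and giving it a name such as `saveptr` would keep C89-style builds working and make its role obvious.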
--- End Message ---
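The clash described in the report, as an added example that is not part of the original message or of mpg123: `probe_backend` is a hypothetical stand-in for the libjack call, and the module list and paths are constructed. Its scratch buffer is static so the program stays well defined; in the report the buffer had been freed, which turns the same stale position into the use-after-free valgrind flagged.

```c
#define _POSIX_C_SOURCE 200809L   /* for strtok_r */
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a backend that tokenizes internally, as
 * jack_get_tmpdir does in the trace. scratch is static so the demo stays
 * well defined; in the report the buffer was strdup'd and then freed. */
static void probe_backend(const char *name)
{
    static char scratch[32];
    (void)name;
    strcpy(scratch, "/tmp:/run");   /* constructed sample data */
    for (char *p = strtok(scratch, ":"); p; p = strtok(NULL, ":")) {}
}

/* Same loop shape as out123_open in the patch context; returns how many
 * module names were tried. reentrant=0 is the old code, 1 the patched. */
int try_modules(const char *list, int reentrant)
{
    char buf[64], *save = NULL;
    int tried = 0;
    snprintf(buf, sizeof buf, "%s", list);
    char *next = reentrant ? strtok_r(buf, ",", &save) : strtok(buf, ",");
    while (next) {
        char *cur = next;
        /* plain strtok resumes wherever the callee left its hidden state */
        next = reentrant ? strtok_r(NULL, ",", &save) : strtok(NULL, ",");
        tried++;
        probe_backend(cur);
    }
    return tried;
}

int main(void)
{
    const char *list = "jack,alsa,pulse";   /* constructed module list */
    printf("strtok tried %d, strtok_r tried %d of 3\n",
           try_modules(list, 0), try_modules(list, 1));
    return 0;
}
```

With plain `strtok` the third name is never tried, because the second `strtok(NULL, ",")` continues from the end of the callee's buffer instead of the caller's list.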
--- Begin Message ---
- To: 1089543-close@bugs.debian.org
- Subject: Bug#1089543: fixed in mpg123 1.32.10-1
- From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
- Date: Sun, 22 Dec 2024 22:23:01 +0000
- Message-id: <E1tPULl-00GUYH-Oz@fasolo.debian.org>
- Reply-to: Sebastian Ramacher <sramacher@debian.org>
Source: mpg123
Source-Version: 1.32.10-1
Done: Sebastian Ramacher <sramacher@debian.org>

We believe that the bug you reported is fixed in the latest version of mpg123, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 1089543@bugs.debian.org, and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sebastian Ramacher <sramacher@debian.org> (supplier of updated mpg123 package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmaster@ftp-master.debian.org)

Format: 1.8
Date: Sun, 22 Dec 2024 23:07:30 +0100
Source: mpg123
Architecture: source
Version: 1.32.10-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>
Changed-By: Sebastian Ramacher <sramacher@debian.org>
Closes: 1089543
Changes:
 mpg123 (1.32.10-1) unstable; urgency=medium
 .
   [ Bastien Roucariès ]
   * Add salsa-ci
 .
   [ Sebastian Ramacher ]
   * New upstream version 1.32.10
     - Use strtok_r for multi-threaded use (Closes: #1089543)
--- End Message ---