flac123 0.0.9 - Stack overflow in comment parsing
Vendor URL: http://flac-tools.sourceforge.net/
Severity: High (Allows for arbitrary code execution)
Author: David Thiel <david[at]isecpartners[dot]com>
Vendor notified: 2007-06-05
Public release: 2007-06-28
Systems affected: Verified code execution on FreeBSD 6.2 - should affect most
systems.
Advisory URL: http://www.isecpartners.com/advisories/2007-002-flactools.txt
flac123, also known as flac-tools, is vulnerable to a buffer overflow in
vorbis comment parsing. This allows for the execution of arbitrary code.
The function local__vcentry_parse_value() in vorbiscomment.c does not
correctly handle a long value_length, causing it to overflow the buffer
"dest" during memcpy().
This is the sole issue corrected in version 0.0.10.
Dan Johnson for quickly producing the fixed version.
iSEC Partners is a full-service security consulting firm that provides
penetration testing, secure systems development, security education
and software design verification.
More information on exploiting media players and codecs and tools to do
the same will be presented at BlackHat USA 2007.
115 Sansome Street, Suite 1005
San Francisco, CA 94104
Phone: (415) 217-0052