what you don't know can hurt you

TagLib Audio Meta-Data Library 1.11.1 Information Disclosure

TagLib Audio Meta-Data Library 1.11.1 Information Disclosure
Posted May 29, 2018
Authored by Webin Security Lab

The TagLib::Ogg::FLAC::File::scan function in oggflacfile.cpp in TagLib version 1.11.1 allows remote attackers to cause information disclosure (heap-based buffer over-read) via a crafted audio file.

tags | advisory, remote, info disclosure
MD5 | f8a66ad1030d830a3c135f22235ba2e6

TagLib Audio Meta-Data Library 1.11.1 Information Disclosure

Change Mirror Download
taglib vulnerability
================
Author : Webin security lab - dbapp security Ltd
===============


Introduction:
=============
TagLib Audio Meta-Data Library

http://taglib.org/

TagLib is a library for reading and editing the meta-data of several popular audio formats. Currently it supports both ID3v1 and ID3v2 for MP3 files, Ogg Vorbis comments and ID3 tags and Vorbis comments in FLAC, MPC, Speex, WavPack, TrueAudio, WAV, AIFF, MP4 and ASF files.

TagLib is distributed under the GNU Lesser General Public License (LGPL) and Mozilla Public License (MPL). Essentially that means that it may be used in proprietary applications, but if changes are made to TagLib they must be contributed back to the project. Please review the licenses if you are considering using TagLib in your project.

Affected version:
=====
1.11.1


Vulnerability Description:
==========================


The TagLib::Ogg::FLAC::File::scan function in oggflacfile.cpp in TagLib 1.11.1 allows remote attackers to cause information disclosure (heap-based buffer over-read) via a crafted audio file.


tag reader file_scan


==23969==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000c75 at pc 0x000000704d1f bp 0x7ffee02d5d90 sp 0x7ffee02d5d88
READ of size 1 at 0x602000000c75 thread T0
#0 0x704d1e in TagLib::Ogg::FLAC::File::scan() /home/xxx/taglib/taglib/ogg/flac/oggflacfile.cpp:237:8
#1 0x702899 in TagLib::Ogg::FLAC::File::read(bool, TagLib::AudioProperties::ReadStyle) /home/xxx/taglib/taglib/ogg/flac/oggflacfile.cpp:179:3
#2 0x7030ca in TagLib::Ogg::FLAC::File::File(TagLib::IOStream*, bool, TagLib::AudioProperties::ReadStyle) /home/xxx/taglib/taglib/ogg/flac/oggflacfile.cpp:100:5
#3 0x6523f1 in (anonymous namespace)::detectByContent(TagLib::IOStream*, bool, TagLib::AudioProperties::ReadStyle) /home/xxx/taglib/taglib/fileref.cpp:154:18
#4 0x64ae35 in TagLib::FileRef::parse(char const*, bool, TagLib::AudioProperties::ReadStyle) /home/xxx/taglib/taglib/fileref.cpp:450:13
#5 0x555d96 in main /home/xxx/taglib/examples/tagreader.cpp:41:21
#6 0x7fb460bdd82f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
#7 0x459c88 in _start (/home/xxx/taglib/build/examples/tagreader+0x459c88)

0x602000000c75 is located 0 bytes to the right of 5-byte region [0x602000000c70,0x602000000c75)
allocated by thread T0 here:
#0 0x51deb8 in __interceptor_malloc (/home/xxx/taglib/build/examples/tagreader+0x51deb8)
#1 0x7fb461d76e77 in operator new(unsigned long) (/usr/lib/x86_64-linux-gnu/libstdc++.so.6+0x8de77)


Reproducer:
file_scan
CVE:
CVE-2018-11439


==========================


Webin security lab - dbapp security Ltd

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

April 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Apr 1st
    21 Files
  • 2
    Apr 2nd
    35 Files
  • 3
    Apr 3rd
    21 Files
  • 4
    Apr 4th
    16 Files
  • 5
    Apr 5th
    15 Files
  • 6
    Apr 6th
    1 Files
  • 7
    Apr 7th
    2 Files
  • 8
    Apr 8th
    23 Files
  • 9
    Apr 9th
    19 Files
  • 10
    Apr 10th
    15 Files
  • 11
    Apr 11th
    14 Files
  • 12
    Apr 12th
    11 Files
  • 13
    Apr 13th
    2 Files
  • 14
    Apr 14th
    5 Files
  • 15
    Apr 15th
    14 Files
  • 16
    Apr 16th
    19 Files
  • 17
    Apr 17th
    19 Files
  • 18
    Apr 18th
    8 Files
  • 19
    Apr 19th
    4 Files
  • 20
    Apr 20th
    0 Files
  • 21
    Apr 21st
    0 Files
  • 22
    Apr 22nd
    0 Files
  • 23
    Apr 23rd
    0 Files
  • 24
    Apr 24th
    0 Files
  • 25
    Apr 25th
    0 Files
  • 26
    Apr 26th
    0 Files
  • 27
    Apr 27th
    0 Files
  • 28
    Apr 28th
    0 Files
  • 29
    Apr 29th
    0 Files
  • 30
    Apr 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close