taglib vulnerability ================ Author : Webin security lab - dbapp security Ltd =============== Introduction: ============= TagLib Audio Meta-Data Library http://taglib.org/ TagLib is a library for reading and editing the meta-data of several popular audio formats. Currently it supports both ID3v1 and ID3v2 for MP3 files, Ogg Vorbis comments and ID3 tags and Vorbis comments in FLAC, MPC, Speex, WavPack, TrueAudio, WAV, AIFF, MP4 and ASF files. TagLib is distributed under the GNU Lesser General Public License (LGPL) and Mozilla Public License (MPL). Essentially that means that it may be used in proprietary applications, but if changes are made to TagLib they must be contributed back to the project. Please review the licenses if you are considering using TagLib in your project. Affected version: ===== 1.11.1 Vulnerability Description: ========================== The TagLib::Ogg::FLAC::File::scan function in oggflacfile.cpp in TagLib 1.11.1 allows remote attackers to cause information disclosure (heap-based buffer over-read) via a crafted audio file. tag reader file_scan ==23969==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000c75 at pc 0x000000704d1f bp 0x7ffee02d5d90 sp 0x7ffee02d5d88 READ of size 1 at 0x602000000c75 thread T0 #0 0x704d1e in TagLib::Ogg::FLAC::File::scan() /home/xxx/taglib/taglib/ogg/flac/oggflacfile.cpp:237:8 #1 0x702899 in TagLib::Ogg::FLAC::File::read(bool, TagLib::AudioProperties::ReadStyle) /home/xxx/taglib/taglib/ogg/flac/oggflacfile.cpp:179:3 #2 0x7030ca in TagLib::Ogg::FLAC::File::File(TagLib::IOStream*, bool, TagLib::AudioProperties::ReadStyle) /home/xxx/taglib/taglib/ogg/flac/oggflacfile.cpp:100:5 #3 0x6523f1 in (anonymous namespace)::detectByContent(TagLib::IOStream*, bool, TagLib::AudioProperties::ReadStyle) /home/xxx/taglib/taglib/fileref.cpp:154:18 #4 0x64ae35 in TagLib::FileRef::parse(char const*, bool, TagLib::AudioProperties::ReadStyle) /home/xxx/taglib/taglib/fileref.cpp:450:13 #5 0x555d96 in main /home/xxx/taglib/examples/tagreader.cpp:41:21 #6 0x7fb460bdd82f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291 #7 0x459c88 in _start (/home/xxx/taglib/build/examples/tagreader+0x459c88) 0x602000000c75 is located 0 bytes to the right of 5-byte region [0x602000000c70,0x602000000c75) allocated by thread T0 here: #0 0x51deb8 in __interceptor_malloc (/home/xxx/taglib/build/examples/tagreader+0x51deb8) #1 0x7fb461d76e77 in operator new(unsigned long) (/usr/lib/x86_64-linux-gnu/libstdc++.so.6+0x8de77) Reproducer: file_scan CVE: CVE-2018-11439 ========================== Webin security lab - dbapp security Ltd