Your message dated Fri, 14 Jan 2022 23:03:49 +0000 with message-id <[email protected]> and subject line Bug#1002892: fixed in abcmidi 20220113-1 has caused the Debian Bug report #1002892, regarding abcmidi: Stack based buffer overflow in the karaokestarttrack function used by abc2midi to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)

-- 
1002892: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1002892
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: abcmidi
Version: 20211212-1
Severity: important
Tags: security

Dear Maintainer,

There is a stack based buffer overflow in the karaokestarttrack function
from the genmidi.c file, which is used by the abc2midi application.
The responsible code looks as follows:

static void karaokestarttrack (track)
int track;
/* header information for karaoke track based on w: fields */
{
  int j;
  int done;
  char atitle[200];
  [...]
  while ((j < notes) && (done > 0)) {
    j = j+1;
    if (feature[j] == TITLE) {
      if (track != 2)
        mf_write_meta_event(0L, sequence_name, atext[pitch[j]], strlen (atext[pitch[j]]));
      strcpy(atitle+2, atext[pitch[j]]);
      text_data(atitle);
      done--;
    }
    if (feature[j] == COMPOSER) {
      strcpy(atitle+2, atext[pitch[j]]);
      text_data(atitle);
      done--;
    }
    if (feature[j] == COPYRIGHT) {
      strcpy(atitle+2, atext[pitch[j]]);
      text_data(atitle);
      done--;
    }
  }
}

In the while loop strcpy is used to copy data into the atitle buffer, which
is of size 200, without any length check on the data. Therefore it is
possible to copy over 200 bytes into the atitle buffer, overwriting other
data on the stack.

I wrote the following poc script in python to test this:

#!/bin/python3
filecontent = b"""X:
T:""" + b"A" * 400 + b"""
w:
K:D"""

f = open("poc.abc", "wb")
f.write(filecontent)
f.close()

The script generates a poc.abc file. Using abc2midi to convert the
generated file leads to a memory corruption issue:

$ abc2midi poc.abc -o /dev/null
4.64 December 12 2021 abc2midi
Error in line-char 0-0 : Missing Number
Error in line-char 3-0 : missplaced w: field. w: field ignored
Warning in line-char 4-0 : No M: in header, using default
writing MIDI file /dev/null
*** buffer overflow detected ***: terminated
Aborted

Locally I fixed the issue by using strncpy instead of strcpy as follows:

static void karaokestarttrack (track)
int track;
/* header information for karaoke track based on w: fields */
{
  int j;
  int done;
  char atitle[200];
  [...]
  while ((j < notes) && (done > 0)) {
    j = j+1;
    if (feature[j] == TITLE) {
      if (track != 2)
        mf_write_meta_event(0L, sequence_name, atext[pitch[j]], strlen (atext[pitch[j]]));
      strncpy(atitle+2, atext[pitch[j]], 197);
      text_data(atitle);
      done--;
    }
    if (feature[j] == COMPOSER) {
      strncpy(atitle+2, atext[pitch[j]], 197);
      text_data(atitle);
      done--;
    }
    if (feature[j] == COPYRIGHT) {
      strncpy(atitle+2, atext[pitch[j]], 197);
      text_data(atitle);
      done--;
    }
  }
}

This seemed to fix the buffer overflow for me. However, if over 200 bytes
of data are allowed in this location, a different solution might be needed.

Best regards
Kolja

-- System Information:
Debian Release: 11.0
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-8-amd64 (SMP w/4 CPU threads)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages abcmidi depends on:
ii  libc6  2.31-13+deb11u2

abcmidi recommends no packages.

Versions of packages abcmidi suggests:
pn  abcm2ps                     <none>
ii  evince [postscript-viewer]  3.38.2-1
pn  timidity | pmidi            <none>

-- no debconf information
--- End Message ---
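The report above replaces strcpy with strncpy(atitle+2, ..., 197). That stops the write at atitle[198], but strncpy does not append a terminator when the source is 197 bytes or longer, so text_data() would then read an unterminated record. The following is an added example, not code from the bug report or from abcmidi, showing the bounded-copy shape a maintainer would want instead: a copy that respects a fixed-size destination with a leading prefix, always NUL-terminates, reports truncation, and is checked against sentinel words around the buffer to prove nothing past atitle[199] is written. The helper names (bounded_title_copy, build_title_record and the wrappers), the '@T' prefix bytes and the 0xDEADBEEF/0xCAFEBABE sentinels are assumptions constructed for the example; the report elides what abc2midi stores in atitle[0..1].

```c
#include <stdio.h>
#include <string.h>

/* Size of the fixed stack buffer from the report (char atitle[200]) and the
 * two bytes the loop leaves in front of the copied text (atitle+2). */
#define ATITLE_SIZE   200
#define ATITLE_PREFIX 2

/* Hypothetical replacement for the strcpy(atitle+2, ...) calls (not abc2midi
 * code): copy src after `prefix` bytes of dst, never write past
 * dst[dstsize-1], and always NUL-terminate. Returns 1 if src was truncated,
 * 0 if it fit whole, -1 if dst cannot hold even the terminator. */
static int bounded_title_copy(char *dst, size_t dstsize, size_t prefix, const char *src)
{
    if (prefix >= dstsize)
        return -1;
    size_t room = dstsize - prefix - 1;    /* bytes available for text */
    size_t len  = strlen(src);
    size_t n    = len < room ? len : room;
    memcpy(dst + prefix, src, n);
    dst[prefix + n] = '\0';                /* strncpy alone does not promise this */
    return len > room;
}

/* The record lives between two sentinel words so the caller can verify that
 * no byte beyond atitle[ATITLE_SIZE-1] was written. */
struct guarded_title {
    unsigned int before;
    char atitle[ATITLE_SIZE];
    unsigned int after;
};

/* Build a title record from a constructed title of `title_len` 'A' bytes,
 * the shape of the report's PoC. Sets *truncated and *guards_intact and
 * returns the strlen of the finished record (prefix + text). */
static size_t build_title_record(size_t title_len, int *truncated, int *guards_intact)
{
    char text[1024];
    if (title_len >= sizeof text)
        title_len = sizeof text - 1;
    memset(text, 'A', title_len);
    text[title_len] = '\0';

    struct guarded_title g = { 0xDEADBEEFu, { 0 }, 0xCAFEBABEu };
    g.atitle[0] = '@';   /* constructed prefix bytes; the report elides these */
    g.atitle[1] = 'T';

    *truncated     = bounded_title_copy(g.atitle, ATITLE_SIZE, ATITLE_PREFIX, text);
    *guards_intact = (g.before == 0xDEADBEEFu && g.after == 0xCAFEBABEu);
    return strlen(g.atitle);
}

/* Scalar wrappers so each property can be checked on its own. */
int    title_truncated(size_t title_len)     { int t, ok; build_title_record(title_len, &t, &ok); return t; }
int    title_guards_intact(size_t title_len) { int t, ok; build_title_record(title_len, &t, &ok); return ok; }
size_t title_record_len(size_t title_len)    { int t, ok; return build_title_record(title_len, &t, &ok); }

/* The -1 path: a destination with no room past the prefix is rejected. */
int title_copy_rejects_no_room(void)
{
    char tiny[ATITLE_PREFIX];
    return bounded_title_copy(tiny, sizeof tiny, ATITLE_PREFIX, "x") == -1;
}

int main(void)
{
    size_t lens[] = { 5, 197, 198, 400 };
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++)
        printf("title of %3zu bytes -> record %3zu bytes, truncated=%d, guards intact=%d\n",
               lens[i], title_record_len(lens[i]), title_truncated(lens[i]),
               title_guards_intact(lens[i]));
    return 0;
}
```

With a 200-byte buffer and a 2-byte prefix there is room for 197 bytes of text: a 197-byte title fits exactly (record length 199, not truncated), while the PoC's 400-byte title is cut to the same 199-byte record with the truncation flag set and both sentinels untouched. Surfacing the flag matters for the case the reporter raises at the end: if titles longer than this are legitimate input, the caller can grow the buffer or emit a diagnostic instead of silently dropping text.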
--- Begin Message ---
Source: abcmidi
Source-Version: 20220113-1
Done: Dennis Braun <[email protected]>

We believe that the bug you reported is fixed in the latest version of
abcmidi, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Dennis Braun <[email protected]> (supplier of updated abcmidi package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 14 Jan 2022 23:14:45 +0100
Source: abcmidi
Architecture: source
Version: 20220113-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Multimedia Maintainers <[email protected]>
Changed-By: Dennis Braun <[email protected]>
Closes: 890250 1002860 1002892 1002894 1002895 1002896
Changes:
 abcmidi (20220113-1) unstable; urgency=medium
 .
   * New upstream version 20220113
     (Closes: #890250, #1002860, #1002892, #1002894, #1002895, #1002896)
Checksums-Sha1:
 4a3ca35d3a2e09300707292c8ef8c1ddc4759e7f 2014 abcmidi_20220113-1.dsc
 d73dfcdd85c2202c2ab4dc0888f87ef112aea39f 416404 abcmidi_20220113.orig.tar.xz
 55369738a2b955f8e8e32a8d5ee91262eace7367 7776 abcmidi_20220113-1.debian.tar.xz
 2a9766edbb994e77e0e47b30280bf2e4bc4a900b 5606 abcmidi_20220113-1_source.buildinfo
Checksums-Sha256:
 e60f09e81e8efb270d2074ceba131e9b261791ea9348393e3b6cbdba761366db 2014 abcmidi_20220113-1.dsc
 02f55c5b57000db3f7da1e4d53f4b6bb6c10986078840158e51294d3d5d8bd24 416404 abcmidi_20220113.orig.tar.xz
 20843df70afe8679e1275aba3cb82a99ca5ca83f56a18d73509f13a4adb32b01 7776 abcmidi_20220113-1.debian.tar.xz
 3a6e74a55330ac34f29cd933f48ecb12f5fdc663920a6d789442531f7e2dac70 5606 abcmidi_20220113-1_source.buildinfo
Files:
 1e4997faec71339296cd1720e3289459 2014 sound optional abcmidi_20220113-1.dsc
 91806b9acb3afc10ea63eb70963ed356 416404 sound optional abcmidi_20220113.orig.tar.xz
 93c78f6123f0cf3a1cd61bb4c8403ab0 7776 sound optional abcmidi_20220113-1.debian.tar.xz
 dde19f7901ebc9ded2f65e91669d40ac 5606 sound optional abcmidi_20220113-1_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQJJBAEBCgAzFiEEPLfDAq+1fmGoxhfdY06lXZArmDYFAmHh+X8VHGRfYnJhdW5A
a2FiZWxtYWlsLmRlAAoJEGNOpV2QK5g2hzkQAL3GIR2NPPpd/pZ8f4NMh+AHiaQd
NyFepDIFayByv5AIECmP1I0onEoSej+2bLhvP9mVazYxpc/vQ9HBzRUPVoKYd7uY
nVzuZTo5tagPRzqHFyeLgoLGj/6Zp9lJRjOQ0uX0YvfXW1OQIRn+sDFjfF0PsGvD
VwLHFZn2E5Sf1mj9fuXVSk3K6iTIJA2Nbyl1srFzFN68fLBN9rj2TXObyktF0fzE
zeog60tz2AL8xHYKvkBGP6t8YMde33KjkwHFUFn8bYEkTC9VdGYOzdyc8SfHmk6w
H6Vfp+dieoAyPac1nO5MHC5Mw0887001ruvq/xs4NNrc2TBlVmbHgYERf72A458l
EFO/FbgM2DguGMdtpGS0mW/X5FUVacDOhTg70qlZsBAqvy84euM4Mu4ws82/zR4D
21lFqoOcO1CdLY3QDTu6gLqdk1uo/EXSrwsiI7ZrRzET4kxwVEs+dUVNL4v6HjnA
KasOwyHrA82kf29qjExRBW5Gr0LJZdjVDjQRFKS0gqmcIYTsFrad7osQjVxguK4h
1dj+hJLFh2BzmbW76WXcFutmu1KP0wk+IGh4u0O+DoyyXUom4DTaV1lueQ5qkN9e
TF1wG9spEehAEzcjf7xg+mY3S1UH4pnvHbie8Ra/n3vgBu3n5ZJLGhPwl9Hydph/
X4eRMGNEA+qj2oKZ
=XaII
-----END PGP SIGNATURE-----
--- End Message ---