Your message dated Fri, 14 Jan 2022 23:03:50 +0000 with message-id <[email protected]> and subject line

  Bug#1002895: fixed in abcmidi 20220113-1

has caused the Debian Bug report #1002895, regarding "abcmidi: Stack based buffer overflow in the event_handle_instruction function used by abc2midi", to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact [email protected] immediately.)

--
1002895: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1002895
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: abcmidi
Version: 20211212-1
Severity: important
Tags: security

Dear Maintainer,

There is a stack based buffer overflow in the event_handle_instruction function from the store.c file used by abc2midi. The issue exists in the following code:

    void event_handle_instruction(s)
    /* handler for ! ! instructions */
    /* does ppp pp p mp mf f ff fff */
    /* also does !drum! and !nodrum! */
    char* s;
    {
      char buff[MAXLINE]; // MAXLINE = 500
      char* p;
      char* q;
      int done;
      char midimsg[40];
      [...]
      if (done == 0 && quiet == -1) { /* [SS] 2013-11-02 */
        sprintf(buff, "instruction !%s! ignored", s);
        event_warning(buff);
      };

As can be seen there is a buff buffer with size 500. Later in the code sprintf is used to write data to this buffer without any boundary check.

I wrote a small poc script for this in python:

    #!/bin/python3
    filecontent = b"""X:
    K:C
    +""" + b"A" * 600 + b"+"
    f = open("poc.abc", "wb")
    f.write(filecontent)
    f.close()

This generates a poc.abc file. When executing the current version of abc2midi as follows this leads to a stack overflow:

    $ abc2midi poc.abc -o /dev/null
    4.64 December 12 2021 abc2midi
    Error in line-char 0-0 : Missing Number
    Warning in line-char 2-0 : No M: in header, using default
    *** buffer overflow detected ***: terminated
    Aborted

Locally I fixed this issue by using snprintf instead as follows:

    if (done == 0 && quiet == -1) { /* [SS] 2013-11-02 */
      snprintf(buff, MAXLINE, "instruction !%s! ignored", s);
      event_warning(buff);
    };

Best regards
Kolja

-- System Information:
Debian Release: 11.0
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-8-amd64 (SMP w/4 CPU threads)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages abcmidi depends on:
ii  libc6  2.31-13+deb11u2

abcmidi recommends no packages.

Versions of packages abcmidi suggests:
pn  abcm2ps                       <none>
ii  evince [postscript-viewer]    3.38.2-1
pn  timidity | pmidi              <none>

-- no debconf information
--- End Message ---
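The report above shows the bug (an unbounded sprintf into a 500-byte stack buffer) and the reporter's local snprintf fix, but it does not show why the 600-character instruction name overflows or what the bounded version does with it. The following stand-alone C program is an added example, not code from abcmidi or from the reporter: it re-creates the format string and MAXLINE from the report, computes the bytes sprintf would have written for the PoC input (a constructed 600-byte name, matching the Python PoC), and applies the bounded formatter with the truncation check that the one-line snprintf fix leaves out (snprintf silently truncates; its return value is the only signal). The function names warning_bytes_needed, ignored_warning_text and ignored_warning_fits are this example's own.

```c
#include <stdio.h>
#include <string.h>

#define MAXLINE 500  /* same stack buffer size as store.c in the report */

/* Bytes sprintf would write for the warning, NUL included.
 * Anything above MAXLINE overflowed buff[MAXLINE] in the original code. */
size_t warning_bytes_needed(const char *s)
{
    return strlen("instruction !") + strlen(s) + strlen("! ignored") + 1;
}

/* Bounded replacement for the sprintf call: never writes past bufsz and
 * always NUL-terminates. Returns 1 if the whole message fit, 0 if snprintf
 * had to truncate it (the return value is the only truncation indicator). */
int format_ignored_warning(char *buff, size_t bufsz, const char *s)
{
    int n = snprintf(buff, bufsz, "instruction !%s! ignored", s);
    return n >= 0 && (size_t)n < bufsz;
}

/* Constructed PoC input: the 600 'A's the report's Python script writes
 * between the '+' delimiters. */
static char poc_name[601];
const char *poc_instruction(void)
{
    memset(poc_name, 'A', 600);
    poc_name[600] = '\0';
    return poc_name;
}

/* Same MAXLINE-sized buffer as the original, but filled through the
 * bounded formatter. Two accessors so the result is easy to inspect. */
static char warn_buff[MAXLINE];

const char *ignored_warning_text(const char *s)
{
    format_ignored_warning(warn_buff, sizeof warn_buff, s);
    return warn_buff;
}

int ignored_warning_fits(const char *s)
{
    return format_ignored_warning(warn_buff, sizeof warn_buff, s);
}

int main(void)
{
    const char *poc = poc_instruction();

    printf("PoC name needs %zu bytes, buffer holds %d: %s\n",
           warning_bytes_needed(poc), MAXLINE,
           warning_bytes_needed(poc) > MAXLINE ? "OVERFLOW with sprintf"
                                               : "fits");
    printf("snprintf result fits=%d, length=%zu\n",
           ignored_warning_fits(poc), strlen(ignored_warning_text(poc)));

    printf("\"ppp\" needs %zu bytes, fits=%d: %s\n",
           warning_bytes_needed("ppp"), ignored_warning_fits("ppp"),
           ignored_warning_text("ppp"));
    return 0;
}
```

With the PoC name the message needs 623 bytes (13 + 600 + 9 + 1), so the original sprintf wrote 123 bytes past buff[]; the bounded version stores the first 499 characters plus a NUL and reports fits=0, which is the point at which real code should either log the truncation or drop the warning rather than pretend the string is complete.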
--- Begin Message ---
Source: abcmidi
Source-Version: 20220113-1
Done: Dennis Braun <[email protected]>

We believe that the bug you reported is fixed in the latest version of abcmidi, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to [email protected], and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Dennis Braun <[email protected]> (supplier of updated abcmidi package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing [email protected])

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 14 Jan 2022 23:14:45 +0100
Source: abcmidi
Architecture: source
Version: 20220113-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Multimedia Maintainers <[email protected]>
Changed-By: Dennis Braun <[email protected]>
Closes: 890250 1002860 1002892 1002894 1002895 1002896
Changes:
 abcmidi (20220113-1) unstable; urgency=medium
 .
* New upstream version 20220113 (Closes: #890250, #1002860, #1002892, #1002894, #1002895, #1002896) Checksums-Sha1: 4a3ca35d3a2e09300707292c8ef8c1ddc4759e7f 2014 abcmidi_20220113-1.dsc d73dfcdd85c2202c2ab4dc0888f87ef112aea39f 416404 abcmidi_20220113.orig.tar.xz 55369738a2b955f8e8e32a8d5ee91262eace7367 7776 abcmidi_20220113-1.debian.tar.xz 2a9766edbb994e77e0e47b30280bf2e4bc4a900b 5606 abcmidi_20220113-1_source.buildinfo Checksums-Sha256: e60f09e81e8efb270d2074ceba131e9b261791ea9348393e3b6cbdba761366db 2014 abcmidi_20220113-1.dsc 02f55c5b57000db3f7da1e4d53f4b6bb6c10986078840158e51294d3d5d8bd24 416404 abcmidi_20220113.orig.tar.xz 20843df70afe8679e1275aba3cb82a99ca5ca83f56a18d73509f13a4adb32b01 7776 abcmidi_20220113-1.debian.tar.xz 3a6e74a55330ac34f29cd933f48ecb12f5fdc663920a6d789442531f7e2dac70 5606 abcmidi_20220113-1_source.buildinfo Files: 1e4997faec71339296cd1720e3289459 2014 sound optional abcmidi_20220113-1.dsc 91806b9acb3afc10ea63eb70963ed356 416404 sound optional abcmidi_20220113.orig.tar.xz 93c78f6123f0cf3a1cd61bb4c8403ab0 7776 sound optional abcmidi_20220113-1.debian.tar.xz dde19f7901ebc9ded2f65e91669d40ac 5606 sound optional abcmidi_20220113-1_source.buildinfo -----BEGIN PGP SIGNATURE----- iQJJBAEBCgAzFiEEPLfDAq+1fmGoxhfdY06lXZArmDYFAmHh+X8VHGRfYnJhdW5A a2FiZWxtYWlsLmRlAAoJEGNOpV2QK5g2hzkQAL3GIR2NPPpd/pZ8f4NMh+AHiaQd NyFepDIFayByv5AIECmP1I0onEoSej+2bLhvP9mVazYxpc/vQ9HBzRUPVoKYd7uY nVzuZTo5tagPRzqHFyeLgoLGj/6Zp9lJRjOQ0uX0YvfXW1OQIRn+sDFjfF0PsGvD VwLHFZn2E5Sf1mj9fuXVSk3K6iTIJA2Nbyl1srFzFN68fLBN9rj2TXObyktF0fzE zeog60tz2AL8xHYKvkBGP6t8YMde33KjkwHFUFn8bYEkTC9VdGYOzdyc8SfHmk6w H6Vfp+dieoAyPac1nO5MHC5Mw0887001ruvq/xs4NNrc2TBlVmbHgYERf72A458l EFO/FbgM2DguGMdtpGS0mW/X5FUVacDOhTg70qlZsBAqvy84euM4Mu4ws82/zR4D 21lFqoOcO1CdLY3QDTu6gLqdk1uo/EXSrwsiI7ZrRzET4kxwVEs+dUVNL4v6HjnA KasOwyHrA82kf29qjExRBW5Gr0LJZdjVDjQRFKS0gqmcIYTsFrad7osQjVxguK4h 1dj+hJLFh2BzmbW76WXcFutmu1KP0wk+IGh4u0O+DoyyXUom4DTaV1lueQ5qkN9e TF1wG9spEehAEzcjf7xg+mY3S1UH4pnvHbie8Ra/n3vgBu3n5ZJLGhPwl9Hydph/ 
X4eRMGNEA+qj2oKZ =XaII -----END PGP SIGNATURE-----
--- End Message ---