*** This bug is a security vulnerability *** You have been subscribed to a public security bug by Marc Deslauriers (mdeslaur):
Dhanesh K. and myself had performed a vulnerability assessment of the taglib library (http://developer.kde.org/~wheeler/taglib.html) used by various media players. Tested out with the latest version of vlc. Comparing the "head" libtag version at github shows that these issues have not been addressed before/patched.

- Sanity checks are not performed for fields read from a media file, which are used to allocate memory later on. Causes DoS due to application crash at the very least, exploitability is unconfirmed.

  An example :-

  apeitem.cpp, APE::Item::parse(const ByteVector &data)

      d->key = String(data.mid(8), String::UTF8);

- ogg/xiphcomment.cpp, Ogg::XiphComment::parse(const ByteVector &data)

  Control over "vendorLength" can cause a string allocation with that size. Control over "commentFields", which is the number of times "commentLength" is read and a string of size "commentLength" is allocated. Causes DoS due to application crash at the very least, exploitability is unconfirmed.

- ape/apeproperties.cpp, APE::Properties::analyzeCurrent()

  Specially crafted ape media files with sampleRate being "0" could lead to application crash, division by zero error.

      d->sampleRate = header.mid(20, 4).toUInt(false);
      d->length = totalBlocks / d->sampleRate;

- crafted ogg file with a 1 bit change (0=>1) at 0x0000007f leads to an infinite loop in the thread processing the tags. Please find the file attached.

** Affects: taglib (Ubuntu)
     Importance: Undecided
         Status: New

-- 
multiple security vulnerabilities in taglib
https://bugs.launchpad.net/bugs/945415
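As an added illustration of the checks the report says are missing, here is a bounds-checked parser for the Xiph comment layout (vendorLength, vendor, commentFields, then per-field commentLength) and a guarded version of the APE duration calculation. This is example code written for this note, not TagLib's code; the function names and the XiphComment struct are assumptions made for the example.

```cpp
#include <cstdint>
#include <string>
#include <vector>

struct XiphComment {
    bool ok = false;   // false if any length field is inconsistent with the buffer
    std::string vendor;
    std::vector<std::string> fields;
};

// Reads a little-endian u32 at pos; fails if fewer than 4 bytes remain.
static bool readU32LE(const std::vector<uint8_t>& d, size_t& pos, uint32_t& out) {
    if (d.size() - pos < 4) return false;
    out = uint32_t(d[pos]) | (uint32_t(d[pos + 1]) << 8) | (uint32_t(d[pos + 2]) << 16) | (uint32_t(d[pos + 3]) << 24);
    pos += 4;
    return true;
}

// Reads a length-prefixed string. The declared length is checked against the bytes
// actually remaining BEFORE allocating, the check the report says vendorLength and commentLength lack.
static bool readString(const std::vector<uint8_t>& d, size_t& pos, std::string& out) {
    uint32_t len = 0;
    if (!readU32LE(d, pos, len)) return false;
    if (len > d.size() - pos) return false;
    out.assign(reinterpret_cast<const char*>(d.data() + pos), len);
    pos += len;
    return true;
}

// Layout: vendorLength, vendor, commentFields, then commentFields x (length, bytes).
// commentFields never sizes an allocation; a field is appended only after its own
// length passes the bounds check, so an absurd count simply fails at the first field.
XiphComment parseXiphComment(const std::vector<uint8_t>& d) {
    XiphComment c;
    size_t pos = 0;
    if (!readString(d, pos, c.vendor)) return c;
    uint32_t count = 0;
    if (!readU32LE(d, pos, count)) return c;
    for (uint32_t i = 0; i < count; ++i) {
        std::string s;
        if (!readString(d, pos, s)) return c;   // leaves c.ok == false
        c.fields.push_back(std::move(s));
    }
    c.ok = true;
    return c;
}
// APE duration with the zero sample-rate case handled instead of dividing by zero.
unsigned apeLengthSeconds(unsigned totalBlocks, unsigned sampleRate) {
    return sampleRate == 0 ? 0 : totalBlocks / sampleRate;
}
```

The constructed inputs in the checks below use a vendor string of "abc" and one field "xy" for the well-formed case, and declared lengths or counts that exceed the buffer for the crafted cases.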
