[security-report]Lame multi memory error bug && CVE Request


[security-report]Lame multi memory error bug && CVE Request

ChenQin


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

hi,

reproduce:
lame 2
lame 3

Case1:
LAME 3.99.5 64bits (http://lame.sf.net)
Resampling:  input -2.14698e+06 kHz  output 8 kHz
Using polyphase lowpass filter, transition band:  3903 Hz -  4000 Hz
Encoding 2 to 2.mp3
Encoding as 8 kHz j-stereo MPEG-2.5 Layer III (10.7x)  24 kbps qval=3
    Frame          |  CPU time/estim | REAL time/estim | play/CPU |    ETA
     0/       ( 0%)|    0:00/     :  |    0:00/     :  |         x|     :
00:03----------------------------------------------------------------------------------------------------------------------------------------------------------------------------
   kbps      %     %
    0.0           ASAN:SIGSEGV
=================================================================
==523==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x00000053e651 sp 0x7ffda3f33c20 bp 0x000000000000 T0)
    #0 0x53e650 in fill_buffer_resample /home/k/a/lame-3.99.5/libmp3lame/util.c:608
    #1 0x53e650 in fill_buffer /home/k/a/lame-3.99.5/libmp3lame/util.c:676
    #2 0x495550 in lame_encode_buffer_sample_t /home/k/a/lame-3.99.5/libmp3lame/lame.c:1736
    #3 0x407127 in lame_encoder_loop /home/k/a/lame-3.99.5/frontend/lame_main.c:462
    #4 0x4094b6 in lame_encoder /home/k/a/lame-3.99.5/frontend/lame_main.c:531
    #5 0x4094b6 in lame_main /home/k/a/lame-3.99.5/frontend/lame_main.c:707
    #6 0x4042c3 in c_main /home/k/a/lame-3.99.5/frontend/main.c:470
    #7 0x4042c3 in main /home/k/a/lame-3.99.5/frontend/main.c:438
    #8 0x7f7e77bfea3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x20a3f)
    #9 0x405a98 in _start (/usr/local/bin/lame+0x405a98)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/k/a/lame-3.99.5/libmp3lame/util.c:608 fill_buffer_resample
==523==ABORTING


Case2:
==1484==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60c00000bf78 at pc 0x5408cc bp 0x7ffff7f747d0 sp 0x7ffff7f747c0
READ of size 4 at 0x60c00000bf78 thread T0
    #0 0x5408cb in fill_buffer_resample /home/k/a/lame-3.99.5/libmp3lame/util.c:606
    #1 0x5408cb in fill_buffer /home/k/a/lame-3.99.5/libmp3lame/util.c:676
    #2 0x495550 in lame_encode_buffer_sample_t /home/k/a/lame-3.99.5/libmp3lame/lame.c:1736
    #3 0x407127 in lame_encoder_loop /home/k/a/lame-3.99.5/frontend/lame_main.c:462
    #4 0x4094b6 in lame_encoder /home/k/a/lame-3.99.5/frontend/lame_main.c:531
    #5 0x4094b6 in lame_main /home/k/a/lame-3.99.5/frontend/lame_main.c:707
    #6 0x4042c3 in c_main /home/k/a/lame-3.99.5/frontend/main.c:470
    #7 0x4042c3 in main /home/k/a/lame-3.99.5/frontend/main.c:438
    #8 0x7f37b4618a3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x20a3f)
    #9 0x405a98 in _start (/usr/local/bin/lame+0x405a98)

0x60c00000bf78 is located 8 bytes to the left of 128-byte region [0x60c00000bf80,0x60c00000c000)
allocated by thread T0 here:
    #0 0x7f37b516e985 in __interceptor_calloc (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x57985)
    #1 0x53fa9c in fill_buffer_resample /home/k/a/lame-3.99.5/libmp3lame/util.c:558
    #2 0x53fa9c in fill_buffer /home/k/a/lame-3.99.5/libmp3lame/util.c:676

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/k/a/lame-3.99.5/libmp3lame/util.c:606 fill_buffer_resample
Shadow bytes around the buggy address:
  0x0c187fff9790: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c187fff97a0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c187fff97b0: 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa
  0x0c187fff97c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c187fff97d0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
=>0x0c187fff97e0: 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa[fa]
  0x0c187fff97f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c187fff9800: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c187fff9810: 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa
  0x0c187fff9820: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c187fff9830: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Contiguous container OOB:fc
  ASan internal:           fe
==1484==ABORTING

thanks


Chen Qin / Topsec Product Security Team
-----BEGIN PGP SIGNATURE-----

iQIcBAEBCAAGBQJWg4i6AAoJEIVElDCpqHYPAs8QAMQn5fQgqHfRQ1Z2TQpK29vT
00IWmcti7/g6PJSF6I3NBJuyT7PPPVecsLQBvkuvYVBm2sz482DBZghNpWwnLaiL
qvAaf/GgUQKrnhd6SSR/L9PUwA/pZ+OGB2Fy4gqC8/SBtEC35WY+3pj7oIbzfYYp
QRdEX0O3DZrPAhUM3DH9DTyqYR8VlGosg3iXnQZ3Zqa3xRq0daOip9izTx6Mu4Is
FalOJfyUoUtTcY7PCnZ7c8I5OU7xpqiLsXIGlqVMKz0tJAcSFJJnDQDDegcf1+pS
1xsz3Cu1jrIqwnK2bvbJGTEOyPbKc9AdXh9PBBV9csJ6wGEvsfwCrJZB9BRqLdrp
vvQ6CzjLK3+SQrerUOUbEUR/p99I/GkmP/cEIb2/vukDiMwDncvjvHFasgA3qD9R
w1Ny8F38PlweESyvZQwMqCnrGOnqXtga8L/SxGnT8W10n4UUrRP3h8NtPWcQmu4v
3/T9383yNUq7RZdUgv2jOHNerjjTPL9QWbquyOHYKXi5pLSJOB6DEHt1BjN++/vM
ZkiTC3iCcaR/3M/UPs31Q09LGDgE1zARO+hrFrQqs6Ha5irWS/sfF33yGai9Zc3/
zKRHP1k870FfkpMECEODK9BsXi19HCklL1KuyPfDrGYQD6n9htqWd8/2ziNA4gP1
x7aJk8dGIhqYDBVcTL+q
=Uyb4
-----END PGP SIGNATURE-----



------------------------------------------------------------------------------

_______________________________________________
Lame-dev mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/lame-dev

Re: [security-report]Lame multi memory error bug && CVE Request

Alexander Leidinger
On Wed, 30 Dec 2015 15:33:20 +0800
ChenQin <[hidden email]> wrote:

> reproduce:
> lame 2
> lame 3
[segfault and heap overflow]

Thanks for your report / security review.

Could you please explain where 2 and 3 comes from? I assume it is a
specially crafted input file to cause issues in LAME.

After looking at the code I have to say that we already have code to
make sure we don't go to a negative offset (2 "assert" before line 606),
so I would have expected a SEGV instead of the heap overflow. Could you
please explain which configure options you used to compile LAME? Could
you please repeat the same test with a LAME compiled with
"--enable-debug=norm" (I hope you can understand that I do not want to
run LAME on my system with "unknown input"). I suspect we do the wrong
thing in the no-debug case (= we should have the asserts always active).

Regarding your request for a CVE I would like to share my personal
opinion (= other project members may think differently).
 - LAME was not developed with security in mind (= trusted input).
 - As such I would be positively surprised if this is the only issue
   in the code.
 - Using a specially crafted input to cause issues inside LAME means to
   use untrusted input (instead of your own audio files).
 - There's a big legal minefield if you use anything which is not "your
   audio files", which means either illegal activity (which the LAME
   project doesn't support), or you need to have had already legal
   advice = this is a business case.
 - In case of business involved, it is responsible to make sure that
   the input is well formed for the use in LAME (= to make the input
   trusted).
 - Given above, I would consider your report as a robustness issue of
   LAME, not a security issue (I could imagine that there could be
   legal implications if we consider anything else than "our own audio
   files" as a valid input and asking for a CVE could be understood
   that we do that to the extent that it requires immediate action).

Bye,
Alexander.

--
http://www.Leidinger.net [hidden email]: PGP 0xC773696B3BAC17DC
http://www.FreeBSD.org    [hidden email]  : PGP 0xC773696B3BAC17DC
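The remark about the two asserts in front of util.c:606 points at a general C pitfall worth spelling out: assert() is removed whenever the translation unit is compiled with -DNDEBUG, which is the usual release configuration, so a guard written as an assert protects the developer's debug build and nobody else. The block below is an added illustration written for this page; it is not LAME's code and does not reproduce fill_buffer_resample(). The tap count BPC, the MAX_RATE bound, the plain-average "filter", the truncating ratio arithmetic and the ramp test signal are all assumptions chosen to keep it short. It shows the header-level rejection of an impossible input rate (the Case 1 log reports a negative one), a debug-only guard of the kind the thread describes, and the always-on index check that should replace it.

```c
/*
 * Added illustration, not LAME code. Shows why an assert() in front of a
 * buffer index is no protection once the library is built with -DNDEBUG,
 * and what an always-on check looks like. BPC, MAX_RATE, the average used
 * as the "filter" and the ramp signal are hypothetical simplifications.
 */
#include <assert.h>
#include <stddef.h>
#include <stdio.h>

#define BPC      16       /* taps read per output sample (hypothetical) */
#define MAX_RATE 192000L  /* sanity bound on a header sample rate (hypothetical) */

/* Header-level check. A crafted header can carry a negative or absurd
 * rate (the report shows "input -2.14698e+06 kHz"); reject it before it
 * becomes a resampling ratio. Returns 0 on success, -1 otherwise. */
int resample_ratio(long in_rate, long out_rate, double *ratio)
{
    if (in_rate <= 0 || in_rate > MAX_RATE ||
        out_rate <= 0 || out_rate > MAX_RATE)
        return -1;
    *ratio = (double)in_rate / (double)out_rate;
    return 0;
}

/* Debug-only guard: the pattern the thread describes. Under -DNDEBUG the
 * assert disappears and a negative j0 reads before buf[0], the same class
 * of fault ASan reported (a read just left of a calloc'd region). There is
 * no upper-bound check at all. Kept here only to contrast with
 * resample_one(); call it with inputs you have already validated. */
float resample_one_assert_only(const float *buf, double ratio, long k)
{
    /* (long) truncates toward zero; equals floor() for the positions we accept */
    long j0 = (long)((double)k * ratio) - BPC / 2;
    float acc = 0.0f;
    assert(j0 >= 0);                     /* compiled out in release builds */
    for (int i = 0; i < BPC; i++)
        acc += buf[j0 + i];
    return acc / BPC;
}

/* Always-on guard: every tap index must lie in [0, len), checked with a
 * runtime branch that survives NDEBUG. Returns 0 and writes *out on
 * success, -1 without touching *out if any tap would fall outside buf. */
int resample_one(const float *buf, size_t len, double ratio, long k, float *out)
{
    long j0 = (long)((double)k * ratio) - BPC / 2;
    float acc = 0.0f;

    /* negative start, or start past the end, or tail running past the end */
    if (j0 < 0 || (size_t)j0 > len || len - (size_t)j0 < BPC)
        return -1;
    for (int i = 0; i < BPC; i++)
        acc += buf[j0 + i];
    *out = acc / BPC;
    return 0;
}

/* Constructed test signal: buf[i] = i, so the average of taps a..a+15 is a + 7.5. */
void ramp_init(float *buf, size_t len)
{
    for (size_t i = 0; i < len; i++)
        buf[i] = (float)i;
}

int main(void)
{
    float buf[64], out = 0.0f;
    double ratio = 0.0;
    ramp_init(buf, 64);

    printf("crafted negative rate rejected: %s\n",
           resample_ratio(-2146980L, 8000, &ratio) == -1 ? "yes" : "no");
    resample_ratio(44100, 8000, &ratio);            /* 5.5125 */
    printf("k=0  -> %s\n", resample_one(buf, 64, ratio, 0, &out)
                           ? "rejected (negative index)" : "ok");
    if (resample_one(buf, 64, ratio, 2, &out) == 0)
        printf("k=2  -> ok, value %.2f\n", out);     /* taps 3..18, average 10.5 */
    printf("k=11 -> %s\n", resample_one(buf, 64, ratio, 11, &out)
                           ? "rejected (past end of buffer)" : "ok");
    return 0;
}
```

Compile once as-is and once with -DNDEBUG: resample_one() rejects the k=0 and k=11 positions in both builds, while resample_one_assert_only() only has a guard in the first.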


Re: [security-report]Lame multi memory error bug && CVE Request

Eric Stargardt
I'm sorry, but I just feel it necessary to give my opinion here.  It is absolutely legal and tested in the courts, for any individual or entity to copy and convert copyrighted media for which they hold a license (i.e., a CD) into alternate formats for backup and playback that does not copy beyond the original license holder.


That said, it is a poor argument to excuse a security flaw as some kind of moral reckoning for those who would break the law.  Especially when we know all too well how certain media producers (i.e., Sony) have and continue to inject malicious code into their commercial works.


The last thing LAME needs is for all desktop, mobile and embedded devices that rely on LAME to become target of the next Sony Root Kit™.


Respectfully,

- I. Digress



Re: [security-report]Lame multi memory error bug && CVE Request

Alexander Leidinger
On Sat, 2 Jan 2016 00:31:05 -0800
Eric Stargardt <[hidden email]> wrote:

> I'm sorry, but I just feel it necessary to give my opinion here.  It
> is absolutely legal and tested in the courts, for any individual or
> entity to copy and convert copyrighted media for which they hold a
> license to (ie, a CD) into alternate formats for backup and playback
> that does not copy beyond the original license holder.

I would hope that a ripped CD I bought will be trusted input. If a
company publishes an audio CD which will install malicious software via
a LAME code bug when an audio track is encoded, then we are in a very
bad world (this would go far far far far beyond what Sony did with the
"root-kit copy protection").

The report was not about such files. To me it looks like the input in
the report which triggers the issue is specially crafted to cause this
issue.

What I had in mind are not normal audio files you get when you buy
copyrighted material. What I had in mind was illegally downloading
audio/movies from a source you know nothing about and then re-encode
it. So it is really about someone manipulating the input in a malicious
way which would not happen with a normal audio input.


>
> That said, it is a poor argument to excuse a security flaw as some
> kind of moral reckoning for those who would break the law.

LAME is not a remotely exposed software like a webserver, a mail user
agent, a mail server or a web-application. All those programs are
exposed to input you can't control by definition and need to be able
to cope with that. Any security issue there calls for a CVE.

LAME is not in the same security class. It is not designed to handle
untrusted input. Yes, it would be nice if it could, unfortunately the
reality is different. Any legal audio input from an audio CD or
Blu-ray or DVD will not trigger this issue. Again, I only speak for
me, not for other project members.

Yes, we want to fix this issue. If you look at the activity of the LAME
project, I would not expect a fast fix within a day.

Bye,
Alexander.

--
http://www.Leidinger.net [hidden email]: PGP 0xC773696B3BAC17DC
http://www.FreeBSD.org    [hidden email]  : PGP 0xC773696B3BAC17DC


Re: [security-report]Lame multi memory error bug && CVE Request

ChenQin
In reply to this post by Alexander Leidinger
They come from our testing project, just a prototype for now.

> On 2 Jan 2016, at 15:52, Alexander Leidinger <[hidden email]> wrote:
>
> Could you please explain where 2 and 3 comes from?

Got it. More documents provided are welcome.

> Any legal audio input from an audio CD or
> Blu-ray or DVD will not trigger this issue.

thanks,
Qin.


Re: [security-report]Lame multi memory error bug && CVE Request

Mike Brown
In reply to this post by Alexander Leidinger
> > absolutely legal and tested in the courts, for any individual or
> > entity to copy and convert copyrighted media for which they hold a
> > license to (ie, a CD) into alternate formats for backup and playback
> > that does not copy beyond the original license holder.

Citation needed. This kind of copying is widely believed to fall under fair
use, but AFAIK there have been no cases in the U.S. courts where such a
determination has been made. The Betamax case was about recording broadcasts
for the purpose of time shifting. The Diamond Rio case had some interesting
yet non-binding commentary from the judge, and was really only about the
manufacturer's royalty obligations under the Audio Home Recording Act, and
which served more to clarify that portable digital media players aren't
"digital recording devices" covered by the AHRA at all, therefore they enjoy
no special allowances w.r.t. copyright, and in that regard their use is
restricted by the usual licensing requirements.

When pressed on this issue in an NPR interview in 2008, the RIAA was quite
cagey about it, saying only "we haven't sued anyone for it yet." And in the
UK, the public's ignorance and disregard for the illegality of this kind of
copying is what led to the Hargreaves Review and the recently struck-down
attempt to craft a personal-use exception for what people have long been
assuming was legal, when in fact it was not.[1][2]

The developers should always maintain a position of not supporting any uses of
the software for which they could be held vicariously liable. If someone drags
them into court, they can't very well say "some guy on lame-dev said..." (and
that goes for what I say, too; IANAL!)

[1] https://web.archive.org/web/20140812121709/www.gov.uk/government/uploads/system/uploads/attachment_data/file/314995/copyright-guidance-consumers.pdf
[2] http://www.theguardian.com/uk-news/2015/jul/17/high-court-quashes-regulations-copy-cds-musicians
   
> LAME is not a remotely exposed software like a webserver, a mail user
> agent, a mail server or a web-application.

Just off the top of my head, LAME is used by BandCamp and SoundCloud to
process whatever people upload to those services. I wouldn't be surprised if
it is also used by online vendors and digital content distribution networks
(the legal ones like 7Digital) to process arbitrary input supplied by record
companies, publishers, and artists. I would not want to wager on whether any
of these places have safeguards against specially crafted files crashing their
encoders and whatever can happen as a result of that.


Re: [security-report]Lame multi memory error bug && CVE Request

Eric Stargardt
Citation:  The RIAA says "it's Okay" and "may not be a 'right' but generally won't raise concerns" to make personal copies and digital format conversions.


https://www.riaa.com/resources-learning/about-piracy/


Also, the very legitimacy of the CD-R disc was called into question: the legality for stores to sell blank CDs capable of copying music and software, which was upheld as legitimate, like floppy disks, for "personal backups."  It was during this time that the RIAA arm in Canada won a victory on taxation of blank CDs, to cover incidental illegal copying of the nearly legitimized CD-R.


Eric



Re: [security-report]Lame multi memory error bug && CVE Request

Eric Stargardt
* s/nearly/newly/


Re: [security-report]Lame multi memory error bug && CVE Request

Mike Brown
In reply to this post by Eric Stargardt
On Sun, Jan 10, 2016 at 10:20:24PM -0800, Eric Stargardt wrote:
> Citation: The RIAA says "it's Okay" and "may not be a 'right' but generally
> won't raise concerns" to make personal copies and digital format
> conversions.

The claim was that ripping is "absolutely legal and tested in the courts". The
citation given does not support the claim and is really no better than "we
haven't sued anyone for it yet". IIRC this is covered in the NPR interview I
mentioned: http://www.npr.org/sections/talk/2008/01/rip_this_and_sue_that.html

I'm not saying they are really going to go after rippers or that the LAME
developers could be liable for what users do. I really don't know. I'm just
saying that it's not so simple as ripping being absolutely legal everywhere.
At best, it's tolerated.


Re: [security-report]Lame multi memory error bug && CVE Request

Dave Yeo
In reply to this post by Eric Stargardt
On 01/10/16 10:21 PM, Eric Stargardt wrote:
> It was during this time that the RIAA arm in Canada won a victory on taxation of blank CDs, to cover incidental illegal copying of the nearly legitimized CD-R.

Which led to the Canadian courts ruling that since we're paying the
levy, it is legal to copy CDs for personal use, even if you don't own
them, with a pretty liberal ruling on making available as well. The
CRIAA was not very happy about their victory.
I don't think there has ever been a ruling about encoding wav files as MP3s.
Dave


Re: [security-report]Lame multi memory error bug && CVE Request

Fabian Greffrath
In reply to this post by ChenQin
Hi there,

during the last year or so, a lot of crashes like the one you
experienced have been reported against the "lame" package in Debian.
They were all triggered by fuzzed input data and led to segmentation
faults and stack corruption. Meanwhile, we have been able to fix all of
them (i.e. the ones that were reported). The individual patches can be
found here; they have all already been applied to the lame CVS head
(thanks to rbrito):

http://anonscm.debian.org/cgit/pkg-multimedia/lame.git/tree/debian/patches

(Check the last four patches in the "series" file.)

I assume that you have experienced the crashes with the latest released
version of the lame sources, right? I am asking, because I doubt that
the crashes you have seen could be triggered with either the lame
version packaged in Debian or with lame compiled from current CVS head.
Could you please confirm this? I would check for myself, but
unfortunately you did not provide the samples with which you triggered
the crashes.

Best regards,

Fabian


On Wednesday, 30.12.2015, 15:33 +0800, ChenQin wrote:

>
> hi,
>
> reproduce:
> lame 2
> lame 3
>
> Case1:
> LAME 3.99.5 64bits (http://lame.sf.net)
> Resampling:  input -2.14698e+06 kHz  output 8 kHz
> Using polyphase lowpass filter, transition band:  3903 Hz -  4000 Hz
> Encoding 2 to 2.mp3
> Encoding as 8 kHz j-stereo MPEG-2.5 Layer III (10.7x)  24 kbps qval=3
>     Frame          |  CPU time/estim | REAL time/estim | play/CPU |    ETA
>      0/       ( 0%)|    0:00/     :  |    0:00/     :  |         x|     :
> 00:03----------------------------------------------------------------------------------------------------------------------------------------------------------------------------
>    kbps      %     %
>     0.0           ASAN:SIGSEGV
> =================================================================
> ==523==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x00000053e651 sp 0x7ffda3f33c20 bp 0x000000000000 T0)
>     #0 0x53e650 in fill_buffer_resample /home/k/a/lame-3.99.5/libmp3lame/util.c:608
>     #1 0x53e650 in fill_buffer /home/k/a/lame-3.99.5/libmp3lame/util.c:676
>     #2 0x495550 in lame_encode_buffer_sample_t /home/k/a/lame-3.99.5/libmp3lame/lame.c:1736
>     #3 0x407127 in lame_encoder_loop /home/k/a/lame-3.99.5/frontend/lame_main.c:462
>     #4 0x4094b6 in lame_encoder /home/k/a/lame-3.99.5/frontend/lame_main.c:531
>     #5 0x4094b6 in lame_main /home/k/a/lame-3.99.5/frontend/lame_main.c:707
>     #6 0x4042c3 in c_main /home/k/a/lame-3.99.5/frontend/main.c:470
>     #7 0x4042c3 in main /home/k/a/lame-3.99.5/frontend/main.c:438
>     #8 0x7f7e77bfea3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x20a3f)
>     #9 0x405a98 in _start (/usr/local/bin/lame+0x405a98)
>
> AddressSanitizer can not provide additional info.
> SUMMARY: AddressSanitizer: SEGV /home/k/a/lame-3.99.5/libmp3lame/util.c:608 fill_buffer_resample
> ==523==ABORTING
>
>
> Case2:
> ==1484==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60c00000bf78 at pc 0x5408cc bp 0x7ffff7f747d0 sp 0x7ffff7f747c0
> READ of size 4 at 0x60c00000bf78 thread T0
>     #0 0x5408cb in fill_buffer_resample /home/k/a/lame-3.99.5/libmp3lame/util.c:606
>     #1 0x5408cb in fill_buffer /home/k/a/lame-3.99.5/libmp3lame/util.c:676
>     #2 0x495550 in lame_encode_buffer_sample_t /home/k/a/lame-3.99.5/libmp3lame/lame.c:1736
>     #3 0x407127 in lame_encoder_loop /home/k/a/lame-3.99.5/frontend/lame_main.c:462
>     #4 0x4094b6 in lame_encoder /home/k/a/lame-3.99.5/frontend/lame_main.c:531
>     #5 0x4094b6 in lame_main /home/k/a/lame-3.99.5/frontend/lame_main.c:707
>     #6 0x4042c3 in c_main /home/k/a/lame-3.99.5/frontend/main.c:470
>     #7 0x4042c3 in main /home/k/a/lame-3.99.5/frontend/main.c:438
>     #8 0x7f37b4618a3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x20a3f)
>     #9 0x405a98 in _start (/usr/local/bin/lame+0x405a98)
>
> 0x60c00000bf78 is located 8 bytes to the left of 128-byte region [0x60c00000bf80,0x60c00000c000)
> allocated by thread T0 here:
>     #0 0x7f37b516e985 in __interceptor_calloc (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x57985)
>     #1 0x53fa9c in fill_buffer_resample /home/k/a/lame-3.99.5/libmp3lame/util.c:558
>     #2 0x53fa9c in fill_buffer /home/k/a/lame-3.99.5/libmp3lame/util.c:676
>
> SUMMARY: AddressSanitizer: heap-buffer-overflow /home/k/a/lame-3.99.5/libmp3lame/util.c:606 fill_buffer_resample
> Shadow bytes around the buggy address:
>   0x0c187fff9790: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   0x0c187fff97a0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
>   0x0c187fff97b0: 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa
>   0x0c187fff97c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   0x0c187fff97d0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
> =>0x0c187fff97e0: 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa[fa]
>   0x0c187fff97f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   0x0c187fff9800: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
>   0x0c187fff9810: 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa
>   0x0c187fff9820: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   0x0c187fff9830: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
> Shadow byte legend (one shadow byte represents 8 application bytes):
>   Addressable:           00
>   Partially addressable: 01 02 03 04 05 06 07
>   Heap left redzone:       fa
>   Heap right redzone:      fb
>   Freed heap region:       fd
>   Stack left redzone:      f1
>   Stack mid redzone:       f2
>   Stack right redzone:     f3
>   Stack partial redzone:   f4
>   Stack after return:      f5
>   Stack use after scope:   f8
>   Global redzone:          f9
>   Global init order:       f6
>   Poisoned by user:        f7
>   Contiguous container OOB:fc
>   ASan internal:           fe
> ==1484==ABORTING
>
> thanks
>
> —
> Chen Qin / Topsec Product Security Team
>

Re: [security-report]Lame multi memory error bug && CVE Request

Alexander Leidinger
On Sun, 07 Feb 2016 17:17:15 +0100
Fabian Greffrath <[hidden email]> wrote:

> Hi there,
>
> during the last year or so, a lot of crashes like the one you
> experienced have been reported against the "lame" package in Debian.
> They were all triggered by fuzzed input data and led to segmentation
> faults and stack corruption. Meanwhile, we have been able to fix all
> of them (i.e. the ones that were reported). The individual patches
> can be found here, they have all been already applied to the lame CVS
> head (thanks to rbrito):

Hi Fabian,
are there some patches which are not in CVS but would be important to
have in CVS (not only for Debian)?

In the LAME CVS I changed configure to not silence the assert()s in the
code when doing a release-build. Not a nice error message when a
corrupt input is detected, but at least a defined one. Maybe you want
to check if this is something to add to debian until we have a new
release.

Bye,
Alexander.

--
http://www.Leidinger.net [hidden email]: PGP 0xC773696B3BAC17DC
http://www.FreeBSD.org    [hidden email]  : PGP 0xC773696B3BAC17DC
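The two ASan reports quoted above (a SEGV in fill_buffer_resample after a negative input rate, and a 4-byte read 8 bytes before a calloc'd region) and Alexander's point about assert()s being compiled out of release builds share one lesson: a sample rate taken from a file header has to be validated with a check that survives -DNDEBUG, before any index is derived from it. The block below is an added, constructed illustration of that pattern; it is not LAME's code, and NTAPS, MAX_RATE, the function names and the sample buffer are hypothetical. The rate -2146980000 Hz is a constructed value chosen to match the "-2.14698e+06 kHz" printed in the report.

```c
#include <stdio.h>

/* Constructed toy resampler (not LAME's code): the input read index is
 * derived from the header-supplied sample rates, the way a real
 * resampling loop walks its input buffer. Names are hypothetical. */

#define NTAPS    4       /* hypothetical filter half-width in samples  */
#define MAX_RATE 48000   /* hypothetical upper bound on accepted rates */

/* A WAV header carries the sample rate as a 32-bit field, so a fuzzed
 * file can supply zero, a negative number or an absurdly large one.
 * Returns 1 if the rate is usable, 0 otherwise. */
int sample_rate_is_valid(long long rate)
{
    return rate > 0 && rate <= MAX_RATE;
}

/* Floor division: negative positions round towards -inf, as a
 * floating-point floor() would, without needing libm. */
static long long floor_div(long long num, long long den)
{
    long long q = num / den;
    if ((num % den != 0) && ((num < 0) != (den < 0)))
        q--;
    return q;
}

/* Index of the input sample that output sample j maps to at ratio
 * in_rate/out_rate. Used unchecked, a negative in_rate makes this
 * negative: a read before the start of the heap buffer, which is what
 * "8 bytes to the left of 128-byte region" in the ASan report describes. */
long long resample_read_index(long long j, long long in_rate,
                              long long out_rate)
{
    return floor_div(j * in_rate, out_rate);
}

/* Hardened loop: validates both rates before use and bounds-checks every
 * read. Taps that fall outside the input are treated as zero padding; an
 * out-of-range centre index means more output was requested than the
 * input can provide. Returns 0 on success, -1 for bad rates, -2 if the
 * centre index leaves the input. The checks are explicit ifs rather than
 * assert(), so they are still present in a build compiled with -DNDEBUG. */
int resample_checked(const float *in, long long n_in, long long in_rate,
                     float *out, long long n_out, long long out_rate)
{
    if (!sample_rate_is_valid(in_rate) || !sample_rate_is_valid(out_rate))
        return -1;
    for (long long j = 0; j < n_out; j++) {
        long long base = resample_read_index(j, in_rate, out_rate);
        if (base < 0 || base >= n_in)
            return -2;
        float acc = 0.0f;
        int used = 0;
        for (long long k = -NTAPS; k <= NTAPS; k++) {
            long long idx = base + k;
            if (idx < 0 || idx >= n_in)
                continue;               /* zero padding at the edges */
            acc += in[idx];
            used++;
        }
        out[j] = acc / (float)used;     /* used >= 1 because base is in range */
    }
    return 0;
}

int main(void)
{
    float in[32], out[8];
    for (int i = 0; i < 32; i++)
        in[i] = 1.0f;                   /* constructed constant input */

    printf("negative rate accepted? %d\n", sample_rate_is_valid(-2146980000LL));
    printf("unchecked index for j=3 at that rate: %lld\n",
           resample_read_index(3, -2146980000LL, 8000));
    printf("checked resample with bad rate: %d\n",
           resample_checked(in, 32, -2146980000LL, out, 8, 8000));
    printf("checked resample 16 kHz -> 8 kHz: %d, out[0]=%f\n",
           resample_checked(in, 32, 16000, out, 8, 8000), out[0]);
    return 0;
}
```

The unchecked index function is kept separate on purpose: it shows how far before the buffer a negative header rate sends the read, while the checked loop shows the two guards (rate validation, then index bounds) that make the same input a clean error return instead of a crash.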


Re: [security-report]Lame multi memory error bug && CVE Request

Fabian Greffrath
Hi Alexander,

On Monday, 08.02.2016, 11:01 +0100, Alexander Leidinger wrote:
> are there some patches which are not in CVS but would be important to
> have in CVS (not only for Debian)?

we apply two other sets of changes to the release tarball that I have
initially mentioned here:

https://sourceforge.net/p/lame/mailman/message/34111857/

And then there is the -ltinfo patch provided here, but I have no
further information about it:

https://sourceforge.net/p/lame/bugs/436/

Cheers,

Fabian