[Mageia-dev] taglib CVE for MP4 files

Shlomi Fish shlomif at shlomifish.org
Mon May 14 22:40:19 CEST 2012


Hi David,

On Mon, 14 May 2012 12:50:38 -0700 (PDT)
David Walser <luigiwalser at yahoo.com> wrote:

> --- On Mon, 5/14/12, Shlomi Fish <shlomif at shlomifish.org> wrote:
> > From: Shlomi Fish <shlomif at shlomifish.org>
> > Subject: Re: [Mageia-dev] taglib CVE for MP4 files
> > To: "Mageia development mailing-list" <mageia-dev at mageia.org>
> > Cc: luigiwalser at yahoo.com
> > Date: Monday, May 14, 2012, 3:21 PM
> > Hi David,
> > 
> > On Mon, 14 May 2012 11:43:46 -0700 (PDT)
> > David Walser <luigiwalser at yahoo.com>
> > wrote:
> > 
> > > taglib 1.7.2 was issued to fix a minor security DoS
> > issue due to a divide by zero error in the MP4 file
> > decoder.
> > > 
> > > I built it in updates_testing but I don't have an MP4
> > file to test it with.
> > > 
> > > If interested people could test it, it could be pushed
> > to updates.  Thanks.
> > > 
> > 
> > Thanks for your work. I have some .mp4 files (mostly
> > videos) around, which I
> > have downloaded from YouTube using youtube-dl (and you can
> > too). But what
> > should I do to test that the bug was fixed? Can you provide
> > instructions?
> 
> Thanks for your interest.
> 
> Basically all you need to do is use an application that uses taglib and make sure it can read the metadata (mainly the length) from mp4 files without regressions from the previous version.  You can find such applications with the command:
> urpmq --whatrequires libtaglib1 (or lib64taglib1 on x86_64).
> 
> Examples include amarok, clementine, juk, and vlc.
> 
> If you really want to do a deep investigation you can see if there are any Proof of Concept files out there.  The CVE affects the reading of the media header (mdhd) portion of the MP4 file.  You don't really need to worry about this though.

Using VLC and the lib64taglib1 from x86_64 I was able to save the tags header on
an .mp4 file and load it again correctly. The length of the track also seemed
fine.

Is that OK?

Regards,

	Shlomi Fish

-- 
-----------------------------------------------------------------
Shlomi Fish       http://www.shlomifish.org/
What Makes Software Apps High Quality -  http://shlom.in/sw-quality

The bad thing about hardware is that it sometimes works and it sometimes
doesn’t. The good thing about software is that it’s consistent: it always 
does not work, and it always does not work in exactly the same way.

Please reply to list if it's a mailing list post - http://shlom.in/reply .
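Added illustration, not part of the thread above and not TagLib's source: a minimal parser for the media header (mdhd) atom that David mentions, computing the track length the way a tag reader does, with the vulnerable (unchecked) division beside the hardened check. The byte layout is the one from ISO/IEC 14496-12 (box header, then version and flags, then creation time, modification time, timescale and duration, 32-bit fields for version 0 and 64-bit timestamps/duration for version 1). All function names (parseMdhd, lengthFromAtom, makeMdhdV0, makeMdhdV1) and the sample atoms are constructed here for the example.

```cpp
#include <cstdint>
#include <cstdio>
#include <stdexcept>
#include <vector>

using Bytes = std::vector<uint8_t>;

// MP4 atoms are big-endian.
static uint32_t be32(const Bytes &b, size_t off) {
    if (off + 4 > b.size()) throw std::runtime_error("short read");
    return (uint32_t(b[off]) << 24) | (uint32_t(b[off + 1]) << 16) |
           (uint32_t(b[off + 2]) << 8) | uint32_t(b[off + 3]);
}
static uint64_t be64(const Bytes &b, size_t off) {
    return (uint64_t(be32(b, off)) << 32) | be32(b, off + 4);
}

struct MdhdInfo {
    uint32_t timescale = 0;  // ticks per second, supplied by the file
    uint64_t duration = 0;   // track duration in ticks
};

// Parse one complete mdhd atom (8-byte box header included).
// Layout per ISO/IEC 14496-12: box header, then version(1) flags(3), then
//   version 0: creation(4) modification(4) timescale(4) duration(4)
//   version 1: creation(8) modification(8) timescale(4) duration(8)
MdhdInfo parseMdhd(const Bytes &atom) {
    if (atom.size() < 12) throw std::runtime_error("mdhd too short");
    if (atom[4] != 'm' || atom[5] != 'd' || atom[6] != 'h' || atom[7] != 'd')
        throw std::runtime_error("not an mdhd atom");
    const uint8_t version = atom[8];
    MdhdInfo info;
    if (version == 1) {
        info.timescale = be32(atom, 28);
        info.duration = be64(atom, 32);
    } else {
        info.timescale = be32(atom, 20);
        info.duration = be32(atom, 24);
    }
    return info;
}

// Vulnerable pattern: divides by whatever timescale the file supplied.
// A crafted atom with timescale == 0 turns this into an integer division
// by zero (SIGFPE on x86), crashing the application that loaded the tag.
uint64_t lengthSecondsUnchecked(const MdhdInfo &m) {
    return m.duration / m.timescale;
}

// Hardened pattern: validate before dividing. Returns -1 for "unknown
// length" instead of trusting a zero timescale from the file.
long long lengthSecondsChecked(const MdhdInfo &m) {
    if (m.timescale == 0) return -1;
    return static_cast<long long>(m.duration / m.timescale);
}

// Convenience: atom bytes in, checked length in seconds out.
long long lengthFromAtom(const Bytes &atom) {
    return lengthSecondsChecked(parseMdhd(atom));
}

// Builders for constructed sample atoms (synthetic, not from any real file).
static void put32(Bytes &b, uint32_t v) {
    for (int shift = 24; shift >= 0; shift -= 8) b.push_back(uint8_t(v >> shift));
}
static void put64(Bytes &b, uint64_t v) {
    put32(b, uint32_t(v >> 32));
    put32(b, uint32_t(v));
}

Bytes makeMdhdV0(uint32_t timescale, uint32_t duration) {
    Bytes b = {0, 0, 0, 32, 'm', 'd', 'h', 'd', 0, 0, 0, 0};  // size 32, type, version 0, flags
    put32(b, 0); put32(b, 0);                 // creation_time, modification_time
    put32(b, timescale); put32(b, duration);
    put32(b, 0);                              // language(16) + pre_defined(16)
    return b;
}
Bytes makeMdhdV1(uint32_t timescale, uint64_t duration) {
    Bytes b = {0, 0, 0, 44, 'm', 'd', 'h', 'd', 1, 0, 0, 0};  // size 44, type, version 1, flags
    put64(b, 0); put64(b, 0);                 // creation_time, modification_time
    put32(b, timescale); put64(b, duration);
    put32(b, 0);                              // language(16) + pre_defined(16)
    return b;
}

int main() {
    Bytes good = makeMdhdV0(44100, 44100u * 180);  // 180 s track at 44.1 kHz
    Bytes crafted = makeMdhdV0(0, 12345);         // timescale forced to zero
    std::printf("good: unchecked=%llu checked=%lld\n",
                (unsigned long long)lengthSecondsUnchecked(parseMdhd(good)),
                lengthFromAtom(good));
    std::printf("crafted: checked=%lld (unchecked would divide by zero)\n",
                lengthFromAtom(crafted));
    return 0;
}
```

The regression check described in the thread (tags still load, the length still reads right in a taglib-based player) only exercises the happy path, where patched and unpatched builds behave identically. The fix itself is only visible on an atom whose timescale field is zero, like the constructed one above, so a fixed build should report an unknown length for such a file where an unfixed one crashes.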

