Debian distributes Mark R. Boyns's rplay 3.3.2. I have had
a very quick look at the source and found at least the following:
* In rplay/rplay.c line 600, the use of atoi() (which performs no error or range checking) on something that
looks like unsanitized data received from a remote server:
remote_size = -1;
p = rptp_parse(response, "size");
if (p)
remote_size = atoi(p);
* Various malloc() calls whose return value is never checked for failure before the pointer is dereferenced, such as:
contrib/rplaytool-1.1/misc.c: INFO *info = (INFO *) malloc (sizeof (INFO));
contrib/rplaytool-1.1/misc.c-
contrib/rplaytool-1.1/misc.c- info->filename[0] = '\0';
contrib/rplaytool-1.1/rplaytool_stubs.c: sp = (SPOOL *) malloc
(sizeof (SPOOL));
contrib/rplaytool-1.1/rplaytool_stubs.c- sp->id = id;
contrib/xjukebox-0.9/xjukebox.c- if (*list != NULL)
contrib/xjukebox-0.9/xjukebox.c- *list = (spool_info **)realloc(*list,
(*items_count + 1) *
--
contrib/xjukebox-0.9/xjukebox.c: *list = (spool_info
**)malloc(sizeof(spool_info *));
contrib/xjukebox-0.9/xjukebox.c- }
contrib/xjukebox-0.9/xjukebox.c- (*list)[*items_count] = new_item;
contrib/xjukebox-0.9/xjukebox.c- if ((*nlist != NULL) && (*nlist !=
empty_list))
contrib/xjukebox-0.9/xjukebox.c- *nlist = (String *)realloc(*nlist,
(*items_count + 1) * sizeof(String));
contrib/xjukebox-0.9/xjukebox.c- else
contrib/xjukebox-0.9/xjukebox.c: *nlist = (String *)malloc(sizeof(String));
contrib/xjukebox-0.9/xjukebox.c- (*nlist)[*items_count] = new_item->sound;
contrib/xjukebox-0.9/xjukebox.c: new_item = (spool_info
*)malloc(sizeof(spool_info));
contrib/xjukebox-0.9/xjukebox.c-
contrib/xjukebox-0.9/xjukebox.c- new_item->sid = atoi (1 + rptp_parse
(new_info, "id"));
librplay/async.c: new->data = malloc(nbytes);
librplay/async.c- memcpy(new->data, ptr, nbytes);
librplay/async.c: new = (ibuf *) malloc(sizeof(ibuf));
librplay/async.c- new->next = NULL;
librplay/rplay.c: rp->data = (char *) malloc(rp->data_size);
librplay/rplay.c- memcpy(rp->data, packet, rp->data_size);
rplay/rplay.c: name = (char *) malloc(strlen(cwd) +
strlen(argv[optind]) + 2);
rplay/rplay.c- strcpy(name, cwd);
rplayd/rplayd.c: s = (SERVER *) malloc(sizeof(SERVER));
rplayd/rplayd.c- s->next = NULL;
rx/rxanal.c: *subexps = (struct rexp_node **)malloc (sizeof (struct
rexp_node *) * *re_nsub);
rx/rxanal.c- else
rx/rxanal.c- *subexps = (struct rexp_node **)realloc (*subexps,
rx/rxanal.c- sizeof (struct
rexp_node *) * *re_nsub);
rx/rxanal.c- }
rx/rxanal.c- }
rx/rxanal.c- if (node->params.pair.left)
rx/rxanal.c- id = rx_posix_analyze_rexp (subexps, re_nsub,
node->params.pair.left, id);
rx/rxnfa.c: consed = (struct rx_se_list *) malloc (sizeof (*consed));
rx/rxnfa.c- *consed = template;
rx/rxnode.c: n = (struct rexp_node *) malloc (sizeof (*n));
rx/rxnode.c- rx_bzero ((char *)n, sizeof (*n));
rx/rxunfa.c: cr = (struct rx_cached_rexp *)malloc (sizeof (*cr));
rx/rxunfa.c- rx_bzero ((char *)cr, sizeof (*cr));
My bug report in the Debian BTS:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1118224
The upstream version was released in 1999, i.e. 26 years ago,
and the rplay homepage no longer exists.
Has anyone looked at this more closely?
Have any CVEs been assigned for these issues?
--
Vincent Lefèvre <[email protected]> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / Pascaline project (LIP, ENS-Lyon)