
Re: Rhythmbox Vulnerability



Application: Rhythmbox 0.11.5
OS: Linux - Ubuntu 8.04

Original Advisory: 
http://packetstormsecurity.org/0806-advisories/rhythmbox-dos.txt
The original author of this advisory is Juan Pablo Lopez Yacubian
Author of this advisory: WarGame - http://vx.netlux.org/wargamevx - wargame89@xxxxxxxx

Compiling Rhythmbox 0.11.5 with debug support (-g) and making it parse the DoS 
playlist file, you can get this backtrace:

(gdb) run /home/wargame/prova.pls
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /home/wargame/test/bin/rhythmbox /home/wargame/prova.pls
[Thread debugging using libthread_db enabled]
[New Thread 0x7f01a0a907c0 (LWP 1757)]
[New Thread 0x41691950 (LWP 1760)]

(rhythmbox:1757): Rhythmbox-WARNING **: Unable to grab media player keys: Could 
not get owner of name 'org.gnome.SettingsDaemon': no such name
[New Thread 0x41e92950 (LWP 1761)]
[Thread 0x41e92950 (LWP 1761) exited]

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7f01a0a907c0 (LWP 1757)]
0x0000000000dc8820 in ?? ()
(gdb) backtrace
#0  0x0000000000dc8820 in ?? ()
#1  0x00007f019a5306f1 in g_hash_table_lookup () from /usr/lib/libglib-2.0.so.0
#2  0x0000000000436487 in playlist_load_ended_cb (parser=0xdc1a00, uri=0xda34d0 
"", metadata=0xbe7b90, mgr=0x7fffa8acd250) at rb-playlist-manager.c:576
#3  0x00007f019b32dbcf in g_closure_invoke () from /usr/lib/libgobject-2.0.so.0
#4  0x00007f019b3416bc in ?? () from /usr/lib/libgobject-2.0.so.0
#5  0x00007f019b3430d5 in g_signal_emit_valist () from 
/usr/lib/libgobject-2.0.so.0
#6  0x00007f019b343483 in g_signal_emit () from /usr/lib/libgobject-2.0.so.0
#7  0x00007f019ef89611 in ?? () from /usr/lib/libtotem-plparser.so.10
#8  0x00007f019ef8970e in ?? () from /usr/lib/libtotem-plparser.so.10
#9  0x00007f019ef85b2c in ?? () from /usr/lib/libtotem-plparser.so.10
#10 0x00000000004365e0 in rb_playlist_manager_parse_file (mgr=0xbe7b90, 
uri=0xdc8c00 "file:///home/wargame/prova.pls", error=0x7fffa8acd818)
    at rb-playlist-manager.c:621
#11 0x0000000000426375 in rb_shell_load_uri (shell=0x7c81a0, uri=0xdc8c00 
"file:///home/wargame/prova.pls", play=1, error=0x7fffa8acd818) at 
rb-shell.c:3326
#12 0x000000000041e4cf in local_load_uri (filename=0xdc8c00 
"file:///home/wargame/prova.pls", shell=0x7c81a0) at main.c:414
#13 0x000000000041e32b in load_uri_args (args=0x6b2150, handler=0x41e476 
<local_load_uri>, user_data=0x7c81a0) at main.c:371
#14 0x000000000041e474 in removable_media_scan_finished (shell=0x7c81a0, 
data=0x0) at main.c:406
#15 0x00007f019b32dbcf in g_closure_invoke () from /usr/lib/libgobject-2.0.so.0
#16 0x00007f019b3416bc in ?? () from /usr/lib/libgobject-2.0.so.0
#17 0x00007f019b3430d5 in g_signal_emit_valist () from 
/usr/lib/libgobject-2.0.so.0
#18 0x00007f019b343483 in g_signal_emit () from /usr/lib/libgobject-2.0.so.0
#19 0x0000000000421066 in _scan_idle (shell=0x7c81a0) at rb-shell.c:1296
#20 0x00007f019a53d262 in g_main_context_dispatch () from 
/usr/lib/libglib-2.0.so.0
#21 0x00007f019a540516 in ?? () from /usr/lib/libglib-2.0.so.0
---Type <return> to continue, or q <return> to quit---
#22 0x00007f019a5407d7 in g_main_loop_run () from /usr/lib/libglib-2.0.so.0
#23 0x00007f019d041f03 in gtk_main () from /usr/lib/libgtk-x11-2.0.so.0
#24 0x000000000041e1bf in main (argc=2, argv=0x7fffa8ace278) at main.c:327
(gdb) 

Interesting info at rb-playlist-manager.c:576:
title = g_hash_table_lookup (metadata, TOTEM_PL_PARSER_FIELD_TITLE);

In my opinion the crash happens around this function call.
Have fun!
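The backtrace above is the whole evidence in this post, so a triager's first job is to read it systematically rather than by eye. The following Python script is an added example, not code from the original post or from the Rhythmbox project: it parses gdb's `backtrace` output format (frame number, address, function, arguments, then either `at file:line` or `from library`), re-joins frames the terminal wrapped onto several lines, skips the pager prompt, and then extracts the three things worth checking first: the innermost frame with source info, the `?? ()` frames gdb could not symbolize, and pointer values that show up under different parameter names in different frames. The sample input is a subset of the frames quoted above, kept with their wrapping and the pager line exactly as printed; the function and class names are this example's own.

```python
"""Triage helper for a gdb backtrace (added example; not part of the original
post or of Rhythmbox). It re-joins terminal-wrapped frame lines, skips the
pager prompt, and pulls out what a triager checks first: the innermost frame
with source info, '??' frames, and pointers reused under different names."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# "#N 0xADDR in FUNC (ARGS)" then "at FILE:LINE" (debug info present),
# "from LIB" (no symbol, but pc inside a known object) or nothing at all.
FRAME_RE = re.compile(r"^#(\d+)\s+(0x[0-9a-fA-F]+) in (\S+) \((.*)\)"
                      r"(?: at (\S+:\d+)| from (\S+))?$")
ARG_RE = re.compile(r"(\w+)=(.*?)(?=, \w+=|$)")  # values may contain spaces
HEX_RE = re.compile(r"^0x[0-9a-fA-F]+$")

# Subset of the frames from the backtrace in the post, with the terminal
# wrapping and the pager prompt kept as printed (sample input for this example).
SAMPLE_BACKTRACE = """\
(gdb) backtrace
#0  0x0000000000dc8820 in ?? ()
#1  0x00007f019a5306f1 in g_hash_table_lookup () from /usr/lib/libglib-2.0.so.0
#2  0x0000000000436487 in playlist_load_ended_cb (parser=0xdc1a00, uri=0xda34d0
"", metadata=0xbe7b90, mgr=0x7fffa8acd250) at rb-playlist-manager.c:576
#5  0x00007f019b3430d5 in g_signal_emit_valist () from
/usr/lib/libgobject-2.0.so.0
#10 0x00000000004365e0 in rb_playlist_manager_parse_file (mgr=0xbe7b90,
uri=0xdc8c00 "file:///home/wargame/prova.pls", error=0x7fffa8acd818)
    at rb-playlist-manager.c:621
#11 0x0000000000426375 in rb_shell_load_uri (shell=0x7c81a0, uri=0xdc8c00
"file:///home/wargame/prova.pls", play=1, error=0x7fffa8acd818) at
rb-shell.c:3326
#12 0x000000000041e4cf in local_load_uri (filename=0xdc8c00
"file:///home/wargame/prova.pls", shell=0x7c81a0) at main.c:414
#13 0x000000000041e32b in load_uri_args (args=0x6b2150, handler=0x41e476
<local_load_uri>, user_data=0x7c81a0) at main.c:371
#14 0x000000000041e474 in removable_media_scan_finished (shell=0x7c81a0,
data=0x0) at main.c:406
#21 0x00007f019a540516 in ?? () from /usr/lib/libglib-2.0.so.0
---Type <return> to continue, or q <return> to quit---
#24 0x000000000041e1bf in main (argc=2, argv=0x7fffa8ace278) at main.c:327
(gdb)
"""

@dataclass
class Frame:
    index: int
    addr: int
    func: str               # "??" when gdb found no symbol
    args: str
    source: Optional[str]   # "file.c:576" when debug info is available
    library: Optional[str]  # object containing pc, when gdb could tell

def join_frame_lines(text: str) -> List[str]:
    """Drop prompts and pager noise; glue wrapped frames back onto one line."""
    joined: List[str] = []
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith(("(gdb)", "---Type <return>")):
            continue
        if line.startswith("#") and line[1:2].isdigit():
            joined.append(line)
        elif joined:  # continuation of the previous frame
            joined[-1] += " " + line.strip()
    return joined

def parse_backtrace(text: str) -> List[Frame]:
    frames = []
    for line in join_frame_lines(text):
        m = FRAME_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised frame line: {line!r}")
        idx, addr, func, args, src, lib = m.groups()
        frames.append(Frame(int(idx), int(addr, 16), func, args, src, lib))
    return frames

def frame_args(frame: Frame) -> Dict[str, str]:
    return dict(ARG_RE.findall(frame.args))

def first_symbolized_frame(frames: List[Frame]) -> Optional[Frame]:
    """Innermost frame with file:line, i.e. the nearest code we have source for."""
    return next((f for f in frames if f.source), None)

def unsymbolized_frames(frames: List[Frame]) -> List[Frame]:
    """'?? ()' frames. One with library=None is a pc gdb could not place in any
    loaded object; on a SIGSEGV that frame is the first thing to explain."""
    return [f for f in frames if f.func == "??"]

def pointer_reuse(frames: List[Frame]) -> Dict[str, Set[str]]:
    """Non-null pointers passed under two or more different parameter names.
    Some reuse is expected (user_data handed on as shell); a value that is 'mgr'
    in one frame and the hash table 'metadata' in another warrants checking
    the callback signature against what the signal actually emits."""
    seen: Dict[str, Set[str]] = {}
    for f in frames:
        for name, value in frame_args(f).items():
            token = value.split()[0] if value else ""
            if HEX_RE.match(token) and int(token, 16):
                seen.setdefault(token, set()).add(name)
    return {ptr: names for ptr, names in seen.items() if len(names) > 1}
```

Run against the sample, `first_symbolized_frame` lands on frame #2 at rb-playlist-manager.c:576, the line the post singles out; `unsymbolized_frames` separates frame #0 (no symbol and no containing object) from the stripped-library `??` frames; and `pointer_reuse` reports that 0xbe7b90 is passed as `mgr` in frame #10 but arrives as `metadata` in frame #2, which is the observation to verify before treating the `g_hash_table_lookup` call itself as the faulty line.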