Re: Rhythmbox Vulnerability Jun 30 2008 07:40PM
wargame89 yahoo it
Application: Rhythmbox 0.11.5

OS: Linux - Ubuntu 8.04

Original Advisory: http://packetstormsecurity.org/0806-advisories/rhythmbox-dos.txt

The original author of this advisory is Juan Pablo Lopez Yacubian

Author of this advisory: WarGame - http://vx.netlux.org/wargamevx - wargame89 (at) yahoo (dot) it [email concealed]

Compiling Rhythmbox 0.11.5 with debug support (-g) and making it parse the DoS playlist file, you get this backtrace:

(gdb) run /home/wargame/prova.pls
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /home/wargame/test/bin/rhythmbox /home/wargame/prova.pls
[Thread debugging using libthread_db enabled]
[New Thread 0x7f01a0a907c0 (LWP 1757)]
[New Thread 0x41691950 (LWP 1760)]

(rhythmbox:1757): Rhythmbox-WARNING **: Unable to grab media player keys: Could not get owner of name 'org.gnome.SettingsDaemon': no such name

[New Thread 0x41e92950 (LWP 1761)]
[Thread 0x41e92950 (LWP 1761) exited]

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7f01a0a907c0 (LWP 1757)]
0x0000000000dc8820 in ?? ()
(gdb) backtrace
#0  0x0000000000dc8820 in ?? ()
#1  0x00007f019a5306f1 in g_hash_table_lookup () from /usr/lib/libglib-2.0.so.0
#2  0x0000000000436487 in playlist_load_ended_cb (parser=0xdc1a00, uri=0xda34d0 "", metadata=0xbe7b90, mgr=0x7fffa8acd250) at rb-playlist-manager.c:576
#3  0x00007f019b32dbcf in g_closure_invoke () from /usr/lib/libgobject-2.0.so.0
#4  0x00007f019b3416bc in ?? () from /usr/lib/libgobject-2.0.so.0
#5  0x00007f019b3430d5 in g_signal_emit_valist () from /usr/lib/libgobject-2.0.so.0
#6  0x00007f019b343483 in g_signal_emit () from /usr/lib/libgobject-2.0.so.0
#7  0x00007f019ef89611 in ?? () from /usr/lib/libtotem-plparser.so.10
#8  0x00007f019ef8970e in ?? () from /usr/lib/libtotem-plparser.so.10
#9  0x00007f019ef85b2c in ?? () from /usr/lib/libtotem-plparser.so.10
#10 0x00000000004365e0 in rb_playlist_manager_parse_file (mgr=0xbe7b90, uri=0xdc8c00 "file:///home/wargame/prova.pls", error=0x7fffa8acd818)
    at rb-playlist-manager.c:621
#11 0x0000000000426375 in rb_shell_load_uri (shell=0x7c81a0, uri=0xdc8c00 "file:///home/wargame/prova.pls", play=1, error=0x7fffa8acd818) at rb-shell.c:3326
#12 0x000000000041e4cf in local_load_uri (filename=0xdc8c00 "file:///home/wargame/prova.pls", shell=0x7c81a0) at main.c:414
#13 0x000000000041e32b in load_uri_args (args=0x6b2150, handler=0x41e476 <local_load_uri>, user_data=0x7c81a0) at main.c:371
#14 0x000000000041e474 in removable_media_scan_finished (shell=0x7c81a0, data=0x0) at main.c:406
#15 0x00007f019b32dbcf in g_closure_invoke () from /usr/lib/libgobject-2.0.so.0
#16 0x00007f019b3416bc in ?? () from /usr/lib/libgobject-2.0.so.0
#17 0x00007f019b3430d5 in g_signal_emit_valist () from /usr/lib/libgobject-2.0.so.0
#18 0x00007f019b343483 in g_signal_emit () from /usr/lib/libgobject-2.0.so.0
#19 0x0000000000421066 in _scan_idle (shell=0x7c81a0) at rb-shell.c:1296
#20 0x00007f019a53d262 in g_main_context_dispatch () from /usr/lib/libglib-2.0.so.0
#21 0x00007f019a540516 in ?? () from /usr/lib/libglib-2.0.so.0
---Type <return> to continue, or q <return> to quit---
#22 0x00007f019a5407d7 in g_main_loop_run () from /usr/lib/libglib-2.0.so.0
#23 0x00007f019d041f03 in gtk_main () from /usr/lib/libgtk-x11-2.0.so.0
#24 0x000000000041e1bf in main (argc=2, argv=0x7fffa8ace278) at main.c:327
(gdb)

Interesting info at rb-playlist-manager.c:576:

title = g_hash_table_lookup (metadata, TOTEM_PL_PARSER_FIELD_TITLE);

In my opinion the crash happens around this function call.

Have fun!
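Added triage aid (editor's own code, not part of WarGame's post or of Rhythmbox): a small Python parser for a gdb backtrace like the one pasted above. It pulls out, for each frame, the address, symbol, arguments, shared library and file:line, glues gdb's wrapped continuation lines back onto their frame, and then answers the questions one asks first when reading such a crash: is frame #0 an address gdb cannot attribute to any loaded object (as it is here, which is what a call through a bad function pointer looks like; g_hash_table_lookup does call the hash function stored in the table it is handed, so this is consistent with the metadata pointer not being a valid GHashTable, but that is an inference from the trace, not something the post establishes), which is the nearest frame with source information (here rb-playlist-manager.c:576), and which pointer values are passed under different parameter names in different frames (here 0xbe7b90 arrives as metadata in frame #2 and as mgr in frame #10, worth a look when a crash sits inside a signal callback). The sample input is a trimmed copy of the backtrace from the post; the library-internal frames #3-#9 and #14-#23 are left out.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Trimmed copy of the gdb backtrace from the post above (frames inside
# libgobject/libglib/libtotem-plparser omitted); the pager line is kept on
# purpose so the parser has to skip it.
SAMPLE_BACKTRACE = """\
#0 0x0000000000dc8820 in ?? ()
#1 0x00007f019a5306f1 in g_hash_table_lookup () from /usr/lib/libglib-2.0.so.0
#2 0x0000000000436487 in playlist_load_ended_cb (parser=0xdc1a00, uri=0xda34d0 "", metadata=0xbe7b90, mgr=0x7fffa8acd250) at rb-playlist-manager.c:576
#10 0x00000000004365e0 in rb_playlist_manager_parse_file (mgr=0xbe7b90, uri=0xdc8c00 "file:///home/wargame/prova.pls", error=0x7fffa8acd818)
at rb-playlist-manager.c:621
#11 0x0000000000426375 in rb_shell_load_uri (shell=0x7c81a0, uri=0xdc8c00 "file:///home/wargame/prova.pls", play=1, error=0x7fffa8acd818) at rb-shell.c:3326
#12 0x000000000041e4cf in local_load_uri (filename=0xdc8c00 "file:///home/wargame/prova.pls", shell=0x7c81a0) at main.c:414
#13 0x000000000041e32b in load_uri_args (args=0x6b2150, handler=0x41e476 <local_load_uri>, user_data=0x7c81a0) at main.c:371
---Type <return> to continue, or q <return> to quit---
#24 0x000000000041e1bf in main (argc=2, argv=0x7fffa8ace278) at main.c:327
"""

# One gdb frame: "#N ADDR in FUNC (ARGS) [from LIB] [at FILE:LINE]".
# The argument group is greedy so arguments containing "<sym>" or strings survive.
FRAME_RE = re.compile(
    r"^#(?P<no>\d+)\s+(?P<addr>0x[0-9a-fA-F]+) in (?P<func>\S+) \((?P<args>.*)\)"
    r"(?: from (?P<lib>\S+))?(?: at (?P<file>\S+):(?P<line>\d+))?\s*$"
)
POINTER_RE = re.compile(r"^0x[0-9a-fA-F]+")


@dataclass
class Frame:
    number: int
    address: str
    function: str
    args: Dict[str, str] = field(default_factory=dict)
    library: Optional[str] = None
    source_file: Optional[str] = None
    line: Optional[int] = None


def _join_continuations(text: str) -> List[str]:
    """gdb wraps long frames; glue lines not starting with '#' onto the previous frame.
    Prompt and pager lines are dropped."""
    out: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("(gdb)") or line.startswith("---Type"):
            continue
        if line.startswith("#") or not out:
            out.append(line)
        else:
            out[-1] += " " + line
    return out


def parse_backtrace(text: str) -> List[Frame]:
    """Parse every recognisable frame line into a Frame; unknown lines are ignored."""
    frames: List[Frame] = []
    for line in _join_continuations(text):
        m = FRAME_RE.match(line)
        if not m:
            continue
        args: Dict[str, str] = {}
        for item in m.group("args").split(", "):
            if "=" in item:
                name, value = item.split("=", 1)
                args[name.strip()] = value.strip()
        frames.append(Frame(
            number=int(m.group("no")),
            address=m.group("addr"),
            function=m.group("func"),
            args=args,
            library=m.group("lib"),
            source_file=m.group("file"),
            line=int(m.group("line")) if m.group("line") else None,
        ))
    return frames


def faulting_frame_unattributed(frames: List[Frame]) -> bool:
    """True when frame #0 has no symbol, no shared library and no source line, i.e.
    the program counter landed somewhere gdb cannot attribute to a loaded object."""
    if not frames or frames[0].number != 0:
        return False
    f = frames[0]
    return f.function == "??" and f.library is None and f.source_file is None


def nearest_source_frame(frames: List[Frame]) -> Optional[Frame]:
    """First frame, walking up from the crash, that carries file:line information."""
    for f in frames:
        if f.source_file:
            return f
    return None


def pointer_args_by_value(frames: List[Frame]) -> Dict[str, List[Tuple[int, str]]]:
    """Map each pointer-valued argument to the (frame number, parameter name) pairs it appears in."""
    seen: Dict[str, List[Tuple[int, str]]] = {}
    for f in frames:
        for name, value in f.args.items():
            m = POINTER_RE.match(value)
            if m:
                seen.setdefault(m.group(0), []).append((f.number, name))
    return seen


def pointers_with_conflicting_names(frames: List[Frame]) -> Dict[str, List[str]]:
    """Pointer values that travel under different parameter names in different frames.
    Heuristic only: ordinary renames such as shell/user_data are flagged as well."""
    result: Dict[str, List[str]] = {}
    for ptr, uses in pointer_args_by_value(frames).items():
        names = sorted({n for _, n in uses})
        if len(names) > 1:
            result[ptr] = names
    return result


if __name__ == "__main__":
    fr = parse_backtrace(SAMPLE_BACKTRACE)
    print("frame #0 unattributed:", faulting_frame_unattributed(fr))
    nf = nearest_source_frame(fr)
    if nf:
        print(f"nearest source frame: #{nf.number} {nf.function} at {nf.source_file}:{nf.line} args={nf.args}")
    for ptr, names in pointers_with_conflicting_names(fr).items():
        print(f"{ptr} passed as {', '.join(names)}")
```

Run it as-is on the embedded sample, or feed it a saved `backtrace` output via `parse_backtrace(open(path).read())`. The conflicting-name report is deliberately noisy; its job is to shorten the list of arguments worth inspecting with `print`/`ptype` in gdb, not to decide anything.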

Copyright 2010, SecurityFocus