dvd+rw-format crashes due to buffer overflow

Bug #235381 reported by cariboo
Affects: dvd+rw-tools (Ubuntu)
Status: Fix Released
Importance: High
Assigned to: Kees Cook

Bug Description

I just installed k3b version 1.0.4 in intrepid and it is reporting that it can't find dvd+rw-format, even though dvd+rw-tools is installed. I tried setting the permission of the file to 777 and even after a reboot it still can't find the program.

-----------------

Using dvd+rw-format from the command line interface it crashes immediately and this prevents k3b from being able to burn DVDs.

8:27:21 - flash:[~] apt-cache policy dvd+rw-tools
dvd+rw-tools:
  Installed: 7.1-2
  Candidate: 7.1-2

Nicola Rosati (supernaicol) wrote :

I can confirm: this bug also occurs with v. 1.0.5-1ubuntu1.
Trying to download source and compile by myself...

Nicola Rosati (supernaicol) wrote :

I tried to compile and use the original sources from http://k3b.plainblack.com, and the problem persisted, so I eventually noticed that the bug is not related to k3b, but to the package "dvd+rw-tools". Just downgrading dvd+rw-tools to an older version (i.e. hardy's 7.0-9ubuntu1) resolved the problem. I'm triaging the bug...

Changed in k3b:
status: New → Confirmed
Gianfranco Liporace (dr.kabuto) wrote :

Hi all,
I can confirm this bug.
Launching dvd+rw-format from the CLI I get this output:

*** buffer overflow detected ***: dvd+rw-format terminated
======= Backtrace: =========
/lib/tls/i686/cmov/libc.so.6(__fortify_fail+0x48)[0xb7f29388]
/lib/tls/i686/cmov/libc.so.6[0xb7f274b0]
/lib/tls/i686/cmov/libc.so.6[0xb7f27eec]
dvd+rw-format[0x8049138]
dvd+rw-format[0x804acd5]
/lib/tls/i686/cmov/libc.so.6(__libc_start_main+0xe5)[0xb7e45685]
dvd+rw-format[0x8048d01]
======= Memory map: ========

Martin Vysny (vyzivus) wrote :

My stacktrace looks a bit different (dvd+rw-tools 7.1-2):
$ dvd+rw-format
*** buffer overflow detected ***: dvd+rw-format terminated
======= Backtrace: =========
/lib/libc.so.6(__fortify_fail+0x37)[0x7ff93d38a7d7]
/lib/libc.so.6[0x7ff93d3886a0]
/lib/libc.so.6[0x7ff93d389073]
dvd+rw-format[0x4015ce]
dvd+rw-format[0x403125]
/lib/libc.so.6(__libc_start_main+0xe6)[0x7ff93d2a9466]
dvd+rw-format[0x4011b9]
======= Memory map: ========

Markus Jonskog (omljud) wrote :

dvd+rw-tools 7.1-2
$ dvd+rw-format
*** buffer overflow detected ***: dvd+rw-format terminated
======= Backtrace: =========
/lib/tls/i686/cmov/libc.so.6(__fortify_fail+0x48)[0xb7e44388]
/lib/tls/i686/cmov/libc.so.6[0xb7e424b0]
/lib/tls/i686/cmov/libc.so.6[0xb7e42eec]
dvd+rw-format[0x8049138]
dvd+rw-format[0x804acd5]
/lib/tls/i686/cmov/libc.so.6(__libc_start_main+0xe5)[0xb7d60685]
dvd+rw-format[0x8048d01]
======= Memory map: ========

Changed in dvd+rw-tools:
importance: Undecided → High
status: Confirmed → Triaged
description: updated
Brian Murray (brian-murray) wrote :

I installed dvd+rw-tools version 7.1-3 from Lenny and it resolves this particular bug. I'll try to get it into Intrepid.

Kees Cook (kees) wrote :

Thanks for digging down into this. I found[1] the un-upstreamed patch from Fedora that fixes[2] this. A new package will be uploaded after the current Alpha freeze clears.

[1] http://daniel.holba.ch/harvest/handler.py?pkg=dvd+rw-tools
[2] http://cvs.fedoraproject.org/viewvc//devel/dvd+rw-tools/dvd+rw-tools-7.0-wctomb.patch?view=markup

Changed in dvd+rw-tools:
assignee: nobody → kees
milestone: none → intrepid-alpha-6
status: Triaged → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package dvd+rw-tools - 7.1-2ubuntu1

---------------
dvd+rw-tools (7.1-2ubuntu1) intrepid; urgency=low

  * Add debian/patches/20-wctomb.patch: fix unsafe buffer length in
    call to wctomb (debian bug 497833, LP: #235381).

 -- Kees Cook <email address hidden> Thu, 04 Sep 2008 09:58:00 -0700

Changed in dvd+rw-tools:
status: Fix Committed → Fix Released
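The changelog above attributes the crash to an unsafe buffer length in a call to wctomb, and every backtrace on this page ends in glibc's __fortify_fail. The following is an added example, not dvd+rw-tools code: it shows the locale-dependent size check that glibc's fortified wctomb enforces (which is why a buffer that works in the "C" locale aborts under the it_IT.utf8 and en_US.utf8 LC_CTYPE seen in the memory maps) and a conversion routine sized with MB_LEN_MAX so the check always passes. Function names and the "C.UTF-8" locale name are illustrative assumptions.

```c
/* Added example (not dvd+rw-tools code): why a fixed-size buffer passed to
 * wctomb() trips glibc's FORTIFY_SOURCE check, and how to size it safely. */
#include <limits.h>   /* MB_LEN_MAX: compile-time bound valid for every locale */
#include <locale.h>
#include <stdlib.h>   /* wctomb, MB_CUR_MAX: run-time bound for the current locale */
#include <string.h>

/* The precondition glibc's fortified wctomb (__wctomb_chk) enforces before it
 * looks at the character: the destination must hold MB_CUR_MAX bytes, or the
 * process aborts with "*** buffer overflow detected ***".  A buffer that is
 * fine in the single-byte "C" locale (MB_CUR_MAX == 1) fails as soon as
 * LC_CTYPE is a UTF-8 locale such as it_IT.utf8 (MB_CUR_MAX == 6 on glibc).
 * Returns 1 if the check passes, 0 if it would abort, -1 if the locale is
 * not installed on this system. */
int fortify_check_passes(const char *locale, size_t bufsize)
{
    if (setlocale(LC_CTYPE, locale) == NULL)
        return -1;
    return bufsize >= (size_t)MB_CUR_MAX;
}

/* Hardened conversion: encode into an MB_LEN_MAX scratch buffer, which is
 * large enough in any locale, then copy only the bytes actually produced.
 * Returns the encoded length, 0 if wc is not representable in the locale,
 * -1 if dst cannot hold MB_CUR_MAX bytes plus the NUL, -2 if the locale is
 * not installed. */
int encode_wchar(const char *locale, wchar_t wc, char *dst, size_t dstlen)
{
    char tmp[MB_LEN_MAX];
    int n;

    if (setlocale(LC_CTYPE, locale) == NULL)
        return -2;
    if (dstlen < (size_t)MB_CUR_MAX + 1)
        return -1;
    n = wctomb(tmp, wc);
    if (n < 0)
        return 0;
    memcpy(dst, tmp, (size_t)n);
    dst[n] = '\0';
    return n;
}

/* Wrapper for callers that only need the length: a local buffer is advertised
 * as bufsize bytes (capped at its real size) to exercise the size check. */
int encoded_length(const char *locale, wchar_t wc, size_t bufsize)
{
    char out[MB_LEN_MAX + 1];
    return encode_wchar(locale, wc, out, bufsize < sizeof out ? bufsize : sizeof out);
}
```

Building a caller of the unsafe pattern with -D_FORTIFY_SOURCE=2 (Ubuntu's default at the time) and running it under a UTF-8 locale reproduces the abort shown in the comments above; the MB_LEN_MAX-sized version does not.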