Vorbis Tools Ogg123 Buffer Underflow Vulnerability Allowing Application Crash and Potential Code Execution

A buffer underflow vulnerability has been identified in the ogg123 utility of the Vorbis Tools package version 1.4.3. The issue arises in the remote control functionality, specifically within the 'remotethread' function of 'remote.c'. When the application processes malformed input, it leads to a stack buffer underflow, which can cause the application to crash and potentially allow for arbitrary code execution.

Impact

Exploitation of this vulnerability causes the application to crash. However, the stack buffer underflow could be manipulated to execute arbitrary code.

Reproduction

The vulnerability can be reproduced by compiling Vorbis Tools 1.4.3 with Clang, using AddressSanitizer to detect memory errors. After compiling the application, the ogg123 utility can be executed with the '-R' option, which activates the remote control feature. By sending a crafted input that includes a null byte, the 'remotethread' function processes the input incorrectly, causing a buffer underflow. This exploitation can be verified by the AddressSanitizer, which reports the stack-buffer-underflow error.

Remediation

Users can update to Vorbis Tools version 1.4.3 or apply a patch that checks the input buffer's length before processing. This patch is available as a merge request in the Vorbis Tools GitLab repository.