by Guest » Fri Dec 16, 2016 8:53 am
https://scarybeastsecurity.blogspot.com/2016/12/redux-compromising-linux-using-snes.html
A fellow by the name of Chris Evans has released a proof-of-concept exploit for vulnerabilities in Game_Music_Emu (what ZDoom uses to play emulated music formats) that allow code execution. The proof of concept is for GStreamer, but the vulnerability just consists of feeding libgme a specially crafted SPC file that triggers a heap overflow and then executes a COP gadget ending in a call to system(). I suspect the vulnerability can be adapted easily to ZDoom on Linux, as it doesn't really matter what calls libgme as long as the poisoned SPC is played. Other platforms would be a bit trickier, but still doable.
While this isn't strictly a ZDoom issue, it would still be a good idea to push new release builds with a patched libgme as outlined in the writeup.