Bug 14871

Summary: sox new security issue CVE-2014-8145
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: olchal, sysadmin-bugs
Version: 4Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/627589/
Whiteboard: advisory MGA4-32-OK has_procedure MGA4-64-OK
Source RPM: sox-14.4.1-3.mga4.src.rpm CVE:
Status comment:

Description David Walser 2014-12-22 18:54:14 CET 
An advisory has been issued today (December 22):
http://www.ocert.org/advisories/ocert-2014-010.html

Patches are available in upstream git.

Patched packages uploaded for Mageia 4 and Cauldron.

Advisory:
========================

Updated sox packages fix security vulnerability:

The sox command line tool is affected by two heap-based buffer overflows,
respectively located in functions start_read() and AdpcmReadBlock(). A
specially crafted wav file can be used to trigger the vulnerabilities
(CVE-2014-8145).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8145
http://www.ocert.org/advisories/ocert-2014-010.html
========================

Updated packages in core/updates_testing:
========================
sox-14.4.1-3.1.mga4
libsox2-14.4.1-3.1.mga4
libsox-devel-14.4.1-3.1.mga4

from sox-14.4.1-3.1.mga4.src.rpm

Reproducible: 

Steps to Reproduce:
Comment 1 David Walser 2014-12-24 18:45:23 CET 
Debian has issued an advisory for this on December 23:
https://www.debian.org/security/2014/dsa-3112

I'll add their reference to the advisory.

Advisory:
========================

Updated sox packages fix security vulnerability:

The sox command line tool is affected by two heap-based buffer overflows,
respectively located in functions start_read() and AdpcmReadBlock(). A
specially crafted wav file can be used to trigger the vulnerabilities
(CVE-2014-8145).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8145
http://www.ocert.org/advisories/ocert-2014-010.html
https://www.debian.org/security/2014/dsa-3112

URL: (none) => http://lwn.net/Vulnerabilities/627589/

Comment 2 David Walser 2014-12-25 00:13:14 CET 
Testing complete Mageia 4 i586.

I don't see a PoC for this, so I just used some commands that use sox to read wav files, with a wav file I have (an old clip of "Welcome to your doom!" from Homestar Runner).

$ play welcome.wav # play the audio file
(plays fine)
$ sox welcome.wav foo.wav stat -v # check how much the volume can be raised
1.026
$ sox -v 1.025 welcome.wav foo.wav # raise the volume
$ play foo.wav # play the louder copy
(plays fine)

Whiteboard: (none) => MGA4-32-OK has_procedure

Comment 3 olivier charles 2014-12-28 09:46:26 CET 
Testing on Mageia 4x64 real hardware

From current packages :
---------------------
sox-14.4.1-3.mga4
lib64sox2-14.4.1-3.mga4

To updated testing packages :
---------------------------
- lib64sox2-14.4.1-3.1.mga4.x86_64
- sox-14.4.1-3.1.mga4.x86_64

Tried some commands in each case :
$ play Yamaha-SY-35-Clarinet-C5.wav
$ play Yamaha-SY-35-Clarinet-C5.wav vol 2
$ sox Yamaha-SY-35-Clarinet-C5.wav Yamaha.ogg
$ sox Yamaha-SY-35-Clarinet-C5.wav Yamaha2.wav vol 10db
$ sox Yamaha-SY-35-Clarinet-C5.wav Yamaha3.wav vol -6db bass +6
$ sox Yamaha-SY-35-Clarinet-C5.wav -n stat

All OK.

CC: (none) => olchal
Whiteboard: MGA4-32-OK has_procedure => MGA4-32-OK has_procedure MGA4-64-OK

Comment 4 claire robinson 2014-12-29 22:06:27 CET 
Validating. Advisory uploaded.

Please push to updates

Thanks

Keywords: (none) => validated_update
Whiteboard: MGA4-32-OK has_procedure MGA4-64-OK => advisory MGA4-32-OK has_procedure MGA4-64-OK
CC: (none) => sysadmin-bugs

Comment 5 Mageia Robot 2014-12-31 13:28:50 CET 
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2014-0561.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED