Bug 14961

Summary: libsndfile new security issues CVE-2014-9496 and CVE-2014-9756
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: herman.viaene, sysadmin-bugs
Version: 4Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/628834/
Whiteboard: has_procedure advisory MGA4-64-OK MGA4-32-OK
Source RPM: libsndfile-1.0.25-3.mga4.src.rpm CVE:
Status comment:

Description David Walser 2015-01-06 00:38:05 CET 
CVEs were requested for a divide-by-zero and buffer overread in libsndfile:
http://openwall.com/lists/oss-security/2014/12/24/3
http://openwall.com/lists/oss-security/2014/12/25/2

The first request got no response.

A CVE was allocated for the buffer overread(s):
http://openwall.com/lists/oss-security/2015/01/04/4

I've added the upstream patches for both issues in Mageia 4 and Cauldron.

Advisory:
========================

Updated libsndfile packages fix security vulnerabilities:

libsndfile contains multiple buffer-overflow vulnerabilities in src/sd2.c
because it fails to properly bounds-check user supplied input, which may
allow an attacker to execute arbitrary code or cause a denial of service
(CVE-2014-9496).

libsndfile contains a divide-by-zero error in src/file_io.c which may allow
an attacker to cause a denial of service.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9496
http://openwall.com/lists/oss-security/2014/12/24/3
http://openwall.com/lists/oss-security/2015/01/04/4
http://www.securityfocus.com/bid/71796
========================

Updated packages in core/updates_testing:
========================
libsndfile1-1.0.25-3.1.mga4
libsndfile-devel-1.0.25-3.1.mga4
libsndfile-static-devel-1.0.25-3.1.mga4
libsndfile-progs-1.0.25-3.1.mga4

from libsndfile-1.0.25-3.1.mga4.src.rpm

Reproducible: 

Steps to Reproduce:
Comment 1 David Walser 2015-01-06 04:58:29 CET 
It looks like the affected code is in reading SD2 (Sound Designer II) files and writing AIFF files, so perhaps using sox or audacity (which use libsndfile) to convert an SD2 file to an AIFF can test the affected code paths.  I don't know where you'd get an SD2 file though.  It sounds like it was an old format used on Macs in the past.

I did use sox to convert a WAV file to an aiff and that worked just fine (Mageia 4 i586).
Comment 2 Herman Viaene 2015-01-08 12:08:48 CET 
MGA4-64 on HP Probook 6555b KDE.
No installation issues.
At CLI:
strace -o libsnd sox Rimsky.wav Rimsky.aiff
produces an aiff file that plays in audacity
File libsnd shows that libsndfile.so.1 is called.

Whiteboard: (none) => MGA4-64-OK
CC: (none) => herman.viaene

Comment 3 Herman Viaene 2015-01-08 12:19:27 CET 
MGA4-32 on AcerD620 Xfce.
Same test and result as Comment 2.

Whiteboard: MGA4-64-OK => MGA4-64-OK MGA4-32-OK

Comment 4 claire robinson 2015-01-08 13:22:27 CET 
Validating. Advisory uploaded.

Please push to 4 updates

Thanks

CC: (none) => sysadmin-bugs
Keywords: (none) => validated_update
Whiteboard: MGA4-64-OK MGA4-32-OK => has_procedure advisory MGA4-64-OK MGA4-32-OK

Comment 5 Mageia Robot 2015-01-08 13:36:51 CET 
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0015.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

David Walser 2015-01-08 18:10:37 CET

URL: (none) => http://lwn.net/Vulnerabilities/628834/

Comment 6 David Walser 2015-11-17 22:12:18 CET 
(In reply to David Walser from comment #0)
> CVEs were requested for a divide-by-zero and buffer overread in libsndfile:
> http://openwall.com/lists/oss-security/2014/12/24/3
> 
> The first request got no response.

Almost a year later, it was assigned CVE-2014-9756:
http://openwall.com/lists/oss-security/2015/11/03/9

Updated advisory below.  Could we update it in SVN?

Advisory:
========================

Updated libsndfile packages fix security vulnerabilities:

libsndfile contains multiple buffer-overflow vulnerabilities in src/sd2.c
because it fails to properly bounds-check user supplied input, which may
allow an attacker to execute arbitrary code or cause a denial of service
(CVE-2014-9496).

libsndfile contains a divide-by-zero error in src/file_io.c which may allow
an attacker to cause a denial of service (CVE-2014-9756).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9496
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9756
http://openwall.com/lists/oss-security/2015/01/04/4
http://openwall.com/lists/oss-security/2015/11/03/9
http://www.securityfocus.com/bid/71796

Summary: libsndfile new security issue CVE-2014-9496 => libsndfile new security issues CVE-2014-9496 and CVE-2014-9756