| Summary: | libsndfile new security issues CVE-2015-7805 and CVE-2015-8075 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | ||
| Priority: | Normal | CC: | davidwhodgins, sysadmin-bugs, tarazed25 |
| Version: | 5 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | i586 | ||
| OS: | Linux | ||
| URL: | http://lwn.net/Vulnerabilities/664646/ | ||
| Whiteboard: | has_procedure MGA5-64-OK MGA5-32-OK advisory | ||
| Source RPM: | libsndfile-1.0.25-9.mga5.src.rpm | CVE: | |
| Status comment: | |||
| Attachments: | Perl script for PoC; strace capture from paplay with PoC file | ||

Description
David Walser 2015-11-16 23:29:45 CET

David Walser 2015-11-16 23:29:58 CET
Whiteboard: (none) => MGA5TOO

As I suspected, CVE-2014-9756 is one of the issues we fixed in Bug 14961.

Summary: libsndfile new security issues CVE-2014-9756, CVE-2015-7805, CVE-2015-8075 => libsndfile new security issues CVE-2015-7805 and CVE-2015-8075

The CVE entry for CVE-2015-8075 says that the CVE was rejected because it was later determined to not be a security issue. I have included the patch to fix it, but won't cite it in the advisory.

There should be PoC information for CVE-2015-7805 in one of the references on the SuSE bug:
https://bugzilla.suse.com/show_bug.cgi?id=953516

Advisory:
========================

Updated libsndfile packages fix security vulnerability:

Due to a heap overflow in libsndfile, a specially crafted AIFF header can manage index values in order to use memcpy to overwrite memory on the heap (CVE-2015-7805).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7805
http://www.nemux.org/2015/10/13/libsndfile-1-0-25-heap-overflow/
https://packetstormsecurity.com/files/133926/libsndfile-1.0.25-Heap-Overflow.html
http://lists.opensuse.org/opensuse-updates/2015-11/msg00077.html
========================

Updated packages in core/updates_testing:
========================
libsndfile1-1.0.25-9.1.mga5
libsndfile-devel-1.0.25-9.1.mga5
libsndfile-static-devel-1.0.25-9.1.mga5
libsndfile-progs-1.0.25-9.1.mga5

from libsndfile-1.0.25-9.1.mga5.src.rpm

Version: Cauldron => 5
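The advisory above gives the bug class in one sentence: a chunk length taken from an AIFF header drives a memcpy into a fixed buffer. The following C program is an added illustration of that pattern and of the two bounds a header reader has to apply before copying; it is not libsndfile's code, not the patch shipped in this update, and not the nemux.aiff proof of concept. The scratch-buffer size (64 bytes), the error codes, the function names and the sample files are all assumptions constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Size of the fixed scratch buffer chunk bodies are copied into. This value
 * is an assumption for the example, not libsndfile's own header buffer. */
#define HDR_BUF 64

enum { AIFF_OK = 0, AIFF_ERR_SHORT = -1, AIFF_ERR_MAGIC = -2,
       AIFF_ERR_CHUNK = -3, AIFF_ERR_NOCOMM = -4 };

struct aiff_comm { uint16_t channels; uint32_t frames; uint16_t bits; };

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}
static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Walk the chunk list of an in-memory AIFF file. The unsafe pattern guarded
 * against is memcpy(scratch, buf + pos, cksize) with cksize taken straight
 * from the file. A body is copied only after its length has been checked
 * against the bytes remaining in the file and against the scratch buffer. */
int aiff_parse(const uint8_t *buf, size_t len, struct aiff_comm *out)
{
    uint8_t scratch[HDR_BUF];
    size_t pos = 12;
    int have_comm = 0;
    if (len < 12)
        return AIFF_ERR_SHORT;
    if (memcmp(buf, "FORM", 4) != 0 || memcmp(buf + 8, "AIFF", 4) != 0)
        return AIFF_ERR_MAGIC;
    while (pos + 8 <= len) {
        const uint8_t *id = buf + pos;
        uint32_t cksize = be32(buf + pos + 4);
        pos += 8;
        if (cksize > len - pos)                   /* bound 1: inside the file */
            return AIFF_ERR_CHUNK;
        if (memcmp(id, "COMM", 4) == 0) {
            if (cksize < 18 || cksize > HDR_BUF)  /* bound 2: fits the buffer */
                return AIFF_ERR_CHUNK;
            memcpy(scratch, buf + pos, cksize);
            out->channels = be16(scratch);
            out->frames = be32(scratch + 2);
            out->bits = be16(scratch + 6);
            have_comm = 1;
        }
        pos += cksize + (cksize & 1u);            /* bodies are padded to even length */
    }
    return have_comm ? AIFF_OK : AIFF_ERR_NOCOMM;
}

/* Constructed sample: a minimal mono 16-bit 44100 Hz AIFF with an empty SSND
 * chunk (54 bytes; the COMM length field sits at offset 16). */
static const uint8_t VALID_AIFF[54] = {
    'F','O','R','M', 0,0,0,46, 'A','I','F','F',
    'C','O','M','M', 0,0,0,18,
    0,1, 0,0,0,0, 0,16,                  /* channels=1, frames=0, bits=16 */
    0x40,0x0E,0xAC,0x44,0,0,0,0,0,0,     /* 44100 as 80-bit extended float */
    'S','S','N','D', 0,0,0,8, 0,0,0,0, 0,0,0,0
};

int demo_valid(struct aiff_comm *out)
{
    return aiff_parse(VALID_AIFF, sizeof VALID_AIFF, out);
}

/* Same bytes, but the COMM length field rewritten to 0xFFFFFFF0: the chunk
 * claims far more bytes than the file holds, so bound 1 rejects it. */
int demo_crafted(void)
{
    uint8_t f[sizeof VALID_AIFF];
    struct aiff_comm c;
    memcpy(f, VALID_AIFF, sizeof f);
    f[16] = 0xFF; f[17] = 0xFF; f[18] = 0xFF; f[19] = 0xF0;
    return aiff_parse(f, sizeof f, &c);
}

/* A 100-byte COMM body that really is present in the file, so bound 1 passes,
 * but that would still overrun the 64-byte scratch buffer; bound 2 rejects it. */
int demo_oversize_comm(void)
{
    uint8_t f[12 + 8 + 100] = {0};
    struct aiff_comm c;
    memcpy(f, "FORM\0\0\0\0AIFF", 12);
    memcpy(f + 12, "COMM\0\0\0\x64", 8);  /* ckSize = 100 */
    return aiff_parse(f, sizeof f, &c);
}

int main(void)
{
    struct aiff_comm c;
    int rc = demo_valid(&c);
    printf("valid=%d ch=%u bits=%u crafted=%d oversize=%d\n", rc, (unsigned)c.channels,
           (unsigned)c.bits, demo_crafted(), demo_oversize_comm());
    return 0;
}
```

The second bound is the one that matters for the heap case: a length that fits inside the file still overruns a destination buffer that was sized for the largest legitimate header, so checking only against the remaining input is not enough.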
David Walser 2015-11-18 17:11:26 CET
URL: http://lwn.net/Vulnerabilities/664650/ => http://lwn.net/Vulnerabilities/664646/

Oops, forgot to assign to QA. See comment 2 for advisory, packages, and PoC link.

Assignee: bugsquad => qa-bugs

Testing this on x86_64 in mga5.

https://bugzilla.suse.com/show_bug.cgi?id=953516 leads to:
https://packetstormsecurity.com/files/133926/libsndfile-1.0.25-Heap-Overflow.html

The latter contains a perl script (see attachment above) which can be used to generate an AIFF (Audio Interchange File Format) file called nemux.aiff.

$ perl poc.pl

To demonstrate the proof of concept:

$ paplay nemux.aiff
Result = Segmentation fault

Installed lib64sndfile1 lib64sndfile-devel lib64sndfile-static-devel libsndfile-progs

$ paplay nemux.aiff
Failed to open audio file.

CC: (none) => tarazed25

Created attachment 7219 [details]
Perl script for PoC

$ perl poc.pl # generates nemux.aiff
$ paplay nemux.aiff

Looking back at bug 14961 was useful.

$ sox marseillaise.wav anthem.aiff
$ paplay anthem.aiff

No problem. This seems a better, i.e. easier, approach than nemux.aiff.
Marking this as good for 64 bits. Moving over to vbox to test i586.

Len Lawrence 2015-11-20 01:27:16 CET
Whiteboard: (none) => has_procedure MGA5-64-OK

mga5 i586 in vbox Mate

When I used the poc.pl script it came up with an error:
Invalid type 'Q' in pack at poc.pl line 113.
So I used the nemux.aiff file copied from the host system.

$ paplay nemux.aiff
Segmentation fault

$ sox OrganConcerto_7.2_A_major.wav handel.aiff
$ paplay handel.aiff

That works fine. Updates installed.

$ paplay nemux.aiff
Failed to open audio file.
$ paplay handel.aiff

That runs fine.

I am uploading an strace of 'paplay nemux.aiff' in case it is of any interest. It looks like it opens all the library files OK, then goes into a very long seek loop of some kind and finishes up trying to find pulseaudio.mo (does not exist here).

Created attachment 7220 [details]
strace capture from paplay with PoC file

$ strace -o strace.out paplay nemux.aiff

In audacity there is no waveform for nemux so I suppose, as it is not an audio file, we should not expect it to play.
Passing this for i586 as well. Leaving the validation for the moment in case someone disagrees.

Good job Len. Confirmed also that paplay uses libsndfile.

$ urpmf paplay
pulseaudio-utils:/usr/bin/paplay
$ urpmq --requires pulseaudio-utils | grep sndfile
libsndfile.so.1()(64bit)
libsndfile.so.1(libsndfile.so.1.0)(64bit)

You can validate this one.

Thanks Claire.

Keywords: (none) => validated_update

Dave Hodgins 2015-11-20 19:22:21 CET
CC: (none) => davidwhodgins

An update for this issue has been pushed to Mageia Updates repository.
http://advisories.mageia.org/MGASA-2015-0455.html

Status: NEW => RESOLVED