| Summary: | libsndfile new security issues CVE-2017-758[56], CVE-2017-774[12], and CVE-2017-836[1235] | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | herman.viaene, lewyssmith, marja11, sysadmin-bugs |
| Version: | 5 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA5-32-OK advisory MGA5-64-OK | ||
| Source RPM: | libsndfile-1.0.27-1.mga6.src.rpm | CVE: | |
| Status comment: | |||
|
Description
David Walser
2017-04-14 21:36:10 CEST
David Walser
2017-04-14 21:37:07 CEST
Whiteboard:
(none) =>
MGA5TOO

Two more security issues fixed in libsndfile 1.0.28 have been announced:
http://openwall.com/lists/oss-security/2017/04/13/3

Summary:
libsndfile new security issues CVE-2017-7585 and CVE-2017-7586 =>
libsndfile new security issues CVE-2017-758[56] and CVE-2017-774[12]

Assigning to all packagers collectively, since there is no registered maintainer for this package.

CC:
(none) =>
marja11

openSUSE has issued an advisory for this on April 26:
https://lists.opensuse.org/opensuse-updates/2017-04/msg00096.html

CVE-2017-836[1235]:
http://openwall.com/lists/oss-security/2017/05/01/1
http://openwall.com/lists/oss-security/2017/05/01/2
http://openwall.com/lists/oss-security/2017/05/01/3
http://openwall.com/lists/oss-security/2017/05/01/5

Summary:
libsndfile new security issues CVE-2017-758[56] and CVE-2017-774[12] =>
libsndfile new security issues CVE-2017-758[56], CVE-2017-774[12], and CVE-2017-836[1235]

openSUSE has issued an advisory for this today (May 28):
https://lists.opensuse.org/opensuse-updates/2017-05/msg00095.html

Ubuntu has issued an advisory for this on June 1:
https://www.ubuntu.com/usn/usn-3306-1/

CVE-2017-758[56] and CVE-2017-774[12] fixed in 1.0.28 and this openSUSE commit:
https://build.opensuse.org/package/rdiff/openSUSE:Leap:42.3/libsndfile?linkrev=base&rev=9

CVE-2017-836[1235] fixed post-1.0.28 and in this openSUSE commit:
https://build.opensuse.org/package/rdiff/openSUSE:Leap:42.2:Update/libsndfile?linkrev=base&rev=2

Patched packages uploaded for Mageia 5 and Cauldron.

Advisory:
========================

Updated libsndfile packages fix security vulnerabilities:

A stack-based buffer overflow via a specially crafted FLAC file due to an error in the header_read() function (CVE-2017-7586).

Several stack-based buffer overflows via a specially crafted FLAC file due to an error in the flac_buffer_copy() function (CVE-2017-7585, CVE-2017-7741, CVE-2017-7742).

Global buffer overflow in flac_buffer_copy() (CVE-2017-8361).

Invalid memory read in flac_buffer_copy() (CVE-2017-8362).

Heap-based buffer overflow in flac_buffer_copy() (CVE-2017-8363).

Stack-based buffer overflows via specially crafted FLAC files (CVE-2017-7585, CVE-2017-7741, CVE-2017-7742).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7585
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7586
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7741
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7742
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8361
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8362
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8363
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8365
https://lists.opensuse.org/opensuse-updates/2017-04/msg00096.html
https://lists.opensuse.org/opensuse-updates/2017-05/msg00095.html
========================

Updated packages in core/updates_testing:
========================
libsndfile1-1.0.25-9.2.mga5
libsndfile-devel-1.0.25-9.2.mga5
libsndfile-static-devel-1.0.25-9.2.mga5
libsndfile-progs-1.0.25-9.2.mga5

from libsndfile-1.0.25-9.2.mga5.src.rpm

Whiteboard:
MGA5TOO =>
(none)

MGA-32 on Asus A6000VM Xfce
No installation issues
Note: for some reason, pulseaudio does not run on this rig, too lazy to find out why.
Took inspiration from bug 17163 Comment 7, so at CLI:
$ sox Yorkscher\ Marsch.wav York.aiff
$ strace -o /home/tester5/Documenten/parole.txt parole York.aiff
plays music OK and checked in trace that libsnd was called upon: OK

Whiteboard:
(none) =>
MGA5-32-OK

Advisory taken from Comment 8. Note:
- CVE-2017-7585, CVE-2017-7741, CVE-2017-7742 were cited twice. Corrected.
- CVE-2017-8365 has no equivalent text in the description. Await same.

Whiteboard:
MGA5-32-OK =>
MGA5-32-OK advisory

Hehe. Whoops.

Advisory:
========================

Updated libsndfile packages fix security vulnerabilities:

A stack-based buffer overflow via a specially crafted FLAC file due to an error in the header_read() function (CVE-2017-7586).

Several stack-based buffer overflows via a specially crafted FLAC file due to an error in the flac_buffer_copy() function (CVE-2017-7585, CVE-2017-7741, CVE-2017-7742).

Global buffer overflow in flac_buffer_copy() (CVE-2017-8361).

Invalid memory read in flac_buffer_copy() (CVE-2017-8362).

Heap-based buffer overflow in flac_buffer_copy() (CVE-2017-8363).

The i2les_array function in pcm.c in libsndfile 1.0.28 allows remote attackers to cause a denial of service (buffer over-read and application crash) via a crafted audio file (CVE-2017-8365).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7585
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7586
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7741
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7742
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8361
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8362
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8363
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8365
https://lists.opensuse.org/opensuse-updates/2017-04/msg00096.html
https://lists.opensuse.org/opensuse-updates/2017-05/msg00095.html

Thanks David. Advisory description updated with the last paragraph.

Testing M5 64-bit
I installed the progs for their programs: sndfile-cmp, sndfile-concat, sndfile-convert, sndfile-deinterleave, sndfile-info, sndfile-interleave, sndfile-metadata-get, sndfile-metadata-set, sndfile-play, sndfile-regtest, sndfile-salvage
all of which have man entries; with more detailed info for some commands --help.
BEFORE update: libsndfile-progs-1.0.25-9.1.mga5 lib64sndfile1-1.0.25-9.1.mga5
$ sndfile-info BachKBconcerto.ogg
$ sndfile-info BachKBconcerto.wav
$ sndfile-info track1.flac
All produced good info.
$ sndfile-info track2.mp3
Version : libsndfile-1.0.25
Error : Not able to open input file track2.mp3.
File : track2.mp3
Length : 3611989
File contains data in an unknown format.
$ sndfile-play BachKBconcerto.ogg
$ sndfile-play BachKBconcerto.wav
$ sndfile-play track1.flac
All played correctly.
Playing with some conversions was less good. Without going overboard, I only got WAV-to-something accepted.
$ sndfile-convert BachKBconcerto.ogg ~/tmp/BachKBconcerto.aif
Error : output file format is invalid (0x00020060).
$ sndfile-convert BachKBconcerto.ogg ~/tmp/BachKBconcerto.flac
Error : output file format is invalid (0x00170060).
$ sndfile-convert BachKBconcerto.wav ~/tmp/BachKBconcerto.oga [in --help]
Error : output file format is invalid (0x00200002).
$ sndfile-convert BachKBconcerto.wav ~/tmp/BachKBconcerto.aif
$ sndfile-convert BachKBconcerto.wav ~/tmp/BachKBconcerto.ogg
Both converted files played correctly.
All 3 programs tried *do* call the library:
open("/lib64/libsndfile.so.1", O_RDONLY|O_CLOEXEC) = 3
------------------------------------------------------
AFTER update: lib64sndfile1-1.0.25-9.2.mga5 libsndfile-progs-1.0.25-9.2.mga5
Repeating exactly all the previous commands, failures included, produced identical output. The update looks good. OK and validating.

Keywords:
(none) =>
validated_update
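
Added example, not part of the original bug report or the testers' own commands: a shell sketch of the two checks the QA comments above rely on, namely confirming from an strace log that libsndfile was really loaded (32-bit and 64-bit tests) and recording command output so the before-update and after-update runs can be compared (64-bit test). The function names `lib_loaded` and `record_run` are hypothetical, and the first line of the sample trace is constructed.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not from the bug report.

# lib_loaded TRACE LIBNAME
# Succeeds if TRACE (written by "strace -o", without -f) has an open()/openat()
# of a file whose basename starts with LIBNAME and that returned a descriptor.
# Failed search-path probes (= -1 ENOENT) do not count. Prints the path found.
lib_loaded() {
    awk -v lib="$2" '
        /^(open|openat)\(/ {
            if (split($0, q, "\"") < 3) next      # q[2] = first quoted string = path
            n = split(q[2], parts, "/")
            if (index(parts[n], lib) != 1) next   # basename must start with lib
            ret = $0
            sub(/.* = /, "", ret)                 # keep what follows the last " = "
            if (ret ~ /^[0-9]+/) { print q[2]; found = 1; exit }
        }
        END { exit !found }
    ' "$1"
}

# record_run LOG CMD [ARGS...]
# Appends the command line, its stdout+stderr and its exit status to LOG, so a
# log taken before the update can be compared with one taken after it,
# expected failures included.
record_run() {
    log=$1; shift
    rc=0
    {
        printf '$ %s\n' "$*"
        "$@" 2>&1 || rc=$?
        printf '[exit %s]\n' "$rc"
    } >> "$log"
}

# Constructed sample trace: the first line is an invented failed probe, the
# second is the open() line quoted in the 64-bit test comment.
trace=$(mktemp)
cat > "$trace" <<'EOF'
open("/usr/lib64/tls/libsndfile.so.1", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/lib64/libsndfile.so.1", O_RDONLY|O_CLOEXEC) = 3
EOF
lib_loaded "$trace" libsndfile.so && echo "libsndfile was loaded"
```

Running `record_run before.log sndfile-info track1.flac` for each test command before the update, the same into `after.log` afterwards, and then `diff before.log after.log` reproduces the comparison described in the 64-bit test.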
Lewis Smith
2017-06-10 20:48:27 CEST
Whiteboard:
MGA5-32-OK advisory MGA5664-OK =>
MGA5-32-OK advisory MGA5-64-OK

An update for this issue has been pushed to the Mageia Updates repository.
http://advisories.mageia.org/MGASA-2017-0168.html

Resolution:
(none) =>
FIXED |