| Summary: | sox new security issues CVE-2017-11332, CVE-2017-1135[89], CVE-2017-15372 and CVE-2017-15642, CVE-2017-18189 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | lists.jjorge, marja11, sysadmin-bugs, tarazed25 |
| Version: | 6 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA5TOO MGA6-64-OK MGA5-64-OK | ||
| Source RPM: | sox-14.4.2-7.1.mga6.src.rpm | CVE: | |
| Status comment: | Patches available from Fedora and openSUSE | ||
| Attachments: | 6 test files for the CVEs in this bug | ||
Description

David Walser, 2018-02-16 21:47:44 CET

David Walser, 2018-02-16 21:47:51 CET
Whiteboard: (none) => MGA6TOO

David Walser, 2018-02-16 21:50:16 CET
Status comment: (none) => Patches available from Fedora

Marja Van Waes, 2018-02-18 07:23:39 CET
Assignee: bugsquad => lists.jjorge

openSUSE has issued an advisory for this on February 20:
https://lists.opensuse.org/opensuse-updates/2018-02/msg00077.html

It also fixes four new issues.

Summary: sox new security issues CVE-2017-15372 and CVE-2017-15642 => sox new security issues CVE-2017-11332, CVE-2017-1135[89], CVE-2017-15372 and CVE-2017-15642, CVE-2017-18189

Finally I have found time for this.

Suggested advisory:

This update for sox fixes the following security issues:

* CVE-2017-11332: Fixed the startread function in wav.c, which allowed remote attackers to cause a DoS (divide-by-zero) via a crafted wav file.
* CVE-2017-11358: Fixed the read_samples function in hcom.c, which allowed remote attackers to cause a DoS (invalid memory read) via a crafted hcom file.
* CVE-2017-11359: Fixed the wavwritehdr function in wav.c, which allowed remote attackers to cause a DoS (divide-by-zero) when converting a crafted snd file to a wav file.
* CVE-2017-15372: Fixed a stack-based buffer overflow in the lsx_ms_adpcm_block_expand_i function of adpcm.c, which allowed remote attackers to cause a DoS during conversion of a crafted audio file.
* CVE-2017-15642: Fixed a Use-After-Free vulnerability in lsx_aiffstartread in aiff.c, which could be triggered by an attacker by providing a malformed AIFF file.

RPMS:
sox-14.4.2-7.2.mga6.x86_64.rpm
lib64sox3-14.4.2-7.2.mga6.x86_64.rpm
lib64sox-devel-14.4.2-7.2.mga6.x86_64.rpm

The same for i586, only SRPM is sox-14.4.2-7.2.mga6.srpm.

Thanks QA for testing.

Version: Cauldron => 6

We're missing a patch for CVE-2017-18189, which openSUSE fixed. It may also be the 0012-xa-validate-channel-count.patch from Debian, but compare with openSUSE.

The patches added so far do apply to Mageia 5, so adding that too.

Whiteboard: (none) => MGA5TOO

Mageia 6, x86_64

Investigating the PoCs for this.

CC: (none) => tarazed25

Hanging fire on this one until the patch referred to in comment 3 is in place.

Meanwhile, pre-updates, the PoCs generated errors in line with those posted upstream.
http://seclists.org/fulldisclosure/2017/Jul/81

CVE-2017-11332
```
$ sox sox_14.4.2_divide_by_zero_error_1.wav out.ogg
Floating point exception (core dumped)
```

CVE-2017-11358
```
$ sox sox_14.4.2_invalid_memory_read.hcom out.wav
Segmentation fault (core dumped)
```

CVE-2017-11359
```
$ sox sox_14.4.2_divide_by_zero_error_2.snd out.wav
sox WARN formats_i: `sox_14.4.2_divide_by_zero_error_2.snd': file header gives the total number of samples as 1335 but file length indicates the number is in fact 1437
Floating point exception (core dumped)
```

CVE-2017-15372
```
$ sox 01-stack-overflow out.snd
Segmentation fault (core dumped)
```

CVE-2017-15642
https://bugzilla.suse.com/show_bug.cgi?id=1064576
```
$ file crash00
crash00: IFF data, AIFF audio
$ sox -D -V -V crash00 /dev/null
..............
sox INFO formats: detected file format type `aiff'
*** Error in `sox': double free or corruption (fasttop): 0x000000000081ea50 ***
..............
Aborted (core dumped)
```

CVE-2017-18189
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=881121
```
$ sox poc.aiff output.aiff speed 1.027
Segmentation fault (core dumped)
```

Mageia 5, x86_64

Pre-updates:
```
$ rpm -qa | grep sox
sox-14.4.1-6.1.mga5
lib64sox-devel-14.4.1-6.1.mga5
lib64sox2-14.4.1-6.1.mga5
```

Ran the PoC tests for the six CVEs listed in comments 2 and 3. These generated the same segfaults, FPEs and aborts as before.
Continuing testing from comment 5, Mageia 6 PoC tests in order of CVE numbers:

```
$ sox sox_14.4.2_divide_by_zero_error_1.wav out.ogg
sox FAIL formats: can't open input file `sox_14.4.2_divide_by_zero_error_1.wav': Channel count is zero

$ sox sox_14.4.2_invalid_memory_read.hcom out.wav
sox FAIL formats: can't open input file `sox_14.4.2_invalid_memory_read.hcom': Invalid dictionary

$ sox sox_14.4.2_divide_by_zero_error_2.snd out.wav
sox WARN formats_i: `sox_14.4.2_divide_by_zero_error_2.snd': file header gives the total number of samples as 1335 but file length indicates the number is in fact 1437
sox FAIL formats: can't open output file `out.wav': Too many channels (4009754624)

$ sox 01-stack-overflow out.snd
sox WARN wav: MSADPCM bpred >= nCoef, arbitrarily using 0
sox WARN wav: Premature EOF on .wav input file

$ sox -D -V -V crash00 /dev/null
sox: SoX v14.4.2
time: Apr 11 2018 15:31:16
issue: Mageia
uname: Linux difda 4.14.30-desktop-3.mga6 #1 SMP Sun Mar 25 22:17:31 UTC 2018 x86_64
compiler: gcc 5.5.0
arch: 1288 48 88 L OMP
sox INFO formats: detected file format type `aiff'
sox DBUG aiff: Comment: ""
sox DBUG aiff: Comment: "(null)"
sox DBUG aiff: AIFFstartread: ignoring `��' chunk
sox DBUG aiff: AIFFstartread: ignoring `' chunk
sox DBUG aiff: AIFFstartread: ignoring `' chunk
sox DBUG aiff: AIFFstartread: ignoring `' chunk
sox DBUG aiff: Annotation: "Aion 4"
sox DBUG aiff: Name: "mensaje.8svx"
sox DBUG aiff: Annotation: ""
sox DBUG aiff: AIFFstartread: ignoring `diti' chunk
sox FAIL formats: can't open input file `crash00': AIFF: no sound data on input file
```

These tests indicate that all the fault conditions are well-handled.

Played several music files with different formats with no problems.

```
$ play DanseDuRoy.mp3

DanseDuRoy.mp3:

 File Size: 2.39M     Bit Rate: 128k
  Encoding: MPEG audio
  Channels: 2 @ 16-bit
Samplerate: 44100Hz
Replaygain: off
  Duration: 00:02:29.55

In:100%  00:02:29.52 [00:00:00.03] Out:6.59M  [      |      ] Clip:0
Done.
```

```
$ strace play RedRedWine.ogg 2> trace.1
$ grep sox trace.1
open("/lib64/libsox.so.3", O_RDONLY|O_CLOEXEC) = 3
open("/usr/lib64/sox", O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
readlink("/proc/self/exe", "/usr/bin/sox", 99) = 12
```

mp3, ogg, wav, flac files all played fine.

sox also coped with the m3u playlist format:

```
$ play SteeleyeSpan.m3u
/home/lcl/Music/wav/steeleyespan/AllAroundMyHat.wav:
..............
..............
<Ctrl-C to skip to next track>
/home/lcl/Music/wav/steeleyespan/TheElfKnight.wav:
..............
```

This is OK for 64 bits.

Whiteboard: MGA5TOO => MGA5TOO MGA6-64-OK

Urggh! Too late at night again. Feedback marker still in place so CVE-2017-18189 patch still needs to be applied.

s/all the fault conditions are well-handled/the first five CVEs are covered/

Whiteboard: MGA5TOO MGA6-64-OK => MGA5TOO

(In reply to Len Lawrence from comment #8)
> Urggh! Too late at night again. Feedback marker still in place so
> CVE-2017-18189 patch still needs to be applied.
>
> s/all the fault conditions are well-handled/the first five CVEs are covered/

Well, I cannot find SUSE patch for CVE-2017-18189 upstream, looks like their site does not return anything from the link they give. I suggest we push this update as is.

Keywords: feedback => (none)

Len showed a segfault, and openSUSE patches are not hard to find:
https://build.opensuse.org/
Search for sox and look for 42.3:Update.

And like I said there's even a Debian patch you clearly skipped which should be compared to the openSUSE one.

Keywords: (none) => feedback

Fair enough David. I was going to do as you said but shall wait a little longer.

Whiteboard: MGA5TOO => MGA5TOO MGA6-64-OK

José added the patch in sox-14.4.1-6.3.mga5 and sox-14.4.2-7.3.mga6. Thanks!

Keywords: feedback => (none)

Created attachment 10103 [details]
6 test files for the CVEs in this bug

Additional to Len's invaluable PoC list in comment 5, the bug URL for CVE-2017-15372 is https://bugzilla.redhat.com/show_bug.cgi?id=1500553

This attachment has all 6 test files. See comment 5 for their use and pre-update results.

Testing M6/64 for the new package versions. This basically re-runs all that already done by Len c7.

BEFORE update: sox-14.4.2-7.1.mga6

All 6 tests failed exactly as in comment 5.

I was misled by comment 12, so overlooked the library... Everything failed as before until that was updated as well.

AFTER update:
lib64sox3-14.4.2-7.3.mga6
sox-14.4.2-7.3.mga6

All the test results were then as per comment 7, plus that for CVE-2017-18189. They are all good. c7 has extra usage testing which I did not repeat.

```
$ sox -D -V -V crash00 /dev/null
```
See c7.

```
$ sox poc.aiff output.aiff speed 1.027
sox FAIL formats: can't open input file `poc.aiff': invalid channel count 0
```
(This is the only one not in comment 7).

```
$ sox 01-stack-overflow out.snd
sox WARN wav: MSADPCM bpred >= nCoef, arbitrarily using 0
sox WARN wav: Premature EOF on .wav input file

$ sox sox_14.4.2_divide_by_zero_error_1.wav out.ogg
sox FAIL formats: can't open input file `sox_14.4.2_divide_by_zero_error_1.wav': Channel count is zero
```

```
$ sox sox_14.4.2_divide_by_zero_error_2.snd out.wav
```
See c7.

```
$ sox sox_14.4.2_invalid_memory_read.hcom out.wav
sox FAIL formats: can't open input file `sox_14.4.2_invalid_memory_read.hcom': Invalid dictionary
```

So the M6/64 OK is valid for all the CVEs.

Thanks for the rerun and extra research Lewis. I shall do mga5 tomorrow.

M5 x64

I do not think you will mind seeing it done. You had lined up everything so well, done all the work.

BEFORE update:
lib64sox2-14.4.1-6.1.mga5
sox-14.4.1-6.1.mga5

Copying comment 5, all 6 PoCs failed similarly.

AFTER update:
- lib64sox2-14.4.1-6.3.mga5.x86_64
- sox-14.4.1-6.3.mga5.x86_64

Re-running all six tests gave 'correct' results as per c5 and c14.
OKing & validating. Advisory to come.

Keywords: (none) => validated_update

Advisory done from comment 2 + bug RPMs link + the page for CVE-2017-18189.

Keywords: (none) => advisory

I ran the mga5 tests before seeing your comment Lewis. They confirm your results anyway. Thanks.

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2018-0211.html

Resolution: (none) => FIXED