| Summary: | libsndfile new security issues CVE-2017-1745[67] and CVE-2018-13139 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | herman.viaene, marja11, mhrambo3501, sysadmin-bugs, tarazed25, tmb |
| Version: | 6 | Keywords: | advisory, has_procedure, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA6-64-OK MGA6-32-OK | ||
| Source RPM: | libsndfile-1.0.28-5.mga7.src.rpm | CVE: | |
| Status comment: | |||
|
Description
David Walser
2018-08-02 17:45:09 CEST
David Walser
2018-08-02 17:45:19 CEST
Whiteboard: (none) => MGA6TOO

Assigning to all packagers collectively, since there is no registered maintainer for this package. CC'ing Mike.

CC: (none) => marja11, mrambo

openSUSE has issued an advisory for this today (August 6):
https://lists.opensuse.org/opensuse-updates/2018-08/msg00024.html

Patched package uploaded for cauldron and Mageia 6.

Advisory:
========================

Updated libsndfile package fixes security vulnerabilities:

The function d2alaw_array() in alaw.c of libsndfile 1.0.29pre1 may lead to a remote DoS attack (CVE-2017-17456).

The function d2ulaw_array() in ulaw.c of libsndfile 1.0.29pre1 may lead to a remote DoS attack (CVE-2017-17457).

A stack-based buffer overflow in psf_memset in common.c in libsndfile 1.0.28 allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted audio file (CVE-2018-13139).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17456
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17457
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13139
http://lists.suse.com/pipermail/sle-security-updates/2018-July/004311.html
========================

Updated packages in core/updates_testing:
========================
lib64sndfile1-1.0.28-3.3.mga6
lib64sndfile-devel-1.0.28-3.3.mga6
lib64sndfile-static-devel-1.0.28-3.3.mga6
libsndfile-progs-1.0.28-3.3.mga6

from libsndfile-1.0.28-3.3.mga6.src.rpm

Test procedure:
https://bugs.mageia.org/show_bug.cgi?id=21138#c3

Whiteboard: MGA6TOO => (none)

Mageia 6, x86_64
Before updating:
Ran the PoC tests - results below.
No problems with these commands:
$ sndfile-play organ7-2-1.wav
$ sndfile-info CherryOhBaby.ogg
$ sndfile-deinterleave AnElizabethanSuite.flac
After updating:
Experimented with libsndfile-progs:
$ sndfile-deinterleave AnElizabethanSuite.flac
Input file : AnElizabethanSuite
Output files :
AnElizabethanSuite_00.flac
AnElizabethanSuite_01.flac
These appeared to be valid FLAC files, basically the same music but
sounding somewhat different.
$ sndfile-play LaGazzaLadra.wav
Playing OK...
$ sndfile-info RedRedWine.ogg
========================================
File : RedRedWine.ogg
Length : 3458621
Ogg stream data : Vorbis
[...]
Duration : 00:03:03.787
Signal Max : 0.890792 (-91.31 dB)
OGG, WAV and FLAC formats play fine but MP3 files do not, which was the
case before updating also.
$ sndfile-play ElBarberilloDoLavaples.mp3
Playing ElBarberilloDoLavaples.mp3
File contains data in an unknown format.
PoC report
----------
Before update:
CVE-2017-1745{6,7}
https://github.com/erikd/libsndfile/issues/344
$ sndfile-convert -alaw id:000000,sig:11,src:000024,op:flip2,pos:34 1.raw
Error: Not able to decode input file id:000000,sig:11,src:000024,op:flip2,pos:34.
One empty file generated - 1.raw.
CVE-2018-13139
https://github.com/erikd/libsndfile/issues/397
$ sndfile-deinterleave poc
Input file : poc
Output files :
poc_00
poc_01
[...]
poc_243
poc_244
Segmentation fault (core dumped)
All 245 58-byte output files were there.
$ rm -f poc_*
After the update:
The CVE-2017-1745* test returned the same error; the case is handled
tidily, which indicates that the problem had already been fixed.
$ sndfile-convert -alaw id:000000,sig:11,src:000024,op:flip2,pos:34 1.raw
Error : Not able to decode input file id:000000,sig:11,src:000024,op:flip2,pos:34.
CVE-2018-13139
$ sndfile-deinterleave poc
Error : Too many channels 245 in input file 'poc'.
That is a good result - issue fixed.
This is fine for 64-bit.

CC: (none) => tarazed25

MGA6-32 MATE on IBM Thinkpad R50e
No installation issues
At CLI:
$ sndfile-play 02\ Zapfenstreich.wav
plays OK
$ sndfile-play 02\ Zapfenstreich.mp3
Playing 02 Zapfenstreich.mp3
File contains data in an unknown format.
which is consistent with before
$ sndfile-play 02-1963-Trini\ Lopez\ -\ If\ I\ Had\ A\ Hammer.ogg
plays OK
$ sndfile-deinterleave 01Wellington\'s\ Sieg.wav
$ sndfile-deinterleave 01Wellington\'s\ Sieg.wav
Input file : 01Wellington's Sieg
Output files :
01Wellington's Sieg_00.wav
01Wellington's Sieg_01.wav
That's what the command is supposed to do, create two mono files from a single stereo file.
$ sndfile-info 03-1971-Michel\ Delpech\ -\ Pour\ Un\ Flirt.ogg
========================================
File : 03-1971-Michel Delpech - Pour Un Flirt.ogg
Length : 3990120
Ogg stream data : Vorbis
Stream serialno : 1293677773
Vorbis library version : Xiph.Org libVorbis 1.3.5
Bitstream is 2 channel, -5190873559567651772 Hz
Encoded by : Xiph.Org libVorbis I 20150105 (⛄⛄⛄⛄)
Metadata :
Title : Pour Un Flirt
Album : De Pre Historie 1971
Tracknumber : 6/20
Genre : Pop
End
----------------------------------------
Sample Rate : 44100
Frames : 9029376
Channels : 2
Format : 0x00200060
Sections : 1
Seekable : TRUE
Duration : 00:03:24.748
Signal Max : 0.885736 (-91.36 dB)
Looks all good to me.

CC: (none) => herman.viaene

Thanks Herman - validating this.

CC: (none) => sysadmin-bugs

Advisory added to svn

Keywords: (none) => advisory

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2018-0336.html

Status: NEW => RESOLVED

*** Bug 28227 has been marked as a duplicate of this bug. ***

This update also fixed CVE-2018-19432:
https://ubuntu.com/security/notices/USN-4704-1
https://security-tracker.debian.org/tracker/CVE-2018-19432

Resolution: FIXED => (none)

.

Status: UNCONFIRMED => RESOLVED

$ rpm -q lib64sndfile1
lib64sndfile1-1.0.28-8.2.mga7

Too late to check the PoC before update.

CVE-2018-19432
https://github.com/libsndfile/libsndfile/issues/427
$ sndfile-deinterleave oob_sf_write_int:2257
Error : Too many channels 255 in input file 'oob_sf_write_int:2257'.

The downloaded test file has a different name from the one quoted in the upstream report but the result looks good anyway. Don't know if this helps.
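The validation reports in this bug run each PoC input through the sndfile tools by hand, before and after the update, and judge the result by whether the tool segfaults ("Segmentation fault (core dumped)") or fails cleanly ("Error : Too many channels 245 in input file 'poc'."). The harness below scripts that comparison. It is an added example, not part of the bug report, of Mageia QA tooling or of libsndfile: it classifies each run by exit status alone (128+N means the process was killed by signal N, so 139 is SIGSEGV), so it works for any command-line tool. The tool names, file names and the stand-in commands in the demonstration are constructed for illustration; nothing below requires libsndfile to be installed.

```shell
#!/bin/sh
# Added example (not from the Mageia bug or the libsndfile project): script the
# before/after PoC comparison that the QA reports above did by hand.
# Each invocation is classified by how the tool terminated:
#   ok      exit status 0
#   error   non-zero exit status below 128, i.e. a handled failure such as
#           "Error : Too many channels 245 in input file 'poc'."
#   crash   exit status 128+N, i.e. the process was killed by signal N
#           (139 = SIGSEGV, the "Segmentation fault" seen before the update)

# classify_run COMMAND [ARG...]
# Runs the command with its output discarded and prints one word:
# ok, error or crash. Written with if/else so it is safe under set -e.
classify_run() {
    if "$@" >/dev/null 2>&1; then
        status=0
    else
        status=$?
    fi
    if [ "$status" -eq 0 ]; then
        echo ok
    elif [ "$status" -gt 128 ]; then
        echo crash
    else
        echo error
    fi
}

# run_suite reads one shell-quoted command line per line from stdin, prints
# "<result><TAB><command line>" for each, and returns 1 if any run crashed.
# Keeping the input as quoted command lines lets file names with spaces or
# apostrophes (as in the 32-bit report) be written exactly as at the prompt.
run_suite() {
    crashes=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        result=$(eval "classify_run $line")
        printf '%s\t%s\n' "$result" "$line"
        if [ "$result" = crash ]; then
            crashes=$((crashes + 1))
        fi
    done
    [ "$crashes" -eq 0 ]
}

# Constructed demonstration (stand-ins, not the sndfile tools or the PoC
# files): 'true' models a clean run, "sh -c 'exit 1'" models a handled error,
# and a shell that sends itself SIGSEGV models the pre-update crash.
# Against a real installation the list would instead hold lines such as:
#   sndfile-deinterleave poc
#   sndfile-convert -alaw 'id:000000,sig:11,src:000024,op:flip2,pos:34' 1.raw
printf '%s\n' \
    'true' \
    "sh -c 'exit 1'" \
    "sh -c 'kill -s SEGV \$\$'" | run_suite \
    || echo "at least one input crashed the tool; update not validated"
```

Run the same list once before and once after installing the update, save both outputs, and `diff` them: every line that moves from `crash` to `error` is a fix confirmed, and any line that moves the other way is a regression. For PoC inputs that can hang rather than crash, prefix each list entry with `timeout 30` so a stuck run is reported as a non-zero exit rather than blocking the suite.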