Bug 24752

Summary: libsndfile new security issue CVE-2018-19758
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: davidwhodgins, geiger.david68210, marja11, mhrambo3501, sysadmin-bugs, tarazed25
Version: 6Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA6-64-OK
Source RPM: libsndfile-1.0.28-7.mga7.src.rpm CVE:
Status comment:

Description David Walser 2019-05-03 20:39:45 CEST 
SUSE has issued an advisory on April 2:
http://lists.suse.com/pipermail/sle-security-updates/2019-April/005286.html

CVE-2018-19758 fix here: https://bugzilla.suse.com/show_bug.cgi?id=1117954

Mageia 6 is also affected.
David Walser 2019-05-03 20:39:51 CEST

Whiteboard: (none) => MGA6TOO

Comment 1 Marja Van Waes 2019-05-03 21:14:09 CEST 
Assigning to all packagers collectively, since there is no registered maintainer for this package.
Also CC'ing Mike

Assignee: bugsquad => pkg-bugs
CC: (none) => marja11, mrambo

Comment 2 David GEIGER 2019-05-04 05:07:13 CEST 
Fixed both mga6 and Cauldron!

CC: (none) => geiger.david68210

Comment 3 David Walser 2019-05-04 23:08:24 CEST 
Advisory:
========================

Updated libsndfile packages fix security vulnerability:

A heap-based buffer over-read at wav.c in wav_write_header that could be used
for a denial of service attack (CVE-2018-19758).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19758
http://lists.suse.com/pipermail/sle-security-updates/2019-April/005286.html
========================

Updated packages in core/updates_testing:
========================
libsndfile1-1.0.28-3.4.mga6
libsndfile-devel-1.0.28-3.4.mga6
libsndfile-static-devel-1.0.28-3.4.mga6
libsndfile-progs-1.0.28-3.4.mga6

from libsndfile-1.0.28-3.4.mga6.src.rpm

Whiteboard: MGA6TOO => (none)
Version: Cauldron => 6
Assignee: pkg-bugs => qa-bugs

Comment 4 Len Lawrence 2019-05-08 23:29:26 CEST 
mga6, x86_64

*before updates*
CVE-2018-19758
https://bugzilla.redhat.com/show_bug.cgi?id=1643812
$ unrar e poc0.rar
$ sndfile-convert poc0 a.wav
Segmentation fault (core dumped)

*after updates*
$ sndfile-convert poc0 a.wav
$

Tested libsndfile-progs:
$ sndfile-play WachetAuf.wav 
Playing WachetAuf.wav
$ sndfile-play AnElizabethanSuite.flac
Playing AnElizabethanSuite.flac
$ sndfile-play TheEarthDiesScreaming.ogg
Playing TheEarthDiesScreaming.ogg

mp3 files are not recognized.

Not all of the many file formats upported by libsndfile can be inter-converted.
Tried a few and found some that worked.
$ sndfile-convert TheWifeOfUshersWell.wav TheWifeOfUshersWell.aif
$ sndfile-play TheWifeOfUshersWell.aif
Playing TheWifeOfUshersWell.aif
$ sndfile-convert LongLankin.wav LongLankin.snd
lcl@difda:steeleyespan $ sndfile-play LongLankin.snd
Playing LongLankin.snd
$ sndfile-convert LammasTide.wav LammasTide.mat4
$ sndfile-play LammasTide.mat4
Playing LammasTide.mat4

$ sndfile-metadata-get --str-artist CherryOhBaby.ogg 
Artist               : UB40

$ sndfile-info Brandenburg-1-minuetto.wav
========================================
File : Brandenburg-1-minuetto.wav
Length : 88552844
RIFF : 88552836
[...]

$ sndfile-deinterleave SingSingAllTheEarth.wav
Input file : SingSingAllTheEarth
Output files :
    SingSingAllTheEarth_00.wav
    SingSingAllTheEarth_01.wav

Passing this for 64-bits.

CC: (none) => tarazed25

Len Lawrence 2019-05-08 23:30:11 CEST

Whiteboard: (none) => MGA6-64-OK

Comment 5 Dave Hodgins 2019-05-19 09:21:40 CEST 
Advisory committed to svn. Validating the update.

Keywords: (none) => advisory, validated_update
CC: (none) => davidwhodgins, sysadmin-bugs

Comment 6 Mageia Robot 2019-05-19 13:28:48 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0182.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED