| Summary: | libsndfile new security issue CVE-2019-3832 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | | |
| Priority: | Normal | CC: | geiger.david68210, marja11, mhrambo3501, sysadmin-bugs, tarazed25, tmb |
| Version: | 7 | Keywords: | advisory, has_procedure, validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | MGA7-64-OK | | |
| Source RPM: | libsndfile-1.0.28-8.mga7.src.rpm | CVE: | |
| Status comment: | | | |

Description
David Walser
2019-08-11 22:48:07 CEST
David Walser
2019-08-11 22:48:15 CEST
Whiteboard:
(none) =>
MGA7TOO, MGA6TOO

Assigning to all packagers collectively, since there is no registered maintainer for this package. Also CC'ing two submitters.

CC:
(none) =>
geiger.david68210, marja11, mrambo

Patched package uploaded for cauldron and Mageia 7.

Advisory:
========================

Updated libsndfile package fixes security vulnerability:

It was discovered that libsndfile incorrectly handled certain malformed files. A remote attacker could use this issue to cause libsndfile to crash, resulting in a denial of service, or possibly execute arbitrary code (CVE-2019-3832).

References:
https://www.cvedetails.com/cve/CVE-2019-3832/
https://usn.ubuntu.com/4013-1/
========================

Updated packages in core/updates_testing:
========================
lib64sndfile1-1.0.28-8.1.mga7.x86_64.rpm
lib64sndfile-devel-1.0.28-8.1.mga7.x86_64.rpm
libsndfile-progs-1.0.28-8.1.mga7.x86_64.rpm

from libsndfile-1.0.28-8.1.mga7.src.rpm

Test procedure: https://bugs.mageia.org/show_bug.cgi?id=21138#c3

Assignee:
pkg-bugs =>
qa-bugs

Mageia 7, x86_64

There is a PoC for this but the result does not confirm the issue for the pre-update software so it may have been fixed already. Some of the discussion hints that the PoC may or may not work.

CVE-2018-19758
https://github.com/erikd/libsndfile/issues/456

Before update:
$ sndfile-convert ./incomplete-fix-CVE-2018-19758 out.wav
No errors and an output file was produced. Nor were any errors reported under valgrind.
$ file out.wav
out.wav: RIFF (little-endian) data, WAVE audio, Microsoft PCM, 16 bit, stereo 22001 Hz

Updated the three packages.
Ran the PoC. New output file generated.

Referred to earlier bug for tests.

$ sndfile-info LaProcession.mp3
Error : Not able to open input file LaProcession.mp3.
File : LaProcession.mp3
Length : 5172869
File contains data in an unknown format.

sndfile-info JoyToTheWorld.ogg
========================================
File : JoyToTheWorld.ogg
Length : 1569245
Ogg stream data : Vorbis
Stream serialno : 446343195
Vorbis library version : Xiph.Org libVorbis 1.3.6
Bitstream is 2 channel, 44100 Hz
Encoded by : Xiph.Org libVorbis I 20070622
End
----------------------------------------
Sample Rate : 44100
Frames : 4050732
Channels : 2
Format : 0x00200060
Sections : 1
Seekable : TRUE
Duration : 00:01:31.853
Signal Max : 0.359192 (-99.20 dB)

Similar good data returned for flac and wav files.

Conversions:
$ sndfile-convert RedRedWine.ogg RedRedWine.aif
Error : output file format is invalid.
The 'AIFF' container does not support 'Vorbis' codec data.
Run 'sndfile-convert --help' for clues.

$ sndfile-convert LammasTide.wav LammasTide.flac
The conversion worked and the output flac file played perfectly.
wav to ogg conversions fail - The 'OGG' container does not support '16 bit PCM' codec data.
The -pcm16 switch does not help.

$ sndfile-convert LongLankin.wav LongLankin.aif
That works - output plays fine.

$ sndfile-convert --help
That lists all the supported encodings and output formats.

$ sndfile-convert -vorbis 'Bad Moon Rising.wav' BadMoonRising.ogg
$ sndfile-play BadMoonRising.wav
That worked fine so did a MAT4 formatted file.

It all works well. 64-bit OK.

CC:
(none) =>
tarazed25

Garrh! Comment #3 should have said CVE-2019-3832. Cut and paste error - the earlier CVE was referred to.
Thomas Backlund
2019-10-23 20:23:34 CEST
Keywords:
(none) =>
advisory, validated_update

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0300.html

Resolution:
(none) =>
FIXED