OpenSuSE has issued an advisory today (November 16): http://lists.opensuse.org/opensuse-updates/2015-11/msg00077.html

LWN reference for CVE-2015-7805: http://lwn.net/Vulnerabilities/664646/
LWN reference for CVE-2014-9756 and CVE-2015-8075: http://lwn.net/Vulnerabilities/664650/

I'm curious as to whether there's any overlap between these issues and the ones we fixed in Bug 14961.

Mageia 5 is also affected.
Whiteboard: (none) => MGA5TOO
As I suspected, CVE-2014-9756 is one of the issues we fixed in Bug 14961.
Summary: libsndfile new security issues CVE-2014-9756, CVE-2015-7805, CVE-2015-8075 => libsndfile new security issues CVE-2015-7805 and CVE-2015-8075
The CVE entry for CVE-2015-8075 says that the CVE was rejected because it was later determined to not be a security issue. I have included the patch to fix it, but won't cite it in the advisory.

There should be PoC information for CVE-2015-7805 in one of the references on the SuSE bug: https://bugzilla.suse.com/show_bug.cgi?id=953516

Advisory:
========================

Updated libsndfile packages fix security vulnerability:

Due to a heap overflow in libsndfile, a specially crafted AIFF header can manage index values in order to use memcpy to overwrite memory on the heap (CVE-2015-7805).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7805
http://www.nemux.org/2015/10/13/libsndfile-1-0-25-heap-overflow/
https://packetstormsecurity.com/files/133926/libsndfile-1.0.25-Heap-Overflow.html
http://lists.opensuse.org/opensuse-updates/2015-11/msg00077.html
========================

Updated packages in core/updates_testing:
========================
libsndfile1-1.0.25-9.1.mga5
libsndfile-devel-1.0.25-9.1.mga5
libsndfile-static-devel-1.0.25-9.1.mga5
libsndfile-progs-1.0.25-9.1.mga5

from libsndfile-1.0.25-9.1.mga5.src.rpm
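An added, defender-side illustration, not code from libsndfile or from this bug report: a minimal AIFF chunk walker in C that checks every header-supplied length against the bytes actually present before using it, the class of check whose absence lets a crafted header steer a memcpy past the heap buffer. The sample file bytes (SAMPLE_AIFF) and the helper walk_sample are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Constructed sample: 56-byte AIFF, 18-byte COMM chunk, 10-byte SSND chunk.
 * The FORM length (48) covers everything after byte 8. */
static const uint8_t SAMPLE_AIFF[56] = {
    'F','O','R','M', 0,0,0,48, 'A','I','F','F',
    'C','O','M','M', 0,0,0,18, 0,1, 0,0,0,100, 0,16,
        0x40,0x0e,0xac,0x44, 0,0,0,0,0,0,
    'S','S','N','D', 0,0,0,10, 0,0,0,0, 0,0,0,0, 0,0
};

/* AIFF length fields are big-endian 32-bit. */
static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Walk the chunk list of an in-memory AIFF file. Every length read from the
 * header is compared with the bytes actually present before it is used to
 * advance, so a hostile size field can never move the cursor (or a copy sized
 * from it) past the buffer. Returns the chunk count, or -1 if malformed. */
int aiff_walk(const uint8_t *buf, size_t len) {
    if (len < 12 || memcmp(buf, "FORM", 4) || memcmp(buf + 8, "AIFF", 4))
        return -1;
    uint32_t form_len = be32(buf + 4);
    if (form_len < 4 || form_len > len - 8) return -1; /* FORM body must fit */
    size_t pos = 12, end = 8 + form_len;
    int chunks = 0;
    while (pos < end) {
        if (end - pos < 8) return -1;          /* no room for id + length */
        uint32_t csize = be32(buf + pos + 4);
        pos += 8;
        if (csize > end - pos) return -1;      /* header claims data we lack */
        pos += csize;
        if ((csize & 1) && pos < end) pos++;   /* chunks are padded to even */
        chunks++;
    }
    return chunks;
}

/* Run the walker on the sample with its SSND length field (bytes 42..45)
 * overwritten, so a hostile length is seen to be rejected rather than trusted. */
int walk_sample(uint32_t ssnd_len_field) {
    uint8_t copy[sizeof SAMPLE_AIFF];
    memcpy(copy, SAMPLE_AIFF, sizeof copy);
    copy[42] = ssnd_len_field >> 24; copy[43] = ssnd_len_field >> 16;
    copy[44] = ssnd_len_field >> 8;  copy[45] = ssnd_len_field;
    return aiff_walk(copy, sizeof copy);       /* 10 -> 2, 0xFFFFFFF0 -> -1 */
}
```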
Version: Cauldron => 5
Whiteboard: MGA5TOO => (none)
URL: http://lwn.net/Vulnerabilities/664650/ => http://lwn.net/Vulnerabilities/664646/
Oops, forgot to assign to QA. See comment 2 for advisory, packages, and PoC link.
Assignee: bugsquad => qa-bugs
Testing this on x86_64 in mga5.

https://bugzilla.suse.com/show_bug.cgi?id=953516 leads to:
https://packetstormsecurity.com/files/133926/libsndfile-1.0.25-Heap-Overflow.html

The latter contains a perl script (see attachment above) which can be used to generate an AIFF (Audio Interchange File Format) file called nemux.aiff.

$ perl poc.pl

To demonstrate the proof of concept:

$ paplay nemux.aiff
Result = Segmentation fault

Installed:
lib64sndfile1
lib64sndfile-devel
lib64sndfile-static-devel
libsndfile-progs

$ paplay nemux.aiff
Failed to open audio file.
CC: (none) => tarazed25
Created attachment 7219 [details]
Perl script for PoC

$ perl poc.pl   # generates nemux.aiff
$ paplay nemux.aiff
Looking back at bug 14961 was useful.

$ sox marseillaise.wav anthem.aiff
$ paplay anthem.aiff

No problem. This seems a better, i.e. easier, approach than nemux.aiff.

Marking this as good for 64 bits. Moving over to vbox to test i586.
Whiteboard: (none) => has_procedure MGA5-64-OK
mga5 i586 in vbox Mate

When I used the poc.pl script it came up with an error:
Invalid type 'Q' in pack at poc.pl line 113.
So I used the nemux.aiff file copied from the host system.

$ paplay nemux.aiff
Segmentation fault

$ sox OrganConcerto_7.2_A_major.wav handel.aiff
$ paplay handel.aiff
That works fine.

Updates installed.

$ paplay nemux.aiff
Failed to open audio file.

$ paplay handel.aiff
That runs fine.

I am uploading an strace of 'paplay nemux.aiff' in case it is of any interest. It looks like it opens all the library files OK, then goes into a very long seek loop of some kind and finishes up trying to find pulseaudio.mo (does not exist here).
Created attachment 7220 [details]
strace capture from paplay with PoC file

$ strace -o strace.out paplay nemux.aiff
In audacity there is no waveform for nemux so I suppose, as it is not an audio file, we should not expect it to play. Passing this for i586 as well. Leaving the validation for the moment in case someone disagrees.
Good job Len. Confirmed also that paplay uses libsndfile.

$ urpmf paplay
pulseaudio-utils:/usr/bin/paplay
$ urpmq --requires pulseaudio-utils | grep sndfile
libsndfile.so.1()(64bit)
libsndfile.so.1(libsndfile.so.1.0)(64bit)

You can validate this one.
Thanks Claire.
Keywords: (none) => validated_update
Whiteboard: has_procedure MGA5-64-OK => has_procedure MGA5-64-OK MGA5-32-OK
CC: (none) => sysadmin-bugs
CC: (none) => davidwhodgins
Whiteboard: has_procedure MGA5-64-OK MGA5-32-OK => has_procedure MGA5-64-OK MGA5-32-OK advisory
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2015-0455.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED