Fedora has issued an advisory today (April 14): https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/PG6B4TWZZ2YTHTEQHBVQFADDUHMSICUV/ The issues are fixed upstream in 1.0.28. Mageia 5 is also affected.
Whiteboard: (none) => MGA5TOO
Two more security issues fixed in libsndfile 1.0.28 have been announced: http://openwall.com/lists/oss-security/2017/04/13/3
Summary: libsndfile new security issues CVE-2017-7585 and CVE-2017-7586 => libsndfile new security issues CVE-2017-758[56] and CVE-2017-774[12]
Assigning to all packagers collectively, since there is no registered maintainer for this package.
CC: (none) => marja11
Assignee: bugsquad => pkg-bugs
openSUSE has issued an advisory for this on April 26: https://lists.opensuse.org/opensuse-updates/2017-04/msg00096.html
CVE-2017-836[1235]: http://openwall.com/lists/oss-security/2017/05/01/1 http://openwall.com/lists/oss-security/2017/05/01/2 http://openwall.com/lists/oss-security/2017/05/01/3 http://openwall.com/lists/oss-security/2017/05/01/5
Summary: libsndfile new security issues CVE-2017-758[56] and CVE-2017-774[12] => libsndfile new security issues CVE-2017-758[56], CVE-2017-774[12], and CVE-2017-836[1235]
openSUSE has issued an advisory for this today (May 28): https://lists.opensuse.org/opensuse-updates/2017-05/msg00095.html
Ubuntu has issued an advisory for this on June 1: https://www.ubuntu.com/usn/usn-3306-1/
CVE-2017-758[56] and CVE-2017-774[12] fixed in 1.0.28 and this openSUSE commit: https://build.opensuse.org/package/rdiff/openSUSE:Leap:42.3/libsndfile?linkrev=base&rev=9 CVE-2017-836[1235] fixed post-1.0.28 and in this openSUSE commit: https://build.opensuse.org/package/rdiff/openSUSE:Leap:42.2:Update/libsndfile?linkrev=base&rev=2
Patched packages uploaded for Mageia 5 and Cauldron.
Advisory:
========================
Updated libsndfile packages fix security vulnerabilities:
A stack-based buffer overflow via a specially crafted FLAC file due to an error in the header_read() function (CVE-2017-7586).
Several stack-based buffer overflows via a specially crafted FLAC file due to an error in the flac_buffer_copy() function (CVE-2017-7585, CVE-2017-7741, CVE-2017-7742).
Global buffer overflow in flac_buffer_copy() (CVE-2017-8361).
Invalid memory read in flac_buffer_copy() (CVE-2017-8362).
Heap-based buffer overflow in flac_buffer_copy() (CVE-2017-8363).
Stack-based buffer overflows via specially crafted FLAC files (CVE-2017-7585, CVE-2017-7741, CVE-2017-7742).
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7585
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7586
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7741
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7742
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8361
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8362
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8363
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8365
https://lists.opensuse.org/opensuse-updates/2017-04/msg00096.html
https://lists.opensuse.org/opensuse-updates/2017-05/msg00095.html
========================
Updated packages in core/updates_testing:
========================
libsndfile1-1.0.25-9.2.mga5
libsndfile-devel-1.0.25-9.2.mga5
libsndfile-static-devel-1.0.25-9.2.mga5
libsndfile-progs-1.0.25-9.2.mga5
from libsndfile-1.0.25-9.2.mga5.src.rpm
Whiteboard: MGA5TOO => (none)
Version: Cauldron => 5
Assignee: pkg-bugs => qa-bugs
MGA-32 on Asus A6000VM Xfce
No installation issues
Note: for some reason, pulseaudio does not run on this rig, too lazy to find out why.
Took inspiration from bug 17163 Comment 7, so at CLI:
$ sox Yorkscher\ Marsch.wav York.aiff
$ strace -o /home/tester5/Documenten/parole.txt parole York.aiff
plays music OK and checked in trace that libsnd was called upon: OK
Whiteboard: (none) => MGA5-32-OK
CC: (none) => herman.viaene
Advisory taken from Comment 8. Note:
- CVE-2017-7585, CVE-2017-7741, CVE-2017-7742 were cited twice. Corrected.
- CVE-2017-8365 has no equivalent text in the description. Await same.
Whiteboard: MGA5-32-OK => MGA5-32-OK advisory
CC: (none) => lewyssmith
Hehe. Whoops.
Advisory:
========================
Updated libsndfile packages fix security vulnerabilities:
A stack-based buffer overflow via a specially crafted FLAC file due to an error in the header_read() function (CVE-2017-7586).
Several stack-based buffer overflows via a specially crafted FLAC file due to an error in the flac_buffer_copy() function (CVE-2017-7585, CVE-2017-7741, CVE-2017-7742).
Global buffer overflow in flac_buffer_copy() (CVE-2017-8361).
Invalid memory read in flac_buffer_copy() (CVE-2017-8362).
Heap-based buffer overflow in flac_buffer_copy() (CVE-2017-8363).
The i2les_array function in pcm.c in libsndfile 1.0.28 allows remote attackers to cause a denial of service (buffer over-read and application crash) via a crafted audio file (CVE-2017-8365).
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7585
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7586
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7741
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7742
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8361
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8362
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8363
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8365
https://lists.opensuse.org/opensuse-updates/2017-04/msg00096.html
https://lists.opensuse.org/opensuse-updates/2017-05/msg00095.html
Thanks David. Advisory description updated with the last paragraph.
Testing M5 64-bit
I installed the progs for their programs:
sndfile-cmp, sndfile-concat, sndfile-convert, sndfile-deinterleave, sndfile-info, sndfile-interleave, sndfile-metadata-get, sndfile-metadata-set, sndfile-play, sndfile-regtest, sndfile-salvage
all of which have man entries; with more detailed info for some commands --help.
BEFORE update:
libsndfile-progs-1.0.25-9.1.mga5
lib64sndfile1-1.0.25-9.1.mga5
$ sndfile-info BachKBconcerto.ogg
$ sndfile-info BachKBconcerto.wav
$ sndfile-info track1.flac
All produced good info.
$ sndfile-info track2.mp3
Version : libsndfile-1.0.25
Error : Not able to open input file track2.mp3.
File : track2.mp3
Length : 3611989
File contains data in an unknown format.
$ sndfile-play BachKBconcerto.ogg
$ sndfile-play BachKBconcerto.wav
$ sndfile-play track1.flac
All played correctly.
Playing with some conversions was less good. Without going overboard, I only got WAV-to-something accepted.
$ sndfile-convert BachKBconcerto.ogg ~/tmp/BachKBconcerto.aif
Error : output file format is invalid (0x00020060).
$ sndfile-convert BachKBconcerto.ogg ~/tmp/BachKBconcerto.flac
Error : output file format is invalid (0x00170060).
$ sndfile-convert BachKBconcerto.wav ~/tmp/BachKBconcerto.oga [in --help]
Error : output file format is invalid (0x00200002).
$ sndfile-convert BachKBconcerto.wav ~/tmp/BachKBconcerto.aif
$ sndfile-convert BachKBconcerto.wav ~/tmp/BachKBconcerto.ogg
Both converted files played correctly.
All 3 programs tried *do* call the library:
open("/lib64/libsndfile.so.1", O_RDONLY|O_CLOEXEC) = 3
------------------------------------------------------
AFTER update:
lib64sndfile1-1.0.25-9.2.mga5
libsndfile-progs-1.0.25-9.2.mga5
Repeating exactly all the previous commands, failures included, produced identical output.
The update looks good. OK and validating.
Keywords: (none) => validated_update
Whiteboard: MGA5-32-OK advisory => MGA5-32-OK advisory MGA5664-OK
CC: (none) => sysadmin-bugs
Whiteboard: MGA5-32-OK advisory MGA5664-OK => MGA5-32-OK advisory MGA5-64-OK
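Both test reports above confirm from an strace log that the program under test really loaded libsndfile, so the patched library was the code being exercised. One way to automate that check, as an added example that is not part of the original thread: the helper name `lib_loaded`, the sample log and its `/usr/lib64/tls` probe line are constructed for illustration; only the successful `open` line is quoted from the 64-bit report.

```shell
#!/bin/sh
# Added example: decide from an strace log whether a shared library was really
# loaded, i.e. an open()/openat() on it returned a file descriptor.

# lib_loaded LOGFILE LIBNAME (hypothetical helper)
# Prints each successfully opened path; exit status 0 if there was one, else 1.
lib_loaded() {
    awk -v lib="$2" '
        # open()/openat() calls, optionally prefixed by a PID (strace -f)
        /^([0-9]+ +)?(open|openat)\(/ {
            # The path is the first double-quoted string on the line
            if (match($0, /"[^"]*"/) == 0) next
            path = substr($0, RSTART + 1, RLENGTH - 2)
            n = split(path, parts, "/")
            # Accept lib.so, lib.so.1, lib.so.1.0.25; reject other libraries
            if (index(parts[n], lib ".so") != 1) next
            # Return value follows ") = "; -1 ENOENT is a failed search-path probe
            ret = $0
            sub(/.*\) *= */, "", ret)
            if (ret ~ /^[0-9]+/) { found = 1; print path }
        }
        END { exit(found ? 0 : 1) }
    ' "$1"
}

# Constructed sample log (not captured from a real run); only the successful
# libsndfile open line is the one quoted in the test report.
sample_log() {
    cat <<'EOF'
execve("/usr/bin/sndfile-info", ["sndfile-info", "track1.flac"], [/* 40 vars */]) = 0
open("/usr/lib64/tls/libsndfile.so.1", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/lib64/libsndfile.so.1", O_RDONLY|O_CLOEXEC) = 3
open("track1.flac", O_RDONLY) = 3
EOF
}

tmp=$(mktemp)
sample_log > "$tmp"
if lib_loaded "$tmp" libsndfile; then echo "OK: libsndfile was loaded"; fi
rm -f "$tmp"
```

A log containing only failed probes (`= -1 ENOENT`) returns status 1, which is the case a plain `grep libsndfile` on the trace would wrongly report as a pass.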
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2017-0168.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED