Bug 20672 - libsamplerate new security issue CVE-2017-7697
Summary: libsamplerate new security issue CVE-2017-7697
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA5-32-OK advisory MGA5-64-OK
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2017-04-14 22:39 CEST by David Walser
Modified: 2017-05-07 22:29 CEST
CC: 5 users

See Also:
Source RPM: libsamplerate-0.1.8-5.mga5.src.rpm
CVE:
Status comment:



Description David Walser 2017-04-14 22:39:27 CEST
A security issue fixed upstream in libsamplerate 0.1.9 has been announced:
http://openwall.com/lists/oss-security/2017/04/12/1
Comment 1 Marja Van Waes 2017-04-15 09:51:26 CEST
Assigning to all packagers collectively, since there is no registered maintainer for this package.

Assignee: bugsquad => pkg-bugs
CC: (none) => marja11

David Walser 2017-04-17 22:39:21 CEST

QA Contact: (none) => security
Component: RPM Packages => Security

Comment 2 Mike Rambo 2017-04-26 21:25:13 CEST
Updated package uploaded for Mageia 5.

Advisory:
========================

Updated libsamplerate package fixes security vulnerability:

It was discovered that libsamplerate contained a global buffer overflow in calc_output_single (CVE-20176-5223).

References:
http://openwall.com/lists/oss-security/2017/04/12/1
https://blogs.gentoo.org/ago/2017/04/11/libsamplerate-global-buffer-overflow-in-calc_output_single-src_sinc-c/
========================

Updated packages in core/updates_testing:
========================
lib64samplerate0-0.1.9-1.mga6.x86_64.rpm
lib64samplerate-devel-0.1.9-1.mga6.x86_64.rpm
libsamplerate-debuginfo-0.1.9-1.mga6.x86_64.rpm
libsamplerate-progs-0.1.9-1.mga6.x86_64.rpm

from libsamplerate-0.1.9-1.mga5.src.rpm


Reproducer: https://github.com/asarubbo/poc/blob/master/00262-libsamplerate-globaloverflow-calc_output_single

Assignee: pkg-bugs => qa-bugs
CC: (none) => mrambo

Comment 3 Herman Viaene 2017-05-03 14:54:36 CEST
MGA5-32 on Asus A6000VM Xfce
No installation issues
From comments in MCC:
Secret Rabbit Code (aka libsamplerate) is a Sample Rate Converter for audio. One example of where such a thing would be useful is converting audio from the CD sample rate of 44.1kHz to the 48kHz sample rate used by DAT players.
So at CLI:
$ sndfile-resample -to 48000 Zapfenstreich.wav Zapf1.wav
Input File    : Zapfenstreich.wav
Sample Rate   : 44100
Input Frames  : 8596790

SRC Ratio     : 1.088435
Converter     : Medium Sinc Interpolator

Output file   : Zapf1.wav
Sample Rate   : 48000
Output Frames : 9357051
The resulting file is a bit larger than the original one, which was to be expected. It plays equally well in Parole.

Whiteboard: (none) => MGA5-32-OK
CC: (none) => herman.viaene

Comment 4 Lewis Smith 2017-05-04 10:11:43 CEST
Advisory uploaded ex Comment 2; but I corrected the CVE-id in the text to that in the title (which I checked): CVE-2017-7697

CC: (none) => lewyssmith
Whiteboard: MGA5-32-OK => MGA5-32-OK advisory

Comment 5 Lewis Smith 2017-05-07 11:33:03 CEST
Testing M5 64 bit

Needed to install the 'progs' pkg.
 $ sndfile-resample -h
gives useful info; but -by <amount> is not explained.

BEFORE the update:-
 lib64samplerate0-0.1.8-5.mga5
 libsamplerate-progs-0.1.8-5.mga5
Tried the PoC and its demonstration given in Comment 2:
 https://blogs.gentoo.org/ago/2017/04/11/libsamplerate-global-buffer-overflow-in-calc_output_single-src_sinc-c/
 https://github.com/asarubbo/poc/blob/master/00262-libsamplerate-globaloverflow-calc_output_single
but it did *not* fail as illustrated in the first link above:
 $ sndfile-resample -to 24000 -c 1 sampleratePoC out
 Input File    : sampleratePoC
 Sample Rate   : 152690
 Input Frames  : 38388006656
 SRC Ratio     : 0.157181
 Converter     : Medium Sinc Interpolator
 Output file   : out
 Sample Rate   : 24000
 Output Frames : 1287

UPDATEd to:
- lib64samplerate0-0.1.9-1.mga5.x86_64
- libsamplerate-progs-0.1.9-1.mga5.x86_64
Result with the PoC identical.

 $ sndfile-resample -to 36000 BachKBconcerto.wav out
 $ sndfile-resample -to 36000 track1.flac out
produced good output files (listened to with Parole).

FWIW:
 $ sndfile-resample -to 36000 BachKBconcerto.ogg out
hogged the processor for a very long time, but finished. However, the output was not good. It does not accept .mp3 files.

Update looks good, validating.

Keywords: (none) => validated_update
Whiteboard: MGA5-32-OK advisory => MGA5-32-OK advisory MGA5-64-OK
CC: (none) => sysadmin-bugs
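The before/after checks in Comments 3 and 5 (run sndfile-resample on a known file, compare the reported frame counts, try the PoC), as an added helper script. This is not code from Mageia or from libsamplerate; it assumes sndfile-resample is on PATH when run_resample() is called (otherwise that step is skipped), and the one-frame tolerance in frames_consistent() is this helper's own assumption, not a libsamplerate guarantee. It goes a step beyond the comments by parsing the RIFF/WAVE header without trusting it, so a file whose data chunk claims far more than the file actually holds is flagged before it is fed to the resampler. All WAV input is constructed in memory.

```python
"""Added QA helper for a libsamplerate update (not Mageia or libsamplerate code).

Builds a constructed WAV in memory, parses a RIFF/WAVE header without trusting
it, forges an oversized data-chunk size to show what a crafted input looks like,
and parses sndfile-resample's summary so 'Output Frames' can be checked
against the rate ratio mechanically.
"""
import io
import math
import re
import shutil
import struct
import subprocess
import wave


def make_wav(rate=44100, frames=44100, freq=440.0):
    """Return the bytes of a constructed mono 16-bit PCM WAV holding a sine tone."""
    buf = io.BytesIO()
    with wave.open(buf, "wb") as w:
        w.setnchannels(1)
        w.setsampwidth(2)
        w.setframerate(rate)
        pcm = (int(12000 * math.sin(2 * math.pi * freq * i / rate)) for i in range(frames))
        w.writeframes(b"".join(struct.pack("<h", s) for s in pcm))
    return buf.getvalue()


def inspect_wav(data):
    """Parse the RIFF/WAVE header and cross-check the declared data size.

    Returns the format fields, the frame count the header declares, the frame
    count the bytes actually present can hold, and whether the two agree.
    """
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"WAVE":
        raise ValueError("not a RIFF/WAVE file")
    info = {"file_size": len(data)}
    pos = 12
    while pos + 8 <= len(data):
        cid, size = struct.unpack_from("<4sI", data, pos)
        body = pos + 8
        if cid == b"fmt " and size >= 16:
            fmt, ch, rate, _, _, bits = struct.unpack_from("<HHIIHH", data, body)
            info.update(format=fmt, channels=ch, rate=rate, bits=bits)
        elif cid == b"data":
            if "channels" not in info:
                raise ValueError("data chunk before fmt chunk")
            frame_bytes = info["channels"] * info["bits"] // 8
            available = len(data) - body          # bytes really present after the header
            info.update(data_size_offset=pos + 4,
                        declared_frames=size // frame_bytes,
                        actual_frames=min(size, available) // frame_bytes,
                        header_consistent=size <= available)
            break
        pos = body + size + (size & 1)            # RIFF chunks are padded to even length
    return info


def forge_data_size(data, declared_bytes):
    """Copy of a WAV whose data chunk claims declared_bytes (a constructed crafted input)."""
    off = inspect_wav(data)["data_size_offset"]
    return data[:off] + struct.pack("<I", declared_bytes) + data[off + 4:]


_FIELD = re.compile(r"^\s*(Input Frames|Output Frames|Sample Rate|SRC Ratio)\s*:\s*([0-9.]+)")


def parse_resample_report(text):
    """Extract the numbers from sndfile-resample's summary, as quoted in the comments above."""
    rep = {}
    for line in text.splitlines():
        m = _FIELD.match(line)
        if not m:
            continue
        key, val = m.groups()
        if key == "Sample Rate":           # printed once for the input, once for the output
            rep["out_rate" if "in_rate" in rep else "in_rate"] = int(val)
        elif key == "SRC Ratio":
            rep["ratio"] = float(val)
        else:
            rep["in_frames" if key == "Input Frames" else "out_frames"] = int(val)
    return rep


def frames_consistent(rep, tol=1):
    """True when out_frames is within tol frames of in_frames * out_rate / in_rate.

    The tolerance is this helper's assumption, not a libsamplerate guarantee.
    """
    expected = rep["in_frames"] * rep["out_rate"] / rep["in_rate"]
    return abs(rep["out_frames"] - expected) <= tol


def run_resample(src_path, dst_path, to_rate):
    """Run sndfile-resample (libsamplerate-progs) if installed; returns the parsed report or None."""
    exe = shutil.which("sndfile-resample")
    if exe is None:
        return None
    proc = subprocess.run([exe, "-to", str(to_rate), src_path, dst_path],
                          capture_output=True, text=True, check=True)
    return parse_resample_report(proc.stdout + proc.stderr)


if __name__ == "__main__":
    import os
    import tempfile
    with tempfile.TemporaryDirectory() as d:
        src, dst = os.path.join(d, "tone.wav"), os.path.join(d, "tone48k.wav")
        data = make_wav()
        with open(src, "wb") as f:
            f.write(data)
        print("input header :", inspect_wav(data))
        rep = run_resample(src, dst, 48000)
        print("resample     :", rep, "ratio ok" if rep and frames_consistent(rep) else "skipped/mismatch")
        print("forged header:", inspect_wav(forge_data_size(make_wav(frames=10), 0xFFFFFFF0)))
```

On the figures from Comment 3 (8596790 frames at 44100 to 48000, 9357051 out) frames_consistent() passes; on the PoC figures from Comment 5 (38388006656 declared input frames, 1287 output frames) it fails, which is the kind of mismatch between what a header declares and what the data holds that a crafted file shows. A crash-free run, as in Comment 5, is not evidence on its own: a global buffer overflow in a non-instrumented build usually does not crash, which is why the Gentoo reproduction used an ASan build.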

Comment 6 Mageia Robot 2017-05-07 22:29:35 CEST
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0131.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

