openSUSE has issued an advisory on February 8:
https://lists.opensuse.org/opensuse-updates/2018-02/msg00018.html

Mageia 5 and Mageia 6 are also affected.
Whiteboard: (none) => MGA6TOO, MGA5TOO
CVE-2017-16942 only affects Mageia 5.
Status comment: (none) => Patches available from openSUSE and upstream
Assigning to all packagers collectively, since there is no registered maintainer for this package.
Assignee: bugsquad => pkg-bugs
CC: (none) => marja11

Patched packages uploaded for Mageia 5, Mageia 6, and Cauldron.

Advisory:
========================

Updated libsndfile packages fix security vulnerabilities:

An out of bounds read in the function d2alaw_array() in alaw.c of libsndfile 1.0.28 may lead to a remote DoS attack or information disclosure, related to mishandling of the NAN and INFINITY floating-point values (CVE-2017-14245).

An out of bounds read in the function d2ulaw_array() in ulaw.c of libsndfile 1.0.28 may lead to a remote DoS attack or information disclosure, related to mishandling of the NAN and INFINITY floating-point values (CVE-2017-14246).

In libsndfile 1.0.28, a divide-by-zero error exists in the function double64_init() in double64.c, which may lead to DoS when playing a crafted audio file (CVE-2017-14634).

Divide-by-zero in the function wav_w64_read_fmt_chunk(), which may lead to Denial of service (CVE-2017-16942).

Note that CVE-2017-16942 only affected Mageia 5.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14245
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14246
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14634
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16942
https://lists.opensuse.org/opensuse-updates/2018-02/msg00018.html
========================

Updated packages in core/updates_testing:
========================
libsndfile1-1.0.25-9.5.mga5
libsndfile-devel-1.0.25-9.5.mga5
libsndfile-static-devel-1.0.25-9.5.mga5
libsndfile-progs-1.0.25-9.5.mga5
libsndfile1-1.0.28-3.2.mga6
libsndfile-devel-1.0.28-3.2.mga6
libsndfile-static-devel-1.0.28-3.2.mga6
libsndfile-progs-1.0.28-3.2.mga6

from SRPMS:
libsndfile-1.0.25-9.5.mga5.src.rpm
libsndfile-1.0.28-3.2.mga6.src.rpm

Version: Cauldron => 6
Assignee: pkg-bugs => qa-bugs
Whiteboard: MGA6TOO, MGA5TOO => MGA5TOO
Status comment: Patches available from openSUSE and upstream => (none)
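The advisory above attributes CVE-2017-14245 and CVE-2017-14246 to NAN and INFINITY samples reaching a table lookup. The following is an added illustration of that bug class and a checked conversion; it is not libsndfile's code or the upstream patch, and the table size, table contents and the names init_table and encode_checked are assumptions made for the example.

```c
#include <math.h>
#include <stddef.h>
#include <stdio.h>

#define TABLE_LEN 2049   /* constructed size: valid indices are 0..2048 */
static unsigned char enc_table[TABLE_LEN];

/* Fill the table with constructed values (not real A-law/u-law codes). */
void init_table(void)
{
    for (size_t i = 0; i < TABLE_LEN; i++)
        enc_table[i] = (unsigned char)(i >> 4);
}

/* Unchecked pattern, for contrast only (left commented out):
 *     out[i] = enc_table[(long)(normfact * in[i])];
 * NaN, +/-Inf or an oversized sample produces an index outside the table,
 * and converting a non-finite double to an integer is undefined in C. */

/* Checked conversion: returns 0 on success, -1 at the first sample that is
 * non-finite or scales past the table. Validation happens before indexing. */
int encode_checked(const double *in, size_t count,
                   unsigned char *out, double normfact)
{
    for (size_t i = 0; i < count; i++) {
        double scaled = normfact * in[i];
        if (!isfinite(scaled))
            return -1;                        /* rejects NaN and +/-Inf */
        double mag = scaled < 0 ? -scaled : scaled;
        if (mag > (double)(TABLE_LEN - 1))
            return -1;                        /* finite but out of range */
        size_t idx = (size_t)(mag + 0.5);     /* safe: 0 <= mag <= 2048 */
        out[i] = scaled >= 0 ? enc_table[idx]
                             : (unsigned char)(0x7F & enc_table[idx]);
    }
    return 0;
}

int main(void)
{
    double good[2] = { 0.5, -0.25 };          /* constructed samples */
    double bad[3]  = { 0.1, NAN, INFINITY };  /* constructed samples */
    unsigned char out[3];
    init_table();
    printf("good: %d\n", encode_checked(good, 2, out, 2048.0));
    printf("bad:  %d\n", encode_checked(bad, 3, out, 2048.0));
    return 0;
}
```

Returning an error to the caller instead of clamping matches what the testers later observe after the update, where the tools report a decode error rather than crashing.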
MGA5-32 on Dell Latitude D600 Xfce
No installation issues.
Ref. test in bug 21618 Comment 4, at CLI

$ sndfile-play 01\ Welington\'s\ Sieg.wav
Playing 01 Welington's Sieg.wav

The file plays OK

$ sndfile-metadata-get 01\ Welington\'s\ Sieg.wav
Usage :
  sndfile-metadata-get [options] <file>
Options:
  --bext-description Print the 'bext' description.
  --bext-originator Print the 'bext; originator info.
  --bext-orig-ref Print the 'bext' origination reference.
  --bext-umid Print the 'bext' UMID.
  --bext-orig-date Print the 'bext' origination date.
and some more.

But

$ sndfile-metadata-get --str-title 01\ Welington\'s\ Sieg.wav
Name : Wellington's Sieg

Seems options are not optional anymore. Is that on purpose???

$ sndfile-info 01\ Welington\'s\ Sieg.wav
Version : libsndfile-1.0.25
========================================
File : 01 Welington's Sieg.wav
Length : 149110744
RIFF : 149110736
WAVE
fmt : 16
  Format : 0x1 => WAVE_FORMAT_PCM
  Channels : 2
  Sample Rate : 44100
  Block Align : 4
  Bit Width : 16
  Bytes/sec : 176400
LIST : 48
  INFO
    INAM : Wellington's Sieg
    IART : Beethoven
data : 149110644
End
----------------------------------------
Sample Rate : 44100
Frames : 37277661
Channels : 2
Format : 0x00010002
Sections : 1
Seekable : TRUE
Duration : 00:14:05.298
Signal Max : 32754 (-0.00 dB)

That is OK

$ sndfile-play Zapf.mp3
Playing Zapf.mp3

Also OK

$ sndfile-info Zapf.mp3
Version : libsndfile-1.0.25
========================================
File : Zapf.mp3
Length : 51580836
RIFF : 51580828
WAVE
fmt : 16
  Format : 0x1 => WAVE_FORMAT_PCM
  Channels : 2
  Sample Rate : 44100
  Block Align : 6
  Bit Width : 24
  Bytes/sec : 264600
LIST : 44
  INFO
    INAM : Zapfenstreich
    IART : Beethoven
data : 51580740
End
----------------------------------------
Sample Rate : 44100
Frames : 8596790
Channels : 2
Format : 0x00010003
Sections : 1
Seekable : TRUE
Duration : 00:03:14.939
Signal Max : 8.38016e+06 (-0.01 dB)

This is better than the previous versions

Apart from the hiccup on the sndfile-metadata-get command, this is OK for me. I'll leave the decision to others to finally OK it, but I will not object.
CC: (none) => herman.viaene
You could OK this Herman. If you are thinking PoCs, there do appear to be one or two so I shall have a look at them on 64-bits to round this off.
CC: (none) => tarazed25
Whiteboard: MGA5TOO => MGA5TOO MGA5-32-OK
Mageia 6, x86_64

Found some PoCs for this but certain how to test all of them.

*Before* the updates:

CVE-2017-14245
CVE-2017-14246
https://github.com/erikd/libsndfile/issues/317
samples.zip

$ sndfile-convert -ulaw crash1-get-nan-from-host xxx.vox
Segmentation fault (core dumped)
$ sndfile-convert -ulaw 'crash_max=inf_2_nan' xxy.vox
Segmentation fault (core dumped)
$ sndfile-convert -ulaw crash-get_inf_from_host_read_d xxw.vox
Segmentation fault (core dumped)
$ sndfile-convert -ulaw crash3-0div0-nan xxz.vox
$

CVE-2017-14634
https://github.com/erikd/libsndfile/issues/318

$ sndfile-play crash-div0
Playing crash-div0
Floating point exception (core dumped)

CVE-2017-16942
https://github.com/erikd/libsndfile/issues/341

$ file hfl-crash-1-\{rva_0x1ED01\}\{code_0x8\}\{libsndfile.so.1\}
hfl-crash-1-{rva_0x1ED01}{code_0x8}{libsndfile.so.1}: RIFF (little-endian) data, WAVE audio, Microsoft ADPCM, mono 8000 Hz

Let's try playing it:

$ sndfile-play hfl-crash-1-\{rva_0x1ED01\}\{code_0x8\}\{libsndfile.so.1\}
Playing hfl-crash-1-{rva_0x1ED01}{code_0x8}{libsndfile.so.1}
Error in ADPCM WAV file. Invalid number of samples per block.

*After* the updates:

14245, 14246

$ sndfile-convert -ulaw crash1-get-nan-from-host xxx.vox
Error : Not able to decode input file crash1-get-nan-from-host.
$ sndfile-convert -ulaw 'crash_max=inf_2_nan' xxy.vox
Error : Not able to decode input file crash_max=inf_2_nan.
$ sndfile-convert -ulaw crash-get_inf_from_host_read_d xxw.vox
Error : Not able to decode input file crash-get_inf_from_host_read_d.
$ sndfile-convert -ulaw crash3-0div0-nan xxz.vox
$

This last one produced a new 1-byte file. No difference from before.

14634

sndfile-play crash-div0
Playing crash-div0
Unspecified internal error.

16942

$ sndfile-play hfl-crash-1-\{rva_0x1ED01\}\{code_0x8\}\{libsndfile.so.1\}
Playing hfl-crash-1-{rva_0x1ED01}{code_0x8}{libsndfile.so.1}
Error in ADPCM WAV file. Invalid number of samples per block.

No change for the last one.
On the whole the outcomes look OK after the updates.

Utility tests follow Herman's examples.

$ sndfile-metadata-get --bext-description LItalianainAlgeri.wav
Description :

Hmm!

$ sndfile-info LItalianainAlgeri.wav
========================================
File : LItalianainAlgeri.wav
Length : 72648620
.............. other information ..................
Seekable : TRUE
Duration : 00:06:51.840
Signal Max : 28346 (-1.26 dB)

Not so comfortable with MP3:

$ sndfile-info UnaVocePocoFa.mp3
Error : Not able to open input file UnaVocePocoFa.mp3.
File : UnaVocePocoFa.mp3
Length : 5402123
File contains data in an unknown format.
[lcl@difda Rossini]$ sndfile-play UnaVocePocoFa.mp3
Playing UnaVocePocoFa.mp3
File contains data in an unknown format.

Tried other MP3s with the same result.

$ sndfile-info TimeAfterTime.mp3
Error : Not able to open input file TimeAfterTime.mp3.
File : TimeAfterTime.mp3
Length : 3858182
File contains data in an unknown format.

$ sndfile-info Contrapunctus_IX-JSBach.flac
.................
$ sndfile-play Contrapunctus_IX-JSBach.flac
Playing Contrapunctus_IX-JSBach.flac

Those worked fine, so did OGG files.

Went back to the pre-update system to check a few things.

$ sndfile-metadata-get 'Toccata and Fugue in D minor.wav'
Description :
Originator :
Origination ref :
UMID :
Origination date :
Origination time :
Coding history :
Name :
Copyright :
Artist :
Comment :
Create date :
Album :
License :
$ sndfile-metadata-get Contrapunctus_IX-JSBach.mp3
Error : Open of file 'Contrapunctus_IX-JSBach.mp3' failed : File contains data in an unknown format.
$ sndfile-info Contrapunctus_IX-JSBach.mp3
Error : Not able to open input file Contrapunctus_IX-JSBach.mp3.
File : Contrapunctus_IX-JSBach.mp3
Length : 3573262
File contains data in an unknown format.

So the problems with MP3 and sndfile-metadata-get are not regressions.

The 32-bit version seems to be OK but I don't know what to do about 64-bit because of the MP3 problem.
As there is no regression maybe we should just push it. Adding the OK.
Whiteboard: MGA5TOO MGA5-32-OK => MGA5TOO MGA5-32-OK MGA6-64-OK
libsndfile isn't supposed to be able to open MP3 files according to its description.
@Herman, Len: thanks for your tests.
Keywords: (none) => advisory, validated_update
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2018-0236.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED