Fedora has issued an advisory on February 14:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/UH2SQ3KUA2QMA4QBGGATZPOG2AGLW7X7/

Mageia 6 is also affected. Mageia 5 may be as well.
Whiteboard: (none) => MGA6TOO
Status comment: (none) => Patches available from Fedora
Assignee: bugsquad => lists.jjorge
CC: (none) => marja11
openSUSE has issued an advisory for this on February 20:
https://lists.opensuse.org/opensuse-updates/2018-02/msg00077.html

It also fixes four new issues.
Summary: sox new security issues CVE-2017-15372 and CVE-2017-15642 => sox new security issues CVE-2017-11332, CVE-2017-1135[89], CVE-2017-15372 and CVE-2017-15642, CVE-2017-18189
Status comment: Patches available from Fedora => Patches available from Fedora and openSUSE
Finally I have found time for this.

Suggested advisory:

This update for sox fixes the following security issues:

* CVE-2017-11332: Fixed the startread function in wav.c, which allowed remote attackers to cause a DoS (divide-by-zero) via a crafted wav file.
* CVE-2017-11358: Fixed the read_samples function in hcom.c, which allowed remote attackers to cause a DoS (invalid memory read) via a crafted hcom file.
* CVE-2017-11359: Fixed the wavwritehdr function in wav.c, which allowed remote attackers to cause a DoS (divide-by-zero) when converting a crafted snd file to a wav file.
* CVE-2017-15372: Fixed a stack-based buffer overflow in the lsx_ms_adpcm_block_expand_i function of adpcm.c, which allowed remote attackers to cause a DoS during conversion of a crafted audio file.
* CVE-2017-15642: Fixed a Use-After-Free vulnerability in lsx_aiffstartread in aiff.c, which could be triggered by an attacker by providing a malformed AIFF file.

RPMS:
sox-14.4.2-7.2.mga6.x86_64.rpm
lib64sox3-14.4.2-7.2.mga6.x86_64.rpm
lib64sox-devel-14.4.2-7.2.mga6.x86_64.rpm

The same for i586, only SRPM is sox-14.4.2-7.2.mga6.srpm.

Thanks QA for testing.
Version: Cauldron => 6
CC: (none) => lists.jjorge
Whiteboard: MGA6TOO => (none)
Assignee: lists.jjorge => qa-bugs
Status: NEW => ASSIGNED
We're missing a patch for CVE-2017-18189, which openSUSE fixed. It may also be the 0012-xa-validate-channel-count.patch from Debian, but compare with openSUSE. The patches added so far do apply to Mageia 5, so adding that too.
Whiteboard: (none) => MGA5TOO
Keywords: (none) => feedback
Mageia 6, x86_64

Investigating the PoCs for this.
CC: (none) => tarazed25
Hanging fire on this one until the patch referred to in comment 3 is in place.

Meanwhile, pre-updates, the PoCs generated errors in line with those posted upstream.
http://seclists.org/fulldisclosure/2017/Jul/81

CVE-2017-11332
$ sox sox_14.4.2_divide_by_zero_error_1.wav out.ogg
Floating point exception (core dumped)

CVE-2017-11358
$ sox sox_14.4.2_invalid_memory_read.hcom out.wav
Segmentation fault (core dumped)

CVE-2017-11359
$ sox sox_14.4.2_divide_by_zero_error_2.snd out.wav
sox WARN formats_i: `sox_14.4.2_divide_by_zero_error_2.snd': file header gives the total number of samples as 1335 but file length indicates the number is in fact 1437
Floating point exception (core dumped)

CVE-2017-15372
$ sox 01-stack-overflow out.snd
Segmentation fault (core dumped)

CVE-2017-15642
https://bugzilla.suse.com/show_bug.cgi?id=1064576
$ file crash00
crash00: IFF data, AIFF audio
$ sox -D -V -V crash00 /dev/null
..............
sox INFO formats: detected file format type `aiff'
*** Error in `sox': double free or corruption (fasttop): 0x000000000081ea50 ***
..............
Aborted (core dumped)

CVE-2017-18189
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=881121
$ sox poc.aiff output.aiff speed 1.027
Segmentation fault (core dumped)
Mageia 5, x86_64

Pre-updates:
$ rpm -qa | grep sox
sox-14.4.1-6.1.mga5
lib64sox-devel-14.4.1-6.1.mga5
lib64sox2-14.4.1-6.1.mga5

Ran the PoC tests for the six CVEs listed in comments 2 and 3. These generated the same segfaults, FPEs and aborts as before.
Continuing testing from comment 5, Mageia 6 PoC tests in order of CVE numbers:

$ sox sox_14.4.2_divide_by_zero_error_1.wav out.ogg
sox FAIL formats: can't open input file `sox_14.4.2_divide_by_zero_error_1.wav': Channel count is zero

$ sox sox_14.4.2_invalid_memory_read.hcom out.wav
sox FAIL formats: can't open input file `sox_14.4.2_invalid_memory_read.hcom': Invalid dictionary

$ sox sox_14.4.2_divide_by_zero_error_2.snd out.wav
sox WARN formats_i: `sox_14.4.2_divide_by_zero_error_2.snd': file header gives the total number of samples as 1335 but file length indicates the number is in fact 1437
sox FAIL formats: can't open output file `out.wav': Too many channels (4009754624)

$ sox 01-stack-overflow out.snd
sox WARN wav: MSADPCM bpred >= nCoef, arbitrarily using 0
sox WARN wav: Premature EOF on .wav input file

$ sox -D -V -V crash00 /dev/null
sox: SoX v14.4.2
time: Apr 11 2018 15:31:16
issue: Mageia
uname: Linux difda 4.14.30-desktop-3.mga6 #1 SMP Sun Mar 25 22:17:31 UTC 2018 x86_64
compiler: gcc 5.5.0
arch: 1288 48 88 L OMP
sox INFO formats: detected file format type `aiff'
sox DBUG aiff: Comment: ""
sox DBUG aiff: Comment: "(null)"
sox DBUG aiff: AIFFstartread: ignoring `��' chunk
sox DBUG aiff: AIFFstartread: ignoring `' chunk
sox DBUG aiff: AIFFstartread: ignoring `' chunk
sox DBUG aiff: AIFFstartread: ignoring `' chunk
sox DBUG aiff: Annotation: "Aion 4"
sox DBUG aiff: Name: "mensaje.8svx"
sox DBUG aiff: Annotation: ""
sox DBUG aiff: AIFFstartread: ignoring `diti' chunk
sox FAIL formats: can't open input file `crash00': AIFF: no sound data on input file

These tests indicate that all the fault conditions are well-handled.

Played several music files with different formats with no problems.

$ play DanseDuRoy.mp3
DanseDuRoy.mp3:
 File Size: 2.39M     Bit Rate: 128k
  Encoding: MPEG audio
  Channels: 2 @ 16-bit
Samplerate: 44100Hz
Replaygain: off
  Duration: 00:02:29.55
In:100%  00:02:29.52 [00:00:00.03] Out:6.59M  [      |      ]        Clip:0
Done.

$ strace play RedRedWine.ogg 2> trace.1
$ grep sox trace.1
open("/lib64/libsox.so.3", O_RDONLY|O_CLOEXEC) = 3
open("/usr/lib64/sox", O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
readlink("/proc/self/exe", "/usr/bin/sox", 99) = 12

mp3, ogg, wav, flac files all played fine.

sox also coped with the m3u playlist format:
$ play SteeleyeSpan.m3u
/home/lcl/Music/wav/steeleyespan/AllAroundMyHat.wav:
..............
..............
<Ctrl-C to skip to next track>
/home/lcl/Music/wav/steeleyespan/TheElfKnight.wav:
..............

This is OK for 64 bits.
Whiteboard: MGA5TOO => MGA5TOO MGA6-64-OK
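The patched package above rejects the crafted WAV with "Channel count is zero" instead of dividing by that count. As an added illustration (not sox's code, and not part of this bug report), here is a small C parser for the 16-byte body of a RIFF/WAVE "fmt " chunk that applies the same class of check before computing anything derived from the header; the two header byte strings are constructed sample input.

```c
#include <stdint.h>
#include <stddef.h>

/* Added example, not sox code: fields of a PCM "fmt " chunk body. */
struct wav_fmt {
    uint16_t format, channels, block_align, bits_per_sample;
    uint32_t sample_rate, byte_rate;
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return (uint32_t)rd16(p) | ((uint32_t)rd16(p + 2) << 16); }

/* Returns 0 and fills *out on success, -1 if the chunk is too short or holds a
 * value that later code would divide by or index with unchecked. */
int parse_wav_fmt(const uint8_t *buf, size_t len, struct wav_fmt *out)
{
    if (len < 16) return -1;                 /* PCM fmt body is 16 bytes */
    out->format          = rd16(buf);
    out->channels        = rd16(buf + 2);
    out->sample_rate     = rd32(buf + 4);
    out->byte_rate       = rd32(buf + 8);
    out->block_align     = rd16(buf + 12);
    out->bits_per_sample = rd16(buf + 14);
    /* Every future divisor is validated here, before first use. */
    if (out->channels == 0 || out->sample_rate == 0) return -1;
    if (out->bits_per_sample == 0 || out->bits_per_sample % 8 != 0) return -1;
    if (out->block_align == 0) return -1;
    /* Cross-check: one block must hold one sample for every channel. */
    if (out->block_align != out->channels * (out->bits_per_sample / 8)) return -1;
    return 0;
}

/* Safe only after parse_wav_fmt() succeeded: channels is known non-zero. */
uint32_t bytes_per_channel_sample(const struct wav_fmt *f)
{
    return f->block_align / f->channels;
}

/* Constructed sample headers: valid 16-bit stereo PCM at 44100 Hz, and the
 * same body with the channel count forced to zero. */
static const uint8_t good_fmt[16]    = { 1,0, 2,0, 0x44,0xAC,0,0, 0x10,0xB1,2,0, 4,0, 16,0 };
static const uint8_t zero_ch_fmt[16] = { 1,0, 0,0, 0x44,0xAC,0,0, 0x10,0xB1,2,0, 4,0, 16,0 };
```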
Urggh! Too late at night again. Feedback marker still in place so CVE-2017-18189 patch still needs to be applied. s/all the fault conditions are well-handled/the first five CVEs are covered/
Whiteboard: MGA5TOO MGA6-64-OK => MGA5TOO
(In reply to Len Lawrence from comment #8)
> Urggh! Too late at night again. Feedback marker still in place so
> CVE-2017-18189 patch still needs to be applied.
>
> s/all the fault conditions are well-handled/the first five CVEs are covered/

Well, I cannot find the SUSE patch for CVE-2017-18189 upstream; it looks like their site does not return anything from the link they give. I suggest we push this update as is.
Keywords: feedback => (none)
Len showed a segfault, and openSUSE patches are not hard to find: https://build.opensuse.org/ Search for sox and look for 42.3:Update.

And like I said, there's even a Debian patch you clearly skipped which should be compared to the openSUSE one.
Keywords: (none) => feedback
Fair enough David. I was going to do as you said but shall wait a little longer.
José added the patch in sox-14.4.1-6.3.mga5 and sox-14.4.2-7.3.mga6. Thanks!
Created attachment 10103
6 test files for the CVEs in this bug

Additional to Len's invaluable PoC list in comment 5, the bug URL for CVE-2017-15372 is https://bugzilla.redhat.com/show_bug.cgi?id=1500553

This attachment has all 6 test files. See comment 5 for their use and pre-update results.
Testing M6/64 for the new package versions. This basically re-runs all that was already done by Len in c7.

BEFORE update: sox-14.4.2-7.1.mga6
All 6 tests failed exactly as in comment 5.

I was misled by comment 12, so overlooked the library... Everything failed as before until that was updated as well.

AFTER update:
lib64sox3-14.4.2-7.3.mga6
sox-14.4.2-7.3.mga6

All the test results were then as per comment 7, plus that for CVE-2017-18189. They are all good. c7 has extra usage testing which I did not repeat.

$ sox -D -V -V crash00 /dev/null
See c7.

$ sox poc.aiff output.aiff speed 1.027
sox FAIL formats: can't open input file `poc.aiff': invalid channel count 0
(This is the only one not in comment 7.)

$ sox 01-stack-overflow out.snd
sox WARN wav: MSADPCM bpred >= nCoef, arbitrarily using 0
sox WARN wav: Premature EOF on .wav input file

$ sox sox_14.4.2_divide_by_zero_error_1.wav out.ogg
sox FAIL formats: can't open input file `sox_14.4.2_divide_by_zero_error_1.wav': Channel count is zero

$ sox sox_14.4.2_divide_by_zero_error_2.snd out.wav
See c7.

$ sox sox_14.4.2_invalid_memory_read.hcom out.wav
sox FAIL formats: can't open input file `sox_14.4.2_invalid_memory_read.hcom': Invalid dictionary

So the M6/64 OK is valid for all the CVEs.
Thanks for the rerun and extra research Lewis. I shall do mga5 tomorrow.
M5 x64

I do not think you will mind seeing it done. You had lined up everything so well, done all the work.

BEFORE update:
lib64sox2-14.4.1-6.1.mga5
sox-14.4.1-6.1.mga5
Copying comment 5, all 6 PoCs failed similarly.

AFTER update:
- lib64sox2-14.4.1-6.3.mga5.x86_64
- sox-14.4.1-6.3.mga5.x86_64
Re-running all six tests gave 'correct' results as per c5 and c14.

OKing & validating. Advisory to come.
Keywords: (none) => validated_update
Whiteboard: MGA5TOO MGA6-64-OK => MGA5TOO MGA6-64-OK MGA5-64-OK
CC: (none) => sysadmin-bugs
Advisory done from comment 2 + bug RPMs link + the page for CVE-2017-18189.
Keywords: (none) => advisory
I ran the mga5 tests before seeing your comment Lewis. They confirm your results anyway. Thanks.
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0211.html
Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED