Bug 22615 - sox new security issues CVE-2017-11332, CVE-2017-1135[89], CVE-2017-15372 and CVE-2017-15642, CVE-2017-18189
Summary: sox new security issues CVE-2017-11332, CVE-2017-1135[89], CVE-2017-15372 and...
Status: ASSIGNED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA5TOO
Keywords: feedback
Depends on:
Blocks:
 
Reported: 2018-02-16 21:47 CET by David Walser
Modified: 2018-04-15 03:13 CEST
CC: 3 users

See Also:
Source RPM: sox-14.4.2-7.1.mga6.src.rpm
CVE:
Status comment: Patches available from Fedora and openSUSE


Attachments

Description David Walser 2018-02-16 21:47:44 CET
Fedora has issued an advisory on February 14:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/UH2SQ3KUA2QMA4QBGGATZPOG2AGLW7X7/

Mageia 6 is also affected.  Mageia 5 may be as well.
David Walser 2018-02-16 21:47:51 CET

Whiteboard: (none) => MGA6TOO

David Walser 2018-02-16 21:50:16 CET

Status comment: (none) => Patches available from Fedora

Marja Van Waes 2018-02-18 07:23:39 CET

CC: (none) => marja11
Assignee: bugsquad => lists.jjorge

Comment 1 David Walser 2018-02-24 23:00:39 CET
openSUSE has issued an advisory for this on February 20:
https://lists.opensuse.org/opensuse-updates/2018-02/msg00077.html

It also fixes four new issues.

Summary: sox new security issues CVE-2017-15372 and CVE-2017-15642 => sox new security issues CVE-2017-11332, CVE-2017-1135[89], CVE-2017-15372 and CVE-2017-15642, CVE-2017-18189
Status comment: Patches available from Fedora => Patches available from Fedora and openSUSE

Comment 2 José Jorge 2018-04-11 17:34:58 CEST
Finally I have found time for this.

Suggested advisory :

This update for sox fixes the following security issues:

* CVE-2017-11332: Fixed the startread function in wav.c, which allowed
remote attackers to cause a DoS (divide-by-zero) via a crafted wav file.
* CVE-2017-11358: Fixed the read_samples function in hcom.c, which allowed
remote attackers to cause a DoS (invalid memory read) via a crafted hcom
file.
* CVE-2017-11359: Fixed the wavwritehdr function in wav.c, which allowed
remote attackers to cause a DoS (divide-by-zero) when converting a
crafted snd file to a wav file.
* CVE-2017-15372: Fixed a stack-based buffer overflow in the
lsx_ms_adpcm_block_expand_i function of adpcm.c, which allowed remote
attackers to cause a DoS during conversion of a crafted audio file.
* CVE-2017-15642: Fixed a Use-After-Free vulnerability in
lsx_aiffstartread in aiff.c, which could be triggered by an attacker by
providing a malformed AIFF file.

RPMS:

sox-14.4.2-7.2.mga6.x86_64.rpm 
lib64sox3-14.4.2-7.2.mga6.x86_64.rpm
lib64sox-devel-14.4.2-7.2.mga6.x86_64.rpm

The same for i586, only SRPM is sox-14.4.2-7.2.mga6.srpm.

Thanks QA for testing.

Version: Cauldron => 6
Whiteboard: MGA6TOO => (none)
CC: (none) => lists.jjorge
Status: NEW => ASSIGNED
Assignee: lists.jjorge => qa-bugs

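The two wav.c issues in the suggested advisory above (CVE-2017-11332 in startread, CVE-2017-11359 in wavwritehdr) are both divisions by a channel count that came straight from the input header; the fixed build in comment 7 instead reports "Channel count is zero" and "Too many channels". The following is an added example, written for this page and not code from sox or from the Fedora/openSUSE patches: a minimal reader for the 16-byte PCM "fmt " chunk of a WAV file, showing the vulnerable division next to a hardened version that validates the header before any arithmetic uses it, plus the writer-side bound (the fmt chunk stores channels in 16 bits, so anything larger cannot be written). The function names, the sanity limits, and the two header byte strings (one well-formed, one with a zero channel count) are constructed for this example, not taken from the PoC files.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* PCM "fmt " chunk body as stored on disk (RIFF/WAVE, little-endian). */
struct wav_fmt {
    uint16_t format_tag, channels, block_align, bits_per_sample;
    uint32_t sample_rate, avg_bytes_per_sec;
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }

/* Parse the 16-byte PCM fmt chunk body. Returns 0 on success, -1 if the buffer is too short. */
int parse_fmt(const uint8_t *buf, size_t len, struct wav_fmt *f)
{
    if (len < 16) return -1;
    f->format_tag = rd16(buf);        f->channels = rd16(buf + 2);
    f->sample_rate = rd32(buf + 4);   f->avg_bytes_per_sec = rd32(buf + 8);
    f->block_align = rd16(buf + 12);  f->bits_per_sample = rd16(buf + 14);
    return 0;
}

/* Vulnerable shape (kept for contrast, never called below): divide by a channel count copied
 * from the file. A header with channels == 0 raises SIGFPE, the "Floating point exception"
 * seen pre-update in comment 5. */
unsigned bytes_per_sample_unchecked(const struct wav_fmt *f)
{
    return f->block_align / f->channels;
}

/* Hardened reader: returns NULL and stores bytes-per-sample in *bps, or returns an error
 * string and stores 0. Every field used as a divisor or multiplier is checked first. */
const char *fmt_error(const uint8_t *buf, size_t len, unsigned *bps)
{
    struct wav_fmt f;
    if (bps) *bps = 0;
    if (parse_fmt(buf, len, &f) != 0) return "fmt chunk too short";
    if (f.channels == 0) return "Channel count is zero";
    if (f.bits_per_sample == 0 || f.bits_per_sample > 64) return "Invalid bits per sample";
    /* block_align must be exactly channels * bytes-per-sample, so the division is exact. */
    if (f.block_align == 0 || f.block_align % f.channels != 0)
        return "block_align inconsistent with channel count";
    if (f.block_align / f.channels != (f.bits_per_sample + 7u) / 8u)
        return "block_align inconsistent with bits per sample";
    if (bps) *bps = f.block_align / f.channels;
    return NULL;
}

/* Convenience wrapper: bytes per sample for an accepted header, 0 for a rejected one. */
unsigned checked_bytes_per_sample(const uint8_t *buf, size_t len)
{
    unsigned bps;
    fmt_error(buf, len, &bps);
    return bps;
}

/* Writer side: the channel count in a WAV fmt chunk is a 16-bit field, so a value that does
 * not fit (such as the 4009754624 reported in comment 7) must be rejected before the
 * header arithmetic runs. Returns NULL when the count is writable. */
const char *wav_header_channels_error(unsigned channels)
{
    if (channels == 0) return "Channel count is zero";
    if (channels > UINT16_MAX) return "Too many channels";
    return NULL;
}

/* Constructed sample headers: 16-bit stereo PCM at 44100 Hz, and the same header with
 * channels forced to zero (the CVE-2017-11332 trigger condition). */
static const uint8_t GOOD_FMT[16] = {
    0x01,0x00, 0x02,0x00, 0x44,0xAC,0x00,0x00, 0x10,0xB1,0x02,0x00, 0x04,0x00, 0x10,0x00 };
static const uint8_t CRAFTED_FMT[16] = {
    0x01,0x00, 0x00,0x00, 0x44,0xAC,0x00,0x00, 0x00,0x00,0x00,0x00, 0x04,0x00, 0x10,0x00 };

int main(void)
{
    unsigned bps;
    const char *err = fmt_error(GOOD_FMT, sizeof GOOD_FMT, &bps);
    printf("good header:    %s (bytes/sample %u)\n", err ? err : "ok", bps);
    err = fmt_error(CRAFTED_FMT, sizeof CRAFTED_FMT, &bps);
    printf("crafted header: %s\n", err ? err : "ok");
    printf("writer, 4009754624 channels: %s\n", wav_header_channels_error(4009754624u));
    return 0;
}
```

The check order matters: the zero test has to come before any use of `channels` as a divisor, and the consistency tests on `block_align` close the related case where a non-zero but bogus channel count would make later buffer-size arithmetic wrong rather than crash outright.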
Comment 3 David Walser 2018-04-12 13:09:34 CEST
We're missing a patch for CVE-2017-18189, which openSUSE fixed.  It may also be the 0012-xa-validate-channel-count.patch from Debian, but compare with openSUSE.

The patches added so far do apply to Mageia 5, so adding that too.

Whiteboard: (none) => MGA5TOO
Keywords: (none) => feedback

Comment 4 Len Lawrence 2018-04-12 15:09:40 CEST
Mageia 6, x86_64
Investigating the PoCs for this.

CC: (none) => tarazed25

Comment 5 Len Lawrence 2018-04-12 15:27:31 CEST
Hanging fire on this one until the patch referred to in comment 3 is in place.
Meanwhile, pre-updates, the PoCs generated errors in line with those posted upstream.

http://seclists.org/fulldisclosure/2017/Jul/81

CVE-2017-11332
$ sox sox_14.4.2_divide_by_zero_error_1.wav out.ogg
Floating point exception (core dumped)

CVE-2017-11358
$ sox sox_14.4.2_invalid_memory_read.hcom out.wav
Segmentation fault (core dumped)

CVE-2017-11359
$ sox sox_14.4.2_divide_by_zero_error_2.snd out.wav
sox WARN formats_i: `sox_14.4.2_divide_by_zero_error_2.snd': file header gives the total number of samples as 1335 but file length indicates the number is in fact 1437
Floating point exception (core dumped)

CVE-2017-15372
$ sox 01-stack-overflow out.snd
Segmentation fault (core dumped)

CVE-2017-15642
https://bugzilla.suse.com/show_bug.cgi?id=1064576
$ file crash00
crash00: IFF data, AIFF audio
$ sox -D -V -V crash00 /dev/null
..............
sox INFO formats: detected file format type `aiff'
*** Error in `sox': double free or corruption (fasttop): 0x000000000081ea50 ***
..............
Aborted (core dumped)

CVE-2017-18189
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=881121
$ sox poc.aiff output.aiff speed 1.027
Segmentation fault (core dumped)

Comment 6 Len Lawrence 2018-04-12 15:52:28 CEST
Mageia5, x86_64

Pre-updates:
$ rpm -qa | grep sox
sox-14.4.1-6.1.mga5
lib64sox-devel-14.4.1-6.1.mga5
lib64sox2-14.4.1-6.1.mga5

Ran the PoC tests for the six CVEs listed in comments 2 and 3.  These generated the same segfaults, FPEs and aborts as before.

Comment 7 Len Lawrence 2018-04-15 03:05:52 CEST
Continuing testing from comment 5, Mageia6

PoC tests in order of CVE numbers:

$ sox sox_14.4.2_divide_by_zero_error_1.wav out.ogg
sox FAIL formats: can't open input file `sox_14.4.2_divide_by_zero_error_1.wav': Channel count is zero

$ sox sox_14.4.2_invalid_memory_read.hcom out.wav
sox FAIL formats: can't open input file `sox_14.4.2_invalid_memory_read.hcom': Invalid dictionary

$ sox sox_14.4.2_divide_by_zero_error_2.snd out.wav
sox WARN formats_i: `sox_14.4.2_divide_by_zero_error_2.snd': file header gives the total number of samples as 1335 but file length indicates the number is in fact 1437
sox FAIL formats: can't open output file `out.wav': Too many channels (4009754624)

$ sox 01-stack-overflow out.snd
sox WARN wav: MSADPCM bpred >= nCoef, arbitrarily using 0
sox WARN wav: Premature EOF on .wav input file

$ sox -D -V -V crash00 /dev/null
sox:      SoX v14.4.2
time:     Apr 11 2018 15:31:16
issue:    Mageia
uname:    Linux difda 4.14.30-desktop-3.mga6 #1 SMP Sun Mar 25 22:17:31 UTC 2018 x86_64
compiler: gcc 5.5.0
arch:     1288 48 88 L OMP
sox INFO formats: detected file format type `aiff'
sox DBUG aiff: Comment:     ""
sox DBUG aiff: Comment:     "(null)"
sox DBUG aiff: AIFFstartread: ignoring `��' chunk
sox DBUG aiff: AIFFstartread: ignoring `' chunk
sox DBUG aiff: AIFFstartread: ignoring `' chunk
sox DBUG aiff: AIFFstartread: ignoring `' chunk
sox DBUG aiff: Annotation:   "Aion 4"
sox DBUG aiff: Name:        "mensaje.8svx"
sox DBUG aiff: Annotation:   ""
sox DBUG aiff: AIFFstartread: ignoring `diti' chunk
sox FAIL formats: can't open input file `crash00': AIFF: no sound data on input file

These tests indicate that all the fault conditions are well-handled.

Played several music files with different formats with no problems.
$ play DanseDuRoy.mp3
DanseDuRoy.mp3:
 File Size: 2.39M     Bit Rate: 128k
  Encoding: MPEG audio    
  Channels: 2 @ 16-bit   
Samplerate: 44100Hz      
Replaygain: off         
  Duration: 00:02:29.55  

In:100%  00:02:29.52 [00:00:00.03] Out:6.59M [      |      ]        Clip:0    
Done.

$ strace play RedRedWine.ogg 2> trace.1
$ grep sox trace.1
open("/lib64/libsox.so.3", O_RDONLY|O_CLOEXEC) = 3
open("/usr/lib64/sox", O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
readlink("/proc/self/exe", "/usr/bin/sox", 99) = 12

mp3, ogg, wav, flac files all played fine.
sox also coped with the m3u playlist format:
$ play SteeleyeSpan.m3u
/home/lcl/Music/wav/steeleyespan/AllAroundMyHat.wav:
..............
..............
<Ctrl-C to skip to next track>
/home/lcl/Music/wav/steeleyespan/TheElfKnight.wav:
..............

This is OK for 64 bits.

Whiteboard: MGA5TOO => MGA5TOO MGA6-64-OK

Comment 8 Len Lawrence 2018-04-15 03:13:03 CEST
Urggh!  Too late at night again.  Feedback marker still in place so CVE-2017-18189 patch still needs to be applied.

s/all the fault conditions are well-handled/the first five CVEs are covered/

Whiteboard: MGA5TOO MGA6-64-OK => MGA5TOO

