Bug 22849 - aubio new security issue CVE-2017-17054
Summary: aubio new security issue CVE-2017-17054
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 6
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2018-03-31 22:05 CEST by David Walser
Modified: 2018-04-07 00:55 CEST (History)
4 users (show)

See Also:
Source RPM: aubio-0.4.6-1.mga7.src.rpm
CVE:
Status comment:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description David Walser 2018-03-31 22:05:50 CEST 
openSUSE has issued an advisory on March 30:
https://lists.opensuse.org/opensuse-updates/2018-03/msg00118.html

Mageia 5 and Mageia 6 are also affected.
David Walser 2018-03-31 22:05:58 CEST

Whiteboard: (none) => MGA6TOO

Comment 1 Marja Van Waes 2018-03-31 22:23:14 CEST 
Assigning to the registered maintainer.

CC: (none) => marja11
Assignee: bugsquad => shlomif

Comment 2 David Walser 2018-04-03 13:01:27 CEST 
aubio-0.4.2-2.1.mga6
libaubio4-0.4.2-2.1.mga6
libaubio-devel-0.4.2-2.1.mga6
python-aubio-0.4.2-2.1.mga6

from aubio-0.4.2-2.1.mga6.src.rpm

built for Mageia 6 by Shlomi.  I don't recall seeing a Cauldron build.
Comment 3 Shlomi Fish 2018-04-03 17:48:03 CEST 
(In reply to David Walser from comment #2)
> aubio-0.4.2-2.1.mga6
> libaubio4-0.4.2-2.1.mga6
> libaubio-devel-0.4.2-2.1.mga6
> python-aubio-0.4.2-2.1.mga6
> 
> from aubio-0.4.2-2.1.mga6.src.rpm
> 
> built for Mageia 6 by Shlomi.  I don't recall seeing a Cauldron build.

sorry - I submitted it for cauldron now.
Comment 4 David Walser 2018-04-03 18:48:03 CEST 
Advisory:
========================

Updated aubio packages fix security vulnerability:

Specially crafted wav files could have been used to cause an application crash
(CVE-2017-17054).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17054
https://lists.opensuse.org/opensuse-updates/2018-03/msg00118.html
========================

Updated packages in core/updates_testing:
========================
aubio-0.4.2-2.1.mga6
libaubio4-0.4.2-2.1.mga6
libaubio-devel-0.4.2-2.1.mga6
python-aubio-0.4.2-2.1.mga6

from aubio-0.4.2-2.1.mga6.src.rpm

Assignee: shlomif => qa-bugs
Version: Cauldron => 6
Whiteboard: MGA6TOO => (none)
CC: (none) => shlomif

Comment 5 Len Lawrence 2018-04-03 20:20:06 CEST 
Mageia6, x86_64

Installed aubio and looked for documentation.  It installs as a set of tools which operate on audio files, returning information on pitch and other parameters.

/bin/aubiocut*
/bin/aubiomfcc*
/bin/aubionotes*
/bin/aubioonset*
/bin/aubiopitch*
/bin/aubioquiet*
/bin/aubiotrack*

These all respond to --help.

From the aubio site https://aubio.org/

"aubio is a tool designed for the extraction of annotations from audio signals. Its features include segmenting a sound file before each of its attacks, performing pitch detection, tapping the beat and producing midi streams from live audio."

Unfamiliar territory.  There is a PoC at https://bugzilla.suse.com/show_bug.cgi?id=1070399.
CVE-2017-17054
$ aubioquiet -i id000007,sig08,src000068,opext_AO,pos48

Before updating:
$ aubioquiet -i id000007,sig08,src000068,opext_AO,pos48
AUBIO ERROR: source_sndfile: Failed opening id000007,sig08,src000068,opext_AO,pos48: Error in WAV file. No 'data' chunk marker.
AUBIO ERROR: source_wavread: data RIFF header not found in id000007,sig08,src000068,opext_AO,pos48
AUBIO ERROR: source: failed creating aubio source with id000007,sig08,src000068,opext_AO,pos48 at samplerate 0 with hop_size 256
Error: could not open input file id000007,sig08,src000068,opext_AO,pos48

After updating:
$ aubioquiet -i id000007,sig08,src000068,opext_AO,pos48
AUBIO ERROR: source_sndfile: Failed opening id000007,sig08,src000068,opext_AO,pos48: Error in WAV file. No 'data' chunk marker.
AUBIO ERROR: source_wavread: Failed opening id000007,sig08,src000068,opext_AO,pos48 (samplerate can not be 0)
AUBIO ERROR: source: failed creating aubio source with id000007,sig08,src000068,opext_AO,pos48 at samplerate 0 with hop_size 256
Error: could not open input file id000007,sig08,src000068,opext_AO,pos48

There is a difference between the output which might confirm that the fix is working.

Running some of the tools with the -i switch to indicate an input file returns numbers which would probably make sense to a sound engineer.

$ aubioquiet -i organ4-1-1.wav
NOISY: 1.160998

$ aubiotrack -i Three_Parts_upon_a_Ground.wav
1.864422
2.425351
3.011383
3.310181
3.609002
3.907800
4.206621
4.875510
5.328866
.........

$ aubiopitch -o test -i PadstowMaySong.wav
produced a binary data file called test.
$ file test
test: RIFF (little-endian) data, WAVE audio, Microsoft PCM, 16 bit, mono 44100 Hz
$ play test

test:

 File Size: 21.0M     Bit Rate: 706k
  Encoding: Signed PCM    
  Channels: 1 @ 16-bit   
Samplerate: 44100Hz      
Replaygain: off         
  Duration: 00:03:57.62  
...................

The original WAV file held about 42 MB.  test weighed in at about half that and the sound was considerably degraded so RIFF is probably not intended to be played as is.

This can be considered as a working package however.

CC: (none) => tarazed25
Whiteboard: (none) => MGA6-64-OK

Lewis Smith 2018-04-04 11:19:30 CEST

Keywords: (none) => advisory, validated_update
CC: (none) => sysadmin-bugs

Comment 6 Mageia Robot 2018-04-07 00:55:37 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0194.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED
Note You need to log in before you can comment on or make changes to this bug.