Bug 23323 - soundtouch new security issues CVE-2017-9258, CVE-2017-9259, CVE-2017-9260
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2018-07-17 16:19 CEST by David Walser
Modified: 2018-08-10 16:39 CEST

See Also:
Source RPM: soundtouch-2.0.0-1.mga7.src.rpm
CVE:
Status comment:


Description David Walser 2018-07-17 16:19:37 CEST
Fedora has issued an advisory on July 16:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/DBNLS5JI6AFPGYDJHBRYWMSVRPRNVQCN/

Mageia 6 is also affected (Mageia 5 may be as well).
David Walser 2018-07-17 16:19:49 CEST

Whiteboard: (none) => MGA6TOO

Comment 1 Marja Van Waes 2018-07-17 19:25:24 CEST
Assigning to all packagers collectively, since there is no registered maintainer for this package.

CC: (none) => marja11, smelror

Comment 2 Marja Van Waes 2018-07-19 13:41:33 CEST
(In reply to Marja Van Waes from comment #1)
> Assigning to all packagers collectively, since there is no registered
> maintainer for this package.

now really assigning :-[

Assignee: bugsquad => pkg-bugs

Comment 3 Mike Rambo 2018-07-31 15:02:48 CEST
Patched package uploaded for cauldron and Mageia 6.

Advisory:
========================

Updated soundtouch package fixes security vulnerabilities:

The TDStretch::processSamples function in source/SoundTouch/TDStretch.cpp in SoundTouch 1.9.2 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a crafted wav file (CVE-2017-9258).

The TDStretch::acceptNewOverlapLength function in source/SoundTouch/TDStretch.cpp in SoundTouch 1.9.2 allows remote attackers to cause a denial of service (memory allocation error and application crash) via a crafted wav file (CVE-2017-9259).

The TDStretchSSE::calcCrossCorr function in source/SoundTouch/sse_optimized.cpp in SoundTouch 1.9.2 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted wav file (CVE-2017-9260).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9258
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9259
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9260
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/DBNLS5JI6AFPGYDJHBRYWMSVRPRNVQCN/
========================

Updated packages in core/updates_testing:
========================
lib64soundtouch1-1.9.2-2.1.mga6
lib64soundtouch-devel-1.9.2-2.1.mga6
soundtouch-1.9.2-2.1.mga6

from soundtouch-1.9.2-2.1.mga6.src.rpm

Version: Cauldron => 6
Assignee: pkg-bugs => qa-bugs
Whiteboard: MGA6TOO => (none)
CC: (none) => mrambo

Comment 4 Len Lawrence 2018-07-31 20:23:24 CEST
Mageia 6, x86_64

PoCs at http://seclists.org/fulldisclosure/2017/Jul/62
Analyzed using ASAN - not an option for us.

CVE-2017-9258
Before:
$ soundstretch SoundTouch_1.9.2_memory_allocation_error.wav out
[...]
Segmentation fault (core dumped)

CVE-2017-9259
Before:
$ soundstretch SoundTouch_1.9.2_infinite_loop.wav out
[...]
Working...
<Hung forever with one core running 100%.>
$ ll out
-rw-r--r-- 1 lcl lcl 56 Jul 31 16:28 out

CVE-2017-9260
Before:
$ soundstretch SoundTouch_1.9.2_heap_buffer_overflow.wav out
[...]
Working...Segmentation fault (core dumped)

$ soundstretch Corries.wav out.1 -tempo=-50 -pitch=+8

   SoundStretch v1.9.2 -  Written by Olli Parviainen 2001 - 2015
==================================================================
author e-mail: <oparviai@iki.fi> - WWW: http://www.surina.net/soundtouch

This program is subject to (L)GPL license. Run "soundstretch -license" for
more information.

Uses 32bit floating point sample type in processing.

Processing the file with the following changes:
  tempo change = -50 %
  pitch change = +8 semitones
  rate change  = +0 %

Working...Done!
$ aplay out.1
It definitely worked - terrible thing to do to the Corries though.

Updated from testing.

PoC tests, afterwards:

$ soundstretch SoundTouch_1.9.2_memory_allocation_error.wav out
[...]
Error: Excessive samplerate

$ soundstretch SoundTouch_1.9.2_infinite_loop.wav out
[...]
Error: Excessive samplerate

$ soundstretch SoundTouch_1.9.2_heap_buffer_overflow.wav out
[...]
Error: Excessive samplerate

That validates the patches.

$ soundstretch -license
Displays the software licence.

$ soundstretch LammasTide.wav out.2 -tempo=+10 -pitch=-2

   SoundStretch v1.9.2 -  Written by Olli Parviainen 2001 - 2015
==================================================================
author e-mail: <oparviai@iki.fi> - WWW: http://www.surina.net/soundtouch

This program is subject to (L)GPL license. Run "soundstretch -license" for
more information.

Uses 32bit floating point sample type in processing.

Processing the file with the following changes:
  tempo change = +10 %
  pitch change = -2 semitones
  rate change  = +0 %

Working...Done!

$ aplay out.2
The changes were applied - a subtler effect.

All good for 64-bits.

CC: (none) => tarazed25
Whiteboard: (none) => MGA6-64-OK
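
The before/after PoC check in comment 4 can be scripted so that the hang and the crashes are detected without watching the terminal. This is an added example, not part of the original report or of Mageia's QA tooling; it assumes GNU coreutils `timeout`, and the helper name `classify_run` and the 30-second limit are hypothetical choices.

```shell
#!/bin/sh
# Added example (not from the bug report): classify one run of a command the
# way the manual before/after test in comment 4 does by eye.
# Assumes GNU coreutils `timeout`; classify_run is a hypothetical helper name.

# Usage: classify_run SECONDS CMD [ARGS...]
# Prints one of: hang | crash | rejected | ok | error
classify_run() (
    secs=$1
    shift
    log=$(mktemp) || exit 2
    status=0
    # `|| status=$?` keeps the function usable under `set -e`.
    timeout "$secs" "$@" >"$log" 2>&1 || status=$?

    if [ "$status" -eq 124 ]; then
        verdict=hang        # timeout expired: the 100% CPU loop case
    elif [ "$status" -gt 128 ]; then
        verdict=crash       # killed by a signal, e.g. 139 = 128 + SIGSEGV
    elif grep -q 'Excessive samplerate' "$log"; then
        verdict=rejected    # message printed by the patched build
    elif [ "$status" -eq 0 ]; then
        verdict=ok
    else
        verdict=error       # non-zero exit without the expected message
    fi
    rm -f "$log"
    echo "$verdict"
)

# Run the three PoC files named in comment 4, if they and soundstretch exist.
if command -v soundstretch >/dev/null 2>&1; then
    for poc in SoundTouch_1.9.2_memory_allocation_error.wav \
               SoundTouch_1.9.2_infinite_loop.wav \
               SoundTouch_1.9.2_heap_buffer_overflow.wav; do
        [ -f "$poc" ] || continue
        printf '%s: %s\n' "$poc" "$(classify_run 30 soundstretch "$poc" out)"
    done
fi
```

On the unpatched package the expected verdicts are `crash` or `hang`; after the update all three files should report `rejected`.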

Len Lawrence 2018-08-03 08:21:58 CEST

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Thomas Backlund 2018-08-10 15:36:22 CEST

CC: (none) => tmb
Keywords: (none) => advisory

Comment 5 Mageia Robot 2018-08-10 16:39:58 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0331.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED
