Bug 23382 - libsndfile new security issues CVE-2017-1745[67] and CVE-2018-13139
Summary: libsndfile new security issues CVE-2017-1745[67] and CVE-2018-13139
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All
OS: Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6-64-OK MGA6-32-OK
Keywords: advisory, has_procedure, validated_update
Duplicates: 28227
Depends on:
Blocks:

Reported: 2018-08-02 17:45 CEST by David Walser
Modified: 2021-02-09 19:48 CET (History)
CC: 6 users

See Also:
Source RPM: libsndfile-1.0.28-5.mga7.src.rpm
CVE:
Status comment:


Description David Walser 2018-08-02 17:45:09 CEST
SUSE has issued an advisory on July 26:
http://lists.suse.com/pipermail/sle-security-updates/2018-July/004311.html

Mageia 5 and Mageia 6 are also affected.
David Walser 2018-08-02 17:45:19 CEST

Whiteboard: (none) => MGA6TOO

Comment 1 Marja Van Waes 2018-08-02 18:39:14 CEST
Assigning to all packagers collectively, since there is no registered maintainer for this package.

CC'ing Mike

CC: (none) => marja11, mrambo
Assignee: bugsquad => pkg-bugs

Comment 2 David Walser 2018-08-06 21:58:34 CEST
openSUSE has issued an advisory for this today (August 6):
https://lists.opensuse.org/opensuse-updates/2018-08/msg00024.html
Comment 3 Mike Rambo 2018-08-08 15:58:25 CEST
Patched package uploaded for cauldron and Mageia 6.

Advisory:
========================

Updated libsndfile package fixes security vulnerabilities:

The function d2alaw_array() in alaw.c of libsndfile 1.0.29pre1 may lead to a remote DoS attack (CVE-2017-17456).

The function d2ulaw_array() in ulaw.c of libsndfile 1.0.29pre1 may lead to a remote DoS attack (CVE-2017-17457).

A stack-based buffer overflow in psf_memset in common.c in libsndfile 1.0.28 allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted audio file (CVE-2018-13139).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17456
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17457
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13139
http://lists.suse.com/pipermail/sle-security-updates/2018-July/004311.html
========================

Updated packages in core/updates_testing:
========================
lib64sndfile1-1.0.28-3.3.mga6
lib64sndfile-devel-1.0.28-3.3.mga6
lib64sndfile-static-devel-1.0.28-3.3.mga6
libsndfile-progs-1.0.28-3.3.mga6

from libsndfile-1.0.28-3.3.mga6.src.rpm


Test procedure: https://bugs.mageia.org/show_bug.cgi?id=21138#c3

Whiteboard: MGA6TOO => (none)
Assignee: pkg-bugs => qa-bugs
Keywords: (none) => has_procedure
Version: Cauldron => 6

Comment 4 Len Lawrence 2018-08-09 16:46:19 CEST
Mageia 6, x86_64
Before updating :-

Ran the PoC tests - results below.

No problems with these commands:
$ sndfile-play organ7-2-1.wav
$ sndfile-info CherryOhBaby.ogg
$ sndfile-deinterleave AnElizabethanSuite.flac

After updating:

Experimented with libsndfile-progs:
$ sndfile-deinterleave AnElizabethanSuite.flac
Input file : AnElizabethanSuite
Output files :
    AnElizabethanSuite_00.flac
    AnElizabethanSuite_01.flac
These appeared to be valid FLAC files, basically the same music but sounding somewhat different.
$ sndfile-play LaGazzaLadra.wav
Playing OK...
$ sndfile-info RedRedWine.ogg 
========================================
File : RedRedWine.ogg
Length : 3458621
Ogg stream data : Vorbis
[...]
Duration    : 00:03:03.787
Signal Max  : 0.890792 (-91.31 dB)

OGG, WAV and FLAC formats play fine but MP3 files do not, which was the case before updating also.
$ sndfile-play ElBarberilloDoLavaples.mp3
Playing ElBarberilloDoLavaples.mp3
File contains data in an unknown format.

PoC report
----------
Before update:

CVE-2017-1745{6,7}
https://github.com/erikd/libsndfile/issues/344
$ sndfile-convert -alaw id:000000,sig:11,src:000024,op:flip2,pos:34 1.raw
Error: Not able to decode input file id:000000,sig:11,src:000024,op:flip2,pos:34.

One empty file generated - 1.raw.

CVE-2018-13139
https://github.com/erikd/libsndfile/issues/397
$ sndfile-deinterleave poc
Input file : poc
Output files :
    poc_00
    poc_01
[...]
    poc_243
    poc_244
Segmentation fault (core dumped)
All 245 58-byte output files were there.
$ rm -f poc_*

After the update:

The CVE-2017-1745* test returned the same error; the case is handled tidily, which indicates that the problem had already been fixed.

$ sndfile-convert -alaw id:000000,sig:11,src:000024,op:flip2,pos:34 1.raw
Error : Not able to decode input file id:000000,sig:11,src:000024,op:flip2,pos:34.

CVE-2018-13139
$ sndfile-deinterleave poc
Error : Too many channels 245 in input file 'poc'.

That is a good result - issue fixed.

This is fine for 64-bits.

CC: (none) => tarazed25
Whiteboard: (none) => MGA6-64-OK
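
The "Too many channels" rejection seen above is the kind of header sanity check that stops a crafted file from driving per-channel allocations, as in the CVE-2018-13139 stack overflow described in the advisory. The following is an added illustration, not libsndfile's or Mageia's code: it reads the channel count from a constructed RIFF/WAVE header and refuses the file before anything is sized from that field. The MAX_CHANNELS value of 16 is an assumption for this example (the page shows 245 being rejected but does not quote the tool's own limit).

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Channel limit assumed for this example: the report shows a 245-channel file
 * being rejected after the update, but does not quote the tool's own constant. */
#define MAX_CHANNELS 16
enum { WAV_OK = 0, WAV_ERR_SHORT = -1, WAV_ERR_MAGIC = -2, WAV_ERR_CHANNELS = -3 };
static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Read nChannels from a canonical RIFF/WAVE header and refuse the file before
 * anything per-channel (one output file per channel, as sndfile-deinterleave
 * creates) is sized from this attacker-controlled field. */
int wav_channel_count(const uint8_t *buf, size_t len, unsigned *channels)
{
    if (len < 36)
        return WAV_ERR_SHORT;
    if (memcmp(buf, "RIFF", 4) != 0 || memcmp(buf + 8, "WAVE", 4) != 0 ||
        memcmp(buf + 12, "fmt ", 4) != 0)
        return WAV_ERR_MAGIC;
    unsigned ch = le16(buf + 22);             /* nChannels field of the fmt chunk */
    if (ch == 0 || ch > MAX_CHANNELS)
        return WAV_ERR_CHANNELS;
    *channels = ch;
    return WAV_OK;
}
/* Constructed sample input: a 44-byte PCM header with a chosen channel count. */
void make_wav_header(uint8_t out[44], uint16_t channels)
{
    memset(out, 0, 44);
    memcpy(out, "RIFF", 4);
    memcpy(out + 8, "WAVE", 4);
    memcpy(out + 12, "fmt ", 4);
    out[16] = 16;                             /* fmt chunk length */
    out[20] = 1;                              /* WAVE_FORMAT_PCM */
    out[22] = (uint8_t)(channels & 0xff);
    out[23] = (uint8_t)(channels >> 8);
    memcpy(out + 36, "data", 4);
}

int main(void)
{
    uint8_t hdr[44];
    unsigned ch = 0;
    make_wav_header(hdr, 245);                /* same count as the 'poc' file in the report */
    if (wav_channel_count(hdr, sizeof hdr, &ch) == WAV_ERR_CHANNELS)
        printf("Error : Too many channels %u in input file 'poc'\n", le16(hdr + 22));
    return 0;
}
```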

Comment 5 Herman Viaene 2018-08-10 16:04:27 CEST
MGA6-32 MATE on IBM Thinkpad R50e
No installation issues
At CLI:
$ sndfile-play 02\ Zapfenstreich.wav
plays OK
$ sndfile-play 02\ Zapfenstreich.mp3 
Playing 02 Zapfenstreich.mp3
File contains data in an unknown format.
which is consistent as before
$ sndfile-play 02-1963-Trini\ Lopez\ -\ If\ I\ Had\ A\ Hammer.ogg 
plays OK
$ sndfile-deinterleave 01Wellington\'s\ Sieg.wav
$ sndfile-deinterleave 01Wellington\'s\ Sieg.wav 
Input file : 01Wellington's Sieg
Output files :
    01Wellington's Sieg_00.wav
    01Wellington's Sieg_01.wav
That's what the command is supposed to do, create two mono files from a single stereo file.
$ sndfile-info 03-1971-Michel\ Delpech\ -\ Pour\ Un\ Flirt.ogg 
========================================
File : 03-1971-Michel Delpech - Pour Un Flirt.ogg
Length : 3990120
Ogg stream data : Vorbis
Stream serialno : 1293677773
Vorbis library version : Xiph.Org libVorbis 1.3.5
Bitstream is 2 channel, -5190873559567651772 Hz
Encoded by : Xiph.Org libVorbis I 20150105 (⛄⛄⛄⛄)
Metadata :
  Title      : Pour Un Flirt
  Album      : De Pre Historie 1971
  Tracknumber : 6/20
  Genre      : Pop
End

----------------------------------------
Sample Rate : 44100
Frames      : 9029376
Channels    : 2
Format      : 0x00200060
Sections    : 1
Seekable    : TRUE
Duration    : 00:03:24.748
Signal Max  : 0.885736 (-91.36 dB)

Looks all good to me.

CC: (none) => herman.viaene
Whiteboard: MGA6-64-OK => MGA6-64-OK MGA6-32-OK

Comment 6 Len Lawrence 2018-08-11 16:55:33 CEST
Thanks Herman - validating this.

CC: (none) => sysadmin-bugs
Keywords: (none) => validated_update

Comment 7 Thomas Backlund 2018-08-12 22:14:37 CEST
Advisory added to svn

Keywords: (none) => advisory
CC: (none) => tmb

Comment 8 Mageia Robot 2018-08-12 22:40:19 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0336.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Comment 9 David Walser 2021-02-09 15:20:25 CET
*** Bug 28227 has been marked as a duplicate of this bug. ***
Comment 10 David Walser 2021-02-09 15:20:56 CET
This update also fixed CVE-2018-19432:
https://ubuntu.com/security/notices/USN-4704-1
https://security-tracker.debian.org/tracker/CVE-2018-19432

Resolution: FIXED => (none)
Status: RESOLVED => UNCONFIRMED
Ever confirmed: 1 => 0

Comment 11 Thomas Backlund 2021-02-09 17:58:26 CET
.

Status: UNCONFIRMED => RESOLVED
Resolution: (none) => FIXED

Comment 12 Len Lawrence 2021-02-09 19:48:43 CET
$ rpm -q lib64sndfile1
lib64sndfile1-1.0.28-8.2.mga7

Too late to check the PoC before update.
CVE-2018-19432
https://github.com/libsndfile/libsndfile/issues/427
$ sndfile-deinterleave oob_sf_write_int:2257
Error : Too many channels 255 in input file 'oob_sf_write_int:2257'.

The downloaded test file has a different name from the one quoted in the upstream report but the result looks good anyway.

Don't know if this helps.
