Bug 23382 - libsndfile new security issues CVE-2017-1745[67] and CVE-2018-13139
Summary: libsndfile new security issues CVE-2017-1745[67] and CVE-2018-13139
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All
OS: Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6-64-OK MGA6-32-OK
Keywords: advisory, has_procedure, validated_update
Depends on:
Blocks:
 
Reported: 2018-08-02 17:45 CEST by David Walser
Modified: 2018-08-12 22:40 CEST
CC List: 6 users

See Also:
Source RPM: libsndfile-1.0.28-5.mga7.src.rpm
CVE:
Status comment:


Description David Walser 2018-08-02 17:45:09 CEST
SUSE has issued an advisory on July 26:
http://lists.suse.com/pipermail/sle-security-updates/2018-July/004311.html

Mageia 5 and Mageia 6 are also affected.
David Walser 2018-08-02 17:45:19 CEST

Whiteboard: (none) => MGA6TOO

Comment 1 Marja Van Waes 2018-08-02 18:39:14 CEST
Assigning to all packagers collectively, since there is no registered maintainer for this package.

CC'ing Mike

Assignee: bugsquad => pkg-bugs
CC: (none) => marja11, mrambo

Comment 2 David Walser 2018-08-06 21:58:34 CEST
openSUSE has issued an advisory for this today (August 6):
https://lists.opensuse.org/opensuse-updates/2018-08/msg00024.html
Comment 3 Mike Rambo 2018-08-08 15:58:25 CEST
Patched package uploaded for cauldron and Mageia 6.

Advisory:
========================

Updated libsndfile package fixes security vulnerabilities:

The function d2alaw_array() in alaw.c of libsndfile 1.0.29pre1 may lead to a remote DoS attack (CVE-2017-17456).

The function d2ulaw_array() in ulaw.c of libsndfile 1.0.29pre1 may lead to a
remote DoS attack (CVE-2017-17457).

A stack-based buffer overflow in psf_memset in common.c in libsndfile 1.0.28
allows remote attackers to cause a denial of service (application crash) or
possibly have unspecified other impact via a crafted audio file (CVE-2018-13139).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17456
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17457
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13139
http://lists.suse.com/pipermail/sle-security-updates/2018-July/004311.html
========================

Updated packages in core/updates_testing:
========================
lib64sndfile1-1.0.28-3.3.mga6
lib64sndfile-devel-1.0.28-3.3.mga6
lib64sndfile-static-devel-1.0.28-3.3.mga6
libsndfile-progs-1.0.28-3.3.mga6

from libsndfile-1.0.28-3.3.mga6.src.rpm


Test procedure: https://bugs.mageia.org/show_bug.cgi?id=21138#c3

Assignee: pkg-bugs => qa-bugs
Whiteboard: MGA6TOO => (none)
Version: Cauldron => 6
Keywords: (none) => has_procedure

Comment 4 Len Lawrence 2018-08-09 16:46:19 CEST
Mageia 6, x86_64
Before updating :-

Ran the PoC tests - results below.

No problems with these commands:
$ sndfile-play organ7-2-1.wav
$ sndfile-info CherryOhBaby.ogg
$ sndfile-deinterleave AnElizabethanSuite.flac

After updating:

Experimented with libsndfile-progs:
$ sndfile-deinterleave AnElizabethanSuite.flac
Input file : AnElizabethanSuite
Output files :
    AnElizabethanSuite_00.flac
    AnElizabethanSuite_01.flac
These appeared to be valid FLAC files, basically the same music but
sounding somewhat different.    
$ sndfile-play LaGazzaLadra.wav
Playing OK...
$ sndfile-info RedRedWine.ogg 
========================================
File : RedRedWine.ogg
Length : 3458621
Ogg stream data : Vorbis
[...]
Duration    : 00:03:03.787
Signal Max  : 0.890792 (-91.31 dB)

OGG, WAV and FLAC formats play fine but MP3 files do not, which was the
case before updating also.
$ sndfile-play ElBarberilloDoLavaples.mp3
Playing ElBarberilloDoLavaples.mp3
File contains data in an unknown format.

PoC report
----------
Before update:

CVE-2017-1745{6,7}
https://github.com/erikd/libsndfile/issues/344
$ sndfile-convert -alaw id:000000,sig:11,src:000024,op:flip2,pos:34 1.raw
Error: Not able to decode input file id:000000,sig:11,src:000024,op:flip2,pos:34.

One empty file generated - 1.raw.

CVE-2018-13139
https://github.com/erikd/libsndfile/issues/397
$ sndfile-deinterleave poc
Input file : poc
Output files :
    poc_00
    poc_01
[...]
    poc_243
    poc_244
Segmentation fault (core dumped)
All 245 58-byte output files were there.
$ rm -f poc_*

After the update:

The CVE-2017-1745* test returned the same error; the case is handled
tidily, which indicates that the problem had already been fixed.

$ sndfile-convert -alaw id:000000,sig:11,src:000024,op:flip2,pos:34 1.raw
Error : Not able to decode input file id:000000,sig:11,src:000024,op:flip2,pos:34.

CVE-2018-13139
$ sndfile-deinterleave poc
Error : Too many channels 245 in input file 'poc'.

That is a good result - issue fixed.

This is fine for 64-bits.

CC: (none) => tarazed25
Whiteboard: (none) => MGA6-64-OK
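Added illustration, not libsndfile's code and not the PoC from the upstream issue: the pattern behind the CVE-2018-13139 result above and the advisory text in comment 3, namely a channel count taken straight from the file header and used to index a fixed-size stack array, together with the bounds check that turns the segfault into the "Too many channels" error seen after the update. The header layout, the MAX_CHANNELS value, the helper names and the constructed stereo and 245-channel inputs are assumptions for this example, not libsndfile's actual format handling.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Fixed number of per-channel slots on the stack; the real tool uses a
 * similar constant (the value here is assumed for this illustration). */
#define MAX_CHANNELS 16
#define BUFFER_LEN   1024

/* Constructed 8-byte header for this example: bytes 0-1 format tag,
 * bytes 2-3 channel count (little-endian), bytes 4-7 sample rate. */
typedef struct { unsigned format, channels, samplerate; } hdr_t;

static int parse_header(const uint8_t *buf, size_t len, hdr_t *h)
{
    if (len < 8)
        return -1;
    h->format     = buf[0] | (buf[1] << 8);
    h->channels   = buf[2] | (buf[3] << 8);
    h->samplerate = (uint32_t) buf[4] | ((uint32_t) buf[5] << 8)
                  | ((uint32_t) buf[6] << 16) | ((uint32_t) buf[7] << 24);
    return 0;
}

/* The shape of the fix: reject the header-supplied count before it is
 * used as an array index. The message mirrors the post-update output. */
static int check_channels(const hdr_t *h, const char *name, char *err, size_t errlen)
{
    if (h->channels < 1 || h->channels > MAX_CHANNELS) {
        snprintf(err, errlen, "Error : Too many channels %u in input file '%s'.",
                 h->channels, name);
        return -1;
    }
    return 0;
}

/* Split interleaved frames into per-channel buffers. out has MAX_CHANNELS
 * rows, so a 245-channel header reaching this function unchecked would write
 * rows 16..244 past the end of the caller's stack array. */
static size_t deinterleave(const int16_t *in, size_t frames, unsigned channels,
                           int16_t out[MAX_CHANNELS][BUFFER_LEN])
{
    if (frames > BUFFER_LEN)
        frames = BUFFER_LEN;
    for (size_t f = 0; f < frames; f++)
        for (unsigned c = 0; c < channels; c++)
            out[c][f] = in[f * channels + c];
    return frames;
}

/* Full path for one in-memory file: parse, validate, deinterleave.
 * Returns frames written per channel, or -1 with err filled in. */
static long process_file(const uint8_t *hdr, size_t hdrlen,
                         const int16_t *samples, size_t nsamples, const char *name,
                         int16_t out[MAX_CHANNELS][BUFFER_LEN], char *err, size_t errlen)
{
    hdr_t h;
    if (parse_header(hdr, hdrlen, &h) < 0) {
        snprintf(err, errlen, "Error : Not able to decode input file %s.", name);
        return -1;
    }
    if (check_channels(&h, name, err, errlen) < 0)
        return -1;
    return (long) deinterleave(samples, nsamples / h.channels, h.channels, out);
}

/* Constructed inputs (not the upstream PoC): a 3-frame stereo file and a
 * header claiming 245 channels, the count reported in the test above. */
const uint8_t STEREO_HDR[8]     = { 0x01, 0x00, 0x02, 0x00, 0x44, 0xAC, 0x00, 0x00 };
const int16_t STEREO_SAMPLES[6] = { 1, 100, 2, 200, 3, 300 };
const uint8_t POC_HDR[8]        = { 0x01, 0x00, 0xF5, 0x00, 0x44, 0xAC, 0x00, 0x00 };

int main(void)
{
    int16_t out[MAX_CHANNELS][BUFFER_LEN];
    char err[128];
    long n = process_file(STEREO_HDR, 8, STEREO_SAMPLES, 6, "stereo", out, err, sizeof err);
    printf("stereo: %ld frames per channel, ch1 = %d %d %d\n", n, out[1][0], out[1][1], out[1][2]);
    n = process_file(POC_HDR, 8, STEREO_SAMPLES, 6, "poc", out, err, sizeof err);
    printf("poc: %s\n", n < 0 ? err : "accepted");
    return 0;
}
```

The point of the check is its placement: it runs on the parsed header before any per-channel buffer or output-file slot is touched, which is why the updated package fails early with a clean error where the old one walked past the array and crashed.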

Comment 5 Herman Viaene 2018-08-10 16:04:27 CEST
MGA6-32 MATE on IBM Thinkpad R50e
No installation issues
At CLI:
$ sndfile-play 02\ Zapfenstreich.wav
plays OK
$ sndfile-play 02\ Zapfenstreich.mp3 
Playing 02 Zapfenstreich.mp3
File contains data in an unknown format.
which is consistent with before
$ sndfile-play 02-1963-Trini\ Lopez\ -\ If\ I\ Had\ A\ Hammer.ogg 
plays OK
$ sndfile-deinterleave 01Wellington\'s\ Sieg.wav
$ sndfile-deinterleave 01Wellington\'s\ Sieg.wav 
Input file : 01Wellington's Sieg
Output files :
    01Wellington's Sieg_00.wav
    01Wellington's Sieg_01.wav
That's what the command is supposed to do, create two mono files from a single stereo file.
$ sndfile-info 03-1971-Michel\ Delpech\ -\ Pour\ Un\ Flirt.ogg 
========================================
File : 03-1971-Michel Delpech - Pour Un Flirt.ogg
Length : 3990120
Ogg stream data : Vorbis
Stream serialno : 1293677773
Vorbis library version : Xiph.Org libVorbis 1.3.5
Bitstream is 2 channel, -5190873559567651772 Hz
Encoded by : Xiph.Org libVorbis I 20150105 (⛄⛄⛄⛄)
Metadata :
  Title      : Pour Un Flirt
  Album      : De Pre Historie 1971
  Tracknumber : 6/20
  Genre      : Pop
End

----------------------------------------
Sample Rate : 44100
Frames      : 9029376
Channels    : 2
Format      : 0x00200060
Sections    : 1
Seekable    : TRUE
Duration    : 00:03:24.748
Signal Max  : 0.885736 (-91.36 dB)

Looks all good to me.

CC: (none) => herman.viaene
Whiteboard: MGA6-64-OK => MGA6-64-OK MGA6-32-OK

Comment 6 Len Lawrence 2018-08-11 16:55:33 CEST
Thanks Herman - validating this.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 7 Thomas Backlund 2018-08-12 22:14:37 CEST
Advisory added to svn

CC: (none) => tmb
Keywords: (none) => advisory

Comment 8 Mageia Robot 2018-08-12 22:40:19 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0336.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED
