SUSE has issued an advisory on July 26: http://lists.suse.com/pipermail/sle-security-updates/2018-July/004311.html Mageia 5 and Mageia 6 are also affected.
Whiteboard: (none) => MGA6TOO
Assigning to all packagers collectively, since there is no registered maintainer for this package. CC'ing Mike
CC: (none) => marja11, mrambo
Assignee: bugsquad => pkg-bugs
openSUSE has issued an advisory for this today (August 6): https://lists.opensuse.org/opensuse-updates/2018-08/msg00024.html
Patched package uploaded for cauldron and Mageia 6.

Advisory:
========================

Updated libsndfile package fixes security vulnerabilities:

The function d2alaw_array() in alaw.c of libsndfile 1.0.29pre1 may lead to a remote DoS attack (CVE-2017-17456).

The function d2ulaw_array() in ulaw.c of libsndfile 1.0.29pre1 may lead to a remote DoS attack (CVE-2017-17457).

A stack-based buffer overflow in psf_memset in common.c in libsndfile 1.0.28 allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted audio file (CVE-2018-13139).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17456
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17457
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13139
http://lists.suse.com/pipermail/sle-security-updates/2018-July/004311.html
========================

Updated packages in core/updates_testing:
========================

lib64sndfile1-1.0.28-3.3.mga6
lib64sndfile-devel-1.0.28-3.3.mga6
lib64sndfile-static-devel-1.0.28-3.3.mga6
libsndfile-progs-1.0.28-3.3.mga6

from libsndfile-1.0.28-3.3.mga6.src.rpm

Test procedure: https://bugs.mageia.org/show_bug.cgi?id=21138#c3
Whiteboard: MGA6TOO => (none)
Assignee: pkg-bugs => qa-bugs
Keywords: (none) => has_procedure
Version: Cauldron => 6
Mageia 6, x86_64

Before updating:
Ran the PoC tests - results below.

No problems with these commands:
$ sndfile-play organ7-2-1.wav
$ sndfile-info CherryOhBaby.ogg
$ sndfile-deinterleave AnElizabethanSuite.flac

After updating:
Experimented with libsndfile-progs:

$ sndfile-deinterleave AnElizabethanSuite.flac
Input file : AnElizabethanSuite
Output files :
    AnElizabethanSuite_00.flac
    AnElizabethanSuite_01.flac

These appeared to be valid FLAC files, basically the same music but sounding somewhat different.

$ sndfile-play LaGazzaLadra.wav
Playing OK...

$ sndfile-info RedRedWine.ogg
========================================
File : RedRedWine.ogg
Length : 3458621
Ogg stream data : Vorbis
[...]
Duration : 00:03:03.787
Signal Max : 0.890792 (-91.31 dB)

OGG, WAV and FLAC formats play fine but MP3 files do not, which was the case before updating also.

$ sndfile-play ElBarberilloDoLavaples.mp3
Playing ElBarberilloDoLavaples.mp3
File contains data in an unknown format.

PoC report
----------

Before update:

CVE-2017-1745{6,7}
https://github.com/erikd/libsndfile/issues/344
$ sndfile-convert -alaw id:000000,sig:11,src:000024,op:flip2,pos:34 1.raw
Error: Not able to decode input file id:000000,sig:11,src:000024,op:flip2,pos:34.
One empty file generated - 1.raw.

CVE-2018-13139
https://github.com/erikd/libsndfile/issues/397
$ sndfile-deinterleave poc
Input file : poc
Output files :
    poc_00
    poc_01
    [...]
    poc_243
    poc_244
Segmentation fault (core dumped)
All 245 58-byte output files were there.
$ rm -f poc_*

After the update:

The CVE-2017-1745* test returned the same error; the case is handled tidily, which indicates that the problem had already been fixed.
$ sndfile-convert -alaw id:000000,sig:11,src:000024,op:flip2,pos:34 1.raw
Error : Not able to decode input file id:000000,sig:11,src:000024,op:flip2,pos:34.

CVE-2018-13139
$ sndfile-deinterleave poc
Error : Too many channels 245 in input file 'poc'.

That is a good result - issue fixed.

This is fine for 64-bits.
CC: (none) => tarazed25
Whiteboard: (none) => MGA6-64-OK
MGA6-32 MATE on IBM Thinkpad R50e

No installation issues.

At CLI:

$ sndfile-play 02\ Zapfenstreich.wav
plays OK

$ sndfile-play 02\ Zapfenstreich.mp3
Playing 02 Zapfenstreich.mp3
File contains data in an unknown format.
which is consistent as before

$ sndfile-play 02-1963-Trini\ Lopez\ -\ If\ I\ Had\ A\ Hammer.ogg
plays OK

$ sndfile-deinterleave 01Wellington\'s\ Sieg.wav
Input file : 01Wellington's Sieg
Output files :
    01Wellington's Sieg_00.wav
    01Wellington's Sieg_01.wav
That's what the command is supposed to do, create two mono files from a single stereo file.

$ sndfile-info 03-1971-Michel\ Delpech\ -\ Pour\ Un\ Flirt.ogg
========================================
File : 03-1971-Michel Delpech - Pour Un Flirt.ogg
Length : 3990120
Ogg stream data : Vorbis
Stream serialno : 1293677773
Vorbis library version : Xiph.Org libVorbis 1.3.5
Bitstream is 2 channel, -5190873559567651772 Hz
Encoded by : Xiph.Org libVorbis I 20150105 (⛄⛄⛄⛄)
Metadata :
  Title : Pour Un Flirt
  Album : De Pre Historie 1971
  Tracknumber : 6/20
  Genre : Pop
End
----------------------------------------
Sample Rate : 44100
Frames : 9029376
Channels : 2
Format : 0x00200060
Sections : 1
Seekable : TRUE
Duration : 00:03:24.748
Signal Max : 0.885736 (-91.36 dB)

Looks all good to me.
CC: (none) => herman.viaene
Whiteboard: MGA6-64-OK => MGA6-64-OK MGA6-32-OK
Thanks Herman - validating this.
CC: (none) => sysadmin-bugs
Keywords: (none) => validated_update
Advisory added to svn
Keywords: (none) => advisory
CC: (none) => tmb
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2018-0336.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
*** Bug 28227 has been marked as a duplicate of this bug. ***
This update also fixed CVE-2018-19432: https://ubuntu.com/security/notices/USN-4704-1 https://security-tracker.debian.org/tracker/CVE-2018-19432
Resolution: FIXED => (none)
Status: RESOLVED => UNCONFIRMED
Ever confirmed: 1 => 0
Status: UNCONFIRMED => RESOLVED
Resolution: (none) => FIXED
$ rpm -q lib64sndfile1
lib64sndfile1-1.0.28-8.2.mga7

Too late to check the PoC before update.

CVE-2018-19432
https://github.com/libsndfile/libsndfile/issues/427
$ sndfile-deinterleave oob_sf_write_int:2257
Error : Too many channels 255 in input file 'oob_sf_write_int:2257'.

The downloaded test file has a different name from the one quoted in the upstream report but the result looks good anyway. Don't know if this helps.
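The before/after check the QA reports above perform by hand (feed a PoC file to sndfile-deinterleave and see whether it segfaults or exits with a clean "Too many channels" error), written up as a reusable regression script. This is an added example, not part of the bug report or of libsndfile; it assumes the libsndfile-progs binaries are on PATH and that the PoC files named in the thread are in the current directory.

```shell
#!/bin/sh
# Added example: automate the PoC check from the QA reports.
# A handled error (non-zero exit, e.g. "Too many channels") means the fix
# is in place; death by signal (SIGSEGV = 11) reproduces the crash.

# classify_status EXIT_STATUS -> ok | handled | timeout | crash:<signum>
# POSIX shells report a child killed by signal N as 128+N (SIGSEGV -> 139);
# GNU timeout reports expiry as 124.
classify_status() {
    if [ "$1" -eq 0 ]; then
        echo ok
    elif [ "$1" -eq 124 ]; then
        echo timeout
    elif [ "$1" -gt 128 ]; then
        echo "crash:$(( $1 - 128 ))"
    else
        echo handled
    fi
}

# run_poc COMMAND [ARGS...] -> verdict from classify_status
# Output is discarded; a 20-second bound (arbitrary) guards against hangs
# when GNU timeout is available.
run_poc() {
    st=0
    if command -v timeout >/dev/null 2>&1; then
        set -- timeout 20 "$@"
    fi
    "$@" >/dev/null 2>&1 || st=$?
    classify_status "$st"
}

# PoC inputs named in the thread (CVE-2018-13139 and CVE-2018-19432);
# each is skipped when the file is not present so the script runs anywhere.
for poc in poc oob_sf_write_int:2257; do
    [ -f "$poc" ] || continue
    printf '%s: %s\n' "$poc" "$(run_poc sndfile-deinterleave "$poc")"
    rm -f "${poc}"_[0-9]*   # drop per-channel output files, as the tester did
done
```

A "crash:11" verdict for either PoC means the unpatched library is still installed; "handled" is the expected result after the update.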