Bug 23754 - audiofile new security issues CVE-2018-13440 and CVE-2018-17095
Summary: audiofile new security issues CVE-2018-13440 and CVE-2018-17095
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 6
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6-64-OK
Keywords: advisory, has_procedure, validated_update
Depends on:
Blocks:
 
Reported: 2018-10-24 18:05 CEST by David Walser
Modified: 2018-11-11 22:11 CET (History)
5 users (show)

See Also:
Source RPM: audiofile-0.3.6-9.mga7.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2018-10-24 18:05:56 CEST
Ubuntu has issued an advisory today (October 24):
https://usn.ubuntu.com/3800-1/

Mageia 6 is also affected.
David Walser 2018-10-24 18:06:03 CEST

Whiteboard: (none) => MGA6TOO

Comment 1 Marja Van Waes 2018-10-25 17:14:56 CEST
Assigning to the registered maintainer.

Assignee: bugsquad => shlomif
CC: (none) => marja11

Comment 2 David Walser 2018-10-26 19:35:17 CEST
Fedora has issued an advisory for this on October 18:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/IILVUXOJMQBFB3GUWXZZXN4PLR3PV4IO/
Comment 3 Mike Rambo 2018-11-02 15:18:55 CET
Patched package uploaded for cauldron and Mageia 6.

Advisory:
========================

Updated audiofile package fixes security vulnerabilities:

A NULL pointer dereference in modules/ModuleState.cpp:ModuleState::setup() allows for denial of service via crafted file (CVE-2018-13440).

A Heap-based buffer overflow was found in Expand3To4Module::run when running sfconvert (CVE-2018-17095).


References:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/IILVUXOJMQBFB3GUWXZZXN4PLR3PV4IO/
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13440
https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-17095
========================

Updated packages in core/updates_testing:
========================
audiofile-0.3.6-8.1.mga6
lib64audiofile1-0.3.6-8.1.mga6
lib64audiofile-devel-0.3.6-8.1.mga6

from audiofile-0.3.6-8.1.mga6.src.rpm


Test procedure https://bugs.mageia.org/show_bug.cgi?id=16923#c7

Whiteboard: MGA6TOO => (none)
Version: Cauldron => 6
Keywords: (none) => has_procedure
Assignee: shlomif => qa-bugs
CC: (none) => mrambo

Comment 4 Len Lawrence 2018-11-06 18:39:55 CET
Mageia 6, x86_64

CVE-2018-13440
$ sfconvert poc output format aiff
Audio File Library: IMA type not set [error 47]
Segmentation fault (core dumped)
$ file output
output: IFF data, AIFF audio

CVE-2018-17095
https://github.com/fCorleone/fuzz_programs/blob/master/audiofile/test1
$ sfconvert test1 output1 format aiff
Audio File Library: file missing data -- read 0 frames, should be 5 [error 5]
Bad read of audio track data.

Updated the packages and tried the POCs again.

$ sfconvert poc.13440 output format aiff
Audio File Library: IMA type not set [error 47]
Could not open file 'poc.13440' for reading.

(Changed the name of the poc file earlier)

$ sfconvert test1 output1 format aiff
Audio File Library: file missing data -- read 0 frames, should be 5 [error 5]
Bad read of audio track data.

No segfault for the CVE-2018-17095 test, which is good.
No change in the diagnostics for the other CVE so we might conclude that the null pointer dereference problem had already been fixed.

Installed normalize, mpd and kwave.
Copied some local MP3 files to track1, track2.

$ normalize track1.mp3 track2.mp3
Computing levels...
 track2.mp3        100% done, ETA 00:00:00 (batch 100% done, ETA 00:00:00) 
Applying adjustment of 2.80dB to track1.mp3...
 track1.mp3        100% done, ETA 00:00:00 (batch  70% done, ETA 00:00:00) 
Applying adjustment of 2.50dB to track2.mp3...
 track2.mp3        100% done, ETA 00:00:00 (batch 100% done, ETA 00:00:00) 

Played a variety of mp3, wav and flac files through the kwave interface.  As previously noted it is a bit flaky at times.  Tried mpdin no-daemon mode but made little headway and gave up.

It looks as if the audiofile library is working.

CC: (none) => tarazed25
Whiteboard: (none) => MGA6-64-OK

Len Lawrence 2018-11-09 10:48:15 CET

CC: (none) => sysadmin-bugs
Keywords: (none) => validated_update

Comment 5 Lewis Smith 2018-11-11 20:57:11 CET
Advisoried from comment 3.

Keywords: (none) => advisory
CC: (none) => lewyssmith

Comment 6 Mageia Robot 2018-11-11 22:11:02 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0441.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED


Note You need to log in before you can comment on or make changes to this bug.