Ubuntu has issued an advisory today (October 24): https://usn.ubuntu.com/3800-1/ Mageia 6 is also affected.
Whiteboard: (none) => MGA6TOO
Assigning to the registered maintainer.
CC: (none) => marja11
Assignee: bugsquad => shlomif
Fedora has issued an advisory for this on October 18: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/IILVUXOJMQBFB3GUWXZZXN4PLR3PV4IO/
Patched package uploaded for cauldron and Mageia 6.

Advisory:
========================

Updated audiofile package fixes security vulnerabilities:

A NULL pointer dereference in modules/ModuleState.cpp:ModuleState::setup() allows for denial of service via crafted file (CVE-2018-13440).

A Heap-based buffer overflow was found in Expand3To4Module::run when running sfconvert (CVE-2018-17095).

References:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/IILVUXOJMQBFB3GUWXZZXN4PLR3PV4IO/
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13440
https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-17095
========================

Updated packages in core/updates_testing:
========================

audiofile-0.3.6-8.1.mga6
lib64audiofile1-0.3.6-8.1.mga6
lib64audiofile-devel-0.3.6-8.1.mga6

from audiofile-0.3.6-8.1.mga6.src.rpm

Test procedure
https://bugs.mageia.org/show_bug.cgi?id=16923#c7
CC: (none) => mrambo
Assignee: shlomif => qa-bugs
Keywords: (none) => has_procedure
Version: Cauldron => 6
Whiteboard: MGA6TOO => (none)
Mageia 6, x86_64

CVE-2018-13440

$ sfconvert poc output format aiff
Audio File Library: IMA type not set [error 47]
Segmentation fault (core dumped)
$ file output
output: IFF data, AIFF audio

CVE-2018-17095
https://github.com/fCorleone/fuzz_programs/blob/master/audiofile/test1

$ sfconvert test1 output1 format aiff
Audio File Library: file missing data -- read 0 frames, should be 5 [error 5]
Bad read of audio track data.

Updated the packages and tried the POCs again.

$ sfconvert poc.13440 output format aiff
Audio File Library: IMA type not set [error 47]
Could not open file 'poc.13440' for reading.
(Changed the name of the poc file earlier)

$ sfconvert test1 output1 format aiff
Audio File Library: file missing data -- read 0 frames, should be 5 [error 5]
Bad read of audio track data.

No segfault for the CVE-2018-17095 test, which is good. No change in the diagnostics for the other CVE so we might conclude that the null pointer dereference problem had already been fixed.

Installed normalize, mpd and kwave. Copied some local MP3 files to track1, track2.

$ normalize track1.mp3 track2.mp3
Computing levels...
 track2.mp3  100% done, ETA 00:00:00 (batch 100% done, ETA 00:00:00)
Applying adjustment of 2.80dB to track1.mp3...
 track1.mp3  100% done, ETA 00:00:00 (batch 70% done, ETA 00:00:00)
Applying adjustment of 2.50dB to track2.mp3...
 track2.mp3  100% done, ETA 00:00:00 (batch 100% done, ETA 00:00:00)

Played a variety of mp3, wav and flac files through the kwave interface. As previously noted it is a bit flaky at times. Tried mpd in no-daemon mode but made little headway and gave up. It looks as if the audiofile library is working.
Whiteboard: (none) => MGA6-64-OK
CC: (none) => tarazed25
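The QA comment above verifies the update by running sfconvert over the two test files by hand and watching for "Segmentation fault (core dumped)" versus an ordinary library diagnostic. The following is an added example (not code from this bug, the audiofile project or Mageia QA) of a small harness that automates that distinction: it runs each test case as a subprocess and classifies the result as a clean exit, an error with a diagnostic, a crash (process killed by a signal), or a timeout, so a before/after comparison of a patched package does not rely on eyeballing terminal output. The sfconvert argument pattern is taken from the comment; the shell-based demo cases at the bottom are constructed stand-ins that only simulate the outcomes and assume a POSIX sh is available.

```python
"""Crash-triage harness for QA-testing a patched command-line tool.

Added example, not part of the original bug report.  It automates the
check performed manually in the QA comment: run a converter over a set
of inputs and tell a clean error (diagnostic printed, non-zero exit)
apart from a crash (process terminated by a signal such as SIGSEGV).
"""
import signal
import subprocess
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Outcome:
    label: str                 # "ok", "error", "crash:SIGxxx", "timeout", "missing"
    returncode: Optional[int]  # raw return code, None if the process never finished
    detail: str                # captured stdout/stderr, stripped


def _signal_name(num: int) -> str:
    """Human-readable signal name, falling back to the raw number."""
    try:
        return signal.Signals(num).name
    except ValueError:
        return "SIG%d" % num


def classify_returncode(rc: Optional[int]) -> str:
    """Map a process return code to a triage label.

    Python's subprocess reports death-by-signal as a negative code; a
    shell's $? reports it as 128 + signal number.  Both mean the tool
    crashed on its input, which is exactly what the fix must remove.
    A plain non-zero exit means the tool rejected the input cleanly.
    """
    if rc is None:
        return "timeout"
    if rc < 0:
        return "crash:" + _signal_name(-rc)
    if rc > 128:
        return "crash:" + _signal_name(rc - 128)
    return "ok" if rc == 0 else "error"


def run_case(argv: List[str], timeout: float = 10.0) -> Outcome:
    """Run one test case and classify how it ended."""
    try:
        proc = subprocess.run(argv, capture_output=True, text=True, timeout=timeout)
    except FileNotFoundError as exc:
        return Outcome("missing", None, str(exc))
    except subprocess.TimeoutExpired:
        return Outcome("timeout", None, "")
    detail = (proc.stderr + proc.stdout).strip()
    return Outcome(classify_returncode(proc.returncode), proc.returncode, detail)


def triage(cases: Dict[str, List[str]]) -> Dict[str, Outcome]:
    """Run every named case and collect its outcome."""
    return {name: run_case(argv) for name, argv in cases.items()}


def has_crash(outcomes: Dict[str, Outcome]) -> bool:
    """True if any case crashed or hung: the update should NOT be validated."""
    return any(o.label.startswith("crash") or o.label == "timeout"
               for o in outcomes.values())


def sfconvert_case(input_file: str, output_file: str) -> List[str]:
    """Argument vector in the shape used in the QA comment (assumed tool name)."""
    return ["sfconvert", input_file, output_file, "format", "aiff"]


if __name__ == "__main__":
    # Constructed demo cases: sh stand-ins that reproduce the three outcomes
    # seen in the comment without needing any crafted audio files.
    demo = {
        "clean-error": ["sh", "-c",
                        "echo 'Bad read of audio track data.' >&2; exit 1"],
        "segfault": ["sh", "-c", "kill -SEGV $$"],
        "clean-exit": ["sh", "-c", "exit 0"],
    }
    results = triage(demo)
    for name, out in results.items():
        print("%-12s %-14s rc=%-5s %s" % (name, out.label, out.returncode, out.detail))
    print("validate update:", "NO" if has_crash(results) else "yes")
```

In real use the `demo` dictionary would be replaced by entries such as `sfconvert_case("poc.13440", "output")` and `sfconvert_case("test1", "output1")`, run once against the old package and once against the updated one; the update is only worth validating when `has_crash` is false for the patched build.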
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Advisoried from comment 3.
Keywords: (none) => advisory
CC: (none) => lewyssmith
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2018-0441.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED