Bug 25289 - sox new security issues CVE-2019-835[4-7]
Summary: sox new security issues CVE-2019-835[4-7]
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2019-08-12 01:57 CEST by David Walser
Modified: 2020-01-22 11:38 CET
CC List: 6 users

See Also:
Source RPM: sox-14.4.2-11.mga7.src.rpm
CVE:
Status comment:


Description David Walser 2019-08-12 01:57:01 CEST
Ubuntu has issued an advisory on July 30:
https://usn.ubuntu.com/4079-1/

Mageia 6 and Mageia 7 are also affected.

David Walser 2019-08-12 01:57:11 CEST

Whiteboard: (none) => MGA7TOO, MGA6TOO

Comment 1 Marja Van Waes 2019-08-12 13:23:38 CEST
Assigning to our registered sox maintainer.

CC: (none) => marja11
Assignee: bugsquad => lists.jjorge

David Walser 2020-01-14 18:02:41 CET

Status comment: (none) => Patches available from Ubuntu

Comment 2 José Jorge 2020-01-15 11:04:25 CET
sox-14.4.2-12.mga8 fixes this bug for cauldron with upstream commits

Status: NEW => ASSIGNED

Comment 3 José Jorge 2020-01-15 11:21:32 CET
Removing MGA6 as it is EOL.

Suggested advisory:
It was discovered that SoX incorrectly handled certain MP3 files. An attacker could possibly use this issue to cause a denial of service. (CVE-2019-8354, CVE-2019-8355, CVE-2019-8356, CVE-2019-8357)

Refs:
https://sourceforge.net/p/sox/bugs/319/
https://sourceforge.net/p/sox/bugs/320/
https://sourceforge.net/p/sox/bugs/321/

SRPM:
sox-14.4.2-12.mga7

RPMS:
sox-14.4.2-12.mga7.i586.rpm
libsox3-14.4.2-12.mga7.i586.rpm
libsox-devel-14.4.2-12.mga7.i586.rpm

Whiteboard: MGA7TOO, MGA6TOO => (none)
Assignee: lists.jjorge => qa-bugs
CC: (none) => lists.jjorge
Version: Cauldron => 7

David Walser 2020-01-15 13:29:30 CET

Summary: sox new security issues CVE-2019-835[47] => sox new security issues CVE-2019-835[4-7]
Status comment: Patches available from Ubuntu => (none)

Comment 4 Len Lawrence 2020-01-15 22:31:08 CET
Mageia7, x86_64

CVE-2019-8354
https://sourceforge.net/p/sox/bugs/319/
$ sox --single-threaded crash_effect_i_dsp_c_367_heap_buffer_overflow.mp3 -t aiff /dev/null channels 1 rate 16k fade 3 norm
sox: effects_i_dsp.c:188: update_fft_cache: Assertion `lsx_is_power_of_2(len)' failed.
Aborted (core dumped)

https://sourceforge.net/p/sox/bugs/320/
$ sox --single-threaded xmalloc_31_integer_overflow.mp3 -t aiff /dev/null channels 1 rate 16k fade 3 norm
<This hung the command-line, loading alternate CPU cores>

https://sourceforge.net/p/sox/bugs/321/
$ sox --single-threaded fft4g_721_stack_buffer_overflow.mp3 -t aiff /dev/null channels 1 rate 16k fade 3 norm
Segmentation fault (core dumped)

Updated the 64-bit packages.

$ sox --single-threaded crash_effect_i_dsp_c_367_heap_buffer_overflow.mp3  -t aiff /dev/null channels 1 rate 16k fade 3 norm
sox: effects_i_dsp.c:188: update_fft_cache: Assertion `lsx_is_power_of_2(len)' failed.
Aborted (core dumped)
<As before>

$ sox --single-threaded xmalloc_31_integer_overflow.mp3 -t aiff /dev/null channels 1 rate 16k fade 3 norm
Segmentation fault (core dumped)
<No hangup this time>

$ sox --single-threaded fft4g_721_stack_buffer_overflow.mp3 -t aiff /dev/null channels 1 rate 16k fade 3 norm
<Finished immediately without errors>

So, one no change, one partial success and one apparently successful.

Played various music files with formats OGG and MP3 using the play command.
FLAC and WAV files fail.
$ play AnElizabethanSuite.flac
Segmentation fault (core dumped)
$ play ASuiteOfTheatreMusic.wav
Segmentation fault (core dumped)

This does not look good.

CC: (none) => tarazed25
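
The before/after comparison in comment 4, as an added example that is not part of the original report: a POSIX shell helper that labels how each run ends (clean exit, error exit, abort, segfault, hang) so results from the old and the updated package can be compared mechanically. The function names and the 30-second limit are assumptions; the file names and sox arguments are the ones quoted in comment 4, and GNU `timeout` is assumed to be installed.

```shell
#!/bin/sh
# Added example (not from the bug report): label how each PoC run ends so the
# pre-update and post-update results can be compared mechanically.

# Map a shell exit status to an outcome label.
classify_status() {
  case "$1" in
    0)       echo clean-exit ;;
    124|137) echo hang ;;       # timeout(1) expired, or SIGKILL after -k grace
    134)     echo abort ;;      # 128 + SIGABRT (6), e.g. a failed assert()
    139)     echo segfault ;;   # 128 + SIGSEGV (11)
    *)       echo error-exit ;; # ordinary non-zero exit: input was rejected
  esac
}

# run_case LIMIT_SECONDS CMD [ARG...]: run CMD under a time limit, print label.
run_case() {
  limit=$1; shift
  rc=0
  timeout -k 2 "$limit" "$@" >/dev/null 2>&1 || rc=$?
  classify_status "$rc"
}

# verdict BEFORE AFTER: compare labels from the old and the updated package.
verdict() {
  case "$2" in
    clean-exit|error-exit) echo handled ;;
    "$1")                  echo unchanged ;;
    *)                     echo still-failing ;;
  esac
}

# File names and sox arguments are the ones quoted in comment 4; the 30 s limit
# is an assumption. Files that are not present are skipped.
for f in crash_effect_i_dsp_c_367_heap_buffer_overflow.mp3 \
         xmalloc_31_integer_overflow.mp3 \
         fft4g_721_stack_buffer_overflow.mp3; do
  if [ -f "$f" ]; then
    printf '%s\t%s\n' "$f" "$(run_case 30 sox --single-threaded "$f" \
      -t aiff /dev/null channels 1 rate 16k fade 3 norm)"
  fi
done
```

Record the label per file before the update, rerun after it, and pass both labels to `verdict`; only `handled` means the input no longer crashes or hangs the tool.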

David Walser 2020-01-15 22:35:19 CET

Keywords: (none) => feedback

Comment 5 Len Lawrence 2020-01-15 22:43:59 CET
Noticed something odd. Going back to the mp3 directory, play segfaulted on those files as well, so something must have been corrupted. A reboot did not cure it, so I am removing sox and re-installing. It takes things like k3b, anki and kdenlive with it.

Comment 6 Len Lawrence 2020-01-15 23:26:16 CET
Re-installed the update candidate and tried again. WAV and FLAC still segfault with play but OGG files are OK. And so are MP3 now.

Comment 7 José Jorge 2020-01-16 17:17:17 CET
(In reply to Len Lawrence from comment #6)
> Re-installed the update candidate and tried again.  WAV and FLAC still
> segfault with play but OGG files are OK.  And so are MP3 now.

Unfortunately, I confirm the update segfaults on wav playing. This goes beyond my packager skills. I have asked upstream why there has been no release for years; maybe we'll get a release one day?

Comment 8 David Walser 2020-01-16 17:19:46 CET
Maybe something you can try is a full current git snapshot to see if the segfaults are caused by us missing other patches? It might be useful also to see if the patches from upstream used for this update differ substantially from the ones Ubuntu used.

Comment 9 José Jorge 2020-01-17 23:04:46 CET
(In reply to David Walser from comment #8)
> Maybe something you can try is a full current git snapshot to see if the
> segfaults are caused by us missing other patches?

It seems so. I went the git way in cauldron, and wav play does not segfault anymore. I'll wait some time to ensure there are no regressions before pushing this to MGA7.

José Jorge 2020-01-17 23:04:57 CET

Assignee: qa-bugs => lists.jjorge

Comment 10 David Walser 2020-01-18 16:03:55 CET
Now we have:
sox-14.4.3-0.git20200117.1.mga7
libsox3-14.4.3-0.git20200117.1.mga7
libsox-devel-14.4.3-0.git20200117.1.mga7

from sox-14.4.3-0.git20200117.1.mga7.src.rpm

Keywords: feedback => (none)
Assignee: lists.jjorge => qa-bugs

Comment 11 Len Lawrence 2020-01-19 10:42:29 CET
Installed the latest updates and tried play on flac, ogg, wav, mp3 files.  No problems so this can be sent on.

Whiteboard: (none) => MGA7-64-OK

Comment 12 Thomas Andrews 2020-01-19 21:37:12 CET
Looks like we dodged a bullet there. Well done, Gentlemen!

Validating.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Thomas Backlund 2020-01-22 11:16:48 CET

Keywords: (none) => advisory
CC: (none) => tmb

Comment 13 Mageia Robot 2020-01-22 11:38:41 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0045.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

