Bug 32561 - audiofile new security issue CVE-2022-24599
Summary: audiofile new security issue CVE-2022-24599
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA9-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2023-11-24 12:48 CET by Nicolas Salguero
Modified: 2023-12-04 13:10 CET
CC List: 4 users

See Also:
Source RPM: audiofile-0.3.6-12.mga9.src.rpm
CVE:
Status comment:



Description Nicolas Salguero 2023-11-24 12:48:14 CET
Fedora has issued an advisory on November 22:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WTETOUJNRR75REYJZTBGF6TAJZYTMXUY/

Mageia 8 and 9 are also affected.
Nicolas Salguero 2023-11-24 12:48:44 CET

Status comment: (none) => Patch available from Fedora
Source RPM: (none) => audiofile-0.3.6-12.mga9.src.rpm
Whiteboard: (none) => MGA9TOO, MGA8TOO

Comment 1 Lewis Smith 2023-11-24 21:52:50 CET
"Patch available from Fedora": I could not find it, but it must be there.

This version 0.3.6 is 10y old, and had a flurry of patches 6-5y ago.
The project site is http://www.68k.org/~michael/audiofile/

Assigning globally.

Assignee: bugsquad => pkg-bugs

Comment 2 Nicolas Salguero 2023-11-27 16:04:41 CET
For Cauldron and Mageia 9, a patch from Fedora was added into SVN.
Comment 3 Nicolas Salguero 2023-11-30 13:40:33 CET
Suggested advisory:
========================

The updated packages fix a security vulnerability:

In audiofile Audio File Library 0.3.6, there exists one memory leak vulnerability in printfileinfo, in printinfo.c, which allows an attacker to leak sensitive information via a crafted file. The printfileinfo function calls the copyrightstring function to get data, however, it doesn't use zero bytes to truncate the data. (CVE-2022-24599)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24599
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WTETOUJNRR75REYJZTBGF6TAJZYTMXUY/
========================

Updated packages in core/updates_testing:
========================
audiofile-0.3.6-12.1.mga9
lib(64)audiofile1-0.3.6-12.1.mga9
lib(64)audiofile-devel-0.3.6-12.1.mga9

from SRPM:
audiofile-0.3.6-12.1.mga9.src.rpm

Assignee: pkg-bugs => qa-bugs
Whiteboard: MGA9TOO, MGA8TOO => (none)
Status comment: Patch available from Fedora => (none)
Status: NEW => ASSIGNED
Version: Cauldron => 9

Comment 4 Marja Van Waes 2023-11-30 16:31:08 CET
Advisory from comment 3 added to SVN. Please remove the "advisory" keyword if it needs to be changed. It also helps when obsolete advisories are tagged as "obsolete".

Keywords: (none) => advisory
CC: (none) => marja11

Comment 5 katnatek 2023-11-30 21:08:27 CET
Tested on Real Hardware Mageia 9 x86_64 lxq

Install current version of audiofile
Download POC from https://github.com/mpruett/audiofile/issues/60

sfinfo ./heapleak_poc.aiff
File Name      ./heapleak_poc.aiff
File Format    Audio Interchange File Format (aiff)
Data Format    unknown
Audio Data     0 bytes begins at offset 0 (0 hex)
               0 channel, -1 frames
Sampling Rate  0.00 Hz
Duration       -inf seconds
Copyright      C▒

sfinfo ./libleak_poc.aiff
File Name      ./libleak_poc.aiff
File Format    Audio Interchange File Format (aiff)
Data Format    unknown
Audio Data     0 bytes begins at offset 0 (0 hex)
               0 channel, -1 frames
Sampling Rate  0.00 Hz
Duration       -inf seconds
Copyright      Copyright 1991,����

Update to testing versions of audiofile and lib64audiofile1 without issues

sfinfo ./heapleak_poc.aiff
File Name      ./heapleak_poc.aiff
File Format    Audio Interchange File Format (aiff)
Data Format    unknown
Audio Data     0 bytes begins at offset 0 (0 hex)
               0 channel, -1 frames
Sampling Rate  0.00 Hz
Duration       -inf seconds
Copyright      C

sfinfo ./libleak_poc.aiff
File Name      ./libleak_poc.aiff
File Format    Audio Interchange File Format (aiff)
Data Format    unknown
Audio Data     0 bytes begins at offset 0 (0 hex)
               0 channel, -1 frames
Sampling Rate  0.00 Hz
Duration       -inf seconds
Copyright      Copyright 1991, 

Can't run the python2 script in the POC files but this looks good to me

Whiteboard: (none) => MGA9-64-0K
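
The advisory in comment 3 and the sfinfo output in comment 5 describe the same defect from two sides: the copyright chunk is copied out of the file with exactly the length the chunk declares, no terminating zero is added, and the buffer is then printed with %s, so whatever bytes happen to follow the allocation are printed along with it (the "C▒" and "Copyright 1991,����" lines before the update). The following C program is an added illustration written for this page; it is not the audiofile source, the Fedora patch, or the PoC from the upstream issue. It builds a minimal FORM/AIFF blob with an unterminated "(c) " chunk (a constructed input), locates the chunk with a small IFF walker that also bounds the declared size against the file length, and then compares the unterminated copy with a terminated one. The fixed-size `arena` and the `STALE-SECRET` string are stand-ins for the heap and for stale data after the allocation, so the over-read is visible without relying on undefined behaviour; all function names here are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed input (not the upstream PoC): a minimal FORM/AIFF container
 * holding one "(c) " copyright chunk whose 14 data bytes carry no NUL.
 * "Copyright 1991" is 14 bytes; FORM size = 4 ("AIFF") + 8 (header) + 14. */
static const uint8_t crafted_aiff[] = {
    'F','O','R','M', 0,0,0,26, 'A','I','F','F',
    '(','c',')',' ', 0,0,0,14,
    'C','o','p','y','r','i','g','h','t',' ','1','9','9','1'
};

/* Same container, but the chunk claims 200 bytes the file does not contain. */
static const uint8_t truncated_aiff[] = {
    'F','O','R','M', 0,0,0,26, 'A','I','F','F',
    '(','c',')',' ', 0,0,0,200,
    'C','o','p','y','r','i','g','h','t',' ','1','9','9','1'
};

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16)
         | ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Walk the IFF chunk list and return the payload of the first "(c) " chunk,
 * with its declared size in *size. Returns NULL if the container is malformed
 * or a declared chunk size runs past the end of the buffer. */
static const uint8_t *find_copyright(const uint8_t *buf, size_t len, uint32_t *size)
{
    if (len < 12 || memcmp(buf, "FORM", 4) != 0 || memcmp(buf + 8, "AIFF", 4) != 0)
        return NULL;
    for (size_t off = 12; off + 8 <= len; ) {
        uint32_t csize = be32(buf + off + 4);
        if (csize > len - off - 8)          /* size is file-controlled: bound it */
            return NULL;
        if (memcmp(buf + off, "(c) ", 4) == 0) {
            *size = csize;
            return buf + off + 8;
        }
        off += 8 + csize + (csize & 1);     /* IFF pads odd chunks to even length */
    }
    return NULL;
}

/* Stand-in for the heap: bytes just past the copied chunk hold stale data
 * from an earlier use, so an over-read shows up as extra printed characters. */
#define ARENA 64
static char arena[ARENA];
static const char stale[] = "STALE-SECRET";   /* 12 bytes + NUL, hypothetical */

static void reset_arena(uint32_t size)
{
    memset(arena, 0, sizeof arena);
    if ((size_t)size + sizeof stale <= sizeof arena)
        memcpy(arena + size, stale, sizeof stale);
}

/* Vulnerable pattern (models the advisory text, not the project's code):
 * exactly `size` bytes are copied and the buffer later goes to printf %s,
 * so strlen() runs on until it happens to meet a zero byte. */
static size_t copyright_unterminated(const uint8_t *data, uint32_t size)
{
    if (size > sizeof arena) return 0;
    reset_arena(size);
    memcpy(arena, data, size);
    return strlen(arena);
}

/* Hardened pattern: reserve size + 1 bytes and write the terminator. */
static size_t copyright_terminated(const uint8_t *data, uint32_t size)
{
    if ((size_t)size + 1 > sizeof arena) return 0;
    reset_arena(size);
    memcpy(arena, data, size);
    arena[size] = '\0';
    return strlen(arena);
}

/* End-to-end helpers on the constructed input. */
static size_t leaked_length(void)
{
    uint32_t size;
    const uint8_t *data = find_copyright(crafted_aiff, sizeof crafted_aiff, &size);
    return data ? copyright_unterminated(data, size) : 0;
}

static size_t fixed_length(void)
{
    uint32_t size;
    const uint8_t *data = find_copyright(crafted_aiff, sizeof crafted_aiff, &size);
    return data ? copyright_terminated(data, size) : 0;
}

static int truncated_rejected(void)
{
    uint32_t size;
    return find_copyright(truncated_aiff, sizeof truncated_aiff, &size) == NULL;
}

int main(void)
{
    printf("unterminated: %zu bytes printed -> \"%s\"\n", leaked_length(), arena);
    printf("terminated:   %zu bytes printed -> \"%s\"\n", fixed_length(), arena);
    printf("over-long chunk size rejected: %s\n", truncated_rejected() ? "yes" : "no");
    return 0;
}
```

The two lengths are the whole story: the unterminated copy reports 26 characters (the 14 real ones plus the 12 stale bytes that follow), the terminated copy reports 14. Both the terminator and the size bound matter in practice, since the chunk length is read straight from the file.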

katnatek 2023-12-02 19:32:18 CET

CC: (none) => andrewsfarm

Comment 6 katnatek 2023-12-02 19:33:46 CET
@Thomas: I don't feel right validating this myself. If my test is good enough for you, please validate this.
Comment 7 Thomas Andrews 2023-12-02 21:44:14 CET
Looks OK to me. Validating.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 8 Marja Van Waes 2023-12-03 16:57:40 CET
(In reply to Thomas Andrews from comment #7)
> Looks OK to me. Validating.

I see MGA9-64-0K on the whiteboard, but here https://madb.mageia.org/tools/updates I don't see an OK at all and there is no big yellow dot next to 9, but a light grey one.

Could that be because the _new_ version is in the SRPM field instead of the _previous_ one?? ....Removing the version there.

I hope the OK appears while I add this comment :-)

Source RPM: audiofile-0.3.6-12.mga9.src.rpm => audiofile

Comment 9 Marja Van Waes 2023-12-03 16:59:15 CET
(In reply to Marja Van Waes from comment #8)
> (In reply to Thomas Andrews from comment #7)
> > Looks OK to me. Validating.
> 
> I see MGA9-64-0K on the whiteboard, but here
> https://madb.mageia.org/tools/updates I don't see an OK at all and there is
> no big yellow dot next to 9, but a light grey one.
> 
> Could that be because the _new_ version is in the SRPM field instead of the
> _previous_ one?? ....Removing the version there.
> 
> I hope the OK appears while I add this comment :-)

No, no difference. CC'ing Dave Hodgins

CC: (none) => davidwhodgins

Thomas Andrews 2023-12-03 17:44:03 CET

Whiteboard: MGA9-64-0K => MGA9-64-OK

Comment 10 Thomas Andrews 2023-12-03 17:50:04 CET
Looks like I put "0K" instead of "OK" in the Whiteboard. I fixed it.

I'm pleading fat, aging fingers. ;-)
Comment 11 Thomas Andrews 2023-12-03 17:52:21 CET
I looked it over, and I'm vindicated! Katnatek is the one who made the typo. Looks like we are all human after all.
Comment 12 Marja Van Waes 2023-12-03 17:56:26 CET
LOL

Thanks for fixing it.

I'm glad there are others like me around (I once wrote ẃ instead of w in an xml warning tag, took me a long time to figure out what was wrong).
Comment 13 katnatek 2023-12-03 20:09:33 CET
(In reply to Thomas Andrews from comment #11)
> I looked it over, and I'm vindicated! Katnatek is the one who made the typo.
> Looks like we are all human after all.

My goodness! Sorry for that. Thank you, I'll try not to make those mistakes.
Comment 14 Dave Hodgins 2023-12-03 21:30:04 CET
I copy/paste from a text file ...
$ cat validate 
MGA9-64-OK
MGA9-32-OK
MGA8-64-OK
MGA8-32-OK
has_procedure
advisory
FOR_ERRATA, IN_ERRATA
validated_update
Backport, validated_backport

sysadmin-bugs@ml.mageia.org

When I'm creating an advisory for svn using the mgaadv command, I copy/paste
the bug number, as it's critical to get right.

I make typos a lot too, and tend to see what I know it should be instead of
what's there when I proofread it. I learned a long time ago to make the
computer do tedious things whenever possible, as I'm not good at it. :-)
Comment 15 David Walser 2023-12-04 02:13:25 CET
Could someone please correct the SRPM field to be the current version (i.e. the version the bug was reported against)?
Comment 16 katnatek 2023-12-04 02:25:24 CET
(In reply to David Walser from comment #15)
> Could someone please correct the SRPM field to be the current version (i.e.
> the version the bug was reported against)?

Done!

Source RPM: audiofile => audiofile-0.3.6-12.mga9.src.rpm

Comment 17 Mageia Robot 2023-12-04 10:30:58 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0336.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED

Comment 18 Marja Van Waes 2023-12-04 13:10:21 CET
(In reply to Dave Hodgins from comment #14)

> 
> When I'm creating and advisory for svn using the mgaadv command, I copy/paste
> the bug number, as it's critical to get right.
> 

I used to read it forward and backwards and forwards again, to be sure that it was exactly the same. But this morning I noticed that I had created 32588.adv for bug 32558. I'll c&p the bug number, too, from now on.

Another thing I found out is that I should (whenever possible) open only one bug report at the same time. It is otherwise too easy to put a comment for one bug report in a different one, or to accidentally gather data from the wrong bug report for an advisory.
