Bugzilla – Bug 1026978
VUL-1: CVE-2017-6837, CVE-2017-6838, CVE-2017-6839: audiofile: multiple ubsan crashes
Last modified: 2017-07-13 12:36:37 UTC
Ref: http://seclists.org/oss-sec/2017/q1/515 ============================================== Description: audiofile is a C-based library for reading and writing audio files in many common formats. A fuzz on it discovered multiple crashes because of undefined behavior. The complete UBsan output: # sfconvert @@ out.mp3 format aiff /tmp/portage/media-libs/audiofile-0.3.6-r3/work/audiofile-0.3.6/libaudiofile/WAVE.cpp:289:14: runtime error: index 256 out of bounds for type 'int16_t [256][2]' /tmp/portage/media-libs/audiofile-0.3.6-r3/work/audiofile-0.3.6/libaudiofile/WAVE.cpp:290:14: runtime error: index 256 out of bounds for type 'int16_t [256][2]' Reproducer: https://github.com/asarubbo/poc/blob/master/00191-audiofile-indexoob ########################################## # sfconvert @@ out.mp3 format aiff /tmp/portage/media-libs/audiofile-0.3.6-r3/work/audiofile-0.3.6/sfcommands/sfconvert.c:327:42: runtime error: signed integer overflow: 65536 * 252936 cannot be represented in type 'int' Reproducer: https://github.com/asarubbo/poc/blob/master/00192-audiofile-signintoverflow-sfconvert ########################################## # sfconvert @@ out.mp3 format aiff /tmp/portage/media-libs/audiofile-0.3.6-r3/work/audiofile-0.3.6/libaudiofile/modules/MSADPCM.cpp:115:27: runtime error: signed integer overflow: 5512570 * 409 cannot be represented in type 'int' Reproducer: https://github.com/asarubbo/poc/blob/master/00193-audiofile-signintoverflow-MSADPCM ########################################## Affected version: 0.3.6 Fixed version: N/A Commit fix: N/A Credit: These bugs were discovered by Agostino Sarubbo of Gentoo. Timeline: 2017-02-20: bug discovered and reported to upstream 2017-02-20: blog post about the issue Note: These bugs were found with American Fuzzy Lop. Permalink: https://blogs.gentoo.org/ago/2017/02/20/audiofile-multiple-ubsan-crashes ============================================== https://software.opensuse.org/package/audiofile TW|42.{1,2}: 0.3.6 VUL-1 because: http://seclists.org/oss-sec/2017/q1/504 ======================================================== Hello all. I discovered multiple crashes in the audiofile library. The maintainer was informed privately, I didn't see reactions and all details are public on my blog. I posted them to the cveform too, but I didn't get response. I'll send update if something will change. -- Agostino Sarubbo Gentoo Linux Developer ========================================================
bugbot adjusting priority
Hi SLE people - is this something you maintain? I've never touched if afik.
I created a pull request to fix these three issues in the original project: https://github.com/mpruett/audiofile/pull/42 Once I fix all the audiofile reported issues boo#1026979 thru boo#1026988, I'll backport all fixes to SLE11/SLE12/openSUSE
*** Bug 1026982 has been marked as a duplicate of this bug. ***
*** Bug 1026979 has been marked as a duplicate of this bug. ***
*** Bug 1026980 has been marked as a duplicate of this bug. ***
*** Bug 1026984 has been marked as a duplicate of this bug. ***
*** Bug 1026985 has been marked as a duplicate of this bug. ***
*** Bug 1026986 has been marked as a duplicate of this bug. ***
*** Bug 1026987 has been marked as a duplicate of this bug. ***
*** Bug 1026988 has been marked as a duplicate of this bug. ***
The following CVEs where assigned: https://blogs.gentoo.org/ago/2017/02/20/audiofile-multiple-ubsan-crashes/ CVE: CVE-2017-6837 Reproducer: https://github.com/asarubbo/poc/blob/master/00191-audiofile-indexoob CVE: CVE-2017-6838 Reproducer: https://github.com/asarubbo/poc/blob/master/00192-audiofile-signintoverflow-sfconvert CVE: CVE-2017-6839 Reproducer: https://github.com/asarubbo/poc/blob/master/00193-audiofile-signintoverflow-MSADPCM
SUSE-SU-2017:0940-1: An update that fixes 14 vulnerabilities is now available. Category: security (low) Bug References: 1026978,1026979,1026980,1026981,1026982,1026983,1026984,1026985,1026986,1026987,1026988,949399 CVE References: CVE-2015-7747,CVE-2017-6827,CVE-2017-6828,CVE-2017-6829,CVE-2017-6830,CVE-2017-6831,CVE-2017-6832,CVE-2017-6833,CVE-2017-6834,CVE-2017-6835,CVE-2017-6836,CVE-2017-6837,CVE-2017-6838,CVE-2017-6839 Sources used: SUSE Linux Enterprise Software Development Kit 12-SP2 (src): audiofile-0.3.6-10.1 SUSE Linux Enterprise Software Development Kit 12-SP1 (src): audiofile-0.3.6-10.1 SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src): audiofile-0.3.6-10.1 SUSE Linux Enterprise Server 12-SP2 (src): audiofile-0.3.6-10.1 SUSE Linux Enterprise Server 12-SP1 (src): audiofile-0.3.6-10.1 SUSE Linux Enterprise Desktop 12-SP2 (src): audiofile-0.3.6-10.1 SUSE Linux Enterprise Desktop 12-SP1 (src): audiofile-0.3.6-10.1
openSUSE-SU-2017:1038-1: An update that fixes 13 vulnerabilities is now available. Category: security (low) Bug References: 1026978,1026979,1026980,1026981,1026982,1026983,1026984,1026985,1026986,1026987,1026988 CVE References: CVE-2017-6827,CVE-2017-6828,CVE-2017-6829,CVE-2017-6830,CVE-2017-6831,CVE-2017-6832,CVE-2017-6833,CVE-2017-6834,CVE-2017-6835,CVE-2017-6836,CVE-2017-6837,CVE-2017-6838,CVE-2017-6839 Sources used: openSUSE Leap 42.2 (src): audiofile-0.3.6-10.3.1 openSUSE Leap 42.1 (src): audiofile-0.3.6-12.1
SUSE-SU-2017:1182-1: An update that fixes 13 vulnerabilities is now available. Category: security (moderate) Bug References: 1026978,1026979,1026980,1026981,1026982,1026983,1026984,1026985,1026986,1026987,1026988 CVE References: CVE-2017-6827,CVE-2017-6828,CVE-2017-6829,CVE-2017-6830,CVE-2017-6831,CVE-2017-6832,CVE-2017-6833,CVE-2017-6834,CVE-2017-6835,CVE-2017-6836,CVE-2017-6837,CVE-2017-6838,CVE-2017-6839 Sources used: SUSE Linux Enterprise Software Development Kit 11-SP4 (src): audiofile-0.2.6-142.17.1 SUSE Linux Enterprise Server 11-SP4 (src): audiofile-0.2.6-142.17.1 SUSE Linux Enterprise Debuginfo 11-SP4 (src): audiofile-0.2.6-142.17.1
released