Bug 1036968 - (CVE-2017-8373) VUL-0: CVE-2017-8373: libmad: heap-based buffer overflow in mad_layer_III (layer3.c)
(CVE-2017-8373)
VUL-0: CVE-2017-8373: libmad: heap-based buffer overflow in mad_layer_III (la...
Status: IN_PROGRESS
Classification: openSUSE
Product: openSUSE Tumbleweed
Classification: openSUSE
Component: Security
Current
Other Other
: P4 - Low : Normal (vote)
: Current
Assigned To: Security Team bot
Security Team bot
https://smash.suse.de/issue/184602/
CVSSv3.1:SUSE:CVE-2017-8373:7.8:(AV:L...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2017-04-30 10:30 UTC by Mikhail Kasimov
Modified: 2022-10-03 16:08 UTC (History)
19 users (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
00213-libmad-heapoverflow-mad_layer_III_reproducer (6.61 KB, application/octet-stream)
2017-04-30 10:30 UTC, Mikhail Kasimov
Details

Note You need to log in before you can comment on or make changes to this bug.
Description Mikhail Kasimov 2017-04-30 10:30:09 UTC
Created attachment 723245 [details]
00213-libmad-heapoverflow-mad_layer_III_reproducer

Ref: https://blogs.gentoo.org/ago/2017/04/30/libmad-heap-based-buffer-overflow-in-mad_layer_iii-layer3-c/
======================================================
Description:
libmad stays for “M”peg “A”udio “D”ecoder library.

There is an heap overflow discovered through madplay.

The complete ASan output:

# madplay -v -i -o raw:out $FILE
==14773==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61e00000fa87 at pc 0x0000004bc8ec bp 0x7ffcda3263d0 sp 0x7ffcda325b80
WRITE of size 2060 at 0x61e00000fa87 thread T0
    #0 0x4bc8eb in __asan_memcpy /tmp/portage/sys-devel/llvm-3.9.1-r1/work/llvm-3.9.1.src/projects/compiler-rt/lib/asan/asan_interceptors.cc:413
    #1 0x7f37ddfa397d in mad_layer_III /tmp/portage/media-libs/libmad-0.15.1b-r8/work/libmad-0.15.1b/layer3.c:2635:2
    #2 0x7f37ddf6784d in mad_frame_decode /tmp/portage/media-libs/libmad-0.15.1b-r8/work/libmad-0.15.1b/frame.c:453:7
    #3 0x7f37ddf8c4e4 in run_sync /tmp/portage/media-libs/libmad-0.15.1b-r8/work/libmad-0.15.1b/decoder.c:404:11
    #4 0x7f37ddf8ac59 in mad_decoder_run /tmp/portage/media-libs/libmad-0.15.1b-r8/work/libmad-0.15.1b/decoder.c:557:12
    #5 0x5277a1 in decode /tmp/portage/media-sound/madplay-0.15.2b-r1/work/madplay-0.15.2b/player.c:1862:12
    #6 0x5277a1 in play_one /tmp/portage/media-sound/madplay-0.15.2b-r1/work/madplay-0.15.2b/player.c:1951
    #7 0x5277a1 in play_all /tmp/portage/media-sound/madplay-0.15.2b-r1/work/madplay-0.15.2b/player.c:2041
    #8 0x5215a2 in player_run /tmp/portage/media-sound/madplay-0.15.2b-r1/work/madplay-0.15.2b/player.c:2768:14
    #9 0x50c46c in main /tmp/portage/media-sound/madplay-0.15.2b-r1/work/madplay-0.15.2b/madplay.c:816:7
    #10 0x7f37dce4f78f in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289
    #11 0x41aa78 in _init (/usr/bin/madplay+0x41aa78)

Affected version:
0.15.1b

Fixed version:
N/A

Commit fix:
N/A

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
N/A

Reproducer:
https://github.com/asarubbo/poc/blob/master/00213-libmad-heapoverflow-mad_layer_III

Timeline:
2017-01-01: bug discovered and reported to upstream
2017-04-30: blog post about the issue

Note:
This bug was found with American Fuzzy Lop.

Permalink:

    libmad: heap-based buffer overflow in mad_layer_III (layer3.c)
======================================================

(open-)SUSE: https://software.opensuse.org/package/libmad

0.15.1b (TW, 42.{1,2}, multimedia:libs repo)
Comment 1 Mikhail Kasimov 2017-05-01 07:59:22 UTC
CVE-2017-8373: https://nvd.nist.gov/vuln/detail/CVE-2017-8373
Comment 2 Andreas Stieger 2017-05-01 08:41:08 UTC
libmad is not in the distribution, but submitted to Factory:
https://build.opensuse.org/request/show/491354

multimedia:libs/libmad has no maintainer set. Security team requests that project maintainers please set one. Assigning to last involved project maintainer.
Comment 3 Johannes Segitz 2017-07-13 09:19:49 UTC
fixed in Factory, no need to track it as security incident anymore. The request for adding a maintainer still stands
Comment 4 Johannes Segitz 2018-02-21 13:43:13 UTC
now included in leap, submit to Factory was revoked. Reopening
Comment 5 Robert Frohl 2022-08-01 15:07:49 UTC
still missing for:

- SUSE:SLE-15:Update/libmad
Comment 6 Robert Frohl 2022-08-01 15:08:26 UTC
@Adam: could you have a look please found this would going though our backlog
Comment 10 Stanislav Brabec 2022-10-03 16:08:06 UTC
I took the Factory patch and backported to:
openSUSE:Backports:SLE-12-SP1: https://build.opensuse.org/request/show/1007718
SUSE:SLE-15:Update: https://build.suse.de/request/show/281510 (internal), sources are equal to openSUSE:Backports:SLE-12-SP1

The backport was straightforward.