libsndfile: CVE-2017-7742: Invalid memory read in flac_buffer_copy function

Debian Bug report logs - #860255


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Thu, 13 Apr 2017 16:24:02 UTC

Severity: important

Tags: security, upstream

Found in versions libsndfile/1.0.27-1, libsndfile/1.0.25-9.1, libsndfile/1.0.27-2

Fixed in version libsndfile/1.0.27-3

Done: IOhannes m zmölnig (Debian/GNU) <umlaeute@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Erik de Castro Lopo <erikd@mega-nerd.com>:
Bug#860255; Package src:libsndfile. (Thu, 13 Apr 2017 16:24:05 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Erik de Castro Lopo <erikd@mega-nerd.com>. (Thu, 13 Apr 2017 16:24:05 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libsndfile: CVE-2017-7742: Invalid memory read in flac_buffer_copy function
Date: Thu, 13 Apr 2017 18:21:34 +0200
Source: libsndfile
Version: 1.0.27-1
Severity: important
Tags: security upstream
Control: found -1 1.0.27-2

Hi,

the following vulnerability was published for libsndfile.

CVE-2017-7742[0]:
| In libsndfile before 1.0.28, an error in the "flac_buffer_copy()"
| function (flac.c) can be exploited to cause a segmentation violation
| (with read memory access) via a specially crafted FLAC file during a
| resample attempt, a similar issue to CVE-2017-7585.

Note that this is not the same as CVE-2017-7742, which is for the
invalid memory write in flac_buffer_copy function which seems
addressed with the patches applied in 1.0.27-2 already (unless I'm
wrong, please double-check).

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-7742
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7742

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Marked as found in versions libsndfile/1.0.27-2. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Thu, 13 Apr 2017 16:24:05 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Erik de Castro Lopo <erikd@mega-nerd.com>:
Bug#860255; Package src:libsndfile. (Thu, 13 Apr 2017 16:30:06 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Erik de Castro Lopo <erikd@mega-nerd.com>. (Thu, 13 Apr 2017 16:30:06 GMT) (full text, mbox, link).


Message #12 received at 860255@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: 860255@bugs.debian.org
Subject: Re: Bug#860255: libsndfile: CVE-2017-7742: Invalid memory read in flac_buffer_copy function
Date: Thu, 13 Apr 2017 18:27:01 +0200
For reference in the Debian BTS:

==15547== Memcheck, a memory error detector
==15547== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==15547== Using Valgrind-3.12.0 and LibVEX; rerun with -h for copyright info
==15547== Command: sndfile-resample -to 24000 -c 1 /root/poc/00260-libsndfile-invalidread-flac_buffer_copy out
==15547== 
==15547== Conditional jump or move depends on uninitialised value(s)
==15547==    at 0x51AF38D: psf_open_file (sndfile.c:2741)
==15547==    by 0x108EE1: ??? (in /usr/bin/sndfile-resample)
==15547==    by 0x57402B0: (below main) (libc-start.c:291)
==15547== 
==15547== Invalid read of size 4
==15547==    at 0x51B87BB: flac_buffer_copy (flac.c:284)
==15547==    by 0x51B9724: flac_read_loop (flac.c:916)
==15547==    by 0x51B9824: flac_read_flac2f (flac.c:982)
==15547==    by 0x51ADA89: sf_readf_float (sndfile.c:1870)
==15547==    by 0x10925F: ??? (in /usr/bin/sndfile-resample)
==15547==    by 0x57402B0: (below main) (libc-start.c:291)
==15547==  Address 0x66ac370 is 0 bytes after a block of size 16,400 alloc'd
==15547==    at 0x4C2BBAF: malloc (vg_replace_malloc.c:299)
==15547==    by 0x5B0AFA8: ??? (in /usr/lib/x86_64-linux-gnu/libFLAC.so.8.3.0)
==15547==    by 0x5B0F69C: FLAC__stream_decoder_process_single (in /usr/lib/x86_64-linux-gnu/libFLAC.so.8.3.0)
==15547==    by 0x5B104AB: FLAC__stream_decoder_seek_absolute (in /usr/lib/x86_64-linux-gnu/libFLAC.so.8.3.0)
==15547==    by 0x51B7C50: flac_seek (flac.c:1374)
==15547==    by 0x51ABB60: sf_seek (sndfile.c:1468)
==15547==    by 0x1090BB: ??? (in /usr/bin/sndfile-resample)
==15547==    by 0x57402B0: (below main) (libc-start.c:291)
==15547== 
==15547== 
==15547== Process terminating with default action of signal 11 (SIGSEGV)
==15547==  Access not within mapped region at address 0x4000
==15547==    at 0x51B87BB: flac_buffer_copy (flac.c:284)
==15547==    by 0x51B9724: flac_read_loop (flac.c:916)
==15547==    by 0x51B9824: flac_read_flac2f (flac.c:982)
==15547==    by 0x51ADA89: sf_readf_float (sndfile.c:1870)
==15547==    by 0x10925F: ??? (in /usr/bin/sndfile-resample)
==15547==    by 0x57402B0: (below main) (libc-start.c:291)
==15547==  If you believe this happened as a result of a stack
==15547==  overflow in your program's main thread (unlikely but
==15547==  possible), you can try to increase the size of the
==15547==  main thread stack using the --main-stacksize= flag.
==15547==  The main thread stack size used in this run was 8388608.
Input File    : /root/poc/00260-libsndfile-invalidread-flac_buffer_copy
Sample Rate   : 1047740
Input Frames  : 47261415625

SRC Ratio     : 0.022906
Converter     : Medium Sinc Interpolator

Output file   : out
Sample Rate   : 24000
==15547== 
==15547== HEAP SUMMARY:
==15547==     in use at exit: 4,030,315 bytes in 59 blocks
==15547==   total heap usage: 60 allocs, 1 frees, 4,034,411 bytes allocated
==15547== 
==15547== LEAK SUMMARY:
==15547==    definitely lost: 1,048,560 bytes in 4 blocks
==15547==    indirectly lost: 0 bytes in 0 blocks
==15547==      possibly lost: 32,800 bytes in 2 blocks
==15547==    still reachable: 2,948,955 bytes in 53 blocks
==15547==         suppressed: 0 bytes in 0 blocks
==15547== Rerun with --leak-check=full to see details of leaked memory
==15547== 
==15547== For counts of detected and suppressed errors, rerun with: -v
==15547== Use --track-origins=yes to see where uninitialised values come from
==15547== ERROR SUMMARY: 4 errors from 2 contexts (suppressed: 0 from 0)

with 1.0.27-2.

Regards,
Salvatore
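The valgrind trace above records an invalid 4-byte read in flac_buffer_copy at the first address past a 16,400-byte heap block, reached through sf_seek and then sf_readf_float. The general bug class is a copy loop whose extent is taken from the decoded frame (whose geometry a crafted file controls) rather than from the capacity of the destination the caller sized from the stream header. The following is an added illustration of the defensive shape such a copy should take; it is not libsndfile's flac_buffer_copy, and the decoded_frame layout, safe_buffer_copy, MAX_CHANNELS and the sample arrays are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_CHANNELS 8

/* Hypothetical decoded frame as a decoder might hand it back. blocksize and
   channels come from the file, so a crafted file controls them. */
typedef struct {
    const int32_t *samples[MAX_CHANNELS]; /* one sample array per channel */
    size_t blocksize;                      /* samples per channel in this frame */
    unsigned channels;
} decoded_frame;

/* Interleave at most capacity_frames frames, starting at sample index `start`
   of the decoded frame, into dst (which holds capacity_frames * expected_channels
   int32 values). Returns the number of frames copied; returns 0 when the frame
   is inconsistent with the header the destination was sized from, so the copy
   never reads past the frame or writes past dst. */
size_t safe_buffer_copy(const decoded_frame *f, unsigned expected_channels,
                        size_t start, int32_t *dst, size_t capacity_frames)
{
    if (f == NULL || dst == NULL)
        return 0;
    /* Geometry check: dst was sized for expected_channels. A frame claiming
       more channels would index dst past its end; fewer would leave gaps. */
    if (f->channels == 0 || f->channels > MAX_CHANNELS ||
        f->channels != expected_channels)
        return 0;
    for (unsigned c = 0; c < f->channels; c++)
        if (f->samples[c] == NULL)
            return 0;
    /* Offset check: after a seek the read position may sit anywhere inside
       the frame, including its end, but never beyond it. */
    if (start > f->blocksize)
        return 0;
    size_t avail = f->blocksize - start;
    /* Clamp to whichever is smaller: what the frame still holds, or what the
       destination can take. This is the bound the trace above shows missing. */
    size_t n = avail < capacity_frames ? avail : capacity_frames;
    for (size_t i = 0; i < n; i++)
        for (unsigned c = 0; c < f->channels; c++)
            dst[i * f->channels + c] = f->samples[c][start + i];
    return n;
}

/* Constructed sample data: one 2-channel frame of 4 samples. */
static const int32_t left[4]  = { 1, 2, 3, 4 };
static const int32_t right[4] = { 10, 20, 30, 40 };

static decoded_frame sample_frame(unsigned channels)
{
    decoded_frame f = { { left, right }, 4, channels };
    return f;
}

/* Frame has 4 samples but the destination only holds 3 frames: the copy must
   stop at 3 instead of running one sample past the end of `out`. */
size_t demo_clamped_copy(int32_t out[6])
{
    decoded_frame f = sample_frame(2);
    return safe_buffer_copy(&f, 2, 0, out, 3);
}

/* Frame claims 3 channels while the header said 2: must be rejected outright. */
size_t demo_channel_mismatch(void)
{
    int32_t out[6] = { 0 };
    decoded_frame f = sample_frame(3);
    return safe_buffer_copy(&f, 2, 0, out, 3);
}

int main(void)
{
    int32_t out[6] = { 0 };
    size_t n = demo_clamped_copy(out);
    printf("copied %zu frames:", n);
    for (size_t i = 0; i < n * 2; i++)
        printf(" %d", out[i]);
    printf("\nchannel mismatch copied %zu frames\n", demo_channel_mismatch());
    return 0;
}
```

The point of returning the copied frame count rather than a boolean is that the caller (the read loop) can advance its position by exactly that many frames and request the remainder on the next call, which is what makes clamping to the destination's capacity a correct behaviour rather than silent truncation.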



Marked as found in versions libsndfile/1.0.25-9.1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 14 Apr 2017 15:03:03 GMT) (full text, mbox, link).


Reply sent to IOhannes m zmölnig (Debian/GNU) <umlaeute@debian.org>:
You have taken responsibility. (Sun, 28 May 2017 21:21:03 GMT) (full text, mbox, link).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sun, 28 May 2017 21:21:03 GMT) (full text, mbox, link).


Message #19 received at 860255-close@bugs.debian.org (full text, mbox, reply):

From: IOhannes m zmölnig (Debian/GNU) <umlaeute@debian.org>
To: 860255-close@bugs.debian.org
Subject: Bug#860255: fixed in libsndfile 1.0.27-3
Date: Sun, 28 May 2017 21:18:39 +0000
Source: libsndfile
Source-Version: 1.0.27-3

We believe that the bug you reported is fixed in the latest version of
libsndfile, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 860255@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
IOhannes m zmölnig (Debian/GNU) <umlaeute@debian.org> (supplier of updated libsndfile package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Sun, 28 May 2017 22:52:39 +0200
Source: libsndfile
Binary: libsndfile1-dev libsndfile1 sndfile-programs libsndfile1-dbg sndfile-programs-dbg
Architecture: source
Version: 1.0.27-3
Distribution: unstable
Urgency: medium
Maintainer: Erik de Castro Lopo <erikd@mega-nerd.com>
Changed-By: IOhannes m zmölnig (Debian/GNU) <umlaeute@debian.org>
Description:
 libsndfile1 - Library for reading/writing audio files
 libsndfile1-dbg - debugging symbols for libsndfile
 libsndfile1-dev - Development files for libsndfile; a library for reading/writing a
 sndfile-programs - Sample programs that use libsndfile
 sndfile-programs-dbg - debugging symbols for sndfile-programs
Closes: 860255 862202 862203 862204 862205
Changes:
 libsndfile (1.0.27-3) unstable; urgency=medium
 .
   * Mentioned CVEs fixed by fix_bufferoverflows.patch
     (CVE-2017-7741, CVE-2017-7586, CVE-2017-7585)
   * Backported patch for error handling of malicious/broken FLAC files
     (CVE-2017-7742, CVE-2017-7741, CVE-2017-7585)
     (Closes: #860255)
   * Backported patch to fix buffer read overflow in FLAC code
     (CVE-2017-8362)
     (Closes: #862204)
   * Backported patches to fix memory leaks in FLAC code
     (CVE-2017-8363)
     (Closes: #862203)
   * Backported patch to fix buffer overruns in FLAC-code
     (CVE-2017-8365, CVE-2017-8363, CVE-2017-8361)
     (Closes: #862205, #862203, #862202)
 .
   * Added Vcs-* stanzas to d/control
Checksums-Sha1:
 1ba035530bd1d8fef1423eca479edf5db8ef2628 2325 libsndfile_1.0.27-3.dsc
 3e8f3576bce8dc565b1db811dd7a2861ec6b2b4e 14944 libsndfile_1.0.27-3.debian.tar.xz
 3a03ed8d076e305d02e4da85ce5c61d04f41b7da 6992 libsndfile_1.0.27-3_amd64.buildinfo
Checksums-Sha256:
 2aad1627be9e40b1d46351cf66e8be1c98c9c0c997a4e29560d7bb17b47700e5 2325 libsndfile_1.0.27-3.dsc
 f0dfb219d920423161d3ecbe5c576cbc7fe0a8169335b9efcad4528ca7e8e463 14944 libsndfile_1.0.27-3.debian.tar.xz
 f81d2a2c606108ba1243740cd8735964a411c6a2a1d74baf527a660108702cb6 6992 libsndfile_1.0.27-3_amd64.buildinfo
Files:
 008c5fc1524f3105802fb7f241e989a9 2325 devel optional libsndfile_1.0.27-3.dsc
 910e06b21b2dc8607df249118c05f98f 14944 devel optional libsndfile_1.0.27-3.debian.tar.xz
 ba4e818c2469241f6410594e5ddd9838 6992 devel optional libsndfile_1.0.27-3_amd64.buildinfo





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 15 Aug 2017 07:29:12 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:58:17 2019; Machine Name: beach

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.