libsndfile: CVE-2017-8361: global buffer overflow in flac_buffer_copy

Debian Bug report logs - #862205


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Tue, 9 May 2017 19:03:02 UTC

Severity: important

Tags: patch, security, upstream

Found in version libsndfile/1.0.27-2

Fixed in version libsndfile/1.0.27-3

Done: IOhannes m zmölnig (Debian/GNU) <umlaeute@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://github.com/erikd/libsndfile/issues/232#issuecomment-300267444



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Erik de Castro Lopo <erikd@mega-nerd.com>:
Bug#862205; Package src:libsndfile. (Tue, 09 May 2017 19:03:04 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Erik de Castro Lopo <erikd@mega-nerd.com>. (Tue, 09 May 2017 19:03:04 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libsndfile: CVE-2017-8361: global buffer overflow in flac_buffer_copy
Date: Tue, 09 May 2017 20:59:14 +0200
Source: libsndfile
Version: 1.0.27-2
Severity: important
Tags: security patch upstream
Forwarded: https://github.com/erikd/libsndfile/issues/232#issuecomment-300267444

Hi,

the following vulnerability was published for libsndfile.

CVE-2017-8361[0]:
| The flac_buffer_copy function in flac.c in libsndfile 1.0.28 allows
| remote attackers to cause a denial of service (buffer overflow and
| application crash) or possibly have unspecified other impact via a
| crafted audio file.

root@sid:~/libsndfile-1.0.27# ASAN_OPTIONS='detect_leaks=0' ./programs/sndfile-convert ~/poc/00265-libsndfile-globaloverflow-flac_buffer_copy /tmp/out.wav
=================================================================
==19742==ERROR: AddressSanitizer: global-buffer-overflow on address 0x555fbce48220 at pc 0x555fbcb08bbe bp 0x7ffff8e810d0 sp 0x7ffff8e810c8
WRITE of size 4 at 0x555fbce48220 thread T0
    #0 0x555fbcb08bbd in flac_buffer_copy /root/libsndfile-1.0.27/src/flac.c:263
    #1 0x555fbcb09bc1 in sf_flac_write_callback /root/libsndfile-1.0.27/src/flac.c:387
    #2 0x7fa32d65f18e  (/usr/lib/x86_64-linux-gnu/libFLAC.so.8+0x4e18e)
    #3 0x7fa32d66269c in FLAC__stream_decoder_process_single (/usr/lib/x86_64-linux-gnu/libFLAC.so.8+0x5169c)
    #4 0x555fbcb0caa7 in flac_read_loop /root/libsndfile-1.0.27/src/flac.c:920
    #5 0x555fbcb0ce26 in flac_read_flac2i /root/libsndfile-1.0.27/src/flac.c:962
    #6 0x555fbcae3f8c in sf_readf_int /root/libsndfile-1.0.27/src/sndfile.c:1778
    #7 0x555fbcad8ec7 in sfe_copy_data_int /root/libsndfile-1.0.27/programs/common.c:87
    #8 0x555fbcad8930 in main /root/libsndfile-1.0.27/programs/sndfile-convert.c:340
    #9 0x7fa32c8b12b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
    #10 0x555fbcad7639 in _start (/root/libsndfile-1.0.27/programs/sndfile-convert+0x2d639)

0x555fbce48220 is located 32 bytes to the left of global variable 'sf_errno' defined in 'sndfile.c:293:5' (0x555fbce48240) of size 4
0x555fbce48220 is located 0 bytes to the right of global variable 'data' defined in 'common.c:80:14' (0x555fbce44220) of size 16384
SUMMARY: AddressSanitizer: global-buffer-overflow /root/libsndfile-1.0.27/src/flac.c:263 in flac_buffer_copy
==19742==ABORTING
root@sid:~/libsndfile-1.0.27#


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-8361
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8361

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
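As an added illustration (not libsndfile's code and not part of the report), this is the pattern the ASan trace describes: a decoder callback copies a whole decoded block into the caller's fixed-size destination, first unchecked and then clamped to the space actually remaining. The names sink_t, buffer_copy_unchecked, buffer_copy_checked and demo_copy_block are assumptions made for the example.

```c
/* Added illustration, not libsndfile's code: a FLAC-style decoder hands the
 * reader whole decoded blocks, and the copy into the caller's fixed-size
 * buffer must be clamped to the space left or it writes past the end, as the
 * ASan trace above shows for 'data'. All names here are hypothetical. */
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#define CHANNELS 2

typedef struct {
    int32_t *buffer;   /* caller-supplied destination */
    size_t   remain;   /* ints still free in buffer */
    size_t   written;  /* ints copied so far */
} sink_t;

/* Unchecked copy (for contrast, not called below): trusts the block size the
 * file announces, so a block larger than 'remain' overruns 'buffer'. */
void buffer_copy_unchecked(sink_t *s, const int32_t *block, size_t frames)
{
    size_t n = frames * CHANNELS;
    memcpy(s->buffer + s->written, block, n * sizeof(int32_t));
    s->written += n;
    s->remain  -= n;   /* underflows as well when n > remain */
}

/* Hardened copy: clamps to the room left and returns the count stored so the
 * caller can detect a truncated block instead of a silent overrun. */
size_t buffer_copy_checked(sink_t *s, const int32_t *block, size_t frames)
{
    size_t n = frames * CHANNELS;
    if (n > s->remain)
        n = s->remain;
    memcpy(s->buffer + s->written, block, n * sizeof(int32_t));
    s->written += n;
    s->remain  -= n;
    return n;
}

/* Constructed scenario: a 16-int destination receives one block of 'frames'
 * stereo frames; returns how many ints the checked path actually stored. */
size_t demo_copy_block(size_t frames)
{
    int32_t dest[16];
    int32_t *block = malloc(frames * CHANNELS * sizeof(int32_t));
    if (block == NULL)
        return 0;
    memset(block, 0x41, frames * CHANNELS * sizeof(int32_t));
    sink_t s = { dest, sizeof(dest) / sizeof(dest[0]), 0 };
    size_t copied = buffer_copy_checked(&s, block, frames);
    free(block);
    return copied;
}
```

A block that fits is copied in full; an oversized one is cut at the destination's capacity, which is the condition the unchecked path turns into the write past 'data' in the trace.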



Reply sent to IOhannes m zmölnig (Debian/GNU) <umlaeute@debian.org>:
You have taken responsibility. (Sun, 28 May 2017 21:21:12 GMT) (full text, mbox, link).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sun, 28 May 2017 21:21:12 GMT) (full text, mbox, link).


Message #10 received at 862205-close@bugs.debian.org (full text, mbox, reply):

From: IOhannes m zmölnig (Debian/GNU) <umlaeute@debian.org>
To: 862205-close@bugs.debian.org
Subject: Bug#862205: fixed in libsndfile 1.0.27-3
Date: Sun, 28 May 2017 21:18:40 +0000
Source: libsndfile
Source-Version: 1.0.27-3

We believe that the bug you reported is fixed in the latest version of
libsndfile, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 862205@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
IOhannes m zmölnig (Debian/GNU) <umlaeute@debian.org> (supplier of updated libsndfile package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sun, 28 May 2017 22:52:39 +0200
Source: libsndfile
Binary: libsndfile1-dev libsndfile1 sndfile-programs libsndfile1-dbg sndfile-programs-dbg
Architecture: source
Version: 1.0.27-3
Distribution: unstable
Urgency: medium
Maintainer: Erik de Castro Lopo <erikd@mega-nerd.com>
Changed-By: IOhannes m zmölnig (Debian/GNU) <umlaeute@debian.org>
Description:
 libsndfile1 - Library for reading/writing audio files
 libsndfile1-dbg - debugging symbols for libsndfile
 libsndfile1-dev - Development files for libsndfile; a library for reading/writing a
 sndfile-programs - Sample programs that use libsndfile
 sndfile-programs-dbg - debugging symbols for sndfile-programs
Closes: 860255 862202 862203 862204 862205
Changes:
 libsndfile (1.0.27-3) unstable; urgency=medium
 .
   * Mentioned CVEs fixed by fix_bufferoverflows.patch
     (CVE-2017-7741, CVE-2017-7586, CVE-2017-7585)
   * Backported patch for error handling of malicious/broken FLAC files
     (CVE-2017-7742, CVE-2017-7741, CVE-2017-7585)
     (Closes: #860255)
   * Backported patch to fix buffer read overflow in FLAC code
     (CVE-2017-8362)
     (Closes: #862204)
   * Backported patches to fix memory leaks in FLAC code
     (CVE-2017-8363)
     (Closes: #862203)
   * Backported patch to fix buffer overruns in FLAC-code
     (CVE-2017-8365, CVE-2017-8363, CVE-2017-8361)
     (Closes: #862205, #862203, #862202)
 .
   * Added Vcs-* stanzas to d/control

-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 15 Aug 2017 07:25:16 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:02:09 2019; Machine Name: buxtehude
