sox: CVE-2017-15372: stack-buffer-overflow src/adpcm.c:126 in lsx_ms_adpcm_block_expand_i


Debian Bug report logs - #878808


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Mon, 16 Oct 2017 19:51:04 UTC

Severity: important

Tags: security, upstream

Found in version sox/14.4.1-5

Fixed in version sox/14.4.2-2

Done: Jaromír Mikeš <mira.mikes@seznam.cz>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Pascal Giard <pascal@debian.org>:
Bug#878808; Package src:sox. (Mon, 16 Oct 2017 19:51:07 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Pascal Giard <pascal@debian.org>. (Mon, 16 Oct 2017 19:51:07 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: sox: CVE-2017-15372: stack-buffer-overflow src/adpcm.c:126 in lsx_ms_adpcm_block_expand_i
Date: Mon, 16 Oct 2017 21:49:51 +0200
Source: sox
Version: 14.4.1-5
Severity: important
Tags: security upstream

Hi,

the following vulnerability was published for sox.

CVE-2017-15372[0]:
| There is a stack-based buffer overflow in the
| lsx_ms_adpcm_block_expand_i function of adpcm.c in Sound eXchange (SoX)
| 14.4.2. A Crafted input will lead to a denial of service attack during
| conversion of an audio file.

With an ASAN build and

./src/sox ~/01-stack-overflow out.snd
=================================================================
==4852==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fff9b73d8a4 at pc 0x7fae2c9b322d bp 0x7fff9b73d7e0 sp 0x7fff9b73d7d8
WRITE of size 2 at 0x7fff9b73d8a4 thread T0
    #0 0x7fae2c9b322c in lsx_ms_adpcm_block_expand_i src/adpcm.c:126
    #1 0x7fae2c9b672b in AdpcmReadBlock src/wav.c:176
    #2 0x7fae2c9bd5b0 in read_samples src/wav.c:1029
    #3 0x7fae2c88e1fb in sox_read src/formats.c:973
    #4 0x406096 in sox_read_wide src/sox.c:490
    #5 0x406a6e in combiner_drain src/sox.c:552
    #6 0x7fae2c8c1fe1 in drain_effect src/effects.c:318
    #7 0x7fae2c8c2ffe in sox_flow_effects src/effects.c:387
    #8 0x4122da in process src/sox.c:1794
    #9 0x41b386 in main src/sox.c:3012
    #10 0x7fae2bd622e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)
    #11 0x402f49 in _start (/root/sox-14.4.1/src/.libs/sox+0x402f49)

Address 0x7fff9b73d8a4 is located in stack of thread T0 at offset 68 in frame
    #0 0x7fae2c9b3063 in lsx_ms_adpcm_block_expand_i src/adpcm.c:112

  This frame has 1 object(s):
    [32, 64) 'state' <== Memory access at offset 68 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow src/adpcm.c:126 in lsx_ms_adpcm_block_expand_i
Shadow bytes around the buggy address:
  0x1000736dfac0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000736dfad0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000736dfae0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000736dfaf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000736dfb00: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
=>0x1000736dfb10: 00 00 00 00[f3]f3 f3 f3 00 00 00 00 00 00 00 00
  0x1000736dfb20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000736dfb30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000736dfb40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000736dfb50: 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 f2
  0x1000736dfb60: f2 f2 f2 f2 f2 f2 00 f2 f2 f2 f3 f3 f3 f3 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==4852==ABORTING

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-15372
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15372
[1] https://bugzilla.redhat.com/show_bug.cgi?id=1500553

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
[01-stack-overflow (audio/x-wav, attachment)]
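The ASAN frame above shows a fixed-size per-channel `state` array on the stack (32 bytes, offsets 32 to 64) being written at offset 68, i.e. one element past its end, while the WAV reader feeds the block decoder a channel count taken from the file header. The following C example is added here to illustrate the defensive pattern for that bug class; it is not SoX's code and not the Debian patch. Everything in it is assumed for illustration: the `chan_state_t` layout, the 7-byte per-channel block header, `MAX_CHANNELS`, `NUM_COEF`, and the constructed `fmt ` chunks and block bytes. The point is that the channel count is bounded against the array capacity both when the format chunk is parsed and again inside the decoder, so no index into `state[]` is ever formed from an unchecked header value.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define MAX_CHANNELS 4      /* capacity of the fixed per-channel state array (assumed) */
#define NUM_COEF 7          /* size of the predictor coefficient table (assumed) */
#define CHAN_HEADER_BYTES 7 /* assumed per-channel block header: bpred, step, sample1, sample2 */

/* Hypothetical per-channel decoder state. It stands in for the 'state'
 * stack object the ASAN report names; it is NOT SoX's real MsState_t. */
typedef struct {
    int bpred;   /* predictor index read from the block header */
    int step;    /* initial step size */
    int sample1; /* two previous samples seeding the predictor */
    int sample2;
} chan_state_t;

enum { EXPAND_OK = 0, EXPAND_BAD_CHANNELS = -1, EXPAND_SHORT_BLOCK = -2, EXPAND_BAD_BPRED = -3 };

static int rd16le(const uint8_t *p) { return (int16_t)(p[0] | (p[1] << 8)); }

/* Channel count from a 16-byte WAVEFORMAT 'fmt ' body (nChannels sits at offset 2,
 * little-endian). Returns the count, or a negative EXPAND_* code. Enforcing the
 * limit at parse time means the decoder never sees a count its array cannot hold. */
int channels_from_fmt(const uint8_t *fmt, size_t len)
{
    if (len < 16) return EXPAND_SHORT_BLOCK;
    int chans = fmt[2] | (fmt[3] << 8);
    if (chans == 0 || chans > MAX_CHANNELS) return EXPAND_BAD_CHANNELS;
    return chans;
}

/* Hardened block-header reader. The vulnerable pattern is a loop
 * "for (ch = 0; ch < chans; ch++) state[ch] = ..." with chans taken from the
 * file; here chans is bounded before any index is formed, and the input length
 * is checked so the reads cannot run past the block either. */
int read_block_headers(unsigned chans, const uint8_t *block, size_t block_len,
                       chan_state_t state[MAX_CHANNELS])
{
    if (chans == 0 || chans > MAX_CHANNELS) return EXPAND_BAD_CHANNELS;
    if (block_len < (size_t)chans * CHAN_HEADER_BYTES) return EXPAND_SHORT_BLOCK;
    for (unsigned ch = 0; ch < chans; ch++) {
        const uint8_t *p = block + ch * CHAN_HEADER_BYTES;
        /* out-of-range predictor index: reject the block rather than clamp silently */
        if (p[0] >= NUM_COEF) return EXPAND_BAD_BPRED;
        state[ch].bpred   = p[0];
        state[ch].step    = rd16le(p + 1);
        state[ch].sample1 = rd16le(p + 3);
        state[ch].sample2 = rd16le(p + 5);
    }
    return EXPAND_OK;
}

/* Constructed sample inputs (not bytes from the attached PoC file). */
static const uint8_t kFmtStereo[16] = { 0x02,0x00, 0x02,0x00, 0x44,0xac,0x00,0x00,
                                        0x10,0xb1,0x02,0x00, 0x04,0x00, 0x10,0x00 };
static const uint8_t kFmtNineCh[16] = { 0x02,0x00, 0x09,0x00, 0x44,0xac,0x00,0x00,
                                        0x08,0x4e,0x0c,0x00, 0x12,0x00, 0x10,0x00 };
static const uint8_t kBlock[MAX_CHANNELS * CHAN_HEADER_BYTES] = {
    0x00, 0x10,0x00, 0x00,0x00, 0x00,0x00,   /* channel 0 header */
    0x01, 0x20,0x00, 0x01,0x00, 0x00,0x00,   /* channel 1 header */
    0x02, 0x30,0x00, 0x02,0x00, 0x00,0x00,   /* channel 2 header */
    0x03, 0x40,0x00, 0x03,0x00, 0x00,0x00 }; /* channel 3 header */
static const uint8_t kBlockBadPred[CHAN_HEADER_BYTES] = {
    0x09, 0x10,0x00, 0x00,0x00, 0x00,0x00 }; /* bpred 9 >= NUM_COEF */

/* Decodes a block into a local state array with a caller-supplied channel
 * count, so the bound checks can be exercised directly. */
int try_decode_block(const uint8_t *block, size_t len, unsigned chans)
{
    chan_state_t state[MAX_CHANNELS];
    return read_block_headers(chans, block, len, state);
}

int main(void)
{
    printf("stereo fmt -> %d channels\n", channels_from_fmt(kFmtStereo, sizeof kFmtStereo));
    printf("9-channel fmt -> %d (rejected)\n", channels_from_fmt(kFmtNineCh, sizeof kFmtNineCh));
    printf("block with 4 channels -> %d\n", try_decode_block(kBlock, sizeof kBlock, 4));
    printf("block with 5 channels -> %d (rejected)\n", try_decode_block(kBlock, sizeof kBlock, 5));
    printf("block with bad bpred -> %d (rejected)\n", try_decode_block(kBlockBadPred, sizeof kBlockBadPred, 1));
    return 0;
}
```

Compiled with `-fsanitize=address`, the rejected cases never reach the `state[]` writes, which is the observable difference from the trace above: a file declaring more channels than the decoder has state for is refused as malformed instead of producing an out-of-bounds write.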

Added tag(s) pending. Request was from Jaromír Mikeš <mira.mikes@seznam.cz> to control@bugs.debian.org. (Sun, 19 Nov 2017 14:09:02 GMT)


Message sent on to Salvatore Bonaccorso <carnil@debian.org>:
Bug#878808. (Sun, 19 Nov 2017 14:09:05 GMT)


Message #10 received at 878808-submitter@bugs.debian.org:

From: Jaromír Mikeš <mira.mikes@seznam.cz>
To: 878808-submitter@bugs.debian.org
Subject: Bug#878808 marked as pending
Date: Sun, 19 Nov 2017 14:04:32 +0000
tag 878808 pending
thanks

Hello,

Bug #878808 reported by you has been fixed in the Git repository. You can
see the changelog below, and you can check the diff of the fix at:

    http://anonscm.debian.org/git/pkg-multimedia/sox.git/commit/?id=f4b7147

---
commit f4b714721768acfc2510cb42cc7882ed2a4c47b8
Author: Jaromír Mikeš <mira.mikes@seznam.cz>
Date:   Sun Nov 19 15:04:28 2017 +0100

    Start new upload.

diff --git a/debian/changelog b/debian/changelog
index aa93517..20efa1f 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+sox (14.4.2-2) UNRELEASED; urgency=medium
+
+  * Add patch to fix CVE-2017-15372. (Closes: #878808)
+
+ -- Jaromír Mikeš <mira.mikes@seznam.cz>  Sun, 19 Nov 2017 15:03:25 +0100
+
 sox (14.4.2-1) experimental; urgency=medium
 
   [ Jaromír Mikeš ]
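Review bot: the new changelog entry claims "Add patch to fix CVE-2017-15372" but this diff touches only debian/changelog; the patch file under debian/patches and its debian/patches/series line are not part of this commit, so the entry records a fix the change itself does not carry. Suggest committing the patch and the series update together with this entry, and naming the patch file in the changelog line (for example "Add patch <patch-file-name> to fix CVE-2017-15372", with the real file name substituted) so the CVE can be traced to the exact file. Also note the entry is still "UNRELEASED"; that is fine for a pending tag, but the distribution should be switched to unstable in the upload commit, as the later accepted changes show it was.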



Reply sent to Jaromír Mikeš <mira.mikes@seznam.cz>:
You have taken responsibility. (Fri, 24 Nov 2017 09:24:03 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Fri, 24 Nov 2017 09:24:03 GMT)


Message #15 received at 878808-close@bugs.debian.org:

From: Jaromír Mikeš <mira.mikes@seznam.cz>
To: 878808-close@bugs.debian.org
Subject: Bug#878808: fixed in sox 14.4.2-2
Date: Fri, 24 Nov 2017 09:21:30 +0000
Source: sox
Source-Version: 14.4.2-2

We believe that the bug you reported is fixed in the latest version of
sox, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 878808@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jaromír Mikeš <mira.mikes@seznam.cz> (supplier of updated sox package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 24 Nov 2017 09:12:48 +0100
Source: sox
Binary: sox libsox3 libsox-fmt-base libsox-fmt-alsa libsox-fmt-ao libsox-fmt-mp3 libsox-fmt-oss libsox-fmt-pulse libsox-fmt-all libsox-dev
Architecture: source
Version: 14.4.2-2
Distribution: unstable
Urgency: medium
Maintainer: Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>
Changed-By: Jaromír Mikeš <mira.mikes@seznam.cz>
Description:
 libsox-dev - Development files for the SoX library
 libsox-fmt-all - All SoX format libraries
 libsox-fmt-alsa - SoX alsa format I/O library
 libsox-fmt-ao - SoX Libao format I/O library
 libsox-fmt-base - Minimal set of SoX format libraries
 libsox-fmt-mp3 - SoX MP2 and MP3 format library
 libsox-fmt-oss - SoX OSS format I/O library
 libsox-fmt-pulse - SoX PulseAudio format I/O library
 libsox3    - SoX library of audio effects and processing
 sox        - Swiss army knife of sound processing
Closes: 878808 882144 882236
Changes:
 sox (14.4.2-2) unstable; urgency=medium
 .
   * Upload to unstable to start transition.
   * Add patch to fix CVE-2017-15372. (Closes: #878808)
   * Add patch to fix CVE-2017-15642. (Closes: #882144)
   * Add patch to fix CVE-2017-11333 in vorbis lib. (Closes: #882236)
Checksums-Sha1:
 b8ab4c36c8ec68dcbcd604bb7391a4180d4f5962 2758 sox_14.4.2-2.dsc
 287b90c95ac1cf1e505f302bab797411fc75c7c5 22864 sox_14.4.2-2.debian.tar.xz
 f7ff435ee3603350e01fc32ad1d6d549e41fdd7c 12434 sox_14.4.2-2_amd64.buildinfo
Checksums-Sha256:
 3fd4152facadfe95b14b2dba9ed273f8b613f9b6e0cc4508a204177480156776 2758 sox_14.4.2-2.dsc
 24ae960b7f5f00cb3fca668bbe5ea2d2b4619d953e8914240f5ce28104aa7e0c 22864 sox_14.4.2-2.debian.tar.xz
 3f3a36a467db4e4f74003de097a4025c079628c5a118f49a756b3d349b4d3324 12434 sox_14.4.2-2_amd64.buildinfo
Files:
 b712e055958a93008d7e87e4da7017fe 2758 sound optional sox_14.4.2-2.dsc
 4760968c44056b1600c8897ab66f0a0d 22864 sound optional sox_14.4.2-2.debian.tar.xz
 c6d792bdf47b24bb52f3daabc041ff5f 12434 sound optional sox_14.4.2-2_amd64.buildinfo





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 21 Jan 2018 07:25:32 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:40:57 2019; Machine Name: beach

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.