Integer overflow in libsndfile 1.0.18, as used in Winamp and other products, allows context-dependent attackers to execute arbitrary code via crafted description chunks in a CAF audio file, leading to a heap-based buffer overflow.

Version 1.0.20 (2009-03-14) * Fix potential heap overflow in VOC file parser (Tobias Klein, http://www.trapkit.de/). Version 1.0.19 (2009-03-02) * Fix for CVE-2009-0186 (Alin Rad Pop, Secunia Research).
* Huge number of minor bug fixes as a result of static analysis.
Version 1.0.18 (2009-02-07) * Add Ogg/Vorbis support (thanks to John ffitch). * Remove captive FLAC library. * Many new features and bug fixes.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Specially crafted CAF files could cause an integer overflow in libsndfile. (CVE-2009-0186)

Specially crafted CAF files could cause an integer overflow in libsndfile (CVE-2009-0186).

Crafted data - channels per frame value - in CAF files enables remote attackers to execute arbitrary code or denial of service via a possible integer overflow, leading to a possible heap overflow (CVE-2009-0186).

This update provides fix for that vulnerability.

It was discovered that libsndfile did not correctly handle description chunks in CAF audio files. If a user or automated system were tricked into opening a specially crafted CAF audio file, an attacker could execute arbitrary code with the privileges of the user invoking the program.

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote host is affected by the vulnerability described in GLSA-200904-16 (libsndfile: User-assisted execution of arbitrary code)

    Alin Rad Pop from Secunia Research reported an integer overflow when     processing CAF description chunks, leading to a heap-based buffer     overflow.
  Impact :

    A remote attacker could entice a user to open a specially crafted CAF     file, resulting in the remote execution of arbitrary code with the     privileges of the user running the application.
  Workaround :

    There is no known workaround at this time.

Secunia reports :

The vulnerability is caused due to an integer overflow error in the processing of CAF description chunks. This can be exploited to cause a heap-based buffer overflow by tricking the user into processing a specially crafted CAF audio file.

Alan Rad Pop discovered that libsndfile, a library to read and write sampled audio data, is prone to an integer overflow. This causes a heap-based buffer overflow when processing crafted CAF description chunks possibly leading to arbitrary code execution.

ID	Name	Product	Family	Severity
42985	Fedora 11 : libsndfile-1.0.20-3.fc11 (2009-11618)	Nessus	Fedora Local Security Checks	high
42984	Fedora 10 : libsndfile-1.0.20-3.fc10 (2009-11499)	Nessus	Fedora Local Security Checks	high
41550	SuSE 10 Security Update : libsndfile (ZYPP Patch Number 6040)	Nessus	SuSE Local Security Checks	high
41428	SuSE 11 Security Update : libsndfile (SAT Patch Number 637)	Nessus	SuSE Local Security Checks	high
40268	openSUSE Security Update : libsndfile (libsndfile-577)	Nessus	SuSE Local Security Checks	high
40044	openSUSE Security Update : libsndfile (libsndfile-577)	Nessus	SuSE Local Security Checks	high
37704	Mandriva Linux Security Advisory : libsndfile (MDVSA-2009:067)	Nessus	Mandriva Local Security Checks	high
37606	Ubuntu 6.06 LTS / 7.10 / 8.04 LTS / 8.10 : libsndfile vulnerability (USN-749-1)	Nessus	Ubuntu Local Security Checks	high
36195	GLSA-200904-16 : libsndfile: User-assisted execution of arbitrary code	Nessus	Gentoo Local Security Checks	high
36080	openSUSE 10 Security Update : libsndfile (libsndfile-6044)	Nessus	SuSE Local Security Checks	high
35940	FreeBSD : libsndfile -- CAF processing integer overflow vulnerability (c5af0747-1262-11de-a964-0030843d3802)	Nessus	FreeBSD Local Security Checks	high
35925	Debian DSA-1742-1 : libsndfile - integer overflow	Nessus	Debian Local Security Checks	high

Detections

Analytics

CVE-2009-0186

critical

Tenable Plugins

high

high

high

high

high

high

high

high

high

high

high

high