Heap-based buffer overflow in voc_read_header in libsndfile 1.0.15 through 1.0.19, as used in Winamp 5.552 and possibly other media programs, allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a VOC file with an invalid header value.

Version 1.0.20 (2009-03-14) * Fix potential heap overflow in VOC file parser (Tobias Klein, http://www.trapkit.de/). Version 1.0.19 (2009-03-02) * Fix for CVE-2009-0186 (Alin Rad Pop, Secunia Research).
* Huge number of minor bug fixes as a result of static analysis.
Version 1.0.18 (2009-02-07) * Add Ogg/Vorbis support (thanks to John ffitch). * Remove captive FLAC library. * Many new features and bug fixes.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Tobias Klein discovered a heap-based buffer overflow in libsndfile. If a user or automated system processed a crafted VOC file, an attacker could cause a denial of service via application crash, or possibly execute arbitrary code with the privileges of the user invoking the program. (CVE-2009-1788)

Erik de Castro Lopo discovered a similar heap-based buffer overflow when processing AIFF files. If a user or automated system processed a crafted AIFF file, an attacker could cause a denial of service via application crash, or possibly execute arbitrary code with the privileges of the user invoking the program. (CVE-2009-1791).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update of libsndfile fixes a heap-based buffer overflow in voc_read_header() (CVE-2009-1788) and a heap-based buffer overflow in aiff_read_header() (CVE-2009-1791).

This update of libsndfile fixes a heap-based buffer overflow in voc_read_header() (CVE-2009-1788) and a heap-based buffer overflow in aiff_read_header(). (CVE-2009-1791)

Two vulnerabilities have been found in libsndfile, a library to read and write sampled audio data. The Common Vulnerabilities and Exposures project identified the following problems :

  - CVE-2009-1788     Tobias Klein discovered that the VOC parsing routines     suffer of a heap-based buffer overflow which can be     triggered by an attacker via a crafted VOC header.

  - CVE-2009-1791     The vendor discovered that the AIFF parsing routines     suffer of a heap-based buffer overflow similar to     CVE-2009-1788 which can be triggered by an attacker via     a crafted AIFF header.

In both cases the overflowing data is not completely attacker controlled but still leads to application crashes or under some circumstances might still lead to arbitrary code execution.

Multiple vulnerabilities has been found and corrected in libsndfile :

Heap-based buffer overflow in voc_read_header in libsndfile 1.0.15 through 1.0.19, as used in Winamp 5.552 and possibly other media programs, allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a VOC file with an invalid header value (CVE-2009-1788).

Heap-based buffer overflow in aiff_read_header in libsndfile 1.0.15 through 1.0.19, as used in Winamp 5.552 and possibly other media programs, allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via an AIFF file with an invalid header value (CVE-2009-1791).

This update provides fixes for these vulnerabilities.

Update :

Packages for 2008.0 are provided for Corporate Desktop 2008.0 customers

Secunia reports :

Two vulnerabilities have been reported in libsndfile, which can be exploited by malicious people to compromise an application using the library.

A boundary error exists within the 'voc_read_header()' function in src/voc.c. This can be exploited to cause a heap-based buffer overflow via a specially crafted VOC file.

A boundary error exists within the 'aiff_read_header()' function in src/aiff.c. This can be exploited to cause a heap-based buffer overflow via a specially crafted AIFF file.

The remote host is affected by the vulnerability described in GLSA-200905-09 (libsndfile: User-assisted execution of arbitrary code)

    The following vulnerabilities have been found in libsndfile:
    Tobias Klein reported that the header_read() function in     src/common.c uses user input for calculating a buffer size, possibly     leading to a heap-based buffer overflow (CVE-2009-1788).
    The     vendor reported a boundary error in the aiff_read_header() function in     src/aiff.c, possibly leading to a heap-based buffer overflow     (CVE-2009-1791).
  Impact :

    A remote attacker could entice a user to open a specially crafted AIFF     or VOC file in a program using libsndfile, possibly resulting in the     execution of arbitrary code with the privileges of the user running the     application.
  Workaround :

    There is no known workaround at this time.

ID	Name	Product	Family	Severity
42985	Fedora 11 : libsndfile-1.0.20-3.fc11 (2009-11618)	Nessus	Fedora Local Security Checks	high
42984	Fedora 10 : libsndfile-1.0.20-3.fc10 (2009-11499)	Nessus	Fedora Local Security Checks	high
42167	Ubuntu 8.04 LTS / 8.10 / 9.04 : libsndfile vulnerabilities (USN-849-1)	Nessus	Ubuntu Local Security Checks	high
42017	openSUSE 10 Security Update : libsndfile (libsndfile-6277)	Nessus	SuSE Local Security Checks	high
41429	SuSE 11 Security Update : libsndfile (SAT Patch Number 944)	Nessus	SuSE Local Security Checks	high
40339	openSUSE Security Update : libsndfile (libsndfile-949)	Nessus	SuSE Local Security Checks	high
40337	openSUSE Security Update : libsndfile (libsndfile-949)	Nessus	SuSE Local Security Checks	high
39374	Debian DSA-1814-1 : libsndfile - heap-based buffer overflow	Nessus	Debian Local Security Checks	high
39324	Mandriva Linux Security Advisory : libsndfile (MDVSA-2009:132-1)	Nessus	Mandriva Local Security Checks	high
38964	FreeBSD : libsndfile -- multiple vulnerabilities (6355efdb-4d4d-11de-8811-0030843d3802)	Nessus	FreeBSD Local Security Checks	high
38944	GLSA-200905-09 : libsndfile: User-assisted execution of arbitrary code	Nessus	Gentoo Local Security Checks	high

Detections

Analytics

CVE-2009-1788

high

Tenable Plugins

high

high

high

high

high

high

high

high

high

high

high