http://advisories.mageia.org/MGASA-2015-0015.html

openSUSE-SU-2015:0041

62320

MDVSA-2015:024

[oss-security] 20150103 Re: Re: CVE Request: libsndfile buffer overread

http://www.oracle.com/technetwork/topics/security/bulletinjan2015-2370101.html

71796

USN-2832-1

https://github.com/erikd/libsndfile/commit/dbe14f00030af5d3577f4cabbf9861db59e9c378

https://github.com/erikd/libsndfile/issues/93

20190411 [SECURITY] [DSA 4430-1] wpa security update

GLSA-201612-03

According to the versions of the libsndfile package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - In libsndfile before 1.0.28, an error in the     'header_read()' function (common.c) when handling ID3     tags can be exploited to cause a stack-based buffer     overflow via a specially crafted FLAC     file.(CVE-2017-7586)

  - Heap-based Buffer Overflow in the psf_binheader_writef     function in common.c in libsndfile through 1.0.28     allows remote attackers to cause a denial of service     (application crash) or possibly have unspecified other     impact.(CVE-2017-12562)

  - In libsndfile 1.0.25 (fixed in 1.0.26), a     divide-by-zero error exists in the function     wav_w64_read_fmt_chunk() in wav_w64.c, which may lead     to DoS when playing a crafted audio     file.(CVE-2017-16942)

  - In libsndfile 1.0.28, a divide-by-zero error exists in     the function double64_init() in double64.c, which may     lead to DoS when playing a crafted audio     file.(CVE-2017-14634)

  - The psf_fwrite function in file_io.c in libsndfile     allows attackers to cause a denial of service     (divide-by-zero error and application crash) via     unspecified vectors related to the headindex     variable.(CVE-2014-9756)

  - In libsndfile before 1.0.28, an error in the     'flac_buffer_copy()' function (flac.c) can be exploited     to cause a segmentation violation (with write memory     access) via a specially crafted FLAC file during a     resample attempt, a similar issue to     CVE-2017-7585.(CVE-2017-7741)

  - In libsndfile before 1.0.28, an error in the     'flac_buffer_copy()' function (flac.c) can be exploited     to cause a segmentation violation (with read memory     access) via a specially crafted FLAC file during a     resample attempt, a similar issue to     CVE-2017-7585.(CVE-2017-7742)

  - In libsndfile version 1.0.28, an error in the     'aiff_read_chanmap()' function (aiff.c) can be     exploited to cause an out-of-bounds read memory access     via a specially crafted AIFF file.(CVE-2017-6892)

  - The flac_buffer_copy function in flac.c in libsndfile     1.0.28 allows remote attackers to cause a denial of     service (buffer overflow and application crash) or     possibly have unspecified other impact via a crafted     audio file.(CVE-2017-8361)

  - The flac_buffer_copy function in flac.c in libsndfile     1.0.28 allows remote attackers to cause a denial of     service (invalid read and application crash) via a     crafted audio file.(CVE-2017-8362)

  - The flac_buffer_copy function in flac.c in libsndfile     1.0.28 allows remote attackers to cause a denial of     service (heap-based buffer over-read and application     crash) via a crafted audio file.(CVE-2017-8363)

  - The i2les_array function in pcm.c in libsndfile 1.0.28     allows remote attackers to cause a denial of service     (buffer over-read and application crash) via a crafted     audio file.(CVE-2017-8365)

  - The sd2_parse_rsrc_fork function in sd2.c in libsndfile     allows attackers to have unspecified impact via vectors     related to a (1) map offset or (2) rsrc marker, which     triggers an out-of-bounds read.(CVE-2014-9496)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the libsndfile package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - In libsndfile version 1.0.28, an error in the     'aiff_read_chanmap()' function (aiff.c) can be     exploited to cause an out-of-bounds read memory access     via a specially crafted AIFF file.(CVE-2017-6892)

  - The sd2_parse_rsrc_fork function in sd2.c in libsndfile     allows attackers to have unspecified impact via vectors     related to a (1) map offset or (2) rsrc marker, which     triggers an out-of-bounds read.(CVE-2014-9496)

  - The flac_buffer_copy function in flac.c in libsndfile     1.0.28 allows remote attackers to cause a denial of     service (buffer overflow and application crash) or     possibly have unspecified other impact via a crafted     audio file.(CVE-2017-8361)

  - In libsndfile before 1.0.28, an error in the     'flac_buffer_copy()' function (flac.c) can be exploited     to cause a segmentation violation (with write memory     access) via a specially crafted FLAC file during a     resample attempt, a similar issue to     CVE-2017-7585.(CVE-2017-7741)

  - In libsndfile before 1.0.28, an error in the     'flac_buffer_copy()' function (flac.c) can be exploited     to cause a segmentation violation (with read memory     access) via a specially crafted FLAC file during a     resample attempt, a similar issue to     CVE-2017-7585.(CVE-2017-7742)

  - In libsndfile before 1.0.28, an error in the     'flac_buffer_copy()' function (flac.c) can be exploited     to cause a stack-based buffer overflow via a specially     crafted FLAC file.(CVE-2017-7585)

  - An out of bounds read in the function d2ulaw_array() in     ulaw.c of libsndfile 1.0.28 may lead to a remote DoS     attack or information disclosure, related to     mishandling of the NAN and INFINITY floating-point     values.(CVE-2017-14246)

  - An out of bounds read in the function d2alaw_array() in     alaw.c of libsndfile 1.0.28 may lead to a remote DoS     attack or information disclosure, related to     mishandling of the NAN and INFINITY floating-point     values.(CVE-2017-14245)

  - The function d2ulaw_array() in ulaw.c of libsndfile     1.0.29pre1 may lead to a remote DoS attack (SEGV on     unknown address 0x000000000000), a different     vulnerability than CVE-2017-14246.(CVE-2017-17457)

  - The function d2alaw_array() in alaw.c of libsndfile     1.0.29pre1 may lead to a remote DoS attack (SEGV on     unknown address 0x000000000000), a different     vulnerability than CVE-2017-14245.(CVE-2017-17456)

  - In libsndfile 1.0.28, a divide-by-zero error exists in     the function double64_init() in double64.c, which may     lead to DoS when playing a crafted audio     file.(CVE-2017-14634)

  - The psf_fwrite function in file_io.c in libsndfile     allows attackers to cause a denial of service     (divide-by-zero error and application crash) via     unspecified vectors related to the headindex     variable.(CVE-2014-9756)

  - In libsndfile before 1.0.28, an error in the     'header_read()' function (common.c) when handling ID3     tags can be exploited to cause a stack-based buffer     overflow via a specially crafted FLAC     file.(CVE-2017-7586)

  - The flac_buffer_copy function in flac.c in libsndfile     1.0.28 allows remote attackers to cause a denial of     service (invalid read and application crash) via a     crafted audio file.(CVE-2017-8362)

  - The flac_buffer_copy function in flac.c in libsndfile     1.0.28 allows remote attackers to cause a denial of     service (heap-based buffer over-read and application     crash) via a crafted audio file.(CVE-2017-8363)

  - The i2les_array function in pcm.c in libsndfile 1.0.28     allows remote attackers to cause a denial of service     (buffer over-read and application crash) via a crafted     audio file.(CVE-2017-8365)

  - In libsndfile 1.0.25 (fixed in 1.0.26), a     divide-by-zero error exists in the function     wav_w64_read_fmt_chunk() in wav_w64.c, which may lead     to DoS when playing a crafted audio     file.(CVE-2017-16942)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the version of the libsndfile package installed, the EulerOS installation on the remote host is affected by the following vulnerability :

  - The sd2_parse_rsrc_fork function in sd2.c in libsndfile     allows attackers to have unspecified impact via vectors     related to a (1) map offset or (2) rsrc marker, which     triggers an out-of-bounds read.(CVE-2014-9496)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote host is affected by the vulnerability described in GLSA-201612-03 (libsndfile: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in libsndfile. Please       review the CVE identifiers referenced below for details.
  Impact :

    A remote attacker could entice a user to open a specially crafted file,       possibly resulting in the execution of arbitrary code with the privileges       of the process, or cause a Denial of Service condition.
  Workaround :

    There is no known workaround at this time.

New libsndfile packages are available for Slackware 13.37, 14.0, 14.1, and -current to fix security issues.

It was discovered that libsndfile incorrectly handled memory when parsing malformed files. A remote attacker could use this issue to cause libsndfile to crash, resulting in a denial of service. This issue only applied to Ubuntu 12.04 LTS and Ubuntu 14.04 LTS.
(CVE-2014-9496)

Joshua Rogers discovered that libsndfile incorrectly handled division when parsing malformed files. A remote attacker could use this issue to cause libsndfile to crash, resulting in a denial of service.
(CVE-2014-9756)

Marco Romano discovered that libsndfile incorrectly handled certain malformed AIFF files. A remote attacker could use this issue to cause libsndfile to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2015-7805).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

CVE-2014-9496

The sd2_parse_rsrc_fork function in sd2.c in libsndfile allows attackers to have unspecified impact via vectors related to a (1) map offset or (2) rsrc marker, which triggers an out-of-bounds read.

CVE-2014-9756

The psf_fwrite function in file_io.c in libsndfile allows attackers to cause a denial of service (divide-by-zero error and application crash) via unspecified vectors related to the headindex variable.

CVE-2015-7805

Heap-based buffer overflow in libsndfile 1.0.25 allows remote attackers to have unspecified impact via the headindex value in the header in an AIFF file.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Updated libsndfile packages fix security vulnerabilities :

libsndfile contains multiple buffer-overflow vulnerabilities in src/sd2.c because it fails to properly bounds-check user-supplied input, which may allow an attacker to execute arbitrary code or cause a denial of service (CVE-2014-9496).

libsndfile contains a divide-by-zero error in src/file_io.c which may allow an attacker to cause a denial of service.

This update for libsndfile fixes two buffer read overflows in sd2_parse_rsrc_fork(). (CVE-2014-9496, bsc#911796)

Changes in libsndfile: two buffer read overflows in sd2_parse_rsrc_fork() (CVE-2014-9496, bnc#911796): backported upstream fix patches

ID	Name	Product	Family	Severity
131666	EulerOS 2.0 SP2 : libsndfile (EulerOS-SA-2019-2513)	Nessus	Huawei Local Security Checks	critical
130670	EulerOS 2.0 SP5 : libsndfile (EulerOS-SA-2019-2208)	Nessus	Huawei Local Security Checks	high
129230	EulerOS 2.0 SP3 : libsndfile (EulerOS-SA-2019-2037)	Nessus	Huawei Local Security Checks	low
95518	GLSA-201612-03 : libsndfile: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	critical
88626	Slackware 13.37 / 14.0 / 14.1 / current : libsndfile (SSA:2016-039-02)	Nessus	Slackware Local Security Checks	critical
87239	Ubuntu 12.04 LTS / 14.04 LTS / 15.04 / 15.10 : libsndfile vulnerabilities (USN-2832-1)	Nessus	Ubuntu Local Security Checks	critical
87111	Debian DLA-356-1 : libsndfile security update	Nessus	Debian Local Security Checks	critical
82402	Mandriva Linux Security Advisory : libsndfile (MDVSA-2015:149)	Nessus	Mandriva Local Security Checks	critical
81078	SuSE 11.3 Security Update : libsndfile (SAT Patch Number 10221)	Nessus	SuSE Local Security Checks	critical
80561	Mandriva Linux Security Advisory : libsndfile (MDVSA-2015:024)	Nessus	Mandriva Local Security Checks	critical
80543	openSUSE Security Update : libsndfile (openSUSE-SU-2015:0041-1)	Nessus	SuSE Local Security Checks	critical

CVE-2014-9496

low

New! CVE Severity Now Using CVSS v3

Description

References

Details

Risk Information

CVSS v2

Vulnerable Software

Configuration 1

Configuration 2

Configuration 3

Configuration 4

Configuration 5

Tenable Plugins

critical

high

low

critical

critical

critical

critical

critical

critical

critical

critical