https://github.com/erikd/libsndfile/commit/f833c53cb596e9e1792949f762e0b33661822748

[debian-lts-announce] 20201029 [SECURITY] [DLA 2418-1] libsndfile security update

https://secuniaresearch.flexerasoftware.com/advisories/76717/

https://secuniaresearch.flexerasoftware.com/secunia_research/2017-13/

GLSA-201811-23

USN-4013-1

The remote Ubuntu 16.04 LTS host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-4704-1 advisory.

  - In libsndfile version 1.0.28, an error in the aiff_read_chanmap() function (aiff.c) can be exploited to     cause an out-of-bounds read memory access via a specially crafted AIFF file. (CVE-2017-6892)

  - Heap-based Buffer Overflow in the psf_binheader_writef function in common.c in libsndfile through 1.0.28     allows remote attackers to cause a denial of service (application crash) or possibly have unspecified     other impact. (CVE-2017-12562)

  - An out of bounds read in the function d2alaw_array() in alaw.c of libsndfile 1.0.28 may lead to a remote     DoS attack or information disclosure, related to mishandling of the NAN and INFINITY floating-point     values. (CVE-2017-14245)

  - An out of bounds read in the function d2ulaw_array() in ulaw.c of libsndfile 1.0.28 may lead to a remote     DoS attack or information disclosure, related to mishandling of the NAN and INFINITY floating-point     values. (CVE-2017-14246)

  - In libsndfile 1.0.28, a divide-by-zero error exists in the function double64_init() in double64.c, which     may lead to DoS when playing a crafted audio file. (CVE-2017-14634)

  - In libsndfile 1.0.25 (fixed in 1.0.26), a divide-by-zero error exists in the function     wav_w64_read_fmt_chunk() in wav_w64.c, which may lead to DoS when playing a crafted audio file.
    (CVE-2017-16942)

  - A stack-based buffer overflow in psf_memset in common.c in libsndfile 1.0.28 allows remote attackers to     cause a denial of service (application crash) or possibly have unspecified other impact via a crafted     audio file. The vulnerability can be triggered by the executable sndfile-deinterleave. (CVE-2018-13139)

  - An issue was discovered in libsndfile 1.0.28. There is a NULL pointer dereference in the function     sf_write_int in sndfile.c, which will lead to a denial of service. (CVE-2018-19432)

  - An issue was discovered in libsndfile 1.0.28. There is a buffer over-read in the function i2ulaw_array in     ulaw.c that will lead to a denial of service. (CVE-2018-19661)

  - An issue was discovered in libsndfile 1.0.28. There is a buffer over-read in the function i2alaw_array in     alaw.c that will lead to a denial of service. (CVE-2018-19662)

  - There is a heap-based buffer over-read at wav.c in wav_write_header in libsndfile 1.0.28 that will cause a     denial of service. (CVE-2018-19758)

  - It was discovered the fix for CVE-2018-19758 (libsndfile) was not complete and still allows a read beyond     the limits of a buffer in wav_write_header() function in wav.c. A local attacker may use this flaw to make     the application crash. (CVE-2019-3832)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Several issues have been found in libsndfile, a library for reading/writing audio files. All issues are basically divide by zero errors, heap read overflows or other buffer overlow errors.

For Debian 9 stretch, these problems have been fixed in version 1.0.27-3+deb9u1.

We recommend that you upgrade your libsndfile packages.

For the detailed security status of libsndfile please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/libsndfile

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the libsndfile package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - In libsndfile before 1.0.28, an error in the     'header_read()' function (common.c) when handling ID3     tags can be exploited to cause a stack-based buffer     overflow via a specially crafted FLAC     file.(CVE-2017-7586)

  - Heap-based Buffer Overflow in the psf_binheader_writef     function in common.c in libsndfile through 1.0.28     allows remote attackers to cause a denial of service     (application crash) or possibly have unspecified other     impact.(CVE-2017-12562)

  - In libsndfile 1.0.25 (fixed in 1.0.26), a     divide-by-zero error exists in the function     wav_w64_read_fmt_chunk() in wav_w64.c, which may lead     to DoS when playing a crafted audio     file.(CVE-2017-16942)

  - In libsndfile 1.0.28, a divide-by-zero error exists in     the function double64_init() in double64.c, which may     lead to DoS when playing a crafted audio     file.(CVE-2017-14634)

  - The psf_fwrite function in file_io.c in libsndfile     allows attackers to cause a denial of service     (divide-by-zero error and application crash) via     unspecified vectors related to the headindex     variable.(CVE-2014-9756)

  - In libsndfile before 1.0.28, an error in the     'flac_buffer_copy()' function (flac.c) can be exploited     to cause a segmentation violation (with write memory     access) via a specially crafted FLAC file during a     resample attempt, a similar issue to     CVE-2017-7585.(CVE-2017-7741)

  - In libsndfile before 1.0.28, an error in the     'flac_buffer_copy()' function (flac.c) can be exploited     to cause a segmentation violation (with read memory     access) via a specially crafted FLAC file during a     resample attempt, a similar issue to     CVE-2017-7585.(CVE-2017-7742)

  - In libsndfile version 1.0.28, an error in the     'aiff_read_chanmap()' function (aiff.c) can be     exploited to cause an out-of-bounds read memory access     via a specially crafted AIFF file.(CVE-2017-6892)

  - The flac_buffer_copy function in flac.c in libsndfile     1.0.28 allows remote attackers to cause a denial of     service (buffer overflow and application crash) or     possibly have unspecified other impact via a crafted     audio file.(CVE-2017-8361)

  - The flac_buffer_copy function in flac.c in libsndfile     1.0.28 allows remote attackers to cause a denial of     service (invalid read and application crash) via a     crafted audio file.(CVE-2017-8362)

  - The flac_buffer_copy function in flac.c in libsndfile     1.0.28 allows remote attackers to cause a denial of     service (heap-based buffer over-read and application     crash) via a crafted audio file.(CVE-2017-8363)

  - The i2les_array function in pcm.c in libsndfile 1.0.28     allows remote attackers to cause a denial of service     (buffer over-read and application crash) via a crafted     audio file.(CVE-2017-8365)

  - The sd2_parse_rsrc_fork function in sd2.c in libsndfile     allows attackers to have unspecified impact via vectors     related to a (1) map offset or (2) rsrc marker, which     triggers an out-of-bounds read.(CVE-2014-9496)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the libsndfile package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - In libsndfile version 1.0.28, an error in the     'aiff_read_chanmap()' function (aiff.c) can be     exploited to cause an out-of-bounds read memory access     via a specially crafted AIFF file.(CVE-2017-6892)

  - The sd2_parse_rsrc_fork function in sd2.c in libsndfile     allows attackers to have unspecified impact via vectors     related to a (1) map offset or (2) rsrc marker, which     triggers an out-of-bounds read.(CVE-2014-9496)

  - The flac_buffer_copy function in flac.c in libsndfile     1.0.28 allows remote attackers to cause a denial of     service (buffer overflow and application crash) or     possibly have unspecified other impact via a crafted     audio file.(CVE-2017-8361)

  - In libsndfile before 1.0.28, an error in the     'flac_buffer_copy()' function (flac.c) can be exploited     to cause a segmentation violation (with write memory     access) via a specially crafted FLAC file during a     resample attempt, a similar issue to     CVE-2017-7585.(CVE-2017-7741)

  - In libsndfile before 1.0.28, an error in the     'flac_buffer_copy()' function (flac.c) can be exploited     to cause a segmentation violation (with read memory     access) via a specially crafted FLAC file during a     resample attempt, a similar issue to     CVE-2017-7585.(CVE-2017-7742)

  - In libsndfile before 1.0.28, an error in the     'flac_buffer_copy()' function (flac.c) can be exploited     to cause a stack-based buffer overflow via a specially     crafted FLAC file.(CVE-2017-7585)

  - An out of bounds read in the function d2ulaw_array() in     ulaw.c of libsndfile 1.0.28 may lead to a remote DoS     attack or information disclosure, related to     mishandling of the NAN and INFINITY floating-point     values.(CVE-2017-14246)

  - An out of bounds read in the function d2alaw_array() in     alaw.c of libsndfile 1.0.28 may lead to a remote DoS     attack or information disclosure, related to     mishandling of the NAN and INFINITY floating-point     values.(CVE-2017-14245)

  - The function d2ulaw_array() in ulaw.c of libsndfile     1.0.29pre1 may lead to a remote DoS attack (SEGV on     unknown address 0x000000000000), a different     vulnerability than CVE-2017-14246.(CVE-2017-17457)

  - The function d2alaw_array() in alaw.c of libsndfile     1.0.29pre1 may lead to a remote DoS attack (SEGV on     unknown address 0x000000000000), a different     vulnerability than CVE-2017-14245.(CVE-2017-17456)

  - In libsndfile 1.0.28, a divide-by-zero error exists in     the function double64_init() in double64.c, which may     lead to DoS when playing a crafted audio     file.(CVE-2017-14634)

  - The psf_fwrite function in file_io.c in libsndfile     allows attackers to cause a denial of service     (divide-by-zero error and application crash) via     unspecified vectors related to the headindex     variable.(CVE-2014-9756)

  - In libsndfile before 1.0.28, an error in the     'header_read()' function (common.c) when handling ID3     tags can be exploited to cause a stack-based buffer     overflow via a specially crafted FLAC     file.(CVE-2017-7586)

  - The flac_buffer_copy function in flac.c in libsndfile     1.0.28 allows remote attackers to cause a denial of     service (invalid read and application crash) via a     crafted audio file.(CVE-2017-8362)

  - The flac_buffer_copy function in flac.c in libsndfile     1.0.28 allows remote attackers to cause a denial of     service (heap-based buffer over-read and application     crash) via a crafted audio file.(CVE-2017-8363)

  - The i2les_array function in pcm.c in libsndfile 1.0.28     allows remote attackers to cause a denial of service     (buffer over-read and application crash) via a crafted     audio file.(CVE-2017-8365)

  - In libsndfile 1.0.25 (fixed in 1.0.26), a     divide-by-zero error exists in the function     wav_w64_read_fmt_chunk() in wav_w64.c, which may lead     to DoS when playing a crafted audio     file.(CVE-2017-16942)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

It was discovered that libsndfile incorrectly handled certain malformed files. A remote attacker could use this issue to cause libsndfile to crash, resulting in a denial of service, or possibly execute arbitrary code.

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the libsndfile package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - A stack-based buffer overflow in psf_memset in common.c     in libsndfile 1.0.28 allows remote attackers to cause a     denial of service (application crash) or possibly have     unspecified other impact via a crafted audio file. The     vulnerability can be triggered by the executable     sndfile-deinterleave.(CVE-2018-13139)

  - The flac_buffer_copy function in flac.c in libsndfile     1.0.28 allows remote attackers to cause a denial of     service (buffer overflow and application crash) or     possibly have unspecified other impact via a crafted     audio file.(CVE-2017-8361)

  - The flac_buffer_copy function in flac.c in libsndfile     1.0.28 allows remote attackers to cause a denial of     service (invalid read and application crash) via a     crafted audio file.(CVE-2017-8362)

  - The flac_buffer_copy function in flac.c in libsndfile     1.0.28 allows remote attackers to cause a denial of     service (heap-based buffer over-read and application     crash) via a crafted audio file.(CVE-2017-8363)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote host is affected by the vulnerability described in GLSA-201811-23 (libsndfile: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in libsndfile. Please       review the CVE identifiers referenced below for details.
  Impact :

    A remote attacker, by enticing a user to open a specially crafted file,       could cause a Denial of Service condition or have other unspecified       impacts.
  Workaround :

    There is no known workaround at this time.

Laurent Delosieres, Secunia Research at Flexera Software reports :

Secunia Research has discovered a vulnerability in libsndfile, which can be exploited by malicious people to disclose potentially sensitive information. The vulnerability is caused due to an error in the 'aiff_read_chanmap()' function (src/aiff.c), which can be exploited to cause an out-of-bounds read memory access via a specially crafted AIFF file. The vulnerability is confirmed in version 1.0.28. Other versions may also be affected.

This update for libsndfile fixes the following issues :

  - CVE-2017-16942: Divide-by-zero in the function     wav_w64_read_fmt_chunk(), which may lead to Denial of     service (bsc#1069874). 

  - CVE-2017-6892: Fixed an out-of-bounds read memory access     in the aiff_read_chanmap() (bsc#1043978).

  - CVE-2017-14634: In libsndfile 1.0.28, a divide-by-zero     error exists in the function double64_init() in     double64.c, which may lead to DoS when playing a crafted     audio file. (bsc#1059911)

  - CVE-2017-14245: An out of bounds read in the function     d2alaw_array() in alaw.c of libsndfile 1.0.28 may lead     to a remote DoS attack or information disclosure,     related to mishandling of the NAN and INFINITY     floating-point values. (bsc#1059912)

  - CVE-2017-14246: An out of bounds read in the function     d2ulaw_array() in ulaw.c of libsndfile 1.0.28 may lead     to a remote DoS attack or information disclosure,     related to mishandling of the NAN and INFINITY     floating-point values.(bsc#1059913)

This update was imported from the SUSE:SLE-12:Update update project.

This update for libsndfile fixes the following issues :

  - CVE-2017-16942: Divide-by-zero in the function     wav_w64_read_fmt_chunk(), which may lead to Denial of     service (bsc#1069874).

  - CVE-2017-6892: Fixed an out-of-bounds read memory access     in the aiff_read_chanmap() (bsc#1043978).

  - CVE-2017-14634: In libsndfile 1.0.28, a divide-by-zero     error exists in the function double64_init() in     double64.c, which may lead to DoS when playing a crafted     audio file. (bsc#1059911)

  - CVE-2017-14245: An out of bounds read in the function     d2alaw_array() in alaw.c of libsndfile 1.0.28 may lead     to a remote DoS attack or information disclosure,     related to mishandling of the NAN and INFINITY     floating-point values. (bsc#1059912)

  - CVE-2017-14246: An out of bounds read in the function     d2ulaw_array() in ulaw.c of libsndfile 1.0.28 may lead     to a remote DoS attack or information disclosure,     related to mishandling of the NAN and INFINITY     floating-point values.(bsc#1059913)

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

fix CVE-2017-6892

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

It was discovered that there was a vulnerability in libsndfile, a library for reading/writing audio files. A specially crafted AIFF ('Audio Interchange File Format') file could result in an out-of-bounds memory read.

For Debian 7 'Wheezy', this issue has been fixed in libsndfile version 1.0.25-9.1+deb7u3.

We recommend that you upgrade your libsndfile packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
145464	Ubuntu 16.04 LTS : libsndfile vulnerabilities (USN-4704-1)	Nessus	Ubuntu Local Security Checks	critical
142107	Debian DLA-2418-1 : libsndfile security update	Nessus	Debian Local Security Checks	high
131666	EulerOS 2.0 SP2 : libsndfile (EulerOS-SA-2019-2513)	Nessus	Huawei Local Security Checks	critical
130670	EulerOS 2.0 SP5 : libsndfile (EulerOS-SA-2019-2208)	Nessus	Huawei Local Security Checks	high
125812	Ubuntu 16.04 LTS / 18.04 LTS / 18.10 : libsndfile vulnerabilities (USN-4013-1)	Nessus	Ubuntu Local Security Checks	high
122202	EulerOS 2.0 SP3 : libsndfile (EulerOS-SA-2019-1029)	Nessus	Huawei Local Security Checks	high
119318	GLSA-201811-23 : libsndfile: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	critical
107078	FreeBSD : libsndfile -- out-of-bounds read memory access (004debf9-1d16-11e8-b6aa-4ccc6adda413)	Nessus	FreeBSD Local Security Checks	high
106664	openSUSE Security Update : libsndfile (openSUSE-2018-140)	Nessus	SuSE Local Security Checks	high
106605	SUSE SLED12 / SLES12 Security Update : libsndfile (SUSE-SU-2018:0352-1)	Nessus	SuSE Local Security Checks	high
101688	Fedora 26 : libsndfile (2017-9b932ec622)	Nessus	Fedora Local Security Checks	high
101506	Fedora 25 : libsndfile (2017-708adeb9b6)	Nessus	Fedora Local Security Checks	high
101500	Fedora 24 : libsndfile (2017-2cfb239358)	Nessus	Fedora Local Security Checks	high
100796	Debian DLA-985-1 : libsndfile security update	Nessus	Debian Local Security Checks	high

CVE-2017-6892

high

New! CVE Severity Now Using CVSS v3

Description

References

Details

Risk Information

CVSS v2

CVSS v3

Vulnerable Software

Configuration 1

Tenable Plugins

critical

high

critical

high

high

high

critical

high

high

high

high

high

high

high