https://blogs.gentoo.org/ago/2017/04/11/libsndfile-invalid-memory-read-and-invalid-memory-write-in/

https://github.com/erikd/libsndfile/commit/60b234301adf258786d8b90be5c1d437fc8799e0

GLSA-201707-04

According to the versions of the libsndfile package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - The psf_fwrite function in file_io.c in libsndfile     allows attackers to cause a denial of service     (divide-by-zero error and application crash) via     unspecified vectors related to the headindex     variable.(CVE-2014-9756)

  - Heap-based Buffer Overflow in the psf_binheader_writef     function in common.c in libsndfile through 1.0.28     allows remote attackers to cause a denial of service     (application crash) or possibly have unspecified other     impact.(CVE-2017-12562)

  - In libsndfile 1.0.28, a divide-by-zero error exists in     the function double64_init() in double64.c, which may     lead to DoS when playing a crafted audio     file.(CVE-2017-14634)

  - In libsndfile 1.0.25 (fixed in 1.0.26), a     divide-by-zero error exists in the function     wav_w64_read_fmt_chunk() in wav_w64.c, which may lead     to DoS when playing a crafted audio     file.(CVE-2017-16942)

  - In libsndfile before 1.0.28, an error in the     'flac_buffer_copy()' function (flac.c) can be exploited     to cause a stack-based buffer overflow via a specially     crafted FLAC file.(CVE-2017-7585)

  - In libsndfile before 1.0.28, an error in the     'header_read()' function (common.c) when handling ID3     tags can be exploited to cause a stack-based buffer     overflow via a specially crafted FLAC     file.(CVE-2017-7586)

  - In libsndfile before 1.0.28, an error in the     'flac_buffer_copy()' function (flac.c) can be exploited     to cause a segmentation violation (with write memory     access) via a specially crafted FLAC file during a     resample attempt, a similar issue to     CVE-2017-7585.(CVE-2017-7741)

  - In libsndfile before 1.0.28, an error in the     'flac_buffer_copy()' function (flac.c) can be exploited     to cause a segmentation violation (with read memory     access) via a specially crafted FLAC file during a     resample attempt, a similar issue to     CVE-2017-7585.(CVE-2017-7742)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the libsndfile package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - In libsndfile before 1.0.28, an error in the     'header_read()' function (common.c) when handling ID3     tags can be exploited to cause a stack-based buffer     overflow via a specially crafted FLAC     file.(CVE-2017-7586)

  - Heap-based Buffer Overflow in the psf_binheader_writef     function in common.c in libsndfile through 1.0.28     allows remote attackers to cause a denial of service     (application crash) or possibly have unspecified other     impact.(CVE-2017-12562)

  - In libsndfile 1.0.25 (fixed in 1.0.26), a     divide-by-zero error exists in the function     wav_w64_read_fmt_chunk() in wav_w64.c, which may lead     to DoS when playing a crafted audio     file.(CVE-2017-16942)

  - In libsndfile 1.0.28, a divide-by-zero error exists in     the function double64_init() in double64.c, which may     lead to DoS when playing a crafted audio     file.(CVE-2017-14634)

  - The psf_fwrite function in file_io.c in libsndfile     allows attackers to cause a denial of service     (divide-by-zero error and application crash) via     unspecified vectors related to the headindex     variable.(CVE-2014-9756)

  - In libsndfile before 1.0.28, an error in the     'flac_buffer_copy()' function (flac.c) can be exploited     to cause a segmentation violation (with write memory     access) via a specially crafted FLAC file during a     resample attempt, a similar issue to     CVE-2017-7585.(CVE-2017-7741)

  - In libsndfile before 1.0.28, an error in the     'flac_buffer_copy()' function (flac.c) can be exploited     to cause a segmentation violation (with read memory     access) via a specially crafted FLAC file during a     resample attempt, a similar issue to     CVE-2017-7585.(CVE-2017-7742)

  - In libsndfile version 1.0.28, an error in the     'aiff_read_chanmap()' function (aiff.c) can be     exploited to cause an out-of-bounds read memory access     via a specially crafted AIFF file.(CVE-2017-6892)

  - The flac_buffer_copy function in flac.c in libsndfile     1.0.28 allows remote attackers to cause a denial of     service (buffer overflow and application crash) or     possibly have unspecified other impact via a crafted     audio file.(CVE-2017-8361)

  - The flac_buffer_copy function in flac.c in libsndfile     1.0.28 allows remote attackers to cause a denial of     service (invalid read and application crash) via a     crafted audio file.(CVE-2017-8362)

  - The flac_buffer_copy function in flac.c in libsndfile     1.0.28 allows remote attackers to cause a denial of     service (heap-based buffer over-read and application     crash) via a crafted audio file.(CVE-2017-8363)

  - The i2les_array function in pcm.c in libsndfile 1.0.28     allows remote attackers to cause a denial of service     (buffer over-read and application crash) via a crafted     audio file.(CVE-2017-8365)

  - The sd2_parse_rsrc_fork function in sd2.c in libsndfile     allows attackers to have unspecified impact via vectors     related to a (1) map offset or (2) rsrc marker, which     triggers an out-of-bounds read.(CVE-2014-9496)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the libsndfile package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - In libsndfile version 1.0.28, an error in the     'aiff_read_chanmap()' function (aiff.c) can be     exploited to cause an out-of-bounds read memory access     via a specially crafted AIFF file.(CVE-2017-6892)

  - The sd2_parse_rsrc_fork function in sd2.c in libsndfile     allows attackers to have unspecified impact via vectors     related to a (1) map offset or (2) rsrc marker, which     triggers an out-of-bounds read.(CVE-2014-9496)

  - The flac_buffer_copy function in flac.c in libsndfile     1.0.28 allows remote attackers to cause a denial of     service (buffer overflow and application crash) or     possibly have unspecified other impact via a crafted     audio file.(CVE-2017-8361)

  - In libsndfile before 1.0.28, an error in the     'flac_buffer_copy()' function (flac.c) can be exploited     to cause a segmentation violation (with write memory     access) via a specially crafted FLAC file during a     resample attempt, a similar issue to     CVE-2017-7585.(CVE-2017-7741)

  - In libsndfile before 1.0.28, an error in the     'flac_buffer_copy()' function (flac.c) can be exploited     to cause a segmentation violation (with read memory     access) via a specially crafted FLAC file during a     resample attempt, a similar issue to     CVE-2017-7585.(CVE-2017-7742)

  - In libsndfile before 1.0.28, an error in the     'flac_buffer_copy()' function (flac.c) can be exploited     to cause a stack-based buffer overflow via a specially     crafted FLAC file.(CVE-2017-7585)

  - An out of bounds read in the function d2ulaw_array() in     ulaw.c of libsndfile 1.0.28 may lead to a remote DoS     attack or information disclosure, related to     mishandling of the NAN and INFINITY floating-point     values.(CVE-2017-14246)

  - An out of bounds read in the function d2alaw_array() in     alaw.c of libsndfile 1.0.28 may lead to a remote DoS     attack or information disclosure, related to     mishandling of the NAN and INFINITY floating-point     values.(CVE-2017-14245)

  - The function d2ulaw_array() in ulaw.c of libsndfile     1.0.29pre1 may lead to a remote DoS attack (SEGV on     unknown address 0x000000000000), a different     vulnerability than CVE-2017-14246.(CVE-2017-17457)

  - The function d2alaw_array() in alaw.c of libsndfile     1.0.29pre1 may lead to a remote DoS attack (SEGV on     unknown address 0x000000000000), a different     vulnerability than CVE-2017-14245.(CVE-2017-17456)

  - In libsndfile 1.0.28, a divide-by-zero error exists in     the function double64_init() in double64.c, which may     lead to DoS when playing a crafted audio     file.(CVE-2017-14634)

  - The psf_fwrite function in file_io.c in libsndfile     allows attackers to cause a denial of service     (divide-by-zero error and application crash) via     unspecified vectors related to the headindex     variable.(CVE-2014-9756)

  - In libsndfile before 1.0.28, an error in the     'header_read()' function (common.c) when handling ID3     tags can be exploited to cause a stack-based buffer     overflow via a specially crafted FLAC     file.(CVE-2017-7586)

  - The flac_buffer_copy function in flac.c in libsndfile     1.0.28 allows remote attackers to cause a denial of     service (invalid read and application crash) via a     crafted audio file.(CVE-2017-8362)

  - The flac_buffer_copy function in flac.c in libsndfile     1.0.28 allows remote attackers to cause a denial of     service (heap-based buffer over-read and application     crash) via a crafted audio file.(CVE-2017-8363)

  - The i2les_array function in pcm.c in libsndfile 1.0.28     allows remote attackers to cause a denial of service     (buffer over-read and application crash) via a crafted     audio file.(CVE-2017-8365)

  - In libsndfile 1.0.25 (fixed in 1.0.26), a     divide-by-zero error exists in the function     wav_w64_read_fmt_chunk() in wav_w64.c, which may lead     to DoS when playing a crafted audio     file.(CVE-2017-16942)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote host is affected by the vulnerability described in GLSA-201707-04 (libsndfile: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in libsndfile. Please       review the CVE identifiers referenced below for details.
  Impact :

    A remote attacker could entice a user to open a specially crafted file,       possibly resulting in the execution of arbitrary code with the privileges       of the process, or cause a Denial of Service condition.
  Workaround :

    There is no known workaround at this time.

Agostino Sarubbo and Jakub Jirasek discovered that libsndfile incorrectly handled certain malformed files. A remote attacker could use this issue to cause libsndfile to crash, resulting in a denial of service, or possibly execute arbitrary code.

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for libsndfile fixes the following issues :

  - CVE-2017-8361: Global buffer overflow in     flac_buffer_copy. (bsc#1036946)

  - CVE-2017-8362: Invalid memory read in flac_buffer_copy.
    (bsc#1036943)

  - CVE-2017-8363: Heap-based buffer overflow in     flac_buffer_copy. (bsc#1036945)

  - CVE-2017-7585, CVE-2017-7741, CVE-2017-7742: Stack-based     buffer overflows via specially crafted FLAC files.
    (bsc#1033054)

This update was imported from the SUSE:SLE-12:Update update project.

This update for libsndfile fixes the following issues :

  - CVE-2017-8361: Global buffer overflow in     flac_buffer_copy. (bsc#1036946)

  - CVE-2017-8362: Invalid memory read in flac_buffer_copy.
    (bsc#1036943)

  - CVE-2017-8363: Heap-based buffer overflow in     flac_buffer_copy. (bsc#1036945)

  - CVE-2017-7585, CVE-2017-7741, CVE-2017-7742: Stack-based     buffer overflows via specially crafted FLAC files.
    (bsc#1033054)

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for libsndfile fixes the following issues :

  - CVE-2017-8362: invalid memory read in flac_buffer_copy     (flac.c) (bsc#1036943)

  - CVE-2017-8365: global buffer overflow in i2les_array     (pcm.c) (bsc#1036946)

  - CVE-2017-8361: global buffer overflow in     flac_buffer_copy (flac.c) (bsc#1036944)

  - CVE-2017-8363: heap-based buffer overflow in     flac_buffer_copy (flac.c) (bsc#1036945)

  - CVE-2017-7585: stack-based buffer overflow via a     specially crafted FLAC file (bsc#1033054)

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Multiple vulnerabilities were found in libsndfile, a popular library for reading/writing audio files.

CVE-2017-7585

In libsndfile before 1.0.28, an error in the 'flac_buffer_copy()' function (flac.c) can be exploited to cause a stack-based buffer overflow via a specially crafted FLAC file.

CVE-2017-7586

In libsndfile before 1.0.28, an error in the 'header_read()' function (common.c) when handling ID3 tags can be exploited to cause a stack-based buffer overflow via a specially crafted FLAC file.
CVE-2017-7741

In libsndfile before 1.0.28, an error in the 'flac_buffer_copy()' function (flac.c) can be exploited to cause a segmentation violation (with write memory access) via a specially crafted FLAC file during a resample attempt, a similar issue to CVE-2017-7585. CVE-2017-7742

In libsndfile before 1.0.28, an error in the 'flac_buffer_copy()' function (flac.c) can be exploited to cause a segmentation violation (with read memory access) via a specially crafted FLAC file during a resample attempt, a similar issue to CVE-2017-7585. CVE-2014-9496

The sd2_parse_rsrc_fork function in sd2.c in libsndfile allows attackers to have unspecified impact via vectors related to a (1) map offset or (2) rsrc marker, which triggers an out-of-bounds read.

CVE-2014-9756

The psf_fwrite function in file_io.c in libsndfile allows attackers to cause a denial of service (divide-by-zero error and application crash) via unspecified vectors related to the headindex variable.
CVE-2015-7805

Heap-based buffer overflow in libsndfile 1.0.25 allows remote attackers to have unspecified impact via the headindex value in the header in an AIFF file.

For Debian 7 'Wheezy', these problems have been fixed in version 1.0.25-9.1+deb7u1.

We recommend that you upgrade your libsndfile packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for libsndfile fixes the following security issues :

  - CVE-2017-7586: A stack-based buffer overflow via a     specially crafted FLAC file was fixed (error in the     'header_read()' function) (bsc#1033053)

  - CVE-2017-7585,CVE-2017-7741, CVE-2017-7742: Several     stack-based buffer overflows via a specially crafted     FLAC file (error in the 'flac_buffer_copy()' function)     were fixed (bsc#1033054,bsc#1033915,bsc#1033914).

This update was imported from the SUSE:SLE-12:Update update project.

NVD reports :

In libsndfile before 1.0.28, an error in the 'flac_buffer_copy()' function (flac.c) can be exploited to cause a stack-based buffer overflow via a specially crafted FLAC file.

In libsndfile before 1.0.28, an error in the 'header_read()' function (common.c) when handling ID3 tags can be exploited to cause a stack-based buffer overflow via a specially crafted FLAC file.

In libsndfile before 1.0.28, an error in the 'flac_buffer_copy()' function (flac.c) can be exploited to cause a segmentation violation (with write memory access) via a specially crafted FLAC file during a resample attempt, a similar issue to CVE-2017-7585.

In libsndfile before 1.0.28, an error in the 'flac_buffer_copy()' function (flac.c) can be exploited to cause a segmentation violation (with read memory access) via a specially crafted FLAC file during a resample attempt, a similar issue to CVE-2017-7585.

This update for libsndfile fixes the following security issues :

  - CVE-2017-7586: A stack-based buffer overflow via a     specially crafted FLAC file was fixed (error in the     'header_read()' function) (bsc#1033053)

  - CVE-2017-7585,CVE-2017-7741, CVE-2017-7742: Several     stack-based buffer overflows via a specially crafted     FLAC file (error in the 'flac_buffer_copy()' function)     were fixed (bsc#1033054,bsc#1033915,bsc#1033914).

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for libsndfile fixes the following issues :

  - CVE-2017-7585,CVE-2017-7741,CVE-2017-7742: Some     stack-based buffer overflows via a specially crafted     FLAC file were fixed (error in the 'flac_buffer_copy()'     function) (bsc#1033054, bsc#1033914, bsc#1033915).

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
132151	EulerOS 2.0 SP3 : libsndfile (EulerOS-SA-2019-2616)	Nessus	Huawei Local Security Checks	critical
131666	EulerOS 2.0 SP2 : libsndfile (EulerOS-SA-2019-2513)	Nessus	Huawei Local Security Checks	critical
130670	EulerOS 2.0 SP5 : libsndfile (EulerOS-SA-2019-2208)	Nessus	Huawei Local Security Checks	high
101335	GLSA-201707-04 : libsndfile: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	medium
100590	Ubuntu 14.04 LTS / 16.04 LTS / 16.10 / 17.04 : libsndfile vulnerabilities (USN-3306-1)	Nessus	Ubuntu Local Security Checks	high
100501	openSUSE Security Update : libsndfile (openSUSE-2017-625)	Nessus	SuSE Local Security Checks	high
100353	SUSE SLED12 / SLES12 Security Update : libsndfile (SUSE-SU-2017:1367-1)	Nessus	SuSE Local Security Checks	high
100121	SUSE SLES11 Security Update : libsndfile (SUSE-SU-2017:1236-1)	Nessus	SuSE Local Security Checks	high
99739	Debian DLA-928-1 : libsndfile security update	Nessus	Debian Local Security Checks	medium
99703	openSUSE Security Update : libsndfile (openSUSE-2017-514)	Nessus	SuSE Local Security Checks	medium
99554	FreeBSD : libsndfile -- multiple vulnerabilities (5a97805e-93ef-4dcb-8d5e-dbcac263bfc2)	Nessus	FreeBSD Local Security Checks	medium
99462	SUSE SLED12 / SLES12 Security Update : libsndfile (SUSE-SU-2017:1040-1)	Nessus	SuSE Local Security Checks	medium
99460	SUSE SLES11 Security Update : libsndfile (SUSE-SU-2017:1030-1)	Nessus	SuSE Local Security Checks	medium

CVE-2017-7741

medium

New! CVE Severity Now Using CVSS v3

Description

References

Details

Risk Information

CVSS v2

CVSS v3

Vulnerable Software

Configuration 1

Tenable Plugins

critical

critical

high

medium

high

high

high

high

medium

medium

medium

medium

medium