https://blogs.gentoo.org/ago/2017/04/29/libsndfile-heap-based-buffer-overflow-in-flac_buffer_copy-flac-c/

[debian-lts-announce] 20181226 [SECURITY] [DLA 1618-1] libsndfile security update

GLSA-201811-23

According to the versions of the libsndfile package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - In libsndfile before 1.0.28, an error in the     'header_read()' function (common.c) when handling ID3     tags can be exploited to cause a stack-based buffer     overflow via a specially crafted FLAC     file.(CVE-2017-7586)

  - Heap-based Buffer Overflow in the psf_binheader_writef     function in common.c in libsndfile through 1.0.28     allows remote attackers to cause a denial of service     (application crash) or possibly have unspecified other     impact.(CVE-2017-12562)

  - In libsndfile 1.0.25 (fixed in 1.0.26), a     divide-by-zero error exists in the function     wav_w64_read_fmt_chunk() in wav_w64.c, which may lead     to DoS when playing a crafted audio     file.(CVE-2017-16942)

  - In libsndfile 1.0.28, a divide-by-zero error exists in     the function double64_init() in double64.c, which may     lead to DoS when playing a crafted audio     file.(CVE-2017-14634)

  - The psf_fwrite function in file_io.c in libsndfile     allows attackers to cause a denial of service     (divide-by-zero error and application crash) via     unspecified vectors related to the headindex     variable.(CVE-2014-9756)

  - In libsndfile before 1.0.28, an error in the     'flac_buffer_copy()' function (flac.c) can be exploited     to cause a segmentation violation (with write memory     access) via a specially crafted FLAC file during a     resample attempt, a similar issue to     CVE-2017-7585.(CVE-2017-7741)

  - In libsndfile before 1.0.28, an error in the     'flac_buffer_copy()' function (flac.c) can be exploited     to cause a segmentation violation (with read memory     access) via a specially crafted FLAC file during a     resample attempt, a similar issue to     CVE-2017-7585.(CVE-2017-7742)

  - In libsndfile version 1.0.28, an error in the     'aiff_read_chanmap()' function (aiff.c) can be     exploited to cause an out-of-bounds read memory access     via a specially crafted AIFF file.(CVE-2017-6892)

  - The flac_buffer_copy function in flac.c in libsndfile     1.0.28 allows remote attackers to cause a denial of     service (buffer overflow and application crash) or     possibly have unspecified other impact via a crafted     audio file.(CVE-2017-8361)

  - The flac_buffer_copy function in flac.c in libsndfile     1.0.28 allows remote attackers to cause a denial of     service (invalid read and application crash) via a     crafted audio file.(CVE-2017-8362)

  - The flac_buffer_copy function in flac.c in libsndfile     1.0.28 allows remote attackers to cause a denial of     service (heap-based buffer over-read and application     crash) via a crafted audio file.(CVE-2017-8363)

  - The i2les_array function in pcm.c in libsndfile 1.0.28     allows remote attackers to cause a denial of service     (buffer over-read and application crash) via a crafted     audio file.(CVE-2017-8365)

  - The sd2_parse_rsrc_fork function in sd2.c in libsndfile     allows attackers to have unspecified impact via vectors     related to a (1) map offset or (2) rsrc marker, which     triggers an out-of-bounds read.(CVE-2014-9496)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the libsndfile package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - In libsndfile version 1.0.28, an error in the     'aiff_read_chanmap()' function (aiff.c) can be     exploited to cause an out-of-bounds read memory access     via a specially crafted AIFF file.(CVE-2017-6892)

  - The sd2_parse_rsrc_fork function in sd2.c in libsndfile     allows attackers to have unspecified impact via vectors     related to a (1) map offset or (2) rsrc marker, which     triggers an out-of-bounds read.(CVE-2014-9496)

  - The flac_buffer_copy function in flac.c in libsndfile     1.0.28 allows remote attackers to cause a denial of     service (buffer overflow and application crash) or     possibly have unspecified other impact via a crafted     audio file.(CVE-2017-8361)

  - In libsndfile before 1.0.28, an error in the     'flac_buffer_copy()' function (flac.c) can be exploited     to cause a segmentation violation (with write memory     access) via a specially crafted FLAC file during a     resample attempt, a similar issue to     CVE-2017-7585.(CVE-2017-7741)

  - In libsndfile before 1.0.28, an error in the     'flac_buffer_copy()' function (flac.c) can be exploited     to cause a segmentation violation (with read memory     access) via a specially crafted FLAC file during a     resample attempt, a similar issue to     CVE-2017-7585.(CVE-2017-7742)

  - In libsndfile before 1.0.28, an error in the     'flac_buffer_copy()' function (flac.c) can be exploited     to cause a stack-based buffer overflow via a specially     crafted FLAC file.(CVE-2017-7585)

  - An out of bounds read in the function d2ulaw_array() in     ulaw.c of libsndfile 1.0.28 may lead to a remote DoS     attack or information disclosure, related to     mishandling of the NAN and INFINITY floating-point     values.(CVE-2017-14246)

  - An out of bounds read in the function d2alaw_array() in     alaw.c of libsndfile 1.0.28 may lead to a remote DoS     attack or information disclosure, related to     mishandling of the NAN and INFINITY floating-point     values.(CVE-2017-14245)

  - The function d2ulaw_array() in ulaw.c of libsndfile     1.0.29pre1 may lead to a remote DoS attack (SEGV on     unknown address 0x000000000000), a different     vulnerability than CVE-2017-14246.(CVE-2017-17457)

  - The function d2alaw_array() in alaw.c of libsndfile     1.0.29pre1 may lead to a remote DoS attack (SEGV on     unknown address 0x000000000000), a different     vulnerability than CVE-2017-14245.(CVE-2017-17456)

  - In libsndfile 1.0.28, a divide-by-zero error exists in     the function double64_init() in double64.c, which may     lead to DoS when playing a crafted audio     file.(CVE-2017-14634)

  - The psf_fwrite function in file_io.c in libsndfile     allows attackers to cause a denial of service     (divide-by-zero error and application crash) via     unspecified vectors related to the headindex     variable.(CVE-2014-9756)

  - In libsndfile before 1.0.28, an error in the     'header_read()' function (common.c) when handling ID3     tags can be exploited to cause a stack-based buffer     overflow via a specially crafted FLAC     file.(CVE-2017-7586)

  - The flac_buffer_copy function in flac.c in libsndfile     1.0.28 allows remote attackers to cause a denial of     service (invalid read and application crash) via a     crafted audio file.(CVE-2017-8362)

  - The flac_buffer_copy function in flac.c in libsndfile     1.0.28 allows remote attackers to cause a denial of     service (heap-based buffer over-read and application     crash) via a crafted audio file.(CVE-2017-8363)

  - The i2les_array function in pcm.c in libsndfile 1.0.28     allows remote attackers to cause a denial of service     (buffer over-read and application crash) via a crafted     audio file.(CVE-2017-8365)

  - In libsndfile 1.0.25 (fixed in 1.0.26), a     divide-by-zero error exists in the function     wav_w64_read_fmt_chunk() in wav_w64.c, which may lead     to DoS when playing a crafted audio     file.(CVE-2017-16942)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the libsndfile package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - A stack-based buffer overflow in psf_memset in common.c     in libsndfile 1.0.28 allows remote attackers to cause a     denial of service (application crash) or possibly have     unspecified other impact via a crafted audio file. The     vulnerability can be triggered by the executable     sndfile-deinterleave.(CVE-2018-13139)

  - The flac_buffer_copy function in flac.c in libsndfile     1.0.28 allows remote attackers to cause a denial of     service (buffer overflow and application crash) or     possibly have unspecified other impact via a crafted     audio file.(CVE-2017-8361)

  - The flac_buffer_copy function in flac.c in libsndfile     1.0.28 allows remote attackers to cause a denial of     service (invalid read and application crash) via a     crafted audio file.(CVE-2017-8362)

  - The flac_buffer_copy function in flac.c in libsndfile     1.0.28 allows remote attackers to cause a denial of     service (heap-based buffer over-read and application     crash) via a crafted audio file.(CVE-2017-8363)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Multiple vulnerabilities have been found in libsndfile, the library for reading and writing files containing sampled sound.

CVE-2017-8361

The flac_buffer_copy function (flac.c) is affected by a buffer overflow. This vulnerability might be leveraged by remote attackers to cause a denial of service, or possibly have unspecified other impact via a crafted audio file.

CVE-2017-8362

The flac_buffer_copy function (flac.c) is affected by an out-of-bounds read vulnerability. This flaw might be leveraged by remote attackers to cause a denial of service via a crafted audio file.

CVE-2017-8363

The flac_buffer_copy function (flac.c) is affected by a heap based OOB read vulnerability. This flaw might be leveraged by remote attackers to cause a denial of service via a crafted audio file.

CVE-2017-8365

The i2les_array function (pcm.c) is affected by a global buffer overflow. This vulnerability might be leveraged by remote attackers to cause a denial of service, or possibly have unspecified other impact via a crafted audio file.

CVE-2017-14245 CVE-2017-14246 CVE-2017-17456 CVE-2017-17457

The d2alaw_array() and d2ulaw_array() functions (src/ulaw.c and src/alaw.c) are affected by an out-of-bounds read vulnerability. This flaw might be leveraged by remote attackers to cause denial of service or information disclosure via a crafted audio file.

CVE-2017-14634

The double64_init() function (double64.c) is affected by a divide-by-zero error. This vulnerability might be leveraged by remote attackers to cause denial of service via a crafted audio file.

CVE-2018-13139

The psf_memset function (common.c) is affected by a stack-based buffer overflow. This vulnerability might be leveraged by remote attackers to cause a denial of service, or possibly have unspecified other impact via a crafted audio file. The vulnerability can be triggered by the executable sndfile-deinterleave.

CVE-2018-19432

The sf_write_int function (src/sndfile.c) is affected by an out-of-bounds read vulnerability. This flaw might be leveraged by remote attackers to cause a denial of service via a crafted audio file.

CVE-2018-19661 CVE-2018-19662

The i2alaw_array() and i2ulaw_array() functions (src/ulaw.c and src/alaw.c) are affected by an out-of-bounds read vulnerability. This flaw might be leveraged by remote attackers to cause denial of service or information disclosure via a crafted audio file.

For Debian 8 'Jessie', these problems have been fixed in version 1.0.25-9.1+deb8u2.

We recommend that you upgrade your libsndfile packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote host is affected by the vulnerability described in GLSA-201811-23 (libsndfile: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in libsndfile. Please       review the CVE identifiers referenced below for details.
  Impact :

    A remote attacker, by enticing a user to open a specially crafted file,       could cause a Denial of Service condition or have other unspecified       impacts.
  Workaround :

    There is no known workaround at this time.

Agostino Sarubbo, Gentoo reports :

CVE-2017-8361 (Medium): The flac_buffer_copy function in flac.c in libsndfile 1.0.28 allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted audio file.

CVE-2017-8362 (Medium): The flac_buffer_copy function in flac.c in libsndfile 1.0.28 allows remote attackers to cause a denial of service (invalid read and application crash) via a crafted audio file.

CVE-2017-8363 (Medium): The flac_buffer_copy function in flac.c in libsndfile 1.0.28 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted audio file.

CVE-2017-8365 (Medium): The i2les_array function in pcm.c in libsndfile 1.0.28 allows remote attackers to cause a denial of service (buffer over-read and application crash) via a crafted audio file.

manxorist on Github reports :

CVE-2017-12562 (High): Heap-based Buffer Overflow in the psf_binheader_writef function in common.c in libsndfile through 1.0.28 allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact.

Xin-Jiang on Github reports :

CVE-2017-14634 (Medium): In libsndfile 1.0.28, a divide-by-zero error exists in the function double64_init() in double64.c, which may lead to DoS when playing a crafted audio file.

fixes buffer overflows for flac and pcm

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Agostino Sarubbo and Jakub Jirasek discovered that libsndfile incorrectly handled certain malformed files. A remote attacker could use this issue to cause libsndfile to crash, resulting in a denial of service, or possibly execute arbitrary code.

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for libsndfile fixes the following issues :

  - CVE-2017-8361: Global buffer overflow in     flac_buffer_copy. (bsc#1036946)

  - CVE-2017-8362: Invalid memory read in flac_buffer_copy.
    (bsc#1036943)

  - CVE-2017-8363: Heap-based buffer overflow in     flac_buffer_copy. (bsc#1036945)

  - CVE-2017-7585, CVE-2017-7741, CVE-2017-7742: Stack-based     buffer overflows via specially crafted FLAC files.
    (bsc#1033054)

This update was imported from the SUSE:SLE-12:Update update project.

CVE-2017-8361 The flac_buffer_copy function in flac.c in libsndfile 1.0.28 allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted audio file.

CVE-2017-8362 The flac_buffer_copy function in flac.c in libsndfile 1.0.28 allows remote attackers to cause a denial of service (invalid read and application crash) via a crafted audio file.

CVE-2017-8363 The flac_buffer_copy function in flac.c in libsndfile 1.0.28 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted audio file.

CVE-2017-8365 The i2les_array function in pcm.c in libsndfile 1.0.28 allows remote attackers to cause a denial of service (buffer over-read and application crash) via a crafted audio file.

For Debian 7 'Wheezy', these problems have been fixed in version 1.0.25-9.1+deb7u2.

We recommend that you upgrade your libsndfile packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for libsndfile fixes the following issues :

  - CVE-2017-8361: Global buffer overflow in     flac_buffer_copy. (bsc#1036946)

  - CVE-2017-8362: Invalid memory read in flac_buffer_copy.
    (bsc#1036943)

  - CVE-2017-8363: Heap-based buffer overflow in     flac_buffer_copy. (bsc#1036945)

  - CVE-2017-7585, CVE-2017-7741, CVE-2017-7742: Stack-based     buffer overflows via specially crafted FLAC files.
    (bsc#1033054)

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for libsndfile fixes the following issues :

  - CVE-2017-8362: invalid memory read in flac_buffer_copy     (flac.c) (bsc#1036943)

  - CVE-2017-8365: global buffer overflow in i2les_array     (pcm.c) (bsc#1036946)

  - CVE-2017-8361: global buffer overflow in     flac_buffer_copy (flac.c) (bsc#1036944)

  - CVE-2017-8363: heap-based buffer overflow in     flac_buffer_copy (flac.c) (bsc#1036945)

  - CVE-2017-7585: stack-based buffer overflow via a     specially crafted FLAC file (bsc#1033054)

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
131666	EulerOS 2.0 SP2 : libsndfile (EulerOS-SA-2019-2513)	Nessus	Huawei Local Security Checks	critical
130670	EulerOS 2.0 SP5 : libsndfile (EulerOS-SA-2019-2208)	Nessus	Huawei Local Security Checks	high
122202	EulerOS 2.0 SP3 : libsndfile (EulerOS-SA-2019-1029)	Nessus	Huawei Local Security Checks	high
119878	Debian DLA-1618-1 : libsndfile security update	Nessus	Debian Local Security Checks	high
119318	GLSA-201811-23 : libsndfile: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	critical
107109	FreeBSD : libsndfile -- multiple vulnerabilities (2b386075-1d9c-11e8-b6aa-4ccc6adda413)	Nessus	FreeBSD Local Security Checks	critical
101706	Fedora 26 : libsndfile (2017-b6959bc910)	Nessus	Fedora Local Security Checks	high
100825	Fedora 24 : libsndfile (2017-a3d6e1a7bf)	Nessus	Fedora Local Security Checks	high
100747	Fedora 25 : libsndfile (2017-abbac6c64b)	Nessus	Fedora Local Security Checks	high
100590	Ubuntu 14.04 LTS / 16.04 LTS / 16.10 / 17.04 : libsndfile vulnerabilities (USN-3306-1)	Nessus	Ubuntu Local Security Checks	high
100501	openSUSE Security Update : libsndfile (openSUSE-2017-625)	Nessus	SuSE Local Security Checks	high
100476	Debian DLA-956-1 : libsndfile security update	Nessus	Debian Local Security Checks	high
100353	SUSE SLED12 / SLES12 Security Update : libsndfile (SUSE-SU-2017:1367-1)	Nessus	SuSE Local Security Checks	high
100121	SUSE SLES11 Security Update : libsndfile (SUSE-SU-2017:1236-1)	Nessus	SuSE Local Security Checks	high

CVE-2017-8363

medium

New! CVE Severity Now Using CVSS v3

Description

References

Details

Risk Information

CVSS v2

CVSS v3

Vulnerable Software

Configuration 1

Configuration 2

Tenable Plugins

critical

high

high

high

critical

critical

high

high

high

high

high

high

high

high