Roundup: [oss-security] audiofile: multiple ubsan crashes

[grahamc]

Here is a report from the oss-security mailing list for Vulnerability Roundup 27.

Skip to First Email

Instructions:

Identification

Identify if we have the software, in 16.09, 17.03, and unstable. Then determine if we are vulnerable, and make a comment with your findings. It can also be helpful to specify if you think there is a patch, or if it can be fixed via a general update.

Example:

unstable: we are not vulnerable (link to the package)
17.03: we are vulnerable (link to the package)
16.09: we don't have it packaged

IMPORTANT: If you believe there are possibly related issues, bring them up on the parent issue!

Patching

Start by commenting on this issue saying you're working on a patch. This way, we don't duplicate work.

If you open a pull request, tag this issue and the master issue for the roundup.

If you commit the patch directly to a branch, please leave a comment on this issue with the branch and the commit hash, example:

fixed:

release-16.09: abc123

Skip to First Email

Upon Completion ...

• Update Graham's database

Info

Triage Indicator:

-needs-triage +roundup27 thread:0000000000003e20

• File Search: https://search.nix.gsc.io/?q=audiofile&i=fosho&repos=nixos-nixpkgs
• GitHub Search: https://github.com/NixOS/nixpkgs/search?utf8=%E2%9C%93&q=audiofile+in%3Apath&type=Code

Should the search term be changed from audiofile? Suggest a new package search by commenting:

-suggested:audiofile +suggested:correctPackageName thread:0000000000003e20

Known CVEs: CVE-2017-6837, CVE-2017-6838, CVE-2017-6839

---

Skip to End

Sun, 26 Feb 2017 11:56:31 +0000 "Agostino Sarubbo" <ago-at-gentoo.org>, 267855.691348331-sendEmail@localhost

Description:
audiofile is a C-based library for reading and writing audio files in many common formats.

A fuzz on it discovered multiple crashes because of undefined behavior.

The complete UBsan output:

# sfconvert @@ out.mp3 format aiff
/tmp/portage/media-libs/audiofile-0.3.6-r3/work/audiofile-0.3.6/libaudiofile/WAVE.cpp:289:14: runtime error: index 256 out of bounds for type 'int16_t [256][2]'
/tmp/portage/media-libs/audiofile-0.3.6-r3/work/audiofile-0.3.6/libaudiofile/WAVE.cpp:290:14: runtime error: index 256 out of bounds for type 'int16_t [256][2]'

Reproducer:
https://github.com/asarubbo/poc/blob/master/00191-audiofile-indexoob

##########################################

# sfconvert @@ out.mp3 format aiff
/tmp/portage/media-libs/audiofile-0.3.6-r3/work/audiofile-0.3.6/sfcommands/sfconvert.c:327:42: runtime error: signed integer overflow: 65536 * 252936 cannot be represented in type 
'int'

Reproducer:
https://github.com/asarubbo/poc/blob/master/00192-audiofile-signintoverflow-sfconvert

##########################################

# sfconvert @@ out.mp3 format aiff
/tmp/portage/media-libs/audiofile-0.3.6-r3/work/audiofile-0.3.6/libaudiofile/modules/MSADPCM.cpp:115:27: runtime error: signed integer overflow: 5512570 * 409 cannot be represented in 
type 'int'

Reproducer:
https://github.com/asarubbo/poc/blob/master/00193-audiofile-signintoverflow-MSADPCM

##########################################

Affected version:
0.3.6

Fixed version:
N/A

Commit fix:
N/A

Credit:
These bugs were discovered by Agostino Sarubbo of Gentoo.

Timeline:
2017-02-20: bug discovered and reported to upstream
2017-02-20: blog post about the issue

Note:
These bugs were found with American Fuzzy Lop.

Permalink:
https://blogs.gentoo.org/ago/2017/02/20/audiofile-multiple-ubsan-crashes

--
Agostino Sarubbo
Gentoo Linux Developer

Skip to End

---

Mon, 13 Mar 2017 10:40:02 +0100 Agostino Sarubbo <ago-at-gentoo.org>, 7377432.3LPlIO6s4Q@blackgate

On Sunday 26 February 2017 11:56:31 Agostino Sarubbo wrote:
> Permalink:
> https://blogs.gentoo.org/ago/2017/02/20/audiofile-multiple-ubsan-crashes

These are:
CVE-2017-6837
CVE-2017-6838
CVE-2017-6839

-- 
Agostino Sarubbo
Gentoo Linux Developer

Skip to End

---

[Mic92]

This pull requests states to fix this: mpruett/audiofile#42
But I would like to get the feedback of the maintainer actually, because the patches are non-trivial.