Bug 1600367 (CVE-2018-13440)

Summary: CVE-2018-13440 audiofile: NULL pointer dereference in modules/ModuleState.cpp:ModuleState::setup() allows for denial of service via crafted file
Product: [Other] Security Response Reporter: Sam Fowler <sfowler>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: NEW --- QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: ajax, alexl, bugs.michael, john.j5live, mclasen, rhughes, rstrode, sandmann, wtaymans
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard: impact=low,public=20180707,reported=20180712,source=cve,cvss3=5.3/CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L,cwe=CWE-476,fedora-all/audiofile=affected,rhel-5/audiofile=notaffected,rhel-6/audiofile=notaffected,rhel-7/audiofile=affected,rhel-8/audiofile=wontfix
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Bug Depends On: 1601014, 1600368, 1600369    
Bug Blocks: 1600371    

Description Sam Fowler 2018-07-12 05:45:25 UTC
The Audio File Library through version 0.3.6 is vulnerable to a NULL pointer dereference in the modules/ModuleState.cpp:ModuleState::setup() function. An attacker could exploit this to cause a denial of service via crafted caf file.


Upstream Issue:

https://github.com/mpruett/audiofile/issues/49

Comment 1 Sam Fowler 2018-07-12 05:45:51 UTC
Created audiofile tracking bugs for this issue:

Affects: fedora-all [bug 1600368]

Comment 3 Sam Fowler 2018-07-12 05:55:40 UTC
Reproduced with audiofile-0.3.6-15.fc27.x86_64 on F27:

sh-4.4# ASAN_OPTIONS=allocator_may_return_null=1 sfconvert poc output format aiff 2>&1 | ./asan_symbolize.py -d
Audio File Library: IMA type not set [error 47]
ASAN:DEADLYSIGNAL
=================================================================
==116==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f032234d3ef bp 0x7ffcc09153f0 sp 0x7ffcc0915240 T0)
==116==The signal is caused by a READ memory access.
==116==Hint: address points to the zero page.
    #0 0x7f032234d3ee in ModuleState::setup(_AFfilehandle*, Track*) /usr/src/debug/audiofile-0.3.6-15.fc27.x86_64/libaudiofile/modules/ModuleState.cpp:143
    #1 0x7f032234d3ee in ?? ??:0
    #1 0x7f0322337a1a in afGetFrameCount (/lib64/libaudiofile.so.1+0x69a1a)
    #2 0x402bfd in ?? /usr/src/debug/audiofile-0.3.6-15.fc27.x86_64/sfcommands/sfconvert.c:359
    #3 0x402bfd in ?? ??:0
    #4 0x402844 in ?? /usr/src/debug/audiofile-0.3.6-15.fc27.x86_64/sfcommands/sfconvert.c:275
    #5 0x402844 in ?? ??:0
    #4 0x7f0321cdff29 in __libc_start_main (/lib64/libc.so.6+0x20f29)
    #6 0x401529 in ?? ??:0
    #7 0x401529 in ?? ??:0

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/lib64/libaudiofile.so.1+0x7f3ee)
==116==ABORTING

Comment 6 Scott Gayou 2018-07-13 15:09:02 UTC
RHEL7 segfaults with the POC. RHEL5/6 do not appear vulnerable as the version of audiofile shipped did not yet support CAFF files. See units.c in RHEL5/6 and units.cpp in RHEL7 release.

Comment 8 Scott Gayou 2018-07-13 15:12:35 UTC
Statement:

Red Hat Product Security has rated this issue as having a security impact of Low, and a future update may address this flaw.