Bug 1600367 (CVE-2018-13440)

Summary: CVE-2018-13440 audiofile: NULL pointer dereference in ModuleState::setup() in modules/ModuleState.cpp allows for denial of service via crafted file
Product: [Other] Security Response Reporter: Sam Fowler <sfowler>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: ajax, alexl, john.j5live, mclasen, rhughes, rstrode, sandmann, wtaymans
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-09-29 21:57:12 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1600368, 1600369, 1601014    
Bug Blocks: 1600371    

Description Sam Fowler 2018-07-12 05:45:25 UTC 
The Audio File Library through version 0.3.6 is vulnerable to a NULL pointer dereference in the modules/ModuleState.cpp:ModuleState::setup() function. An attacker could exploit this to cause a denial of service via crafted caf file.


Upstream Issue:

https://github.com/mpruett/audiofile/issues/49
Comment 1 Sam Fowler 2018-07-12 05:45:51 UTC 
Created audiofile tracking bugs for this issue:

Affects: fedora-all [bug 1600368]
Comment 3 Sam Fowler 2018-07-12 05:55:40 UTC 
Reproduced with audiofile-0.3.6-15.fc27.x86_64 on F27:

sh-4.4# ASAN_OPTIONS=allocator_may_return_null=1 sfconvert poc output format aiff 2>&1 | ./asan_symbolize.py -d
Audio File Library: IMA type not set [error 47]
ASAN:DEADLYSIGNAL
=================================================================
==116==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f032234d3ef bp 0x7ffcc09153f0 sp 0x7ffcc0915240 T0)
==116==The signal is caused by a READ memory access.
==116==Hint: address points to the zero page.
    #0 0x7f032234d3ee in ModuleState::setup(_AFfilehandle*, Track*) /usr/src/debug/audiofile-0.3.6-15.fc27.x86_64/libaudiofile/modules/ModuleState.cpp:143
    #1 0x7f032234d3ee in ?? ??:0
    #1 0x7f0322337a1a in afGetFrameCount (/lib64/libaudiofile.so.1+0x69a1a)
    #2 0x402bfd in ?? /usr/src/debug/audiofile-0.3.6-15.fc27.x86_64/sfcommands/sfconvert.c:359
    #3 0x402bfd in ?? ??:0
    #4 0x402844 in ?? /usr/src/debug/audiofile-0.3.6-15.fc27.x86_64/sfcommands/sfconvert.c:275
    #5 0x402844 in ?? ??:0
    #4 0x7f0321cdff29 in __libc_start_main (/lib64/libc.so.6+0x20f29)
    #6 0x401529 in ?? ??:0
    #7 0x401529 in ?? ??:0

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/lib64/libaudiofile.so.1+0x7f3ee)
==116==ABORTING
Comment 6 Scott Gayou 2018-07-13 15:09:02 UTC 
RHEL7 segfaults with the POC. RHEL5/6 do not appear vulnerable as the version of audiofile shipped did not yet support CAFF files. See units.c in RHEL5/6 and units.cpp in RHEL7 release.
Comment 8 Scott Gayou 2018-07-13 15:12:35 UTC 
Statement:

Red Hat Product Security has rated this issue as having a security impact of Low, and a future update may address this flaw.
Comment 10 errata-xmlrpc 2020-09-29 19:29:43 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:3877 https://access.redhat.com/errata/RHSA-2020:3877
Comment 11 Product Security DevOps Team 2020-09-29 21:57:12 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2018-13440