Bug 1470199 (CVE-2015-9100, CVE-2017-11720, CVE-2017-13712, CVE-2017-15018, CVE-2017-15019, CVE-2017-15045, CVE-2017-15046, CVE-2017-8419, CVE-2017-9410, CVE-2017-9411, CVE-2017-9412)

Summary: CVE-2015-9099 CVE-2015-9100 CVE-2017-8419 CVE-2017-9410 CVE-2017-9411 CVE-2017-9412 CVE-2017-11720 CVE-2017-13712 CVE-2017-15018 CVE-2017-15019 CVE-2017-15045 CVE-2017-15046 lame: Multiple vulnerabilities
Product: [Other] Security Response
Reporter: Andrej Nemec <anemec>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED UPSTREAM
Severity: low
Priority: low
Version: unspecified
CC: neerajpal09, redhat-bugzilla, samoht0-bugzilla, wtaymans, yselkowi
Keywords: Security
Hardware: All
OS: Linux
Doc Type: If docs needed, set a value
Doc Text:
[REJECTED CVE] This candidate is a duplicate of CVE-2015-9100. Note that all CVE users should reference CVE-2015-9100 instead of this candidate.
Last Closed: 2019-06-08 03:16:21 UTC
Bug Depends On: 1470201, 1470202, 1910593
Attachments:
A patch is proposed for Lame 3.99.5 mp3 encoder with CVE ID: 2017-9411 (flags: none)

Description Andrej Nemec 2017-07-12 14:02:10 UTC
CVE-2015-9099

The lame_init_params function in lame.c in libmp3lame.a in LAME 3.99.5 allows remote attackers to cause a denial of service (invalid read and application crash) via a crafted audio file with a negative sample rate.

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=775959

CVE-2015-9100

The fill_buffer_resample function in util.c in libmp3lame.a in LAME 3.99.5 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted audio file.

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=777160
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=777161

Comment 1 Andrej Nemec 2017-07-12 14:02:29 UTC
Created lame tracking bugs for this issue:

Affects: epel-all [bug 1470201]
Affects: fedora-all [bug 1470202]

Comment 2 Andrej Nemec 2017-07-27 09:05:25 UTC
Adding multiple vulnerabilities.

CVE-2017-9410

The fill_buffer_resample function in libmp3lame/util.c in LAME 3.99.5 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted wav file. 

CVE-2017-9411

The fill_buffer_resample function in libmp3lame/util.c in LAME 3.99.5 allows remote attackers to cause a denial of service (invalid memory read and application crash) via a crafted wav file. 

CVE-2017-9412

The unpack_read_samples function in frontend/get_audio.c in LAME 3.99.5 allows remote attackers to cause a denial of service (invalid memory read and application crash) via a crafted wav file. 

References:

http://seclists.org/fulldisclosure/2017/Jul/63

Comment 3 Andrej Nemec 2017-07-28 14:47:52 UTC
Adding one more.

CVE-2017-11720

There is a division-by-zero vulnerability in LAME 3.99.5, caused by a malformed input file.

https://sourceforge.net/p/lame/bugs/460/

Comment 4 Neeraj Pal 2017-08-29 06:35:37 UTC
Created attachment 1319324 [details]
A patch is proposed for Lame 3.99.5 mp3 encoder with CVE ID: 2017-9411

Hello all,

I proposed a patch for a bug encountered in Lame version 3.99.5 which already has a CVE ID: 2017-9411.

Description:
The fill_buffer_resample function in libmp3lame/util.c in LAME 3.99.5 allows remote attackers to cause a denial of service (invalid memory read and application crash) via a crafted wav file.


POC:
lame_3.99.5_invalid_memory_read_1.wav
CVE:
CVE-2017-9411

Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/42390.zip

Comment 5 Andrej Nemec 2017-08-31 14:59:36 UTC
CVE-2017-13712

NULL Pointer Dereference in the id3v2AddAudioDuration function in libmp3lame/id3tag.c in LAME 3.99.5 allows attackers to perform Denial of Service by triggering a NULL first argument. 

https://sourceforge.net/p/lame/bugs/472/

Comment 7 Andrej Nemec 2017-10-06 08:59:09 UTC
CVE-2017-15045

LAME 3.99.5 has a heap-based buffer over-read, a different vulnerability than CVE-2017-9410.

https://sourceforge.net/p/lame/bugs/478/

CVE-2017-15046

LAME 3.99.5 has a stack-based buffer overflow, a different vulnerability than CVE-2017-9412.

https://sourceforge.net/p/lame/bugs/479/

Comment 8 Andrej Nemec 2017-10-10 14:28:22 UTC
CVE-2017-15018

LAME 3.99.5 has a heap-based buffer over-read when handling a malformed file in k_34_4 in vbrquantize.c.

https://sourceforge.net/p/lame/bugs/480/

CVE-2017-15019

LAME 3.99.5 has a NULL Pointer Dereference in the hip_decode_init function within libmp3lame/mpglib_interface.c via a malformed mpg file, because of an incorrect calloc call.

https://sourceforge.net/p/lame/bugs/477/

Comment 9 Andrej Nemec 2017-10-20 07:18:29 UTC
CVE-2017-8419

LAME through 3.99.5 relies on the signed integer data type for values in a WAV or AIFF header, which allows remote attackers to cause a denial of service (stack-based buffer overflow or heap-based buffer overflow) or possibly have unspecified other impact via a crafted file, as demonstrated by mishandling of num_channels. 

https://sourceforge.net/p/lame/bugs/458/
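
The signed-header-field root cause named in CVE-2017-8419 (num_channels) and CVE-2015-9099 (negative sample rate), as an added example that is not LAME's own code: the weak signed check beside a hardened reader for the WAV fmt chunk. The limits MAX_CHANNELS and MAX_SAMPLE_RATE and the three sample headers are constructed assumptions for this example.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical hardened reader for the 16-byte PCM "fmt " chunk body of a
 * WAV file (not LAME code): every field is read as an unsigned value and
 * range-checked before it can size a buffer or drive resampling. */

enum { WAV_OK = 0, WAV_SHORT = -1, WAV_BAD_CHANNELS = -2,
       WAV_BAD_RATE = -3, WAV_BAD_BITS = -4 };

/* Limits are this example's assumptions, not LAME's own. */
#define MAX_CHANNELS     2u
#define MAX_SAMPLE_RATE  192000u

typedef struct { uint16_t channels; uint32_t sample_rate; uint16_t bits; } wav_fmt;

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* The weak pattern the CVEs describe: a header field held in a signed int
 * and tested only against an upper bound, so a sign-extended 0xFFFF (-1)
 * passes and is later used as a count or buffer size. */
int weak_channels_ok(int num_channels) { return num_channels <= 2; }

/* Hardened parse. fmt body layout: tag(2) channels(2) rate(4) byterate(4)
 * blockalign(2) bits(2). Unsigned types plus explicit lower and upper bounds. */
int parse_fmt_chunk(const uint8_t *buf, size_t len, wav_fmt *out) {
    if (len < 16) return WAV_SHORT;
    uint16_t channels = le16(buf + 2);
    uint32_t rate     = le32(buf + 4);
    uint16_t bits     = le16(buf + 14);
    if (channels == 0 || channels > MAX_CHANNELS) return WAV_BAD_CHANNELS;
    if (rate == 0 || rate > MAX_SAMPLE_RATE)      return WAV_BAD_RATE;
    if (bits != 8 && bits != 16 && bits != 24 && bits != 32) return WAV_BAD_BITS;
    out->channels = channels; out->sample_rate = rate; out->bits = bits;
    return WAV_OK;
}

/* Constructed sample fmt bodies (not captured from any real file). */
const uint8_t FMT_GOOD[16]     = {1,0, 2,0,       0x44,0xAC,0,0, 0x10,0xB1,2,0, 4,0, 16,0};
const uint8_t FMT_NEG_CHAN[16] = {1,0, 0xFF,0xFF, 0x44,0xAC,0,0, 0x10,0xB1,2,0, 4,0, 16,0};
const uint8_t FMT_NEG_RATE[16] = {1,0, 2,0,       0,0,0,0x80,    0x10,0xB1,2,0, 4,0, 16,0};

int parse_sample(const uint8_t *buf) { wav_fmt f; return parse_fmt_chunk(buf, 16, &f); }
```

Read as a signed 16-bit value, the channel field in FMT_NEG_CHAN is -1 and passes the weak check; the unsigned reader rejects both it and the 0x80000000 sample rate.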

Comment 10 samoht0 2017-10-22 09:57:22 UTC
I opened a bug as there's a new upstream release that resolves some of the vulnerabilities:
https://bugzilla.redhat.com/show_bug.cgi?id=1505107

Comment 11 Robert Scheck 2017-10-22 21:46:50 UTC
From my point of view, 3.100 fixes all of these CVEs except CVE-2017-15019.
Is that correct?

Comment 12 Product Security DevOps Team 2019-06-08 03:16:21 UTC
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.