Bug 1499599

Summary: libextract Divide-By-Zero Denial of Service Vulnerability
Product: [Fedora] Fedora Reporter: Leon <leon.zhao.7>
Component: libextractorAssignee: Gwyn Ciesla <gwync>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high Docs Contact:
Priority: unspecified    
Version: 27CC: gwync, sheltren
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Linux   
Whiteboard:
Fixed In Version: libextractor-1.6-1.fc26 libextractor-1.6-1.fc25 libextractor-1.6-1.fc27 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-10-30 16:18:20 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
POC file that crashing extract none

Description Leon 2017-10-09 02:51:09 UTC 
Created attachment 1336093 [details]
POC file that crashing extract

Description of problem:
In 'EXTRACTOR_wav_extract_method' function of wav_extractor.c, the program does not check the value of sample_rate, with a crafted file, the sample_rate can be set to zero.

Version-Release number of selected component (if applicable):
v1.4

How reproducible:
./extract -i $poc

Steps to Reproduce:
the output of gdb
Reading symbols from /opt/asan/bin/extract...done.
(gdb) set args -i extract-wav_extractor-119.dos 
(gdb) run
Starting program: /opt/asan/bin/extract -i extract-wav_extractor-119.dos 
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Keywords for file extract-wav_extractor-119.dos:
Program received signal SIGFPE, Arithmetic exception.
0x00007ffff1c242fe in EXTRACTOR_wav_extract_method (ec=0x7fffffffa070) at wav_extractor.c:119
119                 : (samples / sample_rate) * 1000,
(gdb) p sample_rate
$1 = 0
(gdb) bt
#0  0x00007ffff1c242fe in EXTRACTOR_wav_extract_method (ec=0x7fffffffa070) at wav_extractor.c:119
#1  0x00007ffff6c09793 in do_extract (plugins=0x60800000b520, shm=0x0, ds=0x60300000ec20, proc=0x40255a <print_selected_keywords>, proc_cls=0x0) at extractor.c:577
#2  0x00007ffff6c09b99 in EXTRACTOR_extract (plugins=0x60800000b520, filename=0x60800000be59 "extract-wav_extractor-119.dos", data=0x0, size=0, 
    proc=0x40255a <print_selected_keywords>, proc_cls=0x0) at extractor.c:655
#3  0x00000000004044ca in main (argc=3, argv=0x7fffffffe4d8) at extract.c:977
(gdb) l
114       snprintf (scratch,
115                 sizeof (scratch),
116                 "%u ms, %d Hz, %s",
117                 (samples < sample_rate)
118                 ? (samples * 1000 / sample_rate)
119                 : (samples / sample_rate) * 1000,
120                 sample_rate, (1 == channels) ? _("mono") : _("stereo"));
121       if (0 != ec->proc (ec->cls, 
122                          "wav",
123                          EXTRACTOR_METATYPE_RESOURCE_TYPE,
(gdb) 

Actual results:
crash(Floating point exception)

Expected results:
crash(Floating point exception)

Additional info:
This vulnerability is detected Zhao Liang, Huawei Weiran Labs
Comment 1 Fedora Update System 2017-10-20 13:00:43 UTC 
libextractor-1.6-1.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2017-8cca61e2fa
Comment 2 Fedora Update System 2017-10-20 13:01:04 UTC 
libextractor-1.6-1.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-4a42419c16
Comment 3 Fedora Update System 2017-10-20 13:01:19 UTC 
libextractor-1.6-1.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2017-611d7cc98b
Comment 4 Fedora Update System 2017-10-21 19:29:36 UTC 
libextractor-1.6-1.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-611d7cc98b
Comment 5 Fedora Update System 2017-10-22 02:25:41 UTC 
libextractor-1.6-1.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-4a42419c16
Comment 6 Fedora Update System 2017-10-22 03:25:04 UTC 
libextractor-1.6-1.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-8cca61e2fa
Comment 7 Fedora Update System 2017-10-30 16:18:20 UTC 
libextractor-1.6-1.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.
Comment 8 Fedora Update System 2017-10-30 16:28:25 UTC 
libextractor-1.6-1.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.
Comment 9 Fedora Update System 2017-11-11 02:59:51 UTC 
libextractor-1.6-1.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.