Bug 1500570

Summary: It is a reachable assertion abort in function sox_append_comment (in formats.c:227) that will lead to a denial of service attack
Product: [Fedora] Fedora
Component: sox
Version: 26
Hardware: x86_64
OS: Linux
Status: CLOSED ERRATA
Severity: high
Priority: unspecified
Keywords: Security
Reporter: Liu Zhu <fantasy7082>
Assignee: Jiri Kucera <jkucera>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: felix, fkluknav, hhorak, hobbes1069, psampaio
Fixed In Version: sox-14.4.2.0-14.fc26 sox-14.4.2.0-14.fc27
Last Closed: 2018-01-23 21:17:55 UTC
Type: Bug
Attachments: poc_file

Description Liu Zhu 2017-10-11 04:14:46 UTC
Created attachment 1337015
poc_file

Version-Release number of selected component (if applicable):
SoX v14.4.2

How reproducible:

./sox 03-abort out.wav
sox: /root/fuzzing/sox/src/formats.c:227: sox_append_comment: Assertion `comment' failed.
Aborted (core dumped)


The gdb debugging information is listed below:

gdb ./sox /tmp/core.1507694923 
GNU gdb (Ubuntu 7.11.1-0ubuntu1~16.5) 7.11.1
Copyright (C) 2016 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from ./sox...done.
[New LWP 15505]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Core was generated by `./sox 03-abort out.wav'.
Program terminated with signal SIGABRT, Aborted.
#0  0x00007f1580380428 in __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:54
54	../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt
#0  0x00007f1580380428 in __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:54
#1  0x00007f158038202a in __GI_abort () at abort.c:89
#2  0x00007f1580378bd7 in __assert_fail_base (fmt=<optimized out>, assertion=assertion@entry=0x676044 "comment", file=file@entry=0x682f00 "/root/fuzzing/sox/src/formats.c", line=line@entry=227, 
    function=function@entry=0x683a90 <__PRETTY_FUNCTION__.6255> "sox_append_comment") at assert.c:92
#3  0x00007f1580378c82 in __GI___assert_fail (assertion=assertion@entry=0x676044 "comment", file=file@entry=0x682f00 "/root/fuzzing/sox/src/formats.c", line=line@entry=227, function=function@entry=0x683a90 <__PRETTY_FUNCTION__.6255> "sox_append_comment")
    at assert.c:101
#4  0x000000000056d2b5 in sox_append_comment (comments=comments@entry=0x21c9560, comment=0x0) at /root/fuzzing/sox/src/formats.c:227
#5  0x00000000005f471b in decoder_metadata_callback (flac=<optimized out>, metadata=0x7ffcd5007a80, client_data=0x21c9510) at /root/fuzzing/sox/src/flac.c:133
#6  0x00007f1580c29e38 in read_metadata_ (decoder=decoder@entry=0x21caac0) at stream_decoder.c:1511
#7  0x00007f1580c30560 in FLAC__stream_decoder_process_until_end_of_metadata (decoder=0x21caac0) at stream_decoder.c:1054
#8  0x00000000005f3809 in start_read (ft=0x21c9510) at /root/fuzzing/sox/src/flac.c:239
#9  0x00000000005716b5 in open_read (path=<optimized out>, buffer=buffer@entry=0x0, buffer_size=buffer_size@entry=0, signal=signal@entry=0x21c9200, encoding=encoding@entry=0x21c9220, filetype=<optimized out>) at /root/fuzzing/sox/src/formats.c:545
#10 0x0000000000572d7a in sox_open_read (path=<optimized out>, signal=signal@entry=0x21c9200, encoding=encoding@entry=0x21c9220, filetype=<optimized out>) at /root/fuzzing/sox/src/formats.c:585
#11 0x000000000040bbf7 in main (argc=3, argv=0x7ffcd5007f68) at /root/fuzzing/sox/src/sox.c:2945


Additional info:
Name:liuzhu
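
The backtrace above shows sox_append_comment being reached with comment=0x0 from the FLAC metadata callback, where the assertion aborts the process. The following C program is an added illustration of that pattern and of a caller-side check; it is a constructed model, not SoX or libFLAC source and not the Fedora patch. The names tag_t, comments_t, callback_unchecked, callback_checked and fatal_signal are hypothetical, and it is an assumption that a tag without data reaches the callback as a NULL pointer.

```c
/* Constructed model of the crash path in the backtrace; not SoX or libFLAC code. */
#define _POSIX_C_SOURCE 200809L
#undef NDEBUG                      /* keep assert() active, as in the reported build */
#include <assert.h>
#include <signal.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

typedef struct { const char *entry; } tag_t;               /* hypothetical decoded tag */
typedef struct { const char *items[8]; size_t n; } comments_t;

/* Mirrors the failing precondition: the callee asserts on its argument. */
static void append_comment(comments_t *c, const char *comment) {
    assert(comment);
    if (c->n < 8) c->items[c->n++] = comment;
}

/* Unchecked caller: forwards whatever the decoder produced from the file. */
static size_t callback_unchecked(comments_t *c, const tag_t *tags, size_t count) {
    for (size_t i = 0; i < count; i++) append_comment(c, tags[i].entry);
    return c->n;
}

/* Hardened caller: file-derived pointers are validated before the call. */
static size_t callback_checked(comments_t *c, const tag_t *tags, size_t count) {
    for (size_t i = 0; i < count; i++)
        if (tags[i].entry != NULL) append_comment(c, tags[i].entry);
    return c->n;
}

/* Constructed input: the second tag carries no data (assumed to arrive as NULL). */
static const tag_t SAMPLE[] = { {"TITLE=demo"}, {NULL}, {"ARTIST=x"} };

/* Runs one caller in a child process; returns the signal that killed it, or 0. */
static int fatal_signal(size_t (*cb)(comments_t *, const tag_t *, size_t)) {
    pid_t pid = fork();
    if (pid == 0) { comments_t c = {{0}, 0}; cb(&c, SAMPLE, 3); _exit(0); }
    int status = 0;
    if (pid < 0 || waitpid(pid, &status, 0) < 0) return -1;
    return WIFSIGNALED(status) ? WTERMSIG(status) : 0;
}

int main(void) {
    /* Exit 0 when the unchecked path aborts and the checked path survives. */
    return (fatal_signal(callback_unchecked) == SIGABRT &&
            fatal_signal(callback_checked) == 0) ? 0 : 1;
}
```

An assertion is a debugging aid, not input validation: in a build with NDEBUG defined the check disappears and the NULL pointer is used instead, so data parsed from a file needs an explicit check at the caller or in the callee.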

Comment 2 Jiri Kucera 2018-01-03 14:24:59 UTC
Link to commit:

https://src.fedoraproject.org/rpms/sox/c/1c345ef4b817366e86ade0792e3ef81e2e84643a?branch=master

Also merged with f26 and f27 branches.

Comment 3 Fedora Update System 2018-01-03 14:30:45 UTC
sox-14.4.2.0-13.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-448444341e

Comment 4 Fedora Update System 2018-01-03 14:30:52 UTC
sox-14.4.2.0-13.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2018-6ca3df84ad

Comment 5 Fedora Update System 2018-01-03 22:30:37 UTC
sox-14.4.2.0-13.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-448444341e

Comment 6 Fedora Update System 2018-01-03 23:55:20 UTC
sox-14.4.2.0-13.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-6ca3df84ad

Comment 7 Fedora Update System 2018-01-05 11:01:27 UTC
sox-14.4.2.0-13.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-6ca3df84ad

Comment 8 Fedora Update System 2018-01-11 01:00:20 UTC
sox-14.4.2.0-14.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-b528f28c59

Comment 9 Fedora Update System 2018-01-11 01:07:41 UTC
sox-14.4.2.0-14.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2018-b26768593c

Comment 10 Fedora Update System 2018-01-11 13:08:03 UTC
sox-14.4.2.0-13.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-448444341e

Comment 11 Fedora Update System 2018-01-11 23:07:51 UTC
sox-14.4.2.0-13.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-448444341e

Comment 12 Fedora Update System 2018-01-11 23:08:52 UTC
sox-14.4.2.0-14.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-b528f28c59

Comment 13 Fedora Update System 2018-01-11 23:42:43 UTC
sox-14.4.2.0-14.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-b26768593c

Comment 14 Fedora Update System 2018-01-23 21:17:55 UTC
sox-14.4.2.0-14.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.

Comment 15 Fedora Update System 2018-01-23 21:44:56 UTC
sox-14.4.2.0-14.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.