Bug 1610609 (CVE-2018-14523)
| Summary: | CVE-2018-14523 aubio: buffer over-read in pitch/pitchyinfft.c:new_aubio_pitchyinfft() | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Sam Fowler <sfowler> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED UPSTREAM | QA Contact: | |
| Severity: | low | Docs Contact: | |
| Priority: | low | ||
| Version: | unspecified | CC: | brendan.jones.it, green, nphilipp |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2019-06-10 10:34:38 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1610611 | ||
| Bug Blocks: | |||
|
Description
Sam Fowler
2018-08-01 03:51:25 UTC
Reproduced with aubio-0.4.2-8.fc28.x86_64:
# aubionotes testcase2 2>&1 | ./asan_symbolizer.py -d
=================================================================
==70==ERROR: AddressSanitizer: global-buffer-overflow on address 0x000000436f08 at pc 0x000000421379 bp 0x7ffff1b85950 sp 0x7ffff1b85940
READ of size 4 at 0x000000436f08 thread T0
#0 0x421378 in new_aubio_pitchyinfft /usr/src/debug/aubio-0.4.2-8.fc28.x86_64/build/../src/pitch/pitchyinfft.c:73
#1 0x418397 in new_aubio_pitch /usr/src/debug/aubio-0.4.2-8.fc28.x86_64/build/../src/pitch/pitch.c:181
#2 0x404598 in main /usr/src/debug/aubio-0.4.2-8.fc28.x86_64/build/../examples/aubionotes.c:143
#3 0x7f28b733524a in __libc_start_main (/lib64/libc.so.6+0x2324a)
#3 0x4022f9 in ?? ??:0
0x000000436f08 is located 0 bytes to the right of global variable 'freqs' defined in '../src/pitch/pitchyinfft.c:43:21' (0x436e80) of size 136
0x000000436f08 is located 56 bytes to the left of global variable 'weight' defined in '../src/pitch/pitchyinfft.c:50:21' (0x436f40) of size 136
SUMMARY: AddressSanitizer: global-buffer-overflow (/usr/bin/aubionotes+0x421378)
Shadow bytes around the buggy address:
0x00008007ed90: 00 00 00 00 00 00 00 00 00 00 00 00 00 f9 f9 f9
0x00008007eda0: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00
0x00008007edb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x00008007edc0: 00 01 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00
0x00008007edd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x00008007ede0: 00[f9]f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00
0x00008007edf0: 00 00 00 00 00 00 00 00 00 f9 f9 f9 f9 f9 f9 f9
0x00008007ee00: 00 01 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00
0x00008007ee10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x00008007ee20: 00 00 00 00 00 00 00 f9 f9 f9 f9 f9 00 00 00 00
0x00008007ee30: 00 00 00 03 f9 f9 f9 f9 00 00 00 00 00 00 00 07
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==70==ABORTING
Created aubio tracking bugs for this issue: Affects: fedora-all [bug 1610611] This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products. |