Bug 1631054 (CVE-2018-17097)

Summary: CVE-2018-17097 soundtouch: Out-of-bounds heap write in WavOutFile::write()
Product: [Other] Security Response Reporter: Pedro Sampaio <psampaio>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: dtimms, hdegoede, otte
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-10-25 22:17:55 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1631056, 1631057, 1631059    
Bug Blocks: 1631058    

Description Pedro Sampaio 2018-09-19 20:04:10 UTC 
The WavFileBase class in WavFile.cpp in Olli Parviainen SoundTouch 2.0 allows remote attackers to cause a denial of service (double free) or possibly have unspecified other impact, as demonstrated by SoundStretch.

Upstream issue:

https://gitlab.com/soundtouch/soundtouch/issues/14

References:

https://github.com/TeamSeri0us/pocs/tree/master/soundtouch/2018_09_03
Comment 1 Pedro Sampaio 2018-09-19 20:04:45 UTC 
Created soundtouch tracking bugs for this issue:

Affects: epel-6 [bug 1631057]
Affects: fedora-all [bug 1631056]
Comment 3 Adam Mariš 2018-10-22 15:02:36 UTC 
This is not double free in fact, it is actually off-by-one error that happens in WavOutFile::write(float*, int) function:

        case 3:
        {
            char *temp2 = (char *)temp;
            for (int i = 0; i < numElems; i ++)
            {
                int value = saturate(buffer[i] * 8388608.0f, -8388608.0f, 8388607.0f);
                *((int*)temp2) = _swap32(value);
                temp2 += 3;
            }
            break;

temp is allocated with size numElems * 3. In the last loop when i == numElems - 1, int value is stored into temp2 which on most architectures has 4 bytes, therefore the last byte is written out of bounds, which overwrites the PREV_INUSE bit in next chunk. When convBuff is later freed, glibc finds that PREV_INUSE bit is clear, triggering double free detection as a result.
Comment 4 Adam Mariš 2018-10-22 15:02:44 UTC 
Statement:

This issue did not affect the versions of soundtouch as shipped with Red Hat Enterprise Linux 7 as they did not include the vulnerable code.
Comment 5 Sergio Basto 2018-10-22 15:34:33 UTC 
hi, can you provide a patch to apply in source code ? please 

Upstream still not solve the problem [1] 

Thanks.

[1] 
https://gitlab.com/soundtouch/soundtouch/issues/14
Comment 6 Adam Mariš 2018-11-05 16:01:36 UTC 
Upstream patch:

https://gitlab.com/soundtouch/soundtouch/commit/7f594f8b7d10bbc16a4a31de8ec5a279af9c7378

(https://gitlab.com/soundtouch/soundtouch/commit/09e04252dde9ef02a7d254315b13089996afe302 - this was the previous attempt to fix which was found incomplete)