Bug 1631088 (CVE-2018-17095)

Summary: CVE-2018-17095 audiofile: Heap-based buffer overflow in Expand3To4Module::run() when running sfconvert
Product: [Other] Security Response Reporter: Pedro Sampaio <psampaio>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: ajax, alexl, gwync, john.j5live, mclasen, rhughes, rstrode, sandmann, wtaymans
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-09-29 21:57:20 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1631089, 1637128    
Bug Blocks: 1631090    

Description Pedro Sampaio 2018-09-19 20:48:43 UTC 
An issue has been discovered in mpruett Audio File Library (aka audiofile) 0.3.6. A heap-based buffer overflow in Expand3To4Module::run has occurred when running sfconvert.

Upstream issues:

https://github.com/mpruett/audiofile/issues/50
https://github.com/mpruett/audiofile/issues/51
Comment 1 Pedro Sampaio 2018-09-19 20:49:11 UTC 
Created audiofile tracking bugs for this issue:

Affects: fedora-all [bug 1631089]
Comment 2 Scott Gayou 2018-10-08 16:14:48 UTC 
Upstream Patch:
https://github.com/wtay/audiofile/commit/822b732fd31ffcb78f6920001e9b1fbd815fa712
Comment 4 Scott Gayou 2018-10-08 16:49:46 UTC 
Upstream has two issues for what appears to be the exact same flaw.

See test1 run:

```
Audio File Library: file missing data -- read 0 frames, should be 5 [error 5]
==18400== Invalid write of size 4
==18400==    at 0x4E55C07: ??? (in /usr/lib64/libaudiofile.so.1.0.0)
==18400==    by 0x4E4C8E2: afReadFrames (in /usr/lib64/libaudiofile.so.1.0.0)
==18400==    by 0x401E4D: ??? (in /usr/bin/sfconvert)
==18400==    by 0x40162D: ??? (in /usr/bin/sfconvert)
==18400==    by 0x50913D4: (below main) (in /usr/lib64/libc-2.17.so)
```

and test2 run:
```
Audio File Library: file missing data -- read 0 frames, should be 5 [error 5]
==18402== Invalid write of size 4
==18402==    at 0x4E55C07: ??? (in /usr/lib64/libaudiofile.so.1.0.0)
==18402==    by 0x4E4C8E2: afReadFrames (in /usr/lib64/libaudiofile.so.1.0.0)
==18402==    by 0x401E4D: ??? (in /usr/bin/sfconvert)
==18402==    by 0x40162D: ??? (in /usr/bin/sfconvert)
==18402==    by 0x50913D4: (below main) (in /usr/lib64/libc-2.17.so)
```
Comment 6 errata-xmlrpc 2020-09-29 19:29:38 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:3877 https://access.redhat.com/errata/RHSA-2020:3877
Comment 7 Product Security DevOps Team 2020-09-29 21:57:20 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2018-17095