Bug 1659638 (CVE-2018-19758)

Summary: CVE-2018-19758 libsndfile: heap-based buffer over-read at wav.c in wav_write_header
Product: [Other] Security Response Reporter: Laura Pardo <lpardo>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: mhlavink
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-10-27 03:19:23 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1659639, 1673297, 1673298    
Bug Blocks: 1659634    

Description Laura Pardo 2018-12-14 20:49:12 UTC
There is a heap-based buffer over-read at wav.c in wav_write_header in libsndfile 1.0.28 that will cause a denial of service. 


References:
https://bugzilla.redhat.com/show_bug.cgi?id=1643812

Comment 1 Laura Pardo 2018-12-14 20:49:25 UTC
Created libsndfile tracking bugs for this issue:

Affects: fedora-all [bug 1659639]

Comment 3 Riccardo Schirone 2019-02-07 08:38:05 UTC
Upstream issue:
https://github.com/erikd/libsndfile/issues/435

Comment 4 Riccardo Schirone 2019-02-07 09:21:32 UTC
Function wav_write_header() in wav.c iterates through the `loops` array for an amount of times read from the file itself. However, this value is not correctly checked and the library can read beyond the limits of the `loops` array, possibly making the application crash.

However, I believe the proposed fix for this CVE is not complete and it still allows to read outside the bounds of the loops array.
Upstream has been informed of the issue through https://github.com/erikd/libsndfile/issues/456 .

Comment 7 Riccardo Schirone 2019-02-14 10:08:43 UTC
See bug 1677216 for the new flaw created because of the incomplete fix of CVE-2018-19758.