Bug 1659638 (CVE-2018-19758)
Summary: | CVE-2018-19758 libsndfile: heap-based buffer over-read at wav.c in wav_write_header | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Laura Pardo <lpardo> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | low | Docs Contact: | |
Priority: | low | ||
Version: | unspecified | CC: | mhlavink |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | If docs needed, set a value | |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2021-10-27 03:19:23 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 1659639, 1673297, 1673298 | ||
Bug Blocks: | 1659634 |
Description
Laura Pardo
2018-12-14 20:49:12 UTC
Created libsndfile tracking bugs for this issue: Affects: fedora-all [bug 1659639] Upstream issue: https://github.com/erikd/libsndfile/issues/435 Function wav_write_header() in wav.c iterates through the `loops` array for an amount of times read from the file itself. However, this value is not correctly checked and the library can read beyond the limits of the `loops` array, possibly making the application crash. However, I believe the proposed fix for this CVE is not complete and it still allows to read outside the bounds of the loops array. Upstream has been informed of the issue through https://github.com/erikd/libsndfile/issues/456 . See bug 1677216 for the new flaw created because of the incomplete fix of CVE-2018-19758. |