Bug 1677216 (CVE-2019-3832)

Summary: CVE-2019-3832 libsndfile: incomplete fix for CVE-2018-19758 still allow to read beyond buffer limits
Product: [Other] Security Response Reporter: Riccardo Schirone <rschiron>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: NEW --- QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: abhgupta, andreas, dbaker, jokerman, mhlavink, sthangav, trankin
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Fixed In Version: Doc Type: ---
Doc Text:
It was discovered the fix for CVE-2018-19758 was not complete and still allows a read beyond the limits of a buffer in wav_write_header() function in wav.c. A local attacker may use this flaw to make the application crash.
Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 1677219, 1677220, 1677221    
Bug Blocks: 1677222    

Description Riccardo Schirone 2019-02-14 10:01:18 UTC
It was discovered the fix for CVE-2018-19758 is not complete and it still allows to read beyond the limit of the buffer in function wav_write_header() in wav.c. Function wav_write_header() iterates through the `loops` array for an amount of times read from the file itself. However, this value is not correctly checked and the library can read beyond the limits of the `loops` array, possibly making the application crash.

Upstream issue:

Comment 1 Riccardo Schirone 2019-02-14 10:01:21 UTC

Name: Riccardo Schirone (Red Hat)

Comment 2 Riccardo Schirone 2019-02-14 10:02:46 UTC
Created libsndfile tracking bugs for this issue:

Affects: fedora-all [bug 1677219]

Comment 7 Riccardo Schirone 2019-03-05 11:09:35 UTC
A PR has been submitted upstream to fix this issue: https://github.com/erikd/libsndfile/pull/460