Bug 470822 (CVE-2008-5008)

Summary: CVE-2008-5008 libsamplerate: buffer overflow on "extreme low conversion ratios"
Product: [Other] Security Response Reporter: Tomas Hoger <thoger>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: hdegoede, lkundrak, vdanen
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
URL: http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5008
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2010-04-21 21:39:16 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
src/src_sinc.c 0.13 -> 0.14 diff none

Description Tomas Hoger 2008-11-10 14:19:05 UTC 
Common Vulnerabilities and Exposures assigned an identifier CVE-2008-5008 to the following vulnerability:

Buffer overflow in src/src_sinc.c in Secret Rabbit Code (aka SRC or
libsamplerate) before 0.1.4, when "extreme low conversion ratios" are
used, allows user-assisted attackers to have an unknown impact via a
crafted audio file.

References:
http://www.openwall.com/lists/oss-security/2008/11/03/6
http://www.mega-nerd.com/SRC/ChangeLog
Comment 1 Tomas Hoger 2008-11-10 14:22:05 UTC 
Created attachment 323069 [details]
src/src_sinc.c 0.13 -> 0.14 diff

Only change in src/src_sinc.c between 0.13 and 0.14.

I haven't looked closely whether this is over-write or over-read only.
Comment 2 Hans de Goede 2008-11-11 08:55:05 UTC 
I do not believe this bufferoverflow is something which can be triggered remotely, not even by a crafted file.

Never the less I've updated F-8 and F-9 cvs to the latest upstream (F-10 and later already has that), which fixes this and is ABI compatible, and I've done builds of this:
libsamplerate-0.1.4-1.fc9 Tag: dist-f9-updates-candidate:
http://koji.fedoraproject.org/koji/buildinfo?buildID=69053
libsamplerate-0.1.4-1.fc8 Tag: dist-f8-updates-candidate:
http://koji.fedoraproject.org/koji/buildinfo?buildID=69056

Although I do not expect any problems from these updates, given the low if any security impact of this I would prefer to see this pushed to the repo through updates-testing if pushed at all.
Comment 3 Tomas Hoger 2008-11-14 08:07:24 UTC 
Hans, thanks for checking.  I'll fully trust your judgement here, as you surely know the code much better as long-term maintainer of this package.  If you decide to submit anyway, feel free to do it via testing first.
Comment 4 Vincent Danen 2010-04-21 21:39:16 UTC 
I'm going to close this.  Current Fedora has 0.1.6 or newer, although EPEL5 has 0.1.2.  However, if we do not believe this can be triggered at all, then we should not classify this as a security issue.