Bug 488361 (CVE-2009-0186)

Summary: CVE-2009-0186 libsndfile: overflows may lead to execution of arbitrary code
Product: [Other] Security Response
Component: vulnerability
Status: CLOSED ERRATA
Severity: high
Priority: high
Version: unspecified
Hardware: All
OS: Linux
Keywords: Security
URL: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0186
Reporter: Vincent Danen <vdanen>
Assignee: Red Hat Product Security <security-response-team>
CC: andreas, mgrigull, michel
Doc Type: Bug Fix
Last Closed: 2010-12-20 22:16:10 UTC
Bug Depends On: 488362, 488363, 488364
Attachments: possible patch to fix CVE-2009-0186 (flags: none)

Description Vincent Danen 2009-03-03 21:50:59 UTC
Quoting Secunia's advisory:

Secunia Research has discovered a vulnerability in libsndfile, which
can be exploited by malicious people to compromise an application
using the library.

The vulnerability is caused by an integer overflow error in the
processing of CAF description chunks. This can be exploited to cause
a heap-based buffer overflow by tricking the user into processing a
specially crafted CAF audio file.

Successful exploitation may allow execution of arbitrary code.

The original advisory can be found here:

http://secunia.com/secunia_research/2009-7/

Verification of the vulnerability was against 1.0.18; 1.0.19 corrects the problem.

Comment 1 Vincent Danen 2009-03-03 21:51:31 UTC
Created libsndfile tracking bugs for this issue

CVE-2009-0186 Affects: F10 [bug #488362]
CVE-2009-0186 Affects: F9 [bug #488363]
CVE-2009-0186 Affects: epel-5 [bug #488364]

Comment 2 Vincent Danen 2009-03-03 22:07:22 UTC
Created attachment 333940 [details]
possible patch to fix CVE-2009-0186

A quick look at the changelog shows:

    * src/caf.c
    Validate channels per frame value before using, fixing a possible integer
    overflow bug, leading to a possible heap overflow. Found by Alin Rad Pop of
    Secunia Research (CVE-2009-0186).

and the patch attached contains the relevant changes that look like they would correct this issue.
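
The changelog entry quoted above says the fix was to validate the channels-per-frame value before using it. The following is an added illustration of what such a check looks like in C; it is example code, not libsndfile's src/caf.c or the attached patch. The field layout is the public CAF Audio Description chunk, while the MAX_CHANNELS bound, the function names and the two sample chunks are assumptions constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical check of a CAF "desc" (Audio Description) chunk; example code,
 * not libsndfile's src/caf.c. Chunk body, all big-endian: f64 sample_rate,
 * u32 format_id, format_flags, bytes_per_packet, frames_per_packet,
 * channels_per_frame, bits_per_channel (32 bytes in total). */
#define CAF_DESC_LEN 32
#define MAX_CHANNELS 256   /* assumed sane upper bound for this example */

typedef struct {
    uint32_t channels_per_frame;
    uint32_t bits_per_channel;
    size_t   bytes_per_frame;   /* product computed only after validation */
} caf_desc_t;
static uint32_t be32(const unsigned char *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}
/* Returns 0 on success, -1 when the chunk is truncated or a field is unsafe. */
int caf_parse_desc(const unsigned char *chunk, size_t len, caf_desc_t *out) {
    if (len < CAF_DESC_LEN) return -1;
    uint32_t channels = be32(chunk + 24);
    uint32_t bits     = be32(chunk + 28);
    /* Validate channels per frame (and bit depth) before any size arithmetic,
     * so an attacker-chosen value cannot wrap the product. */
    if (channels == 0 || channels > MAX_CHANNELS) return -1;
    if (bits == 0 || bits > 64 || bits % 8 != 0) return -1;
    size_t bytes_per_sample = bits / 8;
    if (channels > SIZE_MAX / bytes_per_sample) return -1;  /* explicit guard */
    out->channels_per_frame = channels;
    out->bits_per_channel   = bits;
    out->bytes_per_frame    = (size_t)channels * bytes_per_sample;
    return 0;
}
/* Validated frame size in bytes, or -1 if the chunk was rejected. */
long caf_frame_bytes(const unsigned char *chunk, size_t len) {
    caf_desc_t d;
    return caf_parse_desc(chunk, len, &d) == 0 ? (long)d.bytes_per_frame : -1L;
}

/* Constructed sample chunks (not from any real file): 44100 Hz 'lpcm', 2 ch, 16 bit. */
const unsigned char caf_desc_ok[CAF_DESC_LEN] = {
    0x40,0xE5,0x88,0x80,0,0,0,0, 'l','p','c','m', 0,0,0,0,
    0,0,0,4, 0,0,0,1, 0,0,0,2, 0,0,0,16 };
/* Same chunk with channels_per_frame = 0x40000000, which must be rejected. */
const unsigned char caf_desc_bad[CAF_DESC_LEN] = {
    0x40,0xE5,0x88,0x80,0,0,0,0, 'l','p','c','m', 0,0,0,0,
    0,0,0,4, 0,0,0,1, 0x40,0,0,0, 0,0,0,16 };
```

The point is the ordering: bounds on the header fields are checked first, and the buffer size is derived only from values that have already passed those checks.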

Comment 3 Fedora Update System 2009-12-03 05:03:56 UTC
libsndfile-1.0.20-3.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 4 Fedora Update System 2009-12-03 05:06:53 UTC
libsndfile-1.0.20-3.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 5 Michel Lind 2010-07-03 21:41:28 UTC
Odd, this bug should have been automatically closed. Could someone verify that the problem is fixed?

Comment 6 Vincent Danen 2010-07-05 15:22:20 UTC
There is still a tracker open against EPEL5, which does not look to be fixed.

Comment 7 Michel Lind 2010-07-05 22:04:35 UTC
Thanks. I'll be requesting a fast-track decision to take over the package -- a security bug that only needs updating the EL-5 branch to fix is rather unacceptable.