Bug 1470199 (CVE-2015-9099, CVE-2015-9100, CVE-2017-11720, CVE-2017-13712, CVE-2017-15018, CVE-2017-15019, CVE-2017-15045, CVE-2017-15046, CVE-2017-8419, CVE-2017-9410, CVE-2017-9411, CVE-2017-9412) - CVE-2015-9099 CVE-2015-9100 CVE-2017-11720 CVE-2017-13712 CVE-2017-15018 CVE-2017-15019 CVE-2017-15045 CVE-2017-15046 CVE-2017-9410 CVE-2017-9411 CVE-2017-9412 CVE-2017-8419 lame: Multiple vulnerabilities
Summary: CVE-2015-9099 CVE-2015-9100 CVE-2017-11720 CVE-2017-13712 CVE-2017-15018 CVE-...
Status: CLOSED UPSTREAM
Alias: CVE-2015-9099, CVE-2015-9100, CVE-2017-11720, CVE-2017-13712, CVE-2017-15018, CVE-2017-15019, CVE-2017-15045, CVE-2017-15046, CVE-2017-8419, CVE-2017-9410, CVE-2017-9411, CVE-2017-9412
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=low,public=20150205,reported=2...
Keywords: Security
Depends On: 1470202 1470201
Blocks:
TreeView+ depends on / blocked
 
Reported: 2017-07-12 14:02 UTC by Andrej Nemec
Modified: 2019-06-08 22:06 UTC (History)
4 users (show)

(edit)
Clone Of:
(edit)
Last Closed: 2019-06-08 03:16:21 UTC


Attachments (Terms of Use)
A patch is proposed for Lame 3.99.5 mp3 encoder with CVE ID: 2017-9411 (712 bytes, patch)
2017-08-29 06:35 UTC, Neeraj Pal
no flags Details | Diff

Description Andrej Nemec 2017-07-12 14:02:10 UTC
CVE-2015-9099

The lame_init_params function in lame.c in libmp3lame.a in LAME 3.99.5 allows remote attackers to cause a denial of service (invalid read and application crash) via a crafted audio file with a negative sample rate.

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=775959

CVE-2015-9100

The fill_buffer_resample function in util.c in libmp3lame.a in LAME 3.99.5 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted audio file.

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=777160
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=777161

Comment 1 Andrej Nemec 2017-07-12 14:02:29 UTC
Created lame tracking bugs for this issue:

Affects: epel-all [bug 1470201]
Affects: fedora-all [bug 1470202]

Comment 2 Andrej Nemec 2017-07-27 09:05:25 UTC
Adding multiple vulnerabilities.

CVE-2017-9410

The fill_buffer_resample function in libmp3lame/util.c in LAME 3.99.5 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted wav file. 

CVE-2017-9411

The fill_buffer_resample function in libmp3lame/util.c in LAME 3.99.5 allows remote attackers to cause a denial of service (invalid memory read and application crash) via a crafted wav file. 

CVE-2017-9412

The unpack_read_samples function in frontend/get_audio.c in LAME 3.99.5 allows remote attackers to cause a denial of service (invalid memory read and application crash) via a crafted wav file. 

References:

http://seclists.org/fulldisclosure/2017/Jul/63

Comment 3 Andrej Nemec 2017-07-28 14:47:52 UTC
Adding one more.

CVE-2017-11720

There is a division-by-zero vulnerability in LAME 3.99.5, caused by a malformed input file.

https://sourceforge.net/p/lame/bugs/460/

Comment 4 Neeraj Pal 2017-08-29 06:35 UTC
Created attachment 1319324 [details]
A patch is proposed for Lame 3.99.5 mp3 encoder with CVE ID: 2017-9411

Hello all,

I proposed a patch for bug encountered in Lame version 3.99.5 which already has a CVE-ID: 2017-9411.

Description:
The fill_buffer_resample function in libmp3lame/util.c in LAME 3.99.5 allows remote attackers to cause a denial of service (invalid memory read and application crash) via a crafted wav file.


POC:
lame_3.99.5_invalid_memory_read_1.wav
CVE:
CVE-2017-9411

Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/42390.zip

Comment 5 Andrej Nemec 2017-08-31 14:59:36 UTC
CVE-2017-13712

NULL Pointer Dereference in the id3v2AddAudioDuration function in libmp3lame/id3tag.c in LAME 3.99.5 allows attackers to perform Denial of Service by triggering a NULL first argument. 

https://sourceforge.net/p/lame/bugs/472/

Comment 7 Andrej Nemec 2017-10-06 08:59:09 UTC
CVE-2017-15045

LAME 3.99.5 has a heap-based buffer over-read, a different vulnerability than CVE-2017-9410.

https://sourceforge.net/p/lame/bugs/478/

CVE-2017-15046

LAME 3.99.5 has a stack-based buffer overflow, a different vulnerability than CVE-2017-9412.

https://sourceforge.net/p/lame/bugs/479/

Comment 8 Andrej Nemec 2017-10-10 14:28:22 UTC
CVE-2017-15018

LAME 3.99.5 has a heap-based buffer over-read when handling a malformed file in k_34_4 in vbrquantize.c.

https://sourceforge.net/p/lame/bugs/480/

CVE-2017-15019

LAME 3.99.5 has a NULL Pointer Dereference in the hip_decode_init function within libmp3lame/mpglib_interface.c via a malformed mpg file, because of an incorrect calloc call.

https://sourceforge.net/p/lame/bugs/477/

Comment 9 Andrej Nemec 2017-10-20 07:18:29 UTC
CVE-2017-8419

LAME through 3.99.5 relies on the signed integer data type for values in a WAV or AIFF header, which allows remote attackers to cause a denial of service (stack-based buffer overflow or heap-based buffer overflow) or possibly have unspecified other impact via a crafted file, as demonstrated by mishandling of num_channels. 

https://sourceforge.net/p/lame/bugs/458/

Comment 10 samoht0 2017-10-22 09:57:22 UTC
I opened a bug as there's a new upstream release, that resolves some of the vulnerabilities:
https://bugzilla.redhat.com/show_bug.cgi?id=1505107

Comment 11 Robert Scheck 2017-10-22 21:46:50 UTC
From my point of view, 3.100 fixes all of these CVEs except CVE-2017-15019.
Is that correct?

Comment 12 Product Security DevOps Team 2019-06-08 03:16:21 UTC
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.


Note You need to log in before you can comment on or make changes to this bug.