Bug 1499599 - libextract Divide-By-Zero Denial of Service Vulnerability
Summary: libextract Divide-By-Zero Denial of Service Vulnerability
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: libextractor
Version: 27
Hardware: Unspecified
OS: Linux
Priority: unspecified
Severity: high
Target Milestone: ---
Assignee: Gwyn Ciesla
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Keywords:
Depends On:
Blocks:
 
Reported: 2017-10-09 02:51 UTC by Leon
Modified: 2017-11-11 02:59 UTC (History)
Clone Of:
Last Closed: 2017-10-30 16:18:20 UTC


Attachments
POC file that crashes extract (16.02 KB, audio/x-wav)
2017-10-09 02:51 UTC, Leon

Description Leon 2017-10-09 02:51:09 UTC
Created attachment 1336093 [details]
POC file that crashes extract

Description of problem:
In the 'EXTRACTOR_wav_extract_method' function of wav_extractor.c, the program does not check the value of sample_rate; with a crafted file, sample_rate can be set to zero.

Version-Release number of selected component (if applicable):
v1.4

How reproducible:
./extract -i $poc

Steps to Reproduce:
The output of gdb:
Reading symbols from /opt/asan/bin/extract...done.
(gdb) set args -i extract-wav_extractor-119.dos 
(gdb) run
Starting program: /opt/asan/bin/extract -i extract-wav_extractor-119.dos 
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Keywords for file extract-wav_extractor-119.dos:
Program received signal SIGFPE, Arithmetic exception.
0x00007ffff1c242fe in EXTRACTOR_wav_extract_method (ec=0x7fffffffa070) at wav_extractor.c:119
119                 : (samples / sample_rate) * 1000,
(gdb) p sample_rate
$1 = 0
(gdb) bt
#0  0x00007ffff1c242fe in EXTRACTOR_wav_extract_method (ec=0x7fffffffa070) at wav_extractor.c:119
#1  0x00007ffff6c09793 in do_extract (plugins=0x60800000b520, shm=0x0, ds=0x60300000ec20, proc=0x40255a <print_selected_keywords>, proc_cls=0x0) at extractor.c:577
#2  0x00007ffff6c09b99 in EXTRACTOR_extract (plugins=0x60800000b520, filename=0x60800000be59 "extract-wav_extractor-119.dos", data=0x0, size=0, 
    proc=0x40255a <print_selected_keywords>, proc_cls=0x0) at extractor.c:655
#3  0x00000000004044ca in main (argc=3, argv=0x7fffffffe4d8) at extract.c:977
(gdb) l
114       snprintf (scratch,
115                 sizeof (scratch),
116                 "%u ms, %d Hz, %s",
117                 (samples < sample_rate)
118                 ? (samples * 1000 / sample_rate)
119                 : (samples / sample_rate) * 1000,
120                 sample_rate, (1 == channels) ? _("mono") : _("stereo"));
121       if (0 != ec->proc (ec->cls, 
122                          "wav",
123                          EXTRACTOR_METATYPE_RESOURCE_TYPE,
(gdb) 

Actual results:
crash (Floating point exception)

Expected results:
crash (Floating point exception)

Additional info:
This vulnerability was detected by Zhao Liang, Huawei Weiran Labs.
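
The duration arithmetic from the gdb listing above (lines 117-119 of wav_extractor.c), reproduced as an added example that is not libextractor's own code: a small header parser that computes the same "(samples / sample_rate) * 1000" value but rejects a zero sample_rate (and a zero frame size) before dividing, which is the check the report says is missing. It assumes the canonical 44-byte RIFF/WAVE PCM header layout; the header buffers it parses are constructed by build_wav_header, not the attached PoC.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Added example, not libextractor's code. Mirrors the duration formula at
 * wav_extractor.c:119 from the report and adds the missing sample_rate
 * check. Assumes the canonical 44-byte PCM header; buffers are constructed. */

static uint32_t rd32(const unsigned char *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static uint16_t rd16(const unsigned char *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static void wr32(unsigned char *p, uint32_t v) {
    p[0] = v & 0xff; p[1] = (v >> 8) & 0xff; p[2] = (v >> 16) & 0xff; p[3] = (v >> 24) & 0xff;
}

/* Duration in ms, or -1 for a malformed header. The unpatched code reached
 * the division below with sample_rate == 0 and died with SIGFPE. */
long wav_duration_ms(const unsigned char *buf, size_t len) {
    if (len < 44 || memcmp(buf, "RIFF", 4) != 0 ||
        memcmp(buf + 8, "WAVE", 4) != 0 || memcmp(buf + 12, "fmt ", 4) != 0)
        return -1;
    uint16_t channels = rd16(buf + 22);
    uint32_t sample_rate = rd32(buf + 24);
    uint16_t bits = rd16(buf + 34);
    uint32_t data_size = rd32(buf + 40);   /* taken from the header, not from len */
    uint32_t bytes_per_frame = (uint32_t)channels * (bits / 8);
    /* Reject the zero values a crafted file can carry before any division. */
    if (sample_rate == 0 || bytes_per_frame == 0)
        return -1;
    uint64_t samples = data_size / bytes_per_frame;
    /* Same two-branch formula as the gdb listing (lines 117-119), now guarded. */
    return (samples < sample_rate) ? (long)(samples * 1000 / sample_rate)
                                   : (long)((samples / sample_rate) * 1000);
}

/* Builds a 44-byte PCM header from constructed field values (test input). */
void build_wav_header(unsigned char out[44], uint32_t sample_rate,
                      uint16_t channels, uint16_t bits, uint32_t data_size) {
    memset(out, 0, 44);
    memcpy(out, "RIFF", 4); memcpy(out + 8, "WAVE", 4); memcpy(out + 12, "fmt ", 4);
    out[16] = 16; out[20] = 1;                 /* fmt chunk size, PCM format tag */
    out[22] = channels & 0xff; out[23] = channels >> 8;
    wr32(out + 24, sample_rate);
    out[34] = bits & 0xff; out[35] = bits >> 8;
    memcpy(out + 36, "data", 4); wr32(out + 40, data_size);
}
```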

Comment 1 Fedora Update System 2017-10-20 13:00:43 UTC
libextractor-1.6-1.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2017-8cca61e2fa

Comment 2 Fedora Update System 2017-10-20 13:01:04 UTC
libextractor-1.6-1.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-4a42419c16

Comment 3 Fedora Update System 2017-10-20 13:01:19 UTC
libextractor-1.6-1.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2017-611d7cc98b

Comment 4 Fedora Update System 2017-10-21 19:29:36 UTC
libextractor-1.6-1.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-611d7cc98b

Comment 5 Fedora Update System 2017-10-22 02:25:41 UTC
libextractor-1.6-1.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-4a42419c16

Comment 6 Fedora Update System 2017-10-22 03:25:04 UTC
libextractor-1.6-1.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-8cca61e2fa

Comment 7 Fedora Update System 2017-10-30 16:18:20 UTC
libextractor-1.6-1.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.

Comment 8 Fedora Update System 2017-10-30 16:28:25 UTC
libextractor-1.6-1.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.

Comment 9 Fedora Update System 2017-11-11 02:59:51 UTC
libextractor-1.6-1.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.

