Bug 1600367 (CVE-2018-13440) - CVE-2018-13440 audiofile: NULL pointer dereference in ModuleState::setup() in modules/ModuleState.cpp allows for denial of service via crafted file
Summary: CVE-2018-13440 audiofile: NULL pointer dereference in ModuleState::setup() in...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2018-13440
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1600368 1600369 1601014
Blocks: 1600371
TreeView+ depends on / blocked
 
Reported: 2018-07-12 05:45 UTC by Sam Fowler
Modified: 2021-02-16 23:59 UTC (History)
8 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-09-29 21:57:12 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2020:3877 0 None None None 2020-09-29 19:29:54 UTC

Description Sam Fowler 2018-07-12 05:45:25 UTC 
The Audio File Library through version 0.3.6 is vulnerable to a NULL pointer dereference in the modules/ModuleState.cpp:ModuleState::setup() function. An attacker could exploit this to cause a denial of service via crafted caf file.


Upstream Issue:

https://github.com/mpruett/audiofile/issues/49
Comment 1 Sam Fowler 2018-07-12 05:45:51 UTC 
Created audiofile tracking bugs for this issue:

Affects: fedora-all [bug 1600368]
Comment 3 Sam Fowler 2018-07-12 05:55:40 UTC 
Reproduced with audiofile-0.3.6-15.fc27.x86_64 on F27:

sh-4.4# ASAN_OPTIONS=allocator_may_return_null=1 sfconvert poc output format aiff 2>&1 | ./asan_symbolize.py -d
Audio File Library: IMA type not set [error 47]
ASAN:DEADLYSIGNAL
=================================================================
==116==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f032234d3ef bp 0x7ffcc09153f0 sp 0x7ffcc0915240 T0)
==116==The signal is caused by a READ memory access.
==116==Hint: address points to the zero page.
    #0 0x7f032234d3ee in ModuleState::setup(_AFfilehandle*, Track*) /usr/src/debug/audiofile-0.3.6-15.fc27.x86_64/libaudiofile/modules/ModuleState.cpp:143
    #1 0x7f032234d3ee in ?? ??:0
    #1 0x7f0322337a1a in afGetFrameCount (/lib64/libaudiofile.so.1+0x69a1a)
    #2 0x402bfd in ?? /usr/src/debug/audiofile-0.3.6-15.fc27.x86_64/sfcommands/sfconvert.c:359
    #3 0x402bfd in ?? ??:0
    #4 0x402844 in ?? /usr/src/debug/audiofile-0.3.6-15.fc27.x86_64/sfcommands/sfconvert.c:275
    #5 0x402844 in ?? ??:0
    #4 0x7f0321cdff29 in __libc_start_main (/lib64/libc.so.6+0x20f29)
    #6 0x401529 in ?? ??:0
    #7 0x401529 in ?? ??:0

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/lib64/libaudiofile.so.1+0x7f3ee)
==116==ABORTING
Comment 6 Scott Gayou 2018-07-13 15:09:02 UTC 
RHEL7 segfaults with the POC. RHEL5/6 do not appear vulnerable as the version of audiofile shipped did not yet support CAFF files. See units.c in RHEL5/6 and units.cpp in RHEL7 release.
Comment 8 Scott Gayou 2018-07-13 15:12:35 UTC 
Statement:

Red Hat Product Security has rated this issue as having a security impact of Low, and a future update may address this flaw.
Comment 10 errata-xmlrpc 2020-09-29 19:29:43 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:3877 https://access.redhat.com/errata/RHSA-2020:3877
Comment 11 Product Security DevOps Team 2020-09-29 21:57:12 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2018-13440
Note You need to log in before you can comment on or make changes to this bug.