Bug 1600367 - (CVE-2018-13440) CVE-2018-13440 audiofile: NULL pointer dereference in modules/ModuleState.cpp:ModuleState::setup() allows for denial of service via crafted file
Status: NEW
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Assigned To: Red Hat Product Security
Whiteboard: impact=low,public=20180707,reported=2...
Keywords: Security
Depends On: 1600368 1600369 1601014
Blocks: 1600371
Reported: 2018-07-12 01:45 EDT by Sam Fowler
Modified: 2018-07-13 11:40 EDT
Description Sam Fowler 2018-07-12 01:45:25 EDT
The Audio File Library through version 0.3.6 is vulnerable to a NULL pointer dereference in the modules/ModuleState.cpp:ModuleState::setup() function. An attacker could exploit this to cause a denial of service via a crafted CAF file.


Upstream Issue:

https://github.com/mpruett/audiofile/issues/49
Comment 1 Sam Fowler 2018-07-12 01:45:51 EDT
Created audiofile tracking bugs for this issue:

Affects: fedora-all [bug 1600368]
Comment 3 Sam Fowler 2018-07-12 01:55:40 EDT
Reproduced with audiofile-0.3.6-15.fc27.x86_64 on F27:

sh-4.4# ASAN_OPTIONS=allocator_may_return_null=1 sfconvert poc output format aiff 2>&1 | ./asan_symbolize.py -d
Audio File Library: IMA type not set [error 47]
ASAN:DEADLYSIGNAL
=================================================================
==116==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f032234d3ef bp 0x7ffcc09153f0 sp 0x7ffcc0915240 T0)
==116==The signal is caused by a READ memory access.
==116==Hint: address points to the zero page.
    #0 0x7f032234d3ee in ModuleState::setup(_AFfilehandle*, Track*) /usr/src/debug/audiofile-0.3.6-15.fc27.x86_64/libaudiofile/modules/ModuleState.cpp:143
    #1 0x7f032234d3ee in ?? ??:0
    #1 0x7f0322337a1a in afGetFrameCount (/lib64/libaudiofile.so.1+0x69a1a)
    #2 0x402bfd in ?? /usr/src/debug/audiofile-0.3.6-15.fc27.x86_64/sfcommands/sfconvert.c:359
    #3 0x402bfd in ?? ??:0
    #4 0x402844 in ?? /usr/src/debug/audiofile-0.3.6-15.fc27.x86_64/sfcommands/sfconvert.c:275
    #5 0x402844 in ?? ??:0
    #4 0x7f0321cdff29 in __libc_start_main (/lib64/libc.so.6+0x20f29)
    #6 0x401529 in ?? ??:0
    #7 0x401529 in ?? ??:0

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/lib64/libaudiofile.so.1+0x7f3ee)
==116==ABORTING
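The reproduction above ends in a raw AddressSanitizer report, and the features that make it a NULL pointer dereference rather than some other memory error are scattered across several lines: the `SEGV` header, the faulting address `0x000000000000`, the "zero page" hint, the READ access type, and the first frame that resolves to a source file and line. The following script, added here as a worked example (it is not part of this bug entry, of the reporter's tooling, or of audiofile), parses such a report into a small triage record. The sample report is a constructed excerpt modelled on the trace in Comment 3; `ZERO_PAGE_LIMIT` and the classification rule (SEGV at an address below 0x1000 counts as a NULL or NULL-plus-offset dereference) are assumptions of this example.

```python
"""Triage helper for AddressSanitizer SEGV reports (added example)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample, abbreviated from the trace in Comment 3. Frame numbers
# are kept exactly as the symbolizer printed them, duplicate "#1" included.
SAMPLE_REPORT = """\
Audio File Library: IMA type not set [error 47]
ASAN:DEADLYSIGNAL
=================================================================
==116==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f032234d3ef bp 0x7ffcc09153f0 sp 0x7ffcc0915240 T0)
==116==The signal is caused by a READ memory access.
==116==Hint: address points to the zero page.
    #0 0x7f032234d3ee in ModuleState::setup(_AFfilehandle*, Track*) /usr/src/debug/audiofile-0.3.6-15.fc27.x86_64/libaudiofile/modules/ModuleState.cpp:143
    #1 0x7f032234d3ee in ?? ??:0
    #1 0x7f0322337a1a in afGetFrameCount (/lib64/libaudiofile.so.1+0x69a1a)
    #2 0x402bfd in ?? /usr/src/debug/audiofile-0.3.6-15.fc27.x86_64/sfcommands/sfconvert.c:359
SUMMARY: AddressSanitizer: SEGV (/lib64/libaudiofile.so.1+0x7f3ee)
==116==ABORTING
"""

# Assumption: the first page of the address space is unmapped, so any fault
# below this limit is a dereference of NULL (or of a small offset from it).
ZERO_PAGE_LIMIT = 0x1000

ERROR_RE = re.compile(
    r"==(?P<pid>\d+)==ERROR: AddressSanitizer: (?P<kind>\S+) on "
    r"(?:unknown )?address 0x(?P<addr>[0-9a-fA-F]+)"
)
ACCESS_RE = re.compile(r"The signal is caused by a (?P<access>READ|WRITE) memory access")
# Function names may contain spaces (C++ signatures); the location is the last token.
FRAME_RE = re.compile(r"^\s*#(?P<num>\d+) 0x(?P<pc>[0-9a-fA-F]+) in (?P<func>.+?) (?P<loc>\S+)$")


@dataclass
class Frame:
    num: int
    pc: int
    func: str
    loc: str

    def source(self) -> Optional[Tuple[str, int]]:
        """(file, line) when the symbolizer resolved this frame, else None."""
        m = re.match(r"^(?P<file>.+):(?P<line>\d+)$", self.loc)
        if not m or m.group("file") == "??":
            return None
        return m.group("file"), int(m.group("line"))


@dataclass
class Triage:
    pid: int
    kind: str
    address: int
    access: Optional[str]
    frames: List[Frame]

    @property
    def null_deref(self) -> bool:
        """A SEGV inside the zero page is the signature of a NULL dereference."""
        return self.kind == "SEGV" and self.address < ZERO_PAGE_LIMIT

    def first_source_frame(self) -> Optional[Frame]:
        """Innermost frame with a resolved file:line (skips '??' and bare module+offset)."""
        return next((f for f in self.frames if f.source() is not None), None)

    def summary(self) -> str:
        fr = self.first_source_frame()
        where = f"{fr.func} at {fr.source()[0]}:{fr.source()[1]}" if fr else "unresolved frame"
        cls = "NULL pointer dereference" if self.null_deref else self.kind
        return f"{cls} ({self.access or 'unknown'} access) in {where}"


def parse_asan_report(text: str) -> Optional[Triage]:
    """Parse one ASan report; returns None when no ERROR header is present."""
    pid = kind = addr = None
    access = None
    frames: List[Frame] = []
    for line in text.splitlines():
        if (m := ERROR_RE.search(line)):
            pid, kind, addr = int(m["pid"]), m["kind"], int(m["addr"], 16)
        elif (m := ACCESS_RE.search(line)):
            access = m["access"]
        elif (m := FRAME_RE.match(line)):
            frames.append(Frame(int(m["num"]), int(m["pc"], 16), m["func"], m["loc"]))
    if kind is None:
        return None
    return Triage(pid, kind, addr, access, frames)


if __name__ == "__main__":
    print(parse_asan_report(SAMPLE_REPORT).summary())
```

Run on the sample, the script reports a NULL pointer dereference on a READ access in `ModuleState::setup` at `ModuleState.cpp:143`, which is the same conclusion the reporter drew by hand; the unresolved `??` frame and the module-plus-offset frame are skipped when choosing the frame to report, so the same parser works on reports where the innermost frame is not symbolized.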
Comment 6 Scott Gayou 2018-07-13 11:09:02 EDT
RHEL7 segfaults with the POC. RHEL5/6 do not appear vulnerable as the version of audiofile shipped did not yet support CAFF files. See units.c in RHEL5/6 and units.cpp in RHEL7 release.
Comment 8 Scott Gayou 2018-07-13 11:12:35 EDT
Statement:

Red Hat Product Security has rated this issue as having a security impact of Low, and a future update may address this flaw.
