Bug 1600367 (CVE-2018-13440) - CVE-2018-13440 audiofile: NULL pointer dereference in modules/ModuleState.cpp:ModuleState::setup() allows for denial of service via crafted file
Status: NEW
Alias: CVE-2018-13440
Product: Security Response
Classification: Other
Component: vulnerability   
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
Whiteboard: impact=low,public=20180707,reported=2...
Keywords: Security
Depends On: 1601014 1600368 1600369
Blocks: 1600371
Reported: 2018-07-12 05:45 UTC by Sam Fowler
Modified: 2018-07-13 15:40 UTC (History)

Description Sam Fowler 2018-07-12 05:45:25 UTC
The Audio File Library through version 0.3.6 is vulnerable to a NULL pointer dereference in the modules/ModuleState.cpp:ModuleState::setup() function. An attacker could exploit this to cause a denial of service via a crafted CAF file.


Upstream Issue:

https://github.com/mpruett/audiofile/issues/49

Comment 1 Sam Fowler 2018-07-12 05:45:51 UTC
Created audiofile tracking bugs for this issue:

Affects: fedora-all [bug 1600368]

Comment 3 Sam Fowler 2018-07-12 05:55:40 UTC
Reproduced with audiofile-0.3.6-15.fc27.x86_64 on F27:

sh-4.4# ASAN_OPTIONS=allocator_may_return_null=1 sfconvert poc output format aiff 2>&1 | ./asan_symbolize.py -d
Audio File Library: IMA type not set [error 47]
ASAN:DEADLYSIGNAL
=================================================================
==116==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f032234d3ef bp 0x7ffcc09153f0 sp 0x7ffcc0915240 T0)
==116==The signal is caused by a READ memory access.
==116==Hint: address points to the zero page.
    #0 0x7f032234d3ee in ModuleState::setup(_AFfilehandle*, Track*) /usr/src/debug/audiofile-0.3.6-15.fc27.x86_64/libaudiofile/modules/ModuleState.cpp:143
    #1 0x7f032234d3ee in ?? ??:0
    #1 0x7f0322337a1a in afGetFrameCount (/lib64/libaudiofile.so.1+0x69a1a)
    #2 0x402bfd in ?? /usr/src/debug/audiofile-0.3.6-15.fc27.x86_64/sfcommands/sfconvert.c:359
    #3 0x402bfd in ?? ??:0
    #4 0x402844 in ?? /usr/src/debug/audiofile-0.3.6-15.fc27.x86_64/sfcommands/sfconvert.c:275
    #5 0x402844 in ?? ??:0
    #4 0x7f0321cdff29 in __libc_start_main (/lib64/libc.so.6+0x20f29)
    #6 0x401529 in ?? ??:0
    #7 0x401529 in ?? ??:0

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/lib64/libaudiofile.so.1+0x7f3ee)
==116==ABORTING

Comment 6 Scott Gayou 2018-07-13 15:09:02 UTC
RHEL7 segfaults with the POC. RHEL5/6 do not appear vulnerable as the version of audiofile shipped did not yet support CAFF files. See units.c in RHEL5/6 and units.cpp in RHEL7 release.

Comment 8 Scott Gayou 2018-07-13 15:12:35 UTC
Statement:

Red Hat Product Security has rated this issue as having a security impact of Low, and a future update may address this flaw.
