An issue has been discovered in mpruett Audio File Library (aka audiofile) 0.3.6. A heap-based buffer overflow in Expand3To4Module::run has occurred when running sfconvert. Upstream issues: https://github.com/mpruett/audiofile/issues/50 https://github.com/mpruett/audiofile/issues/51
Created audiofile tracking bugs for this issue: Affects: fedora-all [bug 1631089]
Upstream Patch: https://github.com/wtay/audiofile/commit/822b732fd31ffcb78f6920001e9b1fbd815fa712
Upstream has two issues for what appears to be the exact same flaw. See test1 run:
```
Audio File Library: file missing data -- read 0 frames, should be 5 [error 5]
==18400== Invalid write of size 4
==18400==    at 0x4E55C07: ??? (in /usr/lib64/libaudiofile.so.1.0.0)
==18400==    by 0x4E4C8E2: afReadFrames (in /usr/lib64/libaudiofile.so.1.0.0)
==18400==    by 0x401E4D: ??? (in /usr/bin/sfconvert)
==18400==    by 0x40162D: ??? (in /usr/bin/sfconvert)
==18400==    by 0x50913D4: (below main) (in /usr/lib64/libc-2.17.so)
```
and test2 run:
```
Audio File Library: file missing data -- read 0 frames, should be 5 [error 5]
==18402== Invalid write of size 4
==18402==    at 0x4E55C07: ??? (in /usr/lib64/libaudiofile.so.1.0.0)
==18402==    by 0x4E4C8E2: afReadFrames (in /usr/lib64/libaudiofile.so.1.0.0)
==18402==    by 0x401E4D: ??? (in /usr/bin/sfconvert)
==18402==    by 0x40162D: ??? (in /usr/bin/sfconvert)
==18402==    by 0x50913D4: (below main) (in /usr/lib64/libc-2.17.so)
```
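The valgrind output above shows the shape of the flaw: the reader reports a short read ("read 0 frames, should be 5") and a 4-byte write still lands past a heap buffer while afReadFrames runs the 3-to-4 byte expansion. The C below is an added illustration of that bug class, written for this page; it is neither audiofile's Expand3To4Module code nor the upstream patch. It assumes stereo, little-endian 24-bit input, and the function names (read_frames_3byte, expand_unsafe, expand_safe, run_scenario) and the canary-arena harness are constructs of the example. The unsafe expansion loops over the frame count the caller requested; the hardened one loops over the count the reader actually delivered and checks the output capacity.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Example-only model of a 24-bit -> 32-bit sample expansion step.
 * Not audiofile's code: names and layout are assumptions for illustration. */

#define CHANNELS   2            /* stereo, assumed for the example           */
#define IN_BYTES   3            /* packed little-endian 24-bit input samples */
#define ARENA_INTS 64           /* output arena: buffer + canary words       */
#define CANARY     0x5A5A5A5A   /* cannot be produced by a 24-bit sample     */

/* Simulated file read: the file holds `avail` frames but the caller asks for
 * `requested`.  Copies what exists and reports the real count, mirroring the
 * "read 0 frames, should be 5" short read in the valgrind log. */
size_t read_frames_3byte(const uint8_t *file, size_t avail,
                         uint8_t *in, size_t requested)
{
    size_t got = requested < avail ? requested : avail;
    memcpy(in, file, got * CHANNELS * IN_BYTES);
    return got;
}

/* Sign-extend one little-endian 24-bit sample to 32 bits. */
int32_t expand3(const uint8_t *p)
{
    uint32_t u = (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16);
    return (u & 0x800000u) ? (int32_t)u - 0x1000000 : (int32_t)u;
}

/* Vulnerable pattern: the loop bound is the *requested* frame count.  After
 * a short read the output buffer was sized for the frames actually read, so
 * every element beyond got*CHANNELS is an out-of-bounds 4-byte write. */
void expand_unsafe(const uint8_t *in, int32_t *out, size_t requested)
{
    for (size_t i = 0; i < requested * CHANNELS; i++)
        out[i] = expand3(in + i * IN_BYTES);
}

/* Hardened: bound the loop by the frames actually delivered and refuse to
 * exceed the output capacity.  Returns frames expanded, or -1 on a
 * capacity violation. */
long expand_safe(const uint8_t *in, size_t got,
                 int32_t *out, size_t out_cap_frames)
{
    if (got > out_cap_frames)
        return -1;
    for (size_t i = 0; i < got * CHANNELS; i++)
        out[i] = expand3(in + i * IN_BYTES);
    return (long)got;
}

/* Harness: one arena holds the output buffer (sized for `got` frames)
 * followed by canary words, so the overrun is observable without touching
 * memory outside the array.  Returns the number of clobbered canary words:
 * 0 when the expansion stayed in bounds, >0 when it ran past the buffer.
 * A real heap buffer has no such slack; that is where valgrind's
 * "Invalid write of size 4" comes from. */
size_t run_scenario(int use_safe, size_t avail, size_t requested)
{
    if (requested * CHANNELS > ARENA_INTS || avail > requested)
        return (size_t)-1;                /* outside what the harness models */

    /* Constructed input: `avail` stereo frames of arbitrary 24-bit samples. */
    uint8_t file[ARENA_INTS * IN_BYTES];
    for (size_t i = 0; i < sizeof file; i++) file[i] = (uint8_t)i;

    uint8_t in[ARENA_INTS * IN_BYTES] = {0};
    size_t got = read_frames_3byte(file, avail, in, requested);

    int32_t arena[ARENA_INTS];
    for (size_t i = 0; i < ARENA_INTS; i++) arena[i] = CANARY;

    if (use_safe)
        expand_safe(in, got, arena, got);
    else
        expand_unsafe(in, arena, requested);

    size_t clobbered = 0;
    for (size_t i = got * CHANNELS; i < ARENA_INTS; i++)
        if (arena[i] != CANARY) clobbered++;
    return clobbered;
}

int main(void)
{
    printf("truncated file, unsafe loop: %zu words past buffer\n", run_scenario(0, 0, 5));
    printf("truncated file, safe loop:   %zu words past buffer\n", run_scenario(1, 0, 5));
    printf("complete file, unsafe loop:  %zu words past buffer\n", run_scenario(0, 5, 5));
    return 0;
}
```

The point to carry over to a review of any sample-conversion module is that a downstream stage must take its iteration count from what the upstream stage actually produced, not from what was asked for; a file that is shorter than its header claims is exactly the input that separates the two.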
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2020:3877 https://access.redhat.com/errata/RHSA-2020:3877
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2018-17095