Bug 488361 (CVE-2009-0186) - CVE-2009-0186 libsndfile: overflows may lead to execution of arbitrary code
Summary: CVE-2009-0186 libsndfile: overflows may lead to execution of arbitrary code
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2009-0186
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL: http://web.nvd.nist.gov/view/vuln/det...
Whiteboard:
Depends On: 488362 488363 488364
Blocks:
Reported: 2009-03-03 21:50 UTC by Vincent Danen
Modified: 2019-09-29 12:28 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2010-12-20 22:16:10 UTC
Embargoed:


Attachments
possible patch to fix CVE-2009-0186 (688 bytes, patch)
2009-03-03 22:07 UTC, Vincent Danen

Description Vincent Danen 2009-03-03 21:50:59 UTC
Quoting Secunia's advisory:

Secunia Research has discovered a vulnerability in libsndfile, which
can be exploited by malicious people to compromise an application
using the library.

The vulnerability is caused due to an integer overflow error in the
processing of CAF description chunks. This can be exploited to cause
a heap-based buffer overflow by tricking the user into processing a
specially crafted CAF audio file.

Successful exploitation may allow execution of arbitrary code.

The original advisory can be found here:

http://secunia.com/secunia_research/2009-7/

Verification of the vulnerability was against 1.0.18; 1.0.19 corrects the problem

Comment 1 Vincent Danen 2009-03-03 21:51:31 UTC
Created libsndfile tracking bugs for this issue

CVE-2009-0186 Affects: F10 [bug #488362]
CVE-2009-0186 Affects: F9 [bug #488363]
CVE-2009-0186 Affects: epel-5 [bug #488364]

Comment 2 Vincent Danen 2009-03-03 22:07:22 UTC
Created attachment 333940 [details]
possible patch to fix CVE-2009-0186

Quick look in the changelog shows:

    * src/caf.c
    Validate channels per frame value before using, fixing a possible integer
    overflow bug, leading to a possible heap overflow. Found by Alin Rad Pop of
    Secunia Research (CVE-2009-0186).

and the patch attached contains the relevant changes that look like they would correct this issue.
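The advisory and changelog above describe the bug only in outline: a channels-per-frame value read from a CAF description chunk feeds an allocation size without validation, the 32-bit product wraps, and later writes overrun the undersized heap buffer. The following is an added illustration of that pattern and of the "validate before using" fix, not libsndfile's code or the attached patch. The four-field chunk layout, the `MAX_CHANNELS` bound, and the sample chunk bytes are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed, simplified view of a few fields a CAF description chunk
   carries (big-endian on disk). The layout is an assumption for the example. */
typedef struct {
    uint32_t bytes_per_packet;
    uint32_t frames_per_packet;
    uint32_t channels_per_frame;
    uint32_t bits_per_channel;
} caf_desc_t;

/* Hypothetical sanity bound on channel count; not a libsndfile constant. */
#define MAX_CHANNELS 1024u

/* The pattern the advisory describes: a 32-bit product of file-controlled
   fields can wrap, so the computed allocation is far smaller than the
   number of samples the decoder will later write into it. */
static uint32_t unchecked_frame_buffer_bytes(uint32_t channels, uint32_t frames)
{
    return channels * frames * (uint32_t)sizeof(int32_t); /* may wrap to a tiny value */
}

/* Hardened form: reject out-of-range channel counts before any arithmetic,
   then compute the size in 64 bits so a wrap cannot occur.
   Returns 0 when the input is rejected, otherwise the byte count. */
static size_t checked_frame_buffer_bytes(uint32_t channels, uint32_t frames)
{
    if (channels == 0 || channels > MAX_CHANNELS)
        return 0;
    uint64_t bytes = (uint64_t)channels * frames * sizeof(int32_t);
    if (bytes == 0 || bytes > SIZE_MAX / 2)   /* headroom for callers adding padding */
        return 0;
    return (size_t)bytes;
}

static uint32_t read_be32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Parse the four constructed fields from a 16-byte chunk body.
   Returns 0 on success, -1 if the body is too short. */
static int parse_desc(const unsigned char *buf, size_t len, caf_desc_t *out)
{
    if (len < 16)
        return -1;
    out->bytes_per_packet   = read_be32(buf);
    out->frames_per_packet  = read_be32(buf + 4);
    out->channels_per_frame = read_be32(buf + 8);
    out->bits_per_channel   = read_be32(buf + 12);
    return 0;
}

/* Constructed chunk body whose channels_per_frame field is 0x40000001,
   the kind of value that makes the unchecked product wrap. */
static const unsigned char sample_desc[16] = {
    0x00, 0x00, 0x00, 0x10,   /* bytes_per_packet   = 16 */
    0x00, 0x00, 0x00, 0x01,   /* frames_per_packet  = 1 */
    0x40, 0x00, 0x00, 0x01,   /* channels_per_frame = 0x40000001 */
    0x00, 0x00, 0x00, 0x20    /* bits_per_channel   = 32 */
};

int main(void)
{
    caf_desc_t d;
    if (parse_desc(sample_desc, sizeof sample_desc, &d) != 0)
        return 1;
    printf("channels_per_frame = 0x%08x\n", d.channels_per_frame);
    printf("unchecked size for 4 frames: %u bytes\n",
           unchecked_frame_buffer_bytes(d.channels_per_frame, 4));
    printf("checked size for 4 frames:   %zu (0 = rejected)\n",
           checked_frame_buffer_bytes(d.channels_per_frame, 4));
    return 0;
}
```

The checked variant rejects the constructed value outright because it exceeds the channel bound; even a value inside the bound cannot wrap, since the product is formed in 64 bits before being compared against what the allocator can honour.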

Comment 3 Fedora Update System 2009-12-03 05:03:56 UTC
libsndfile-1.0.20-3.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 4 Fedora Update System 2009-12-03 05:06:53 UTC
libsndfile-1.0.20-3.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 5 Michel Lind 2010-07-03 21:41:28 UTC
Odd, this bug should have been automatically closed. Could someone verify that the problem is fixed?

Comment 6 Vincent Danen 2010-07-05 15:22:20 UTC
There is still a tracker open against EPEL5, which does not look to be fixed.

Comment 7 Michel Lind 2010-07-05 22:04:35 UTC
Thanks. I'll be requesting a fast-track decision to take over the package -- a security bug that only needs updating the EL-5 branch to fix is rather unacceptable.
