Bug 721234 (CVE-2011-2696) - CVE-2011-2696 libsndfile: Application crash due integer overflow by processing certain PAF audio files
Summary: CVE-2011-2696 libsndfile: Application crash due integer overflow by processin...
Status: CLOSED ERRATA
Alias: CVE-2011-2696
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: public=20110712,reported=20110713,sou...
Keywords: Security
Depends On: 721239 721240 722841 722842
Blocks: 721249
TreeView+ depends on / blocked
 
Reported: 2011-07-14 06:22 UTC by Jan Lieskovsky
Modified: 2019-06-08 18:52 UTC (History)
3 users (show)

(edit)
Clone Of:
(edit)
Last Closed: 2017-05-10 08:23:39 UTC


Attachments (Terms of Use)
Promised local copy of upstream patch (1.92 KB, text/plain)
2011-07-14 06:29 UTC, Jan Lieskovsky
no flags Details


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2011:1084 normal SHIPPED_LIVE Moderate: libsndfile security update 2011-07-20 18:18:17 UTC

Description Jan Lieskovsky 2011-07-14 06:22:35 UTC
An integer overflow, leading to heap-based buffer overflow flaw was found in the way libsndfile, library for reading and writing of sound files, processed certain PARIS Audio Format (PAF) audio files with crafted count of channels in the PAF file header. A remote attacker could provided a specially-crafted PAF audio file, which once opened by a local, unsuspecting user in an application, linked against libsndfile could lead to that particular application crash (denial of service), or, potentially arbitrary code execution with the privileges of the user running the application.

References:
[1] https://bugs.gentoo.org/show_bug.cgi?id=375125
[2] http://www.securelist.com/en/advisories/45125
[3] http://secunia.com/advisories/45125/
[4] http://www.mega-nerd.com/libsndfile/

Relevant upstream patch (from Bzr log, local copy will be attached later too):

revno: 1610
committer: Erik de Castro Lopo <erikd@mega-nerd.com>
branch nick: libsndfile-dev
timestamp: Wed 2011-07-06 19:40:05 +1000
message:
  Fix for Secunia Advisory SA45125, heap overflow in PAF file handler.

Comment 1 Jan Lieskovsky 2011-07-14 06:25:15 UTC
This issue affects the version of the libsndfile package, as present within EPEL-5 repository. Please schedule an update.

--

This issue affects the version of the libsndfile package, as shipped with Red Hat Enterprise Linux 6.

--

This issue affects the versions of the libsndfile package, as shipped with Fedora release of 14 and 15. Please schedule an update.

Comment 2 Jan Lieskovsky 2011-07-14 06:29:16 UTC
Created attachment 512812 [details]
Promised local copy of upstream patch

Retrieved via
(couldn't find remote URL reference. Maybe there is one I am not aware of):

bzr get http://www.mega-nerd.com/Bzr/libsndfile-dev/
bzr diff -r1609..1610 > /tmp/SASA45125_revno1609_1610.diff

Comment 3 Jan Lieskovsky 2011-07-14 06:36:28 UTC
CVE Request:
[5] http://www.openwall.com/lists/oss-security/2011/07/14/1

Comment 4 Jan Lieskovsky 2011-07-14 06:37:48 UTC
Created libsndfile tracking bugs for this issue

Affects: epel-5 [bug 721239]
Affects: fedora-all [bug 721240]

Comment 5 Jan Lieskovsky 2011-07-14 07:19:52 UTC
Erik de Castro Lopo (upstream libsndfile maintainer) suggested, arbitrary code
execution is not possible in this case:
=======================================

Jan Lieskovsky wrote:

> >    an integer overflow, leading to heap-based buffer overflow flaw was
> > found in the way libsndfile, library for reading and writing of sound
> > files, processed certain PARIS Audio Format (PAF) audio files with
> > crafted count of channels in the PAF file header. A remote attacker
> > could provided a specially-crafted PAF audio file, which once opened by
> > a local, unsuspecting user in an application, linked against libsndfile,
> > could lead to that particular application crash (denial of service),
I agree with everything up to here.

> > or, potentially arbitrary code execution with the privileges of the
> > user running the application.
but this is rubbish. The heap gets overwritten with zeros which would
certainly lead to the application segfaulting. However, there is
no way for arbitrary code to be executed on amy sane OS with proper
memory protection.

Furthermore, Secunia when they contacted me about this said they would
release information about this vulernability on the 18th and then ended
up releasing it on the 12th instead which means I had to rush out the
release I was working on (and would have easily had ready for the
18th). That is not the way to win friends and influence people.

Regards,
Erik
--
----------------------------------------------------------------------
Erik de Castro Lopo
http://www.mega-nerd.com/ 


=======================================

Thus have adjusted the impact and severity of this issue appropriately.

Comment 7 Huzaifa S. Sidhpurwala 2011-07-18 06:56:19 UTC
This has been assigned CVE-2011-2696

Comment 10 errata-xmlrpc 2011-07-20 18:18:23 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2011:1084 https://rhn.redhat.com/errata/RHSA-2011-1084.html


Note You need to log in before you can comment on or make changes to this bug.