Bug 1125575 (CVE-2019-3832)

Summary: VUL-1: CVE-2019-3832: libsndfile: libsndfile: incomplete fix for still allow to read beyond buffer limits
Product: [Novell Products] SUSE Security Incidents Reporter: Robert Frohl <rfrohl>
Component: IncidentsAssignee: Takashi Iwai <tiwai>
Status: RESOLVED INVALID QA Contact: Security Team bot <security-team>
Severity: Minor    
Priority: P5 - None CC: smash_bz, tiwai
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/224754/
Whiteboard:
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Robert Frohl 2019-02-15 10:55:46 UTC 
rh#1677216

It was discovered the fix for CVE-2018-19758 is not complete and it still allows to read beyond the limit of the buffer in function wav_write_header() in wav.c. Function wav_write_header() iterates through the `loops` array for an amount of times read from the file itself. However, this value is not correctly checked and the library can read beyond the limits of the `loops` array, possibly making the application crash.

Upstream issue:
https://github.com/erikd/libsndfile/issues/456#issuecomment-463542436

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1677216
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-3832
Comment 1 Robert Frohl 2019-02-15 10:57:44 UTC 
Hi Takashi,
I think we are not affected because the fix you developed looks to solve the issue completely. I still would like you to confirm this understanding.

Maybe your fix could also help upstream to solve the issue correctly ?
Comment 2 Takashi Iwai 2019-02-15 11:11:51 UTC 
Yes, my fix should avoid this OOB access, if I understand the issue correctly.
Comment 3 Robert Frohl 2019-02-15 12:47:54 UTC 
thanks for the confirmation.
-> closing