Bug 1196487 (CVE-2022-24599)

Summary: VUL-1: CVE-2022-24599: audiofile: memory leak in printinfo.c
Product: [Novell Products] SUSE Security Incidents Reporter: Carlos López <carlos.lopez>
Component: IncidentsAssignee: E-mail List <gnome-bugs>
Status: CONFIRMED --- QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: sbrabec, smash_bz
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/324633/
Whiteboard: CVSSv3.1:SUSE:CVE-2022-24599:4.4:(AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L)
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Carlos López 2022-02-25 09:52:16 UTC 
rh#2058371

In autofile Audio File Library 0.3.6, there exists one memory leak vulnerability in printfileinfo, in printinfo.c, which allows an attacker to leak sensitive information via a crafted file. The printfileinfo function calls the copyrightstring function to get data, however, it dosn't use zero bytes to truncate the data.

https://github.com/mpruett/audiofile/issues/60

References:
https://bugzilla.redhat.com/show_bug.cgi?id=2058371
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-24599
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24599
https://github.com/mpruett/audiofile/issues/60
Comment 1 Carlos López 2022-02-25 09:53:01 UTC 
Affected:
 - SUSE:SLE-11-SP1:Update
 - SUSE:SLE-12:Update
 - SUSE:SLE-15:Update
 - openSUSE:Factory
Comment 5 Stanislav Brabec 2022-08-01 13:59:57 UTC 
The "crafted" file is not as complicated. It is just a AIFF mangled AIFF with a chunk that declares a shorter length than it actually is. As a result, printf() gets an unterminated string and it could swallow part of heap following the string. And the AIFF parser will try to read a random garbage somewhere later.

So I will start with proposed zeroing of the memory and look what is happening there. The goal is simple:
- printf() should always get a NUL terminated string, even if the provided string is not terminated.
- If the AIFF parser gets a random garbage, nothing bad could happen.