Bug 1071767 - (CVE-2017-17457) VUL-1: CVE-2017-17457: libsndfile: d2ulaw_array() in ulaw.c may lead to a remote DoS attack
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P3 - Medium
Severity: Normal
Target Milestone: ---
Assigned To: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/196320/
Whiteboard: CVSSv2:SUSE:CVE-2017-17457:2.1:(AV:L/...
Depends on:
Blocks:

Reported: 2017-12-07 13:09 UTC by Alexander Bergmann
Modified: 2020-06-08 15:09 UTC (History)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
QA Reproducer (35.40 KB, audio/x-wav), 2017-12-07 13:56 UTC, Alexander Bergmann
Fix patch (1.60 KB, patch), 2018-06-08 12:44 UTC, Takashi Iwai

Description Alexander Bergmann 2017-12-07 13:09:41 UTC
CVE-2017-17457

The function d2ulaw_array() in ulaw.c of libsndfile 1.0.29pre1 may lead to a
remote DoS attack (SEGV on unknown address 0x000000000000), a different
vulnerability than CVE-2017-14246.

Upstream bug report:
https://github.com/erikd/libsndfile/issues/344

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-17457
Comment 1 Alexander Bergmann 2017-12-07 13:56:04 UTC
Created attachment 751909 [details]
QA Reproducer

SLE12> valgrind ./sndfile-convert -alaw crash_case_libsndfile 1.raw
==7574== Memcheck, a memory error detector
==7574== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==7574== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
==7574== Command: ./sndfile-convert -alaw id:000000,sig:11,src:000024,op:flip2,pos:34 1.raw
==7574== 
==7574== Invalid read of size 1
==7574==    at 0x4E68E24: ??? (in /usr/lib64/libsndfile.so.1.0.25)
==7574==    by 0x4E3FFBD: sf_writef_double (in /usr/lib64/libsndfile.so.1.0.25)
==7574==    by 0x401D45: sfe_copy_data_fp (common.c:71)
==7574==    by 0x40123E: main (sndfile-convert.c:259)
==7574==  Address 0x8000000004e8a300 is not stack'd, malloc'd or (recently) free'd
==7574== 
==7574== 
==7574== Process terminating with default action of signal 11 (SIGSEGV): dumping core
==7574==  General Protection Fault
==7574==    at 0x4E68E24: ??? (in /usr/lib64/libsndfile.so.1.0.25)
==7574==    by 0x4E3FFBD: sf_writef_double (in /usr/lib64/libsndfile.so.1.0.25)
==7574==    by 0x401D45: sfe_copy_data_fp (common.c:71)
==7574==    by 0x40123E: main (sndfile-convert.c:259)
==7574== 
==7574== HEAP SUMMARY:
==7574==     in use at exit: 119,820 bytes in 7 blocks
==7574==   total heap usage: 78 allocs, 71 frees, 129,326 bytes allocated
==7574== 
==7574== LEAK SUMMARY:
==7574==    definitely lost: 0 bytes in 0 blocks
==7574==    indirectly lost: 0 bytes in 0 blocks
==7574==      possibly lost: 0 bytes in 0 blocks
==7574==    still reachable: 119,820 bytes in 7 blocks
==7574==         suppressed: 0 bytes in 0 blocks
==7574== Rerun with --leak-check=full to see details of leaked memory
==7574== 
==7574== For counts of detected and suppressed errors, rerun with: -v
==7574== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
Segmentation fault (core dumped)
Comment 2 Alexander Bergmann 2018-04-18 09:27:11 UTC
Still no upstream fix available.
Comment 3 Alexander Bergmann 2018-05-08 08:40:45 UTC
Moving to VUL-1 as this is a minor issue.
Comment 4 Takashi Iwai 2018-06-08 12:44:06 UTC
Now I took a deeper look.  Actually it's because of the handling of double or float NaN.  But there are other potential issues that may lead to the array overflow, so it needs a range check anyway in addition to the NaN check.
Comment 5 Takashi Iwai 2018-06-08 12:44:30 UTC
Created attachment 773215 [details]
Fix patch
Comment 6 Takashi Iwai 2018-06-08 13:05:28 UTC
Submitted the fix for TW, SLE15, SLE12, SLE11.

Back to security team.
Comment 9 Swamp Workflow Management 2018-07-26 19:08:42 UTC
SUSE-SU-2018:2065-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 1071767,1071777,1100167
CVE References: CVE-2017-17456,CVE-2017-17457,CVE-2018-13139
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    libsndfile-1.0.25-36.13.1
SUSE Linux Enterprise Server 12-SP3 (src):    libsndfile-1.0.25-36.13.1
SUSE Linux Enterprise Desktop 12-SP3 (src):    libsndfile-1.0.25-36.13.1
Comment 10 Swamp Workflow Management 2018-07-26 19:15:57 UTC
SUSE-SU-2018:2074-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 1071767,1071777,1100167
CVE References: CVE-2017-17456,CVE-2017-17457,CVE-2018-13139
Sources used:
SUSE Linux Enterprise Module for Basesystem 15 (src):    libsndfile-1.0.28-5.5.1
Comment 11 Swamp Workflow Management 2018-08-06 13:11:41 UTC
openSUSE-SU-2018:2209-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 1071767,1071777,1100167
CVE References: CVE-2017-17456,CVE-2017-17457,CVE-2018-13139
Sources used:
openSUSE Leap 15.0 (src):    libsndfile-1.0.28-lp150.3.3.1, libsndfile-progs-1.0.28-lp150.3.3.1
Comment 12 Swamp Workflow Management 2018-08-06 13:16:48 UTC
openSUSE-SU-2018:2214-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 1071767,1071777,1100167
CVE References: CVE-2017-17456,CVE-2017-17457,CVE-2018-13139
Sources used:
openSUSE Leap 42.3 (src):    libsndfile-1.0.25-34.1, libsndfile-progs-1.0.25-34.1
Comment 13 Marcus Meissner 2018-08-06 14:19:28 UTC
released
Comment 15 Swamp Workflow Management 2018-11-23 14:30:26 UTC
This is an autogenerated message for OBS integration:
This bug (1071767) was mentioned in
https://build.opensuse.org/request/show/651387 Factory / libsndfile
Comment 17 Swamp Workflow Management 2019-04-02 16:30:09 UTC
SUSE-SU-2019:14008-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 1071767,1071777,1117954
CVE References: CVE-2017-17456,CVE-2017-17457,CVE-2018-19758
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    libsndfile-1.0.20-2.19.12.1
SUSE Linux Enterprise Server 11-SP4 (src):    libsndfile-1.0.20-2.19.12.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    libsndfile-1.0.20-2.19.12.1

*** NOTE: This information is not intended to be used for external
    communication, because this may only be a partial fix.
    If you have questions please reach out to maintenance coordination.