Bug 1100167 - (CVE-2018-13139) VUL-0: CVE-2018-13139: libsndfile: A stack-based buffer overflow in psf_memset in common.c in libsndfile 1.0.28 allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P3 - Medium, Severity: Minor
Assigned To: Security Team bot
https://smash.suse.de/issue/209495/
CVSSv3:SUSE:CVE-2018-13139:8.4:(AV:L...
Reported: 2018-07-05 06:46 UTC by Johannes Segitz
Modified: 2021-08-19 19:22 UTC (History)
Found By: Security Response Team

Attachments
Reproducer (34.92 KB, application/zip)
2018-07-05 06:46 UTC, Johannes Segitz
Fix patch (484 bytes, patch)
2018-07-05 13:54 UTC, Takashi Iwai

Description Johannes Segitz 2018-07-05 06:46:27 UTC
Created attachment 776151
Reproducer

CVE-2018-13139

A stack-based buffer overflow in psf_memset in common.c in libsndfile 1.0.28
allows remote attackers to cause a denial of service (application crash) or
possibly have unspecified other impact via a crafted audio file. The
vulnerability can be triggered by the executable sndfile-deinterleave.

All maintained codestreams affected

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-13139
http://www.cvedetails.com/cve/CVE-2018-13139/
https://github.com/erikd/libsndfile/issues/397
Comment 1 Marcus Meissner 2018-07-05 07:29:04 UTC
not caught by overflow protection mechanisms.
Comment 2 Johannes Segitz 2018-07-05 08:21:40 UTC
then let's get this out fast please
Comment 3 Takashi Iwai 2018-07-05 09:58:47 UTC
No fix provided at all.

And why it's "major"?  It happens only on the specific program that is bundled with libsndfile.
Comment 4 Takashi Iwai 2018-07-05 13:53:49 UTC
The bug isn't in the library code, but it's just a missing channel number check in the sndfile-deinterleave program.

That said, this is no security issue.  Reassigned back.
Comment 5 Takashi Iwai 2018-07-05 13:54:14 UTC
Created attachment 776234
Fix patch
Comment 6 Johannes Segitz 2018-07-05 14:39:34 UTC
(In reply to Takashi Iwai from comment #4)
isn't sf_readf_int part of the library? I would expect the fix to be there, not in the calling code
Comment 7 Takashi Iwai 2018-07-05 14:45:38 UTC
(In reply to Johannes Segitz from comment #6)
> (In reply to Takashi Iwai from comment #4)
> isn't sf_readf_int part of the library?

Yes.

> I would expect the fix to be there,
> not in the calling code

Why, and how?  It's simply a bug in the caller side.  Very obvious.
Comment 8 Takashi Iwai 2018-07-05 14:58:52 UTC
Simply put, the situation is like running the following code:

    char buf[1024 * MAX_CHANNELS];

    int channels = read_from_some_file();
    read(fd, buf, 1024 * channels);

You wouldn't suggest to fix read() in the case above, right?
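
The caller-side check discussed in comments 4 to 8, as an added example that is not part of the thread and is not the attached fix patch. The names `lib_readf`, `channels_fit` and `read_block`, the value of `MAX_CHANNELS` and the sample channel counts are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define MAX_CHANNELS 16   /* assumed caller-side limit; name as in comment 8 */
#define FRAMES 1024       /* frames requested per read, as in comment 8 */

/* Constructed stand-in for a library reader such as read() or
 * sf_readf_int(): it writes frames * channels items and has no way of
 * knowing how large dst is. */
static size_t lib_readf(int *dst, size_t frames, int channels)
{
    size_t items = frames * (size_t)channels;
    memset(dst, 0, items * sizeof(int));
    return frames;
}

/* Caller-side check: only the caller knows both the size of its buffer
 * and that the channel count came from an untrusted file header.
 * Returns 1 when frames * channels items fit into buf_items. */
int channels_fit(int channels, size_t buf_items, size_t frames)
{
    if (channels < 1 || channels > MAX_CHANNELS)
        return 0;
    return frames <= buf_items / (size_t)channels; /* no multiply overflow */
}

/* Hardened caller: returns the frames read, or -1 when the channel count
 * from the file does not fit the fixed stack buffer. Without the check,
 * lib_readf() would write past the end of buf. */
long read_block(int channels_from_file)
{
    int buf[FRAMES * MAX_CHANNELS];
    size_t buf_items = sizeof(buf) / sizeof(buf[0]);

    if (!channels_fit(channels_from_file, buf_items, FRAMES))
        return -1;
    return (long)lib_readf(buf, FRAMES, channels_from_file);
}

int main(void)
{
    int samples[] = { 2, 16, 17, 0, -3 }; /* constructed header values */
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("channels=%d -> %ld\n", samples[i], read_block(samples[i]));
    return 0;
}
```
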
Comment 10 Johannes Segitz 2018-07-26 08:57:49 UTC
(In reply to Takashi Iwai from comment #8)
yes, you're right.
Comment 11 Swamp Workflow Management 2018-07-26 19:09:00 UTC
SUSE-SU-2018:2065-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 1071767,1071777,1100167
CVE References: CVE-2017-17456,CVE-2017-17457,CVE-2018-13139
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    libsndfile-1.0.25-36.13.1
SUSE Linux Enterprise Server 12-SP3 (src):    libsndfile-1.0.25-36.13.1
SUSE Linux Enterprise Desktop 12-SP3 (src):    libsndfile-1.0.25-36.13.1
Comment 12 Swamp Workflow Management 2018-07-26 19:16:13 UTC
SUSE-SU-2018:2074-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 1071767,1071777,1100167
CVE References: CVE-2017-17456,CVE-2017-17457,CVE-2018-13139
Sources used:
SUSE Linux Enterprise Module for Basesystem 15 (src):    libsndfile-1.0.28-5.5.1
Comment 13 Swamp Workflow Management 2018-08-06 13:11:57 UTC
openSUSE-SU-2018:2209-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 1071767,1071777,1100167
CVE References: CVE-2017-17456,CVE-2017-17457,CVE-2018-13139
Sources used:
openSUSE Leap 15.0 (src):    libsndfile-1.0.28-lp150.3.3.1, libsndfile-progs-1.0.28-lp150.3.3.1
Comment 14 Swamp Workflow Management 2018-08-06 13:17:04 UTC
openSUSE-SU-2018:2214-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 1071767,1071777,1100167
CVE References: CVE-2017-17456,CVE-2017-17457,CVE-2018-13139
Sources used:
openSUSE Leap 42.3 (src):    libsndfile-1.0.25-34.1, libsndfile-progs-1.0.25-34.1
Comment 15 Marcus Meissner 2018-08-06 13:51:10 UTC
released
Comment 16 Swamp Workflow Management 2018-11-23 14:30:47 UTC
This is an autogenerated message for OBS integration:
This bug (1100167) was mentioned in
https://build.opensuse.org/request/show/651387 Factory / libsndfile
Comment 18 Swamp Workflow Management 2018-11-23 16:00:06 UTC
This is an autogenerated message for OBS integration:
This bug (1100167) was mentioned in
https://build.opensuse.org/request/show/651403 Factory / libsndfile
Comment 22 Swamp Workflow Management 2021-08-05 13:51:16 UTC
SUSE-SU-2021:2615-1: An update that fixes four vulnerabilities is now available.

Category: security (critical)
Bug References: 1100167,1116993,1117954,1188540
CVE References: CVE-2018-13139,CVE-2018-19432,CVE-2018-19758,CVE-2021-3246
JIRA References: 
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src):    libsndfile-1.0.25-36.23.1
SUSE OpenStack Cloud 9 (src):    libsndfile-1.0.25-36.23.1
SUSE OpenStack Cloud 8 (src):    libsndfile-1.0.25-36.23.1
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    libsndfile-1.0.25-36.23.1
SUSE Linux Enterprise Server for SAP 12-SP4 (src):    libsndfile-1.0.25-36.23.1
SUSE Linux Enterprise Server for SAP 12-SP3 (src):    libsndfile-1.0.25-36.23.1
SUSE Linux Enterprise Server 12-SP5 (src):    libsndfile-1.0.25-36.23.1
SUSE Linux Enterprise Server 12-SP4-LTSS (src):    libsndfile-1.0.25-36.23.1
SUSE Linux Enterprise Server 12-SP3-LTSS (src):    libsndfile-1.0.25-36.23.1
SUSE Linux Enterprise Server 12-SP3-BCL (src):    libsndfile-1.0.25-36.23.1
SUSE Linux Enterprise Server 12-SP2-BCL (src):    libsndfile-1.0.25-36.23.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 23 Swamp Workflow Management 2021-08-17 19:21:05 UTC
SUSE-SU-2021:2764-1: An update that fixes four vulnerabilities is now available.

Category: security (critical)
Bug References: 1100167,1116993,1117954,1188540
CVE References: CVE-2018-13139,CVE-2018-19432,CVE-2018-19758,CVE-2021-3246
JIRA References: 
Sources used:
SUSE Manager Server 4.0 (src):    libsndfile-1.0.28-5.12.1
SUSE Manager Retail Branch Server 4.0 (src):    libsndfile-1.0.28-5.12.1
SUSE Manager Proxy 4.0 (src):    libsndfile-1.0.28-5.12.1
SUSE Linux Enterprise Server for SAP 15-SP1 (src):    libsndfile-1.0.28-5.12.1
SUSE Linux Enterprise Server for SAP 15 (src):    libsndfile-1.0.28-5.12.1
SUSE Linux Enterprise Server 15-SP1-LTSS (src):    libsndfile-1.0.28-5.12.1
SUSE Linux Enterprise Server 15-SP1-BCL (src):    libsndfile-1.0.28-5.12.1
SUSE Linux Enterprise Server 15-LTSS (src):    libsndfile-1.0.28-5.12.1
SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP3 (src):    libsndfile-1.0.28-5.12.1
SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP2 (src):    libsndfile-1.0.28-5.12.1
SUSE Linux Enterprise Module for Basesystem 15-SP3 (src):    libsndfile-1.0.28-5.12.1
SUSE Linux Enterprise Module for Basesystem 15-SP2 (src):    libsndfile-1.0.28-5.12.1
SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src):    libsndfile-1.0.28-5.12.1
SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src):    libsndfile-1.0.28-5.12.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src):    libsndfile-1.0.28-5.12.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src):    libsndfile-1.0.28-5.12.1
SUSE Enterprise Storage 6 (src):    libsndfile-1.0.28-5.12.1
SUSE CaaS Platform 4.0 (src):    libsndfile-1.0.28-5.12.1

Comment 24 Swamp Workflow Management 2021-08-17 19:29:57 UTC
openSUSE-SU-2021:2764-1: An update that fixes four vulnerabilities is now available.

Category: security (critical)
Bug References: 1100167,1116993,1117954,1188540
CVE References: CVE-2018-13139,CVE-2018-19432,CVE-2018-19758,CVE-2021-3246
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    libsndfile-1.0.28-5.12.1, libsndfile-progs-1.0.28-5.12.1
Comment 25 Swamp Workflow Management 2021-08-19 19:22:49 UTC
openSUSE-SU-2021:1166-1: An update that fixes four vulnerabilities is now available.

Category: security (critical)
Bug References: 1100167,1116993,1117954,1188540
CVE References: CVE-2018-13139,CVE-2018-19432,CVE-2018-19758,CVE-2021-3246
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    libsndfile-1.0.28-lp152.6.3.1, libsndfile-progs-1.0.28-lp152.6.3.1