Bug 1117954 - (CVE-2018-19758) VUL-1: CVE-2018-19758: libsndfile: There is a heap-based buffer over-read at wav.c in wav_write_header in libsndfile 1.0.28 that will cause a denial of service.
(CVE-2018-19758)
VUL-1: CVE-2018-19758: libsndfile: There is a heap-based buffer over-read at ...
Status: NEW
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P4 - Low : Minor
: ---
Assigned To: Security Team bot
Security Team bot
https://smash.suse.de/issue/219988/
CVSSv3:SUSE:CVE-2018-19758:5.5:(AV:L/...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2018-11-30 15:37 UTC by Marcus Meissner
Modified: 2021-08-19 19:23 UTC (History)
1 user (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
poc0 (12.32 KB, audio/x-wav)
2018-11-30 16:02 UTC, Marcus Meissner
Details
Fix patch (780 bytes, patch)
2018-12-04 12:40 UTC, Takashi Iwai
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Marcus Meissner 2018-11-30 15:37:52 UTC
CVE-2018-19758

There is a heap-based buffer over-read at wav.c in wav_write_header in
libsndfile 1.0.28 that will cause a denial of service.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-19758
http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-19758.html
Comment 1 Marcus Meissner 2018-11-30 16:01:52 UTC
https://bugzilla.redhat.com/show_bug.cgi?id=1643812
Comment 2 Marcus Meissner 2018-11-30 16:02:49 UTC
Created attachment 791473 [details]
poc0

QA REPRODUCER:

sndfile-convert poc0 a.wav

should not crash

(currently crashes on 42.3 at least)
Comment 3 Takashi Iwai 2018-12-04 12:38:17 UTC
It's a missing check of loop_count in wav.c.  The tentative fix patch is below.
Comment 4 Takashi Iwai 2018-12-04 12:40:37 UTC
Created attachment 791738 [details]
Fix patch
Comment 5 Takashi Iwai 2018-12-04 12:58:33 UTC
Submitted the fix to TW, SUSE:SLE-15:Update, SUSE:SLE-12:Update and SUSE:SLE-11-SP1:Update.

Reassigned back to security team.
Comment 7 Swamp Workflow Management 2018-12-04 13:40:06 UTC
This is an autogenerated message for OBS integration:
This bug (1117954) was mentioned in
https://build.opensuse.org/request/show/653853 Factory / libsndfile
Comment 8 Swamp Workflow Management 2019-04-02 16:30:26 UTC
SUSE-SU-2019:14008-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 1071767,1071777,1117954
CVE References: CVE-2017-17456,CVE-2017-17457,CVE-2018-19758
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    libsndfile-1.0.20-2.19.12.1
SUSE Linux Enterprise Server 11-SP4 (src):    libsndfile-1.0.20-2.19.12.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    libsndfile-1.0.20-2.19.12.1

*** NOTE: This information is not intended to be used for external
    communication, because this may only be a partial fix.
    If you have questions please reach out to maintenance coordination.
Comment 10 Swamp Workflow Management 2021-08-05 13:51:32 UTC
SUSE-SU-2021:2615-1: An update that fixes four vulnerabilities is now available.

Category: security (critical)
Bug References: 1100167,1116993,1117954,1188540
CVE References: CVE-2018-13139,CVE-2018-19432,CVE-2018-19758,CVE-2021-3246
JIRA References: 
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src):    libsndfile-1.0.25-36.23.1
SUSE OpenStack Cloud 9 (src):    libsndfile-1.0.25-36.23.1
SUSE OpenStack Cloud 8 (src):    libsndfile-1.0.25-36.23.1
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    libsndfile-1.0.25-36.23.1
SUSE Linux Enterprise Server for SAP 12-SP4 (src):    libsndfile-1.0.25-36.23.1
SUSE Linux Enterprise Server for SAP 12-SP3 (src):    libsndfile-1.0.25-36.23.1
SUSE Linux Enterprise Server 12-SP5 (src):    libsndfile-1.0.25-36.23.1
SUSE Linux Enterprise Server 12-SP4-LTSS (src):    libsndfile-1.0.25-36.23.1
SUSE Linux Enterprise Server 12-SP3-LTSS (src):    libsndfile-1.0.25-36.23.1
SUSE Linux Enterprise Server 12-SP3-BCL (src):    libsndfile-1.0.25-36.23.1
SUSE Linux Enterprise Server 12-SP2-BCL (src):    libsndfile-1.0.25-36.23.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 11 Swamp Workflow Management 2021-08-17 19:21:19 UTC
SUSE-SU-2021:2764-1: An update that fixes four vulnerabilities is now available.

Category: security (critical)
Bug References: 1100167,1116993,1117954,1188540
CVE References: CVE-2018-13139,CVE-2018-19432,CVE-2018-19758,CVE-2021-3246
JIRA References: 
Sources used:
SUSE Manager Server 4.0 (src):    libsndfile-1.0.28-5.12.1
SUSE Manager Retail Branch Server 4.0 (src):    libsndfile-1.0.28-5.12.1
SUSE Manager Proxy 4.0 (src):    libsndfile-1.0.28-5.12.1
SUSE Linux Enterprise Server for SAP 15-SP1 (src):    libsndfile-1.0.28-5.12.1
SUSE Linux Enterprise Server for SAP 15 (src):    libsndfile-1.0.28-5.12.1
SUSE Linux Enterprise Server 15-SP1-LTSS (src):    libsndfile-1.0.28-5.12.1
SUSE Linux Enterprise Server 15-SP1-BCL (src):    libsndfile-1.0.28-5.12.1
SUSE Linux Enterprise Server 15-LTSS (src):    libsndfile-1.0.28-5.12.1
SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP3 (src):    libsndfile-1.0.28-5.12.1
SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP2 (src):    libsndfile-1.0.28-5.12.1
SUSE Linux Enterprise Module for Basesystem 15-SP3 (src):    libsndfile-1.0.28-5.12.1
SUSE Linux Enterprise Module for Basesystem 15-SP2 (src):    libsndfile-1.0.28-5.12.1
SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src):    libsndfile-1.0.28-5.12.1
SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src):    libsndfile-1.0.28-5.12.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src):    libsndfile-1.0.28-5.12.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src):    libsndfile-1.0.28-5.12.1
SUSE Enterprise Storage 6 (src):    libsndfile-1.0.28-5.12.1
SUSE CaaS Platform 4.0 (src):    libsndfile-1.0.28-5.12.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 12 Swamp Workflow Management 2021-08-17 19:30:12 UTC
openSUSE-SU-2021:2764-1: An update that fixes four vulnerabilities is now available.

Category: security (critical)
Bug References: 1100167,1116993,1117954,1188540
CVE References: CVE-2018-13139,CVE-2018-19432,CVE-2018-19758,CVE-2021-3246
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    libsndfile-1.0.28-5.12.1, libsndfile-progs-1.0.28-5.12.1
Comment 13 Swamp Workflow Management 2021-08-19 19:23:03 UTC
openSUSE-SU-2021:1166-1: An update that fixes four vulnerabilities is now available.

Category: security (critical)
Bug References: 1100167,1116993,1117954,1188540
CVE References: CVE-2018-13139,CVE-2018-19432,CVE-2018-19758,CVE-2021-3246
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    libsndfile-1.0.28-lp152.6.3.1, libsndfile-progs-1.0.28-lp152.6.3.1