Bug 1125575 - (CVE-2019-3832) VUL-1: CVE-2019-3832: libsndfile: libsndfile: incomplete fix for still allow to read beyond buffer limits
(CVE-2019-3832)
VUL-1: CVE-2019-3832: libsndfile: libsndfile: incomplete fix for still allow...
Status: RESOLVED INVALID
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P5 - None : Minor
: ---
Assigned To: Takashi Iwai
Security Team bot
https://smash.suse.de/issue/224754/
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2019-02-15 10:55 UTC by Robert Frohl
Modified: 2019-02-15 12:47 UTC (History)
2 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Robert Frohl 2019-02-15 10:55:46 UTC
rh#1677216

It was discovered the fix for CVE-2018-19758 is not complete and it still allows to read beyond the limit of the buffer in function wav_write_header() in wav.c. Function wav_write_header() iterates through the `loops` array for an amount of times read from the file itself. However, this value is not correctly checked and the library can read beyond the limits of the `loops` array, possibly making the application crash.

Upstream issue:
https://github.com/erikd/libsndfile/issues/456#issuecomment-463542436

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1677216
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-3832
Comment 1 Robert Frohl 2019-02-15 10:57:44 UTC
Hi Takashi,
I think we are not affected because the fix you developed looks to solve the issue completely. I still would like you to confirm this understanding.

Maybe your fix could also help upstream to solve the issue correctly ?
Comment 2 Takashi Iwai 2019-02-15 11:11:51 UTC
Yes, my fix should avoid this OOB access, if I understand the issue correctly.
Comment 3 Robert Frohl 2019-02-15 12:47:54 UTC
thanks for the confirmation.
-> closing