Bugzilla – Bug 910763
VUL-1: CVE-2014-8145: sox: memory corruptions on the heap
Last modified: 2020-09-23 15:41:38 UTC
This issue is not public yet. Waiting for CRD.

---------------------------

Hello,

The following vulnerability report was received by Michele Spagnuolo of Google Security Team.

The instrumented tool is "sox", run with arguments: filename.format x.wav.

We have 2 heap-oob (one sometimes also causes SIGSEGV), 1 null pointer dereference and 6 divisions by zero that reproduce in both 14.3.1 and 14.4.1. The memory corruptions on the heap are potentially exploitable. The divisions by zero and the *(0x0), of course, are not security relevant, so please ignore them in this Drive folder: https://drive.google.com/folderview?id=0B52EFul-UCEIdWJYMzZFMk52WHc&usp=sharing

The maintainer provided 2 patches (they are attached) which have been validated by original report.

As usual we would welcome CVEs, disclosure date is set one week from now: December 22nd 15:00 CET.

Cheers

---------------------------

--- src/sphere.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/src/sphere.c b/src/sphere.c index 479a552..a3fd1c6 100644 --- a/src/sphere.c +++ b/src/sphere.c @@ -47,6 +47,11 @@ static int start_read(sox_format_t * ft) /* Determine header size, and allocate a buffer large enough to hold it. */ sscanf(fldsval, "%lu", &header_size_ul); + if (header_size_ul < 16) { + lsx_fail_errno(ft, SOX_EHDR, "Error reading Sphere header"); + return (SOX_EOF); + } + buf = lsx_malloc(header_size = header_size_ul); /* Skip what we have read so far */ -- 2.1.0

CVE-2014-8145 was assigned to the heap corruptions as they are potentially exploitable.
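Review bot: the return value of `sscanf(fldsval, "%lu", &header_size_ul);` directly above the new guard is never checked, so `if (header_size_ul < 16)` only validates a header size that was actually parsed; when the field is not numeric, `header_size_ul` keeps whatever value it already held and may pass the check unchanged. Suggest folding the parse result into the guard, e.g. `if (sscanf(fldsval, "%lu", &header_size_ul) != 1 || header_size_ul < 16)`, and consider an upper bound as well, since `header_size_ul` comes straight from the file and is passed unchecked to `lsx_malloc(header_size = header_size_ul)`, so a crafted header can still request an arbitrarily large allocation.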
CRD: 2014-12-22 15:00 CET
This affects only openSUSE:12.3, openSUSE:13.1 and openSUSE:13.2. Please hold off on the submission to OBS until this has gone public.
bugbot adjusting priority
An update workflow for this issue was started. This issue was rated as moderate. Please submit fixed packages until 2015-01-05. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/60104
was published by ocert
not sure if pavol is still active, last updates were by reddwarf (cced)
An update workflow for this issue was started. This issue was rated as moderate. Please submit fixed packages until 2018-03-02. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/63981
Resolved.