Bug 910763 - (CVE-2014-8145) VUL-1: CVE-2014-8145: sox: memory corruptions on the heap
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P4 - Low, Severity: Normal
Assigned To: Security Team bot
https://smash.suse.de/issue/111722/
maint:running:60104:moderate CVSSv2:N...
Reported: 2014-12-19 08:13 UTC by Alexander Bergmann
Modified: 2020-09-23 15:41 UTC (History)

Description Alexander Bergmann 2014-12-19 08:13:10 UTC
This issue is not public yet. Waiting for CRD.

---------------------------
Hello,

The following vulnerability report was received by Michele Spagnuolo of Google
Security Team.

The instrumented tool is "sox", run with arguments: filename.format x.wav.

We have 2 heap-oob (one sometimes also causes SIGSEGV), 1 null pointer
dereference and 6 divisions by zero that reproduce in both 14.3.1 and 14.4.1.
The memory corruptions on the heap are potentially exploitable.

The divisions by zero and the *(0x0), of course, are not security relevant, so
please ignore them in this Drive folder:

https://drive.google.com/folderview?id=0B52EFul-UCEIdWJYMzZFMk52WHc&usp=sharing

The maintainer provided 2 patches (they are attached) which have been
validated by original report.

As usual we would welcome CVEs, disclosure date is set one week from now:
December 22nd 15:00 CET.

Cheers
---------------------------

---
 src/sphere.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/src/sphere.c b/src/sphere.c
index 479a552..a3fd1c6 100644
--- a/src/sphere.c
+++ b/src/sphere.c
@@ -47,6 +47,11 @@ static int start_read(sox_format_t * ft)

   /* Determine header size, and allocate a buffer large enough to hold it. */
   sscanf(fldsval, "%lu", &header_size_ul);
+  if (header_size_ul < 16) {
+    lsx_fail_errno(ft, SOX_EHDR, "Error reading Sphere header");
+    return (SOX_EOF);
+  }
+
   buf = lsx_malloc(header_size = header_size_ul);

   /* Skip what we have read so far */
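
Review bot: the new `header_size_ul < 16` test trusts the `sscanf(fldsval, "%lu", &header_size_ul)` call on the line above it, whose return value is never checked; if the field is not numeric, the comparison runs on whatever header_size_ul held beforehand. Folding a `sscanf(...) != 1` test into the same failure branch would close that. The literal 16 should also get a comment or a named constant saying where the minimum comes from, and only a lower bound is enforced, so an arbitrarily large file-supplied value still flows into `lsx_malloc(header_size = header_size_ul)`; consider an upper limit there as well.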
-- 
2.1.0


CVE-2014-8145 was assigned to the heap corruptions as they are potentially exploitable.
Comment 1 Alexander Bergmann 2014-12-19 08:39:54 UTC
CRD: 2014-12-22 15:00 CET
Comment 2 Alexander Bergmann 2014-12-19 17:27:37 UTC
This affects only openSUSE:12.3, openSUSE:13.1 and openSUSE:13.2.

Please wait with a submission to OBS until this has gone public.
Comment 4 Swamp Workflow Management 2014-12-19 23:00:25 UTC
bugbot adjusting priority
Comment 5 Swamp Workflow Management 2014-12-22 14:27:21 UTC
An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages until 2015-01-05.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/60104
Comment 6 Marcus Meissner 2014-12-22 18:08:41 UTC
was published by ocert
Comment 7 Marcus Meissner 2014-12-22 18:35:00 UTC
not sure if pavol is still active, last updates were by reddwarf (cced)
Comment 10 Swamp Workflow Management 2018-02-16 06:41:55 UTC
An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages until 2018-03-02.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/63981
Comment 12 Wolfgang Frisch 2020-09-23 15:41:38 UTC
Resolved.