Bugzilla – Bug 1196487
VUL-1: CVE-2022-24599: audiofile: memory leak in printinfo.c
Last modified: 2022-08-01 13:59:57 UTC
rh#2058371 In audiofile Audio File Library 0.3.6, there exists one memory leak vulnerability in printfileinfo, in printinfo.c, which allows an attacker to leak sensitive information via a crafted file. The printfileinfo function calls the copyrightstring function to get data; however, it doesn't use zero bytes to truncate the data. https://github.com/mpruett/audiofile/issues/60

References:
- https://bugzilla.redhat.com/show_bug.cgi?id=2058371
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-24599
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24599
- https://github.com/mpruett/audiofile/issues/60
Affected:
- SUSE:SLE-11-SP1:Update
- SUSE:SLE-12:Update
- SUSE:SLE-15:Update
- openSUSE:Factory
The "crafted" file is not that complicated. It is just a mangled AIFF with a chunk that declares a shorter length than it actually is. As a result, printf() gets an unterminated string and could swallow part of the heap following the string. And the AIFF parser will try to read random garbage somewhere later. So I will start with the proposed zeroing of the memory and look at what is happening there. The goal is simple:
- printf() should always get a NUL terminated string, even if the provided string is not terminated.
- If the AIFF parser gets random garbage, nothing bad could happen.
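As an added illustration of both goals above (example code written for this page, not audiofile's own): a hypothetical text-chunk reader that checks the declared chunk size against the bytes actually remaining in the file and always appends its own NUL, so a chunk whose declared length disagrees with its real length can neither make printf() read past the string nor push the parser beyond the end of the buffer. The chunk layout (4-byte id, big-endian 32-bit size, odd sizes padded) follows the IFF/AIFF convention; the function and sample names are invented.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical hardened chunk reader (example code, not audiofile's).
 * data/avail: the whole file in memory. offset: where the chunk starts.
 * Parses a 4-byte chunk id and big-endian 32-bit size, copies the chunk
 * body into a fresh buffer and always appends a NUL, so printf("%s")
 * can never run past the declared length into adjacent heap memory.
 * Returns NULL (and sets *next = 0) when the header or body would
 * extend past the end of the file. */
char *read_text_chunk(const unsigned char *data, size_t avail,
                      size_t offset, char id[5], size_t *next)
{
    *next = 0;
    if (offset > avail || avail - offset < 8)
        return NULL;                         /* no room for a header */
    memcpy(id, data + offset, 4);
    id[4] = '\0';
    const unsigned char *p = data + offset + 4;
    uint32_t size = ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
                    ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
    if (size > avail - offset - 8)
        return NULL;                         /* body overruns the file */
    char *s = malloc((size_t)size + 1);
    if (!s) return NULL;
    memcpy(s, p + 4, size);
    s[size] = '\0';                          /* terminator, always */
    *next = offset + 8 + size + (size & 1);  /* IFF pads odd sizes */
    return s;
}

/* Constructed sample: a "(c) " chunk that declares 5 bytes but is
 * followed by more text, mimicking the length mismatch in the bug. */
static const unsigned char sample[] =
    "(c) " "\x00\x00\x00\x05" "Hello World, this trails the chunk";

char *copyright_from_sample(void)
{
    char id[5];
    size_t next;
    return read_text_chunk(sample, sizeof(sample) - 1, 0, id, &next);
}

int main(void)
{
    char *s = copyright_from_sample();
    printf("copyright: '%s'\n", s ? s : "(rejected)");  /* prints 'Hello' */
    free(s);
    return 0;
}
```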