Bug#: 192834
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Robert Buchholz <rbu@gentoo.org>

Attachments (filename | description | type | creator | created | size):
  libsndfile-1.0.17-flac-buffer-overflow.patch | libsndfile-1.0.17-flac-buffer-overflow.patch | patch | Robert Buchholz | 2007-09-17 16:54 0000 | 1.40 KB
  libsndfile-1.0.17-flac-buffer-overflow.patch | libsndfile-1.0.17-flac-buffer-overflow.patch | patch | Robert Buchholz | 2007-09-17 21:09 0000 | 1.48 KB
  libsndfile-1.0.17-r1.ebuild | ebuild | text/plain | Alexis Ballier | 2007-09-19 05:52 0000 | 1.37 KB
  emerge.info | emerge --info output | text/plain | Friedrich Oslage | 2007-09-28 19:19 0000 | 3.02 KB

------- Description From Robert Buchholz 2007-09-17 16:52 0000 -------
libsndfile-1.0.17 does not check the size of decoded PCM data coming from the
FLAC library in flac_buffer_copy() and writes it to a previously allocated
buffer on the heap.
When seeking through a FLAC file with variable blocksize, a buffer with the
current blocksize is allocated and reused with a block of possibly greater
size.

Since the PCM stream is decoded from a (lossless) FLAC, at most 24 bits of
every 32 bit PCM sample is controllable by the file (e.g., you can create
0x00414141 loops in memory). The buffer is allocated at minimum 16*4 bytes
while the technical maximum blocksize is 32768*4 bytes.

The issue was already known upstream and a change in libsndfile-1.0.18pre17
addressed it, but does not fix it robustly. I'll attach a fix for 1.0.17
(including our FLAC patches) in a moment. Besides the changes in the
development version this is not public yet.
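The overflow pattern the description lays out, as an added example in C that is not libsndfile's code: a PCM buffer sized for the first (16-sample) block is reused, so a later larger block overruns it unless the copy checks the incoming blocksize against the allocated capacity and grows the buffer first. All names (pcm_buf, copy_block_checked, unchecked_overrun_bytes, demo_variable_blocksize) and the 4096-sample block are assumptions.

```c
/* Model of the heap overflow described above (added example, not libsndfile's
 * code; names and sizes are assumptions): the PCM buffer is sized for the
 * first block and reused, so a larger block must be checked before copying. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define FLAC_MIN_BLOCKSIZE 16      /* minimum allocation in the report */
#define FLAC_MAX_BLOCKSIZE 32768   /* technical maximum blocksize */

typedef struct {
    int32_t *samples;   /* heap buffer of decoded 32-bit PCM samples */
    size_t   capacity;  /* samples the buffer was allocated for */
} pcm_buf;

/* Bytes an unchecked memcpy of n samples would write past the buffer end. */
static size_t unchecked_overrun_bytes(const pcm_buf *b, size_t n) {
    return n > b->capacity ? (n - b->capacity) * sizeof(int32_t) : 0;
}

/* Checked copy: reject blocks above the format maximum, grow the buffer when
 * the block is larger than the one it was allocated for, then copy. */
static int copy_block_checked(pcm_buf *b, const int32_t *block, size_t n) {
    if (n > FLAC_MAX_BLOCKSIZE) return -1;
    if (n > b->capacity) {
        int32_t *grown = realloc(b->samples, n * sizeof *grown);
        if (!grown) return -1;
        b->samples = grown;
        b->capacity = n;
    }
    memcpy(b->samples, block, n * sizeof *block);
    return 0;
}

/* Report scenario: buffer allocated for a 16-sample block, then a 4096-sample
 * block of file-chosen 0x00414141 samples arrives. Returns the bytes an
 * unchecked copy would overrun (checked copy succeeds), or -1 on failure. */
static long demo_variable_blocksize(void) {
    static int32_t block[4096];
    pcm_buf b = { calloc(FLAC_MIN_BLOCKSIZE, sizeof(int32_t)), FLAC_MIN_BLOCKSIZE };
    long overrun;
    size_t i;
    if (!b.samples) return -1;
    for (i = 0; i < 4096; i++) block[i] = 0x00414141;
    overrun = (long)unchecked_overrun_bytes(&b, 4096);
    if (copy_block_checked(&b, block, 4096) != 0 || b.samples[4095] != 0x00414141)
        overrun = -1;
    free(b.samples);
    return overrun;
}
```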

------- Comment #1 From Robert Buchholz 2007-09-17 16:54:31 0000 -------
Created an attachment (id=131163) [details]
libsndfile-1.0.17-flac-buffer-overflow.patch

Backported patch (not approved by upstream yet).

------- Comment #2 From Robert Buchholz 2007-09-17 21:09:38 0000 -------
Created an attachment (id=131171) [details]
libsndfile-1.0.17-flac-buffer-overflow.patch

Updated, upstream approved patch.

------- Comment #3 From Robert Buchholz 2007-09-19 00:15:04 0000 -------
Setting whiteboard and cc'ing maintainers.
aballier and drac, can you please test the patch and prepare an ebuild.
Please attach the ebuild to this bug and do not commit it to CVS yet.

------- Comment #4 From Alexis Ballier 2007-09-19 05:52:50 0000 -------
Created an attachment (id=131269) [details]
ebuild

--- libsndfile-1.0.17.ebuild    2007-08-20 13:17:45.000000000 +0200
+++ libsndfile-1.0.17-r1.ebuild 2007-09-19 07:25:04.000000000 +0200
@@ -31,6 +31,7 @@

        epatch "${WORKDIR}/${P}+flac-1.1.3.patch"
        epatch "${FILESDIR}/${P}-ogg.patch"
+       epatch "${FILESDIR}/${P}-flac-buffer-overflow.patch"
        eautoreconf
        epunt_cxx
 }
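Review bot: The new epatch line is ordered after "${WORKDIR}/${P}+flac-1.1.3.patch", which is the right place since the description says the backported fix was made on top of the FLAC patches; keep that ordering if the patch list is ever rearranged. The file it references, ${FILESDIR}/${P}-flac-buffer-overflow.patch, must be committed under files/ in the same commit as the ebuild, otherwise src_unpack fails; and because the hunk only shows src_unpack, the revision's KEYWORDS cannot be confirmed from this diff.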


patch seems to work fine from my basic testing.

------- Comment #5 From Robert Buchholz 2007-09-19 12:05:31 0000 -------
Alexis, we decided not to keep this confidential. Please commit the ebuild
and patch.
Thanks!

------- Comment #6 From Sune Kloppenborg Jeppesen 2007-09-19 12:25:14 0000 -------
Opening at the request of reporter.

[14:15] <rbu> i'll grab some food. please unrestrict bug
https://bugs.gentoo.org/192834 when you get back

------- Comment #7 From Alexis Ballier 2007-09-19 15:37:58 0000 -------
(In reply to comment #5)
> Alexis, we decided not to keep this confidential. Please commit the ebuild
> and patch.

done, I had forgotten to set keywords to ~all in my attached ebuild, fixed that
before committing

------- Comment #8 From Robert Buchholz 2007-09-19 15:52:47 0000 -------
Arches, please test and mark stable libsndfile-1.0.17-r1.
Targets are: "alpha amd64 arm hppa ia64 mips ppc ppc64 sh sparc x86"

Also, degrading to C2 because the flac use flag is disabled by default.

------- Comment #9 From Jeroen Roovers 2007-09-19 16:16:46 0000 -------
Stable for HPPA.

------- Comment #10 From Robert Buchholz 2007-09-19 17:21:05 0000 -------
CVE assigned CVE-2007-4974 to this issue.

------- Comment #11 From Markus Meier 2007-09-19 19:22:12 0000 -------
x86 stable

------- Comment #12 From Raúl Porcel 2007-09-20 13:47:17 0000 -------
alpha/ia64 stable

------- Comment #13 From Tobias Scherbaum 2007-09-20 18:17:23 0000 -------
ppc stable

------- Comment #14 From Robert Buchholz 2007-09-20 18:46:30 0000 -------
amd64 stable

------- Comment #15 From Brent Baude 2007-09-20 20:46:12 0000 -------
ppc64 stable

------- Comment #16 From Friedrich Oslage 2007-09-28 19:19:27 0000 -------
Created an attachment (id=132116) [details]
emerge --info output

Tested media-libs/libsndfile-1.0.17-r1 (USE="alsa flac sqlite") on sparc.
No bugs found.

------- Comment #17 From Raúl Porcel 2007-09-29 09:22:24 0000 -------
sparc stable, thanks Friedrich

------- Comment #18 From Robert Buchholz 2007-10-07 21:32:47 0000 -------
GLSA 200710-04, thanks anyone.
