Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 626696 (CVE-2017-11548) - media-libs/libao:memory corruption vulnerability
Summary: media-libs/libao:memory corruption vulnerability
Status: RESOLVED INVALID
Alias: CVE-2017-11548
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: http://seclists.org/fulldisclosure/20...
Whiteboard: B3 [ebuild cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2017-07-31 13:04 UTC by Christopher Díaz Riveros (RETIRED)
Modified: 2021-04-29 18:59 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-07-31 13:04:49 UTC
From URL:

Introduction:
=============
Libao is a cross-platform audio library that allows programs to output audio using a simple API on a wide variety of 
platforms.


Affected version:
=====
1.2.0


Vulnerability Description:
==========================
the _tokenize_matrix function in audio_out.c in Xiph.Org libao 1.2.0 can cause a denial of service(memory corruption) 
via a crafted mp3 file.


I found this bug when I test mpg321 0.3.2 which used the libao library.


./mpg321 libao_1.2.0_memory_corruption.mp3


----debug info:----
Program received signal SIGSEGV, Segmentation fault.
_int_malloc (av=av@entry=0x7ffff6f7f760 <main_arena>, bytes=bytes@entry=3)
    at malloc.c:3740
3740malloc.c: No such file or directory.
(gdb) bt
#0  _int_malloc (av=av@entry=0x7ffff6f7f760 <main_arena>, bytes=bytes@entry=3)
    at malloc.c:3740
#1  0x00007ffff6c442cc in __libc_calloc (n=<optimized out>, 
    elem_size=<optimized out>) at malloc.c:3219
#2  0x00007ffff728e189 in _tokenize_matrix () from /usr/local/lib/libao.so.4
#3  0x00007ffff728e607 in _matrix_to_channelmask ()
   from /usr/local/lib/libao.so.4
#4  0x00007ffff72906f2 in _open_device () from /usr/local/lib/libao.so.4
#5  0x000000000040a6aa in open_ao_playdevice (header=header@entry=0x624af8)
    at ao.c:411
#6  0x0000000000407e50 in output (data=<optimized out>, header=0x624af8, 
    pcm=0x627f44) at mad.c:974
#7  0x00007ffff749a85c in run_sync (decoder=0x7fffffffbc40) at decoder.c:439
#8  0x00007ffff749ab38 in mad_decoder_run (
    decoder=decoder@entry=0x7fffffffbc40, 
    mode=mode@entry=MAD_DECODER_MODE_SYNC) at decoder.c:557
#9  0x0000000000403d5d in main (argc=<optimized out>, argv=<optimized out>)
    at mpg321.c:1092
(gdb)
Comment 1 Yury German Gentoo Infrastructure gentoo-dev 2019-04-27 18:27:46 UTC
Maintainer(s), RedHat has addressed this bug with version #: libao-1.2.0-13.fc28
Our version in tree is Version: 1.2.2, please confirm if our current version has this fix in it.
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2020-06-23 04:50:36 UTC
I can't reproduce. Debian maintainer also isn't sure that this is actually an issue in libao.

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=870608
Comment 3 Miroslav Šulc gentoo-dev 2021-04-29 06:31:47 UTC
i can't reproduce it:

$ mpg321-mpg123 libao_1.2.0_memory_corruption.mp3 
High Performance MPEG 1.0/2.0/2.5 Audio Player for Layer 1, 2, and 3.
Version 0.3.2-1 (2012/03/25). Written and copyrights by Joe Drew,
now maintained by Nanakos Chrysostomos and others.
Uses code from various people. See 'README' for more!
THIS SOFTWARE COMES WITH ABSOLUTELY NO WARRANTY! USE AT YOUR OWN RISK!
Illegal bit allocation value

Playing MPEG stream from libao_1.2.0_memory_corruption.mp3 ...
MPEG 1.0 layer III, 192 kbit/s, 44100 Hz mono
                                                                            
[0:00] Decoding of libao_1.2.0_memory_corruption.mp3 finished.


$ equery list libao
 * Searching for libao ...
[IP-] [  ] media-libs/libao-1.2.2-r1:0


so i suppose you can proceed.
Comment 4 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-04-29 18:59:18 UTC
Let's close as invalid then. Thanks for the second opinion!