Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 192834

Summary: media-libs/libsndfile-1.0.17 Heap-based buffer overflow in flac.c (CVE-2007-4974)
Product: Gentoo Security Reporter: Robert Buchholz (RETIRED) <rbu>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: aballier, ssuominen
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: C2? [glsa]
Package list:
Runtime testing required: ---
Attachments:
Description Flags
libsndfile-1.0.17-flac-buffer-overflow.patch
none
libsndfile-1.0.17-flac-buffer-overflow.patch
none
ebuild
none
emerge --info output none

Description Robert Buchholz (RETIRED) gentoo-dev 2007-09-17 16:52:27 UTC 
libsndfile-1.0.17 does not check the size of decoded PCM data coming from the FLAC library in flac_buffer_copy() and writes it to a previously allocated buffer on the heap.
When seeking through a FLAC file with variable blocksize, a buffer with the current blocksize is allocated and reused with a block of possibly greater size.

Since the PCM stream is decoded from a (lossless) FLAC, at most 24 bits of every 32 bit PCM sample is controllable by the file (eg, you can create 0x00414141 loops in memory). The buffer is allocated at minimum 16*4 bytes while the technical maximum blocksize is 32768*4 bytes.

The issue was already known upstream and a change in libsndfile-1.0.18pre17 addressed it, but does not fix it robustly. I'll attach a fix for 1.0.17 (including our FLAC patches) in a moment. Besides the the changes in the development version this is not public yet.
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2007-09-17 16:54:31 UTC 
Created attachment 131163 [details, diff]
libsndfile-1.0.17-flac-buffer-overflow.patch

Backported patch (not approved by upstream yet).
Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2007-09-17 21:09:38 UTC 
Created attachment 131171 [details, diff]
libsndfile-1.0.17-flac-buffer-overflow.patch

Updated, upstream approved patch.
Comment 3 Robert Buchholz (RETIRED) gentoo-dev 2007-09-19 00:15:04 UTC 
Setting whiteboard and cc'ing maintainers.
aballier and drac, can you please test the patch and prepare an ebuild.
Please attach the ebuild to this bug and do not commit it to CVS yet.
Comment 4 Alexis Ballier gentoo-dev 2007-09-19 05:52:50 UTC 
Created attachment 131269 [details]
ebuild

--- libsndfile-1.0.17.ebuild    2007-08-20 13:17:45.000000000 +0200
+++ libsndfile-1.0.17-r1.ebuild 2007-09-19 07:25:04.000000000 +0200
@@ -31,6 +31,7 @@
 
        epatch "${WORKDIR}/${P}+flac-1.1.3.patch"
        epatch "${FILESDIR}/${P}-ogg.patch"
+       epatch "${FILESDIR}/${P}-flac-buffer-overflow.patch"
        eautoreconf
        epunt_cxx
 }


patch seems to work fine from my basic testing.
Comment 5 Robert Buchholz (RETIRED) gentoo-dev 2007-09-19 12:05:31 UTC 
Alexis, we decided not to keep this confidential. Please commit the the ebuild and patch.
Thanks!
Comment 6 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-09-19 12:25:14 UTC 
Opening at the request of reporter.

[14:15] <rbu> i'll grab some food. please unrestrict bug https://bugs.gentoo.org/192834 when you get back
Comment 7 Alexis Ballier gentoo-dev 2007-09-19 15:37:58 UTC 
(In reply to comment #5)
> Alexis, we decided not to keep this confidential. Please commit the the ebuild
> and patch.

done, I had forgot to set keywords to ~all in my attached ebuild, fixed that before comitting
Comment 8 Robert Buchholz (RETIRED) gentoo-dev 2007-09-19 15:52:47 UTC 
Arches, please test and mark stable libsndfile-1.0.17-r1.
Targets are: "alpha amd64 arm hppa ia64 mips ppc ppc64 sh sparc x86"

Also, degrading to C2 because the flac use flag is disabled by default.
Comment 9 Jeroen Roovers (RETIRED) gentoo-dev 2007-09-19 16:16:46 UTC 
Stable for HPPA.
Comment 10 Robert Buchholz (RETIRED) gentoo-dev 2007-09-19 17:21:05 UTC 
CVE assigned CVE-2007-4974 to this issue.
Comment 11 Markus Meier gentoo-dev 2007-09-19 19:22:12 UTC 
x86 stable
Comment 12 Raúl Porcel (RETIRED) gentoo-dev 2007-09-20 13:47:17 UTC 
alpha/ia64 stable
Comment 13 Tobias Scherbaum (RETIRED) gentoo-dev 2007-09-20 18:17:23 UTC 
ppc stable
Comment 14 Robert Buchholz (RETIRED) gentoo-dev 2007-09-20 18:46:30 UTC 
amd64 stable
Comment 15 Brent Baude (RETIRED) gentoo-dev 2007-09-20 20:46:12 UTC 
ppc64 stable
Comment 16 Friedrich Oslage (RETIRED) gentoo-dev 2007-09-28 19:19:27 UTC 
Created attachment 132116 [details]
emerge --info output

Tested media-libs/libsndfile-1.0.17-r1 (USE="alsa flac sqlite") on sparc.
No bugs found.
Comment 17 Raúl Porcel (RETIRED) gentoo-dev 2007-09-29 09:22:24 UTC 
sparc stable, thanks Friedrich
Comment 18 Robert Buchholz (RETIRED) gentoo-dev 2007-10-07 21:32:47 UTC 
GLSA 200710-04, thanks anyone.