
Bug 614046 (CVE-2017-6827, CVE-2017-6828, CVE-2017-6829, CVE-2017-6830, CVE-2017-6831, CVE-2017-6832, CVE-2017-6833, CVE-2017-6834, CVE-2017-6835, CVE-2017-6836, CVE-2017-6837, CVE-2017-6838, CVE-2017-6839)

Summary: <media-libs/audiofile-0.3.6-r4: multiple vulnerabilities (CVE-2017-{6827,6828,6829,6830,6831,6832,6833,6834,6835,6836,6839})
Product: Gentoo Security
Reporter: Agostino Sarubbo <ago>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: gnome, jchelmert3, nobrowser, sound
Priority: Normal
Keywords: CC-ARCHES
Version: unspecified
Flags: nattka: sanity-check+
Hardware: All
OS: Linux
See Also: https://github.com/gentoo/gentoo/pull/16141
https://bugs.gentoo.org/show_bug.cgi?id=711394
Whiteboard: B3 [noglsa cve]
Package list: media-libs/audiofile-0.3.6-r4
Runtime testing required: ---
Bug Depends on:
Bug Blocks: 687766
Attachments: audiofile-0.3.6-cve-2015.patch (Flags: none)

Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2017-06-17 21:20:09 UTC
CVE-2017-6834 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-6834):
  Heap-based buffer overflow in the ulaw2linear_buf function in G711.cpp in
  Audio File Library (aka audiofile) 0.3.6 allows remote attackers to cause a
  denial of service (crash) via a crafted file.

CVE-2017-6839 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-6839):
  Integer overflow in modules/MSADPCM.cpp in Audio File Library (aka
  audiofile) 0.3.6 allows remote attackers to cause a denial of service
  (crash) via a crafted file.

CVE-2017-6836 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-6836):
  Heap-based buffer overflow in the Expand3To4Module::run function in
  libaudiofile/modules/SimpleModule.h in Audio File Library (aka audiofile)
  0.3.6 allows remote attackers to cause a denial of service (crash) via a
  crafted file.

CVE-2017-6835 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-6835):
  The reset1 function in libaudiofile/modules/BlockCodec.cpp in Audio File
  Library (aka audiofile) 0.3.6 allows remote attackers to cause a denial of
  service (divide-by-zero error and crash) via a crafted file.

CVE-2017-6833 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-6833):
  The runPull function in libaudiofile/modules/BlockCodec.cpp in Audio File
  Library (aka audiofile) 0.3.6 allows remote attackers to cause a denial of
  service (divide-by-zero error and crash) via a crafted file.

CVE-2017-6832 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-6832):
  Heap-based buffer overflow in the decodeBlock in MSADPCM.cpp in Audio File
  Library (aka audiofile) 0.3.6 allows remote attackers to cause a denial of
  service (crash) via a crafted file.

CVE-2017-6831 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-6831):
  Heap-based buffer overflow in the decodeBlockWAVE function in IMA.cpp in
  Audio File Library (aka audiofile) 0.3.6 allows remote attackers to cause a
  denial of service (crash) via a crafted file.

CVE-2017-6830 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-6830):
  Heap-based buffer overflow in the alaw2linear_buf function in G711.cpp in
  Audio File Library (aka audiofile) 0.3.6 allows remote attackers to cause a
  denial of service (crash) via a crafted file.

CVE-2017-6829 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-6829):
  The decodeSample function in IMA.cpp in Audio File Library (aka audiofile)
  0.3.6 allows remote attackers to cause a denial of service (crash) via a
  crafted file.

CVE-2017-6828 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-6828):
  Heap-based buffer overflow in the readValue function in FileHandle.cpp in
  audiofile (aka libaudiofile and Audio File Library) 0.3.6 allows remote
  attackers to have unspecified impact via a crafted WAV file.

CVE-2017-6827 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-6827):
  Heap-based buffer overflow in the MSADPCM::initializeCoefficients function
  in MSADPCM.cpp in audiofile (aka libaudiofile and Audio File Library) 0.3.6
  allows remote attackers to have unspecified impact via a crafted audio file.
Comment 2 Sam James archtester gentoo-dev Security 2020-04-22 22:13:30 UTC
@maintainer(s): ping
Comment 3 John Helmert III (ajak) 2020-06-09 06:29:22 UTC
Created attachment 644044 [details, diff]
audiofile-0.3.6-cve-2015.patch

This is a series of commits I found referenced on Debian CVE tracker bugs, found here[1]. I was able to verify this patchset fixed each of the CVEs in this bug, except for CVE-2017-{6829,6832,6838,6839}, none of which I was able to reproduce. However, the Debian tracker references one of the commits I included for each of these CVEs.

[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=857651
Comment 4 Larry the Git Cow gentoo-dev 2020-07-19 18:28:38 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f2bb2dc35eccffb4adbcc7f4057b6e2ea458d1b8

commit f2bb2dc35eccffb4adbcc7f4057b6e2ea458d1b8
Author:     John Helmert III <jchelmert3@posteo.net>
AuthorDate: 2020-07-19 18:28:17 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2020-07-19 18:28:17 +0000

    media-libs/audiofile: Add security patches
    
    Dropping the system-gtest patch is necessary to make the tests run, as
    mentioned here: https://bugs.gentoo.org/680482#c8
    
    The three closed bugs are reported test failures fixed by dropping the
    aforementioned patch and a slight repair of src_test. Because we're not
    using system gtest anymore, we can drop the test dependency on
    dev-cpp/gtest, and by extension the IUSE=test boilerplate.
    
    Bug: https://bugs.gentoo.org/614046
    Bug: https://bugs.gentoo.org/687766
    Closes: https://bugs.gentoo.org/680482
    Closes: https://bugs.gentoo.org/715192
    Closes: https://bugs.gentoo.org/720836
    Package-Manager: Portage-2.3.100, Repoman-2.3.22
    Signed-off-by: John Helmert III <jchelmert3@posteo.net>
    Closes: https://github.com/gentoo/gentoo/pull/16141
    Signed-off-by: Sam James <sam@gentoo.org>

 media-libs/audiofile/audiofile-0.3.6-r4.ebuild     |  55 +++
 .../files/audiofile-0.3.6-CVE-2017-68xx.patch      | 379 +++++++++++++++++++++
 ...ofile-0.3.6-CVE-2018-13440-CVE-2018-17095.patch |  82 +++++
 3 files changed, 516 insertions(+)
Comment 5 Sam James archtester gentoo-dev Security 2020-07-20 15:36:41 UTC
arm stable
Comment 6 Sam James archtester gentoo-dev Security 2020-07-20 16:41:38 UTC
arm64 stable
Comment 7 Sam James archtester gentoo-dev Security 2020-07-20 18:25:37 UTC
ppc stable
Comment 8 Sam James archtester gentoo-dev Security 2020-07-20 18:25:50 UTC
ppc64 stable
Comment 9 Sam James archtester gentoo-dev Security 2020-07-20 19:22:52 UTC
x86 stable
Comment 10 Sam James archtester gentoo-dev Security 2020-07-20 21:35:44 UTC
amd64 stable
Comment 11 Sam James archtester gentoo-dev Security 2020-07-24 07:12:04 UTC
sparc stabled by slyfox (https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=90d2a67ef40811d7f8adf3e0d6a6dbc235541ff1) on 22nd
Comment 12 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2020-07-28 20:10:08 UTC
GLSA Vote: no
Comment 13 Rolf Eike Beer 2020-07-28 21:53:47 UTC
dropped to ~hppa
Comment 14 Sam James archtester gentoo-dev Security 2020-07-28 21:54:48 UTC
Please cleanup.
Comment 15 Larry the Git Cow gentoo-dev 2020-07-29 00:19:44 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=99c6a8c3924a9938c21a05f0498046c3e73c50c8

commit 99c6a8c3924a9938c21a05f0498046c3e73c50c8
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2020-07-29 00:19:22 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2020-07-29 00:19:37 +0000

    media-libs/audiofile: security cleanup
    
    Bug: https://bugs.gentoo.org/687766
    Bug: https://bugs.gentoo.org/614046
    Package-Manager: Portage-3.0.1, Repoman-2.3.23
    Signed-off-by: Sam James <sam@gentoo.org>

 media-libs/audiofile/audiofile-0.3.6-r3.ebuild | 50 --------------------------
 1 file changed, 50 deletions(-)