
Bug 631674 (CVE-2017-14245, CVE-2017-14246, CVE-2019-3832)

Summary: <media-libs/libsndfile-1.0.29_pre2_p20191024: multiple vulnerabilities (CVE-2017-{14246,14245}, CVE-2019-3832)
Product: Gentoo Security
Reporter: D'juan McDonald (domhnall) <flopwiki>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: ajak, fordfrog, sound
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://github.com/erikd/libsndfile/issues/317
Whiteboard: B3 [glsa+ cleanup cve]
Package list:
media-libs/libsndfile-1.0.29
Runtime testing required: ---
Bug Depends on: 719020    
Bug Blocks: 671834    

Description D'juan McDonald (domhnall) 2017-09-21 19:49:52 UTC
CVE-2017-14245 (https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-14245):
An out of bounds read in the function d2alaw_array() in alaw.c of libsndfile 1.0.28 may lead to a remote DoS attack or information disclosure, related to mishandling of the NAN and INFINITY floating-point values.


CVE-2017-14246 (https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-14246):
An out of bounds read in the function d2ulaw_array() in ulaw.c of libsndfile 1.0.28 may lead to a remote DoS attack or information disclosure, related to mishandling of the NAN and INFINITY floating-point values.

@maintainer(s), fixed package already in tree, please verify if stabilization is needed, thank you.

Daj Uan (jmbailey)
Gentoo Security Padawan
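
The two CVE descriptions above name NAN and INFINITY mishandling as the cause of an out-of-bounds read. The following is an added C example, not libsndfile's code and not part of the bug report, of one common way that happens: a scaled sample is used as a lookup-table index behind a range check that NaN slips past. The table, `TABLE_LEN` and the functions `naive_in_range`, `strict_in_range` and `encode_array` are hypothetical, and the sample values are constructed.

```c
#include <math.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TABLE_LEN 2048                     /* assumed table size, for illustration */
static uint8_t encode_table[TABLE_LEN];    /* constructed stand-in table */

void init_table(void)
{
    for (size_t i = 0; i < TABLE_LEN; i++)
        encode_table[i] = (uint8_t)(i >> 4);    /* toy codes 0..127 */
}

/* Rejection-style check: flags only values that compare outside the range.
 * Every ordered comparison with NaN is false, so NaN is accepted. */
int naive_in_range(double scaled)
{
    return !(scaled > TABLE_LEN - 1 || scaled < 0);
}

/* Acceptance-style check: the value must positively compare inside the
 * range, so NaN and +/-INFINITY both fail. */
int strict_in_range(double scaled)
{
    return scaled >= 0 && scaled <= TABLE_LEN - 1;
}

/* Encode n samples; NaN, infinite or oversized samples become code 0.
 * Returns how many samples were rejected. */
size_t encode_array(const double *in, size_t n, uint8_t *out, double normfact)
{
    size_t rejected = 0;
    for (size_t i = 0; i < n; i++) {
        double mag = (in[i] < 0 ? -in[i] : in[i]) * normfact;
        if (!strict_in_range(mag)) { out[i] = 0; rejected++; continue; }
        out[i] = encode_table[(size_t)(mag + 0.5)];  /* index <= TABLE_LEN - 1 */
    }
    return rejected;
}

int main(void)
{
    const double in[] = { 0.25, -1.0, NAN, INFINITY, -INFINITY, 3.0 }; /* constructed */
    uint8_t out[6];
    init_table();
    printf("rejected %zu of 6\n", encode_array(in, 6, out, 2047.0));
    return 0;
}
```

The check runs on the `double` before any conversion, because converting NaN or an out-of-range value to an integer type is undefined behaviour in C and cannot be validated afterwards.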
Comment 1 Aleksandr Wagner (Kivak) 2017-10-27 18:19:26 UTC
The current ebuild in the tree, 1.0.28-r1, still contains these bugs. Currently patches are available, however no official release contains the fixes.
Comment 2 Andreas Sturmlechner gentoo-dev 2018-10-03 19:26:59 UTC
Still not fixed in git master.
Comment 3 D'juan McDonald (domhnall) 2018-10-04 11:28:13 UTC
(In reply to Andreas Sturmlechner from comment #2)
>Still not fixed in git master.

Ack! Seeding whiteboard to reflect still no released fix from upstream.


Gentoo Security Padawan
(domhnall/jmbailey)
Comment 4 Larry the Git Cow gentoo-dev 2019-10-26 23:11:41 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=571be2db1daddd62cad5716ef4c649595129ca81

commit 571be2db1daddd62cad5716ef4c649595129ca81
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2019-10-26 23:10:59 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2019-10-26 23:11:31 +0000

    media-libs/libsndfile: bump to v1.0.29_pre2_p20191024
    
    Bug: https://bugs.gentoo.org/631674
    Package-Manager: Portage-2.3.78, Repoman-2.3.17
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 media-libs/libsndfile/Manifest                     |  1 +
 .../libsndfile-1.0.29_pre2_p20191024.ebuild        | 65 ++++++++++++++++++++++
 media-libs/libsndfile/libsndfile-9999.ebuild       |  1 +
 3 files changed, 67 insertions(+)
Comment 5 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-03-19 01:05:45 UTC
@maintainer(s), please advise if you are ready for stabilization or call for stabilization yourself.
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2020-04-22 22:00:28 UTC
CVE-2019-3832 (https://nvd.nist.gov/vuln/detail/CVE-2019-3832):
  It was discovered the fix for CVE-2018-19758 (libsndfile) was not complete
  and still allows a read beyond the limits of a buffer in wav_write_header()
  function in wav.c. A local attacker may use this flaw to make the
  application crash.
Comment 7 Agostino Sarubbo gentoo-dev 2020-04-23 10:09:38 UTC
arm stable
Comment 8 Agostino Sarubbo gentoo-dev 2020-04-23 10:42:09 UTC
x86 stable
Comment 9 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2020-04-25 10:49:01 UTC
amd64 stable
Comment 10 Rolf Eike Beer archtester 2020-04-27 17:48:26 UTC
hppa stable
Comment 11 Rolf Eike Beer archtester 2020-04-28 19:05:10 UTC
sparc stable
Comment 12 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-04-28 19:27:44 UTC
arm64 stable
Comment 13 GLSAMaker/CVETool Bot gentoo-dev 2020-07-31 19:59:41 UTC
This issue was resolved and addressed in
 GLSA 202007-65 at https://security.gentoo.org/glsa/202007-65
by GLSA coordinator Sam James (sam_c).
Comment 14 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-07-31 20:00:38 UTC
Reopening for ppc{,64}.
Comment 15 ernsteiswuerfel archtester 2020-08-20 16:25:14 UTC
Fails 1 test (bug #719020) but looks otherwise good on ppc64.

 # cat libsndfile-631674.report 
USE tests started on Do 20. Aug 15:06:11 CEST 2020

 FEATURES=' test' failed for =media-libs/libsndfile-1.0.29_pre2_p20191024
USE='-alsa -minimal -sqlite -static-libs' succeeded for =media-libs/libsndfile-1.0.29_pre2_p20191024
USE='alsa -minimal -sqlite -static-libs' succeeded for =media-libs/libsndfile-1.0.29_pre2_p20191024
USE='-alsa minimal -sqlite -static-libs' succeeded for =media-libs/libsndfile-1.0.29_pre2_p20191024
USE='alsa minimal -sqlite -static-libs' succeeded for =media-libs/libsndfile-1.0.29_pre2_p20191024
USE='-alsa -minimal sqlite -static-libs' succeeded for =media-libs/libsndfile-1.0.29_pre2_p20191024
USE='alsa minimal sqlite -static-libs' succeeded for =media-libs/libsndfile-1.0.29_pre2_p20191024
USE='-alsa -minimal -sqlite static-libs' succeeded for =media-libs/libsndfile-1.0.29_pre2_p20191024
USE='alsa -minimal -sqlite static-libs' succeeded for =media-libs/libsndfile-1.0.29_pre2_p20191024
USE='-alsa minimal -sqlite static-libs' succeeded for =media-libs/libsndfile-1.0.29_pre2_p20191024
USE='-alsa -minimal sqlite static-libs' succeeded for =media-libs/libsndfile-1.0.29_pre2_p20191024
USE='alsa -minimal sqlite static-libs' succeeded for =media-libs/libsndfile-1.0.29_pre2_p20191024
USE='alsa minimal sqlite static-libs' succeeded for =media-libs/libsndfile-1.0.29_pre2_p20191024

revdep tests started on Do 20. Aug 17:34:13 CEST 2020

FEATURES=' test' USE='sndfile' succeeded for media-libs/aubio
FEATURES=' test' USE='sndfile' succeeded for media-sound/sox
FEATURES=' test' USE='' succeeded for media-libs/vamp-plugin-sdk
FEATURES=' test' USE='' succeeded for media-libs/dssi
FEATURES=' test' USE='sndfile' succeeded for media-sound/moc
FEATURES=' test' USE='' succeeded for media-libs/libbs2b
FEATURES=' test' USE='sndfile' succeeded for media-sound/fluidsynth
FEATURES=' test' USE='' succeeded for media-libs/lilv
FEATURES=' test' USE='sndfile' succeeded for media-sound/twolame
FEATURES=' test' USE='' succeeded for media-sound/pulseaudio
Comment 16 ernsteiswuerfel archtester 2020-08-21 12:49:10 UTC
Fails 1 test (bug #719020) but looks otherwise good on ppc.

 # cat libsndfile-631674.report 
USE tests started on Fr 21. Aug 11:39:26 CEST 2020

 FEATURES=' test' failed for =media-libs/libsndfile-1.0.29_pre2_p20191024
USE='-alsa -minimal -sqlite -static-libs' succeeded for =media-libs/libsndfile-1.0.29_pre2_p20191024
USE='alsa -minimal -sqlite -static-libs' succeeded for =media-libs/libsndfile-1.0.29_pre2_p20191024
USE='-alsa minimal -sqlite -static-libs' succeeded for =media-libs/libsndfile-1.0.29_pre2_p20191024
USE='alsa minimal -sqlite -static-libs' succeeded for =media-libs/libsndfile-1.0.29_pre2_p20191024
USE='alsa -minimal sqlite -static-libs' succeeded for =media-libs/libsndfile-1.0.29_pre2_p20191024
USE='-alsa minimal sqlite -static-libs' succeeded for =media-libs/libsndfile-1.0.29_pre2_p20191024
USE='alsa minimal sqlite -static-libs' succeeded for =media-libs/libsndfile-1.0.29_pre2_p20191024
USE='-alsa -minimal -sqlite static-libs' succeeded for =media-libs/libsndfile-1.0.29_pre2_p20191024
USE='-alsa minimal -sqlite static-libs' succeeded for =media-libs/libsndfile-1.0.29_pre2_p20191024
USE='alsa minimal -sqlite static-libs' succeeded for =media-libs/libsndfile-1.0.29_pre2_p20191024
USE='-alsa -minimal sqlite static-libs' succeeded for =media-libs/libsndfile-1.0.29_pre2_p20191024
USE='alsa -minimal sqlite static-libs' succeeded for =media-libs/libsndfile-1.0.29_pre2_p20191024

revdep tests started on Fr 21. Aug 13:57:11 CEST 2020

FEATURES=' test' USE='' succeeded for media-libs/lilv
FEATURES=' test' USE='' succeeded for media-libs/libbs2b
FEATURES=' test' USE='sndfile' succeeded for media-sound/twolame
FEATURES=' test' USE='plugins' succeeded for media-libs/lv2
FEATURES=' test' USE='sndfile' succeeded for media-sound/herrie
FEATURES=' test' USE='' succeeded for media-libs/dssi
FEATURES=' test' USE='' succeeded for media-sound/hydrogen
FEATURES=' test' USE='sndfile' succeeded for media-sound/sox
FEATURES=' test' USE='sndfile' succeeded for media-sound/moc
FEATURES=' test' USE='ao' succeeded for x11-wm/icewm
Comment 17 Sergei Trofimovich (RETIRED) gentoo-dev 2020-08-23 08:16:20 UTC
ppc/ppc64 stable thanks to ernsteiswuerfel!
Comment 18 Miroslav Šulc gentoo-dev 2020-08-23 09:11:04 UTC
looking at versions 1.0.28-r4 and 1.0.28-r4, the older one also has s390 keyword whereas the new one does not have it.

for the older version it was introduced in this commit:

commit 44fd362462b7d1fa0a0a65d7b74c6d68eda86e8f
Author: Mikle Kolyada <zlogene@gentoo.org>
Date:   Wed Mar 20 22:01:08 2019 +0300

    media-libs/libsndfile: mark s390 stable
    
    Signed-off-by: Mikle Kolyada <zlogene@gentoo.org>
    Package-Manager: Portage-2.3.62, Repoman-2.3.11

diff --git a/media-libs/libsndfile/libsndfile-1.0.28-r4.ebuild b/media-libs/libsndfile/libsndfile-1.0.28-r4.ebuild
index 99e86b43f8eb..9edee782210f 100644
--- a/media-libs/libsndfile/libsndfile-1.0.28-r4.ebuild
+++ b/media-libs/libsndfile/libsndfile-1.0.28-r4.ebuild
@@ -1,4 +1,4 @@
-# Copyright 1999-2018 Gentoo Authors
+# Copyright 1999-2019 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 
 EAPI=7
@@ -19,7 +19,7 @@ fi
 
 LICENSE="LGPL-2.1"
 SLOT="0"
-KEYWORDS="alpha amd64 arm ~arm64 hppa ia64 ~mips ppc ppc64 ~sh sparc x86 ~amd64-fbsd ~x86-fbsd ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~sparc-solaris ~x64-solaris ~x86-solaris"
+KEYWORDS="alpha amd64 arm ~arm64 hppa ia64 ~mips ppc ppc64 s390 ~sh sparc x86 ~amd64-fbsd ~x86-fbsd ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~sparc-solaris ~x64-solaris ~x86-solaris"
 IUSE="alsa minimal sqlite static-libs test"
 
 RDEPEND="
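Review bot: in the second hunk the KEYWORDS line gains a stable `s390` entry, but the commit message above it has no `Bug:` trailer pointing at a stabilization request, so nothing visible records why the keyword was added or on whose testing. Suggest adding a `Bug:` line to the message, as commit 571be2db does, so that a later version bump can tell whether dropping the keyword is intentional.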


the new one never had it since this commit when it was introduced:

commit 571be2db1daddd62cad5716ef4c649595129ca81
Author: Thomas Deutschmann <whissi@gentoo.org>
Date:   Sun Oct 27 01:10:59 2019 +0200

    media-libs/libsndfile: bump to v1.0.29_pre2_p20191024
    
    Bug: https://bugs.gentoo.org/631674
    Package-Manager: Portage-2.3.78, Repoman-2.3.17
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>


it nowhere says whether it was dropped on purpose or not so adding s390@ so we can clear this up and remove the old version.
Comment 19 NATTkA bot gentoo-dev 2020-08-23 09:14:41 UTC
Resetting sanity check; package list is empty or all packages are done.
Comment 20 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2020-09-20 16:29:10 UTC
s390: ping
Comment 21 Miroslav Šulc gentoo-dev 2020-10-02 09:32:47 UTC
this one also fixes test issues in the pre-release
Comment 22 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-10-04 13:46:32 UTC
Let's just leave s390. please cleanup
Comment 23 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-10-04 13:46:48 UTC
(In reply to Miroslav Šulc from comment #21)
> this one also fixes test issues in the pre-release

We'll do this in a separate bug (or .30)?
Comment 24 David Seifert gentoo-dev 2020-10-04 13:48:36 UTC
(In reply to Miroslav Šulc from comment #21)
> this one also fixes test issues in the pre-release

Hi Miroslav,
I just fixed the 1.0.30 tarball upstream (so we don't need the CRLF patch anymore), and I'd like to stabilise that version instead, so we can prune out all the patches.
Comment 25 Larry the Git Cow gentoo-dev 2020-10-04 13:55:23 UTC
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=455ff240b6739983b52aa3d63f9f2cb2c0f4c654

commit 455ff240b6739983b52aa3d63f9f2cb2c0f4c654
Author:     David Seifert <soap@gentoo.org>
AuthorDate: 2020-10-04 13:55:09 +0000
Commit:     David Seifert <soap@gentoo.org>
CommitDate: 2020-10-04 13:55:09 +0000

    media-libs/libsndfile: Remove old 1.0.28-r4 and 1.0.29
    
    Closes: https://bugs.gentoo.org/631674
    Package-Manager: Portage-3.0.8, Repoman-3.0.1
    Signed-off-by: David Seifert <soap@gentoo.org>

 media-libs/libsndfile/Manifest                     |   2 -
 .../files/libsndfile-1.0.28-CVE-2017-12562.patch   |  88 --------------
 .../files/libsndfile-1.0.28-CVE-2017-14634.patch   |  35 ------
 .../files/libsndfile-1.0.28-CVE-2017-6892.patch    |  25 ----
 .../files/libsndfile-1.0.28-CVE-2017-8362.patch    |  50 --------
 .../files/libsndfile-1.0.28-CVE-2017-8363.patch    |  28 -----
 .../files/libsndfile-1.0.28-CVE-2017-8365.patch    |  64 -----------
 .../files/libsndfile-1.0.28-CVE-2018-13139.patch   |  31 -----
 .../libsndfile-1.0.28-arm-varargs-failure.patch    |  32 ------
 .../files/libsndfile-1.0.29-pointer-aliasing.patch | 128 ---------------------
 media-libs/libsndfile/libsndfile-1.0.28-r4.ebuild  |  71 ------------
 media-libs/libsndfile/libsndfile-1.0.29.ebuild     |  79 -------------
 12 files changed, 633 deletions(-)
Comment 26 Miroslav Šulc gentoo-dev 2020-10-04 16:30:22 UTC
David, ok, thanks :-)