libsndfile-1.0.17 does not check the size of decoded PCM data coming from the FLAC library in flac_buffer_copy() and writes it to a previously allocated buffer on the heap. When seeking through a FLAC file with variable blocksize, a buffer with the current blocksize is allocated and reused with a block of possibly greater size. Since the PCM stream is decoded from a (lossless) FLAC, at most 24 bits of every 32-bit PCM sample is controllable by the file (e.g., you can create 0x00414141 loops in memory). The buffer is allocated at minimum 16*4 bytes while the technical maximum blocksize is 32768*4 bytes. The issue was already known upstream and a change in libsndfile-1.0.18pre17 addressed it, but does not fix it robustly. I'll attach a fix for 1.0.17 (including our FLAC patches) in a moment. Besides the changes in the development version this is not public yet.
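A hardened form of the copy step described in the report, added here as an illustration and not taken from libsndfile or the attached patch: the type `pcm_buf`, the function `pcm_buf_copy` and the helper `demo_variable_blocksize` are constructed names, and the per-channel int32 arrays stand in for what the FLAC decoder callback hands over. The point is that the buffer's capacity is tracked and compared against every incoming block, so a block larger than the one the buffer was sized for is grown into rather than written past.

```c
#include <stdint.h>
#include <stdlib.h>

/* Constructed model of a decode-side PCM buffer, not libsndfile's code:
 * the capacity travels with the pointer so every copy can be bounds-checked. */
typedef struct {
    int32_t *buffer;   /* interleaved decoded samples, on the heap */
    size_t   capacity; /* capacity in int32 samples, not bytes */
} pcm_buf;

#define FLAC_MAX_BLOCKSIZE 32768u   /* technical maximum cited in the report */

/* Hardened copy: a later block may exceed the size the buffer was allocated
 * for, so check the capacity and grow before writing, and reject a block
 * size outside the format's range. Returns samples copied, or -1. */
static long pcm_buf_copy(pcm_buf *pb, const int32_t *const decoded[],
                         unsigned blocksize, unsigned channels)
{
    if (blocksize > FLAC_MAX_BLOCKSIZE || channels == 0) return -1;
    size_t needed = (size_t)blocksize * channels;
    if (needed > pb->capacity) {
        int32_t *grown = realloc(pb->buffer, needed * sizeof(int32_t));
        if (!grown) return -1;
        pb->buffer = grown;
        pb->capacity = needed;
    }
    for (unsigned i = 0; i < blocksize; i++)       /* interleave channels */
        for (unsigned c = 0; c < channels; c++)
            pb->buffer[i * channels + c] = decoded[c][i];
    return (long)needed;
}

/* Replays the seek case: the buffer was sized for a 16-frame block, then a
 * 1152-frame stereo block arrives. Returns 1 if it was grown and copied intact. */
static int demo_variable_blocksize(void)
{
    enum { N = 1152 };
    static int32_t left[N], right[N];             /* constructed sample data */
    for (int i = 0; i < N; i++) { left[i] = i; right[i] = -i; }
    const int32_t *const chans[2] = { left, right };
    /* sized for the 16-frame block seen first, the report's minimum */
    pcm_buf pb = { calloc(16 * 2, sizeof(int32_t)), 16 * 2 };
    if (!pb.buffer) return 0;
    long n = pcm_buf_copy(&pb, chans, N, 2);
    int ok = n == 2 * N && pb.buffer[2 * 7 + 1] == -7
          && pb.buffer[2 * (N - 1)] == N - 1
          && pcm_buf_copy(&pb, chans, FLAC_MAX_BLOCKSIZE + 1, 2) == -1;
    free(pb.buffer);
    return ok;
}
```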
Created attachment 131163 [details, diff] libsndfile-1.0.17-flac-buffer-overflow.patch Backported patch (not approved by upstream yet).
Created attachment 131171 [details, diff] libsndfile-1.0.17-flac-buffer-overflow.patch Updated, upstream approved patch.
Setting whiteboard and cc'ing maintainers. aballier and drac, can you please test the patch and prepare an ebuild. Please attach the ebuild to this bug and do not commit it to CVS yet.
Created attachment 131269 [details] ebuild --- libsndfile-1.0.17.ebuild 2007-08-20 13:17:45.000000000 +0200 +++ libsndfile-1.0.17-r1.ebuild 2007-09-19 07:25:04.000000000 +0200 @@ -31,6 +31,7 @@ epatch "${WORKDIR}/${P}+flac-1.1.3.patch" epatch "${FILESDIR}/${P}-ogg.patch" + epatch "${FILESDIR}/${P}-flac-buffer-overflow.patch" eautoreconf epunt_cxx } patch seems to work fine from my basic testing.
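Review bot: nothing in this diff touches KEYWORDS, so the -r1 ebuild carries over whatever keywords the 1.0.17 ebuild has; since the revision still needs arch testing, reset KEYWORDS to ~arch before committing. The new line `epatch "${FILESDIR}/${P}-flac-buffer-overflow.patch"` also requires the attached patch to be added under files/ with exactly that name, which the hunk does not show.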
Alexis, we decided not to keep this confidential. Please commit the ebuild and patch. Thanks!
Opening at the request of reporter. [14:15] <rbu> i'll grab some food. please unrestrict bug https://bugs.gentoo.org/192834 when you get back
(In reply to comment #5) > Alexis, we decided not to keep this confidential. Please commit the ebuild > and patch. done, I had forgotten to set keywords to ~all in my attached ebuild, fixed that before committing
Arches, please test and mark stable libsndfile-1.0.17-r1. Targets are: "alpha amd64 arm hppa ia64 mips ppc ppc64 sh sparc x86" Also, degrading to C2 because the flac USE flag is disabled by default.
Stable for HPPA.
CVE assigned CVE-2007-4974 to this issue.
x86 stable
alpha/ia64 stable
ppc stable
amd64 stable
ppc64 stable
Created attachment 132116 [details] emerge --info output Tested media-libs/libsndfile-1.0.17-r1 (USE="alsa flac sqlite") on sparc. No bugs found.
sparc stable, thanks Friedrich
GLSA 200710-04, thanks anyone.