Bug 192834 - media-libs/libsndfile-1.0.17 Heap-based buffer overflow in flac.c (CVE-2007-4974)
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
Whiteboard: C2? [glsa]
Depends on:
Reported: 2007-09-17 16:52 UTC by Robert Buchholz (RETIRED)
Modified: 2020-04-03 06:58 UTC (History)

See Also:
Package list:
Runtime testing required: ---

libsndfile-1.0.17-flac-buffer-overflow.patch (libsndfile-1.0.17-flac-buffer-overflow.patch,1.40 KB, patch)
2007-09-17 16:54 UTC, Robert Buchholz (RETIRED)
libsndfile-1.0.17-flac-buffer-overflow.patch (libsndfile-1.0.17-flac-buffer-overflow.patch,1.48 KB, patch)
2007-09-17 21:09 UTC, Robert Buchholz (RETIRED)
ebuild (libsndfile-1.0.17-r1.ebuild,1.37 KB, text/plain)
2007-09-19 05:52 UTC, Alexis Ballier
emerge --info output (,3.02 KB, text/plain)
2007-09-28 19:19 UTC, Friedrich Oslage (RETIRED)

Description Robert Buchholz (RETIRED) gentoo-dev 2007-09-17 16:52:27 UTC
libsndfile-1.0.17 does not check the size of decoded PCM data coming from the FLAC library in flac_buffer_copy() and writes it to a previously allocated buffer on the heap.
When seeking through a FLAC file with variable blocksize, a buffer with the current blocksize is allocated and reused with a block of possibly greater size.

Since the PCM stream is decoded from a (lossless) FLAC, at most 24 bits of every 32-bit PCM sample is controllable by the file (e.g., you can create 0x00414141 loops in memory). The buffer is allocated at minimum 16*4 bytes while the technical maximum blocksize is 32768*4 bytes.

The issue was already known upstream and a change in libsndfile-1.0.18pre17 addressed it, but does not fix it robustly. I'll attach a fix for 1.0.17 (including our FLAC patches) in a moment. Besides the changes in the development version, this is not public yet.
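The buffer-reuse hazard described in the report, modelled as an added example (this is not libsndfile's code): a decoder sink allocates its heap buffer for the first block it sees, and a checked copy grows the buffer for a larger block, or rejects a block beyond the format maximum, instead of overrunning the allocation. The struct and function names are hypothetical, the 32768-sample maximum is the figure the report cites, and the `decoded[]` plane layout is assumed to follow the shape of a FLAC write callback.

```c
#include <stdint.h>
#include <stdlib.h>

/* Maximum blocksize in samples per channel, as cited in the report (assumption). */
#define FLAC_MAX_BLOCKSIZE 32768u

/* Hypothetical decoder sink: one heap buffer sized for a single block and
 * reused for every later block, which is the pattern the report describes. */
typedef struct {
    int32_t *buffer;    /* interleaved decoded PCM, channels * blocksize samples */
    size_t   bufferlen; /* capacity in samples */
    unsigned channels;
} pcm_sink;

/* Size the buffer for the first block seen; the reuse hazard starts here. */
int sink_init(pcm_sink *s, unsigned channels, unsigned blocksize)
{
    if (channels == 0 || blocksize == 0 || blocksize > FLAC_MAX_BLOCKSIZE)
        return -1;
    s->channels  = channels;
    s->bufferlen = (size_t)channels * blocksize;
    s->buffer    = calloc(s->bufferlen, sizeof(int32_t));
    return s->buffer ? 0 : -1;
}

/* Checked copy: a block larger than the current allocation grows the buffer
 * rather than writing past it; a block beyond the format maximum is rejected.
 * Returns the number of samples copied, or -1 on a rejected block. */
long flac_buffer_copy_checked(pcm_sink *s, const int32_t *const decoded[], unsigned blocksize)
{
    if (blocksize == 0 || blocksize > FLAC_MAX_BLOCKSIZE)
        return -1;
    size_t need = (size_t)s->channels * blocksize;
    if (need > s->bufferlen) {
        int32_t *grown = realloc(s->buffer, need * sizeof(int32_t));
        if (!grown)
            return -1;
        s->buffer    = grown;
        s->bufferlen = need;
    }
    /* Interleave the per-channel planes into the output buffer. */
    for (unsigned i = 0; i < blocksize; i++)
        for (unsigned c = 0; c < s->channels; c++)
            s->buffer[i * s->channels + c] = decoded[c][i];
    return (long)need;
}

void sink_free(pcm_sink *s)
{
    free(s->buffer);
    s->buffer    = NULL;
    s->bufferlen = 0;
}
```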
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2007-09-17 16:54:31 UTC
Created attachment 131163 [details, diff]

Backported patch (not approved by upstream yet).
Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2007-09-17 21:09:38 UTC
Created attachment 131171 [details, diff]

Updated, upstream approved patch.
Comment 3 Robert Buchholz (RETIRED) gentoo-dev 2007-09-19 00:15:04 UTC
Setting whiteboard and cc'ing maintainers.
aballier and drac, can you please test the patch and prepare an ebuild.
Please attach the ebuild to this bug and do not commit it to CVS yet.
Comment 4 Alexis Ballier gentoo-dev 2007-09-19 05:52:50 UTC
Created attachment 131269 [details]

--- libsndfile-1.0.17.ebuild    2007-08-20 13:17:45.000000000 +0200
+++ libsndfile-1.0.17-r1.ebuild 2007-09-19 07:25:04.000000000 +0200
@@ -31,6 +31,7 @@
        epatch "${WORKDIR}/${P}+flac-1.1.3.patch"
        epatch "${FILESDIR}/${P}-ogg.patch"
+       epatch "${FILESDIR}/${P}-flac-buffer-overflow.patch"
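Review bot: the hunk header announces 6/7 lines of context but only the two lines before the insertion are pasted, so the diff is truncated here and there is no way to see what follows the new `epatch`; please attach the full ebuild diff. The placement itself is the important part: the fix was backported on top of the FLAC patches (see the description), so the new `epatch "${FILESDIR}/${P}-flac-buffer-overflow.patch"` must stay after `epatch "${WORKDIR}/${P}+flac-1.1.3.patch"`, and a one-line comment with the bug number above it would make that ordering requirement obvious to the next person touching the ebuild.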

Patch seems to work fine from my basic testing.
Comment 5 Robert Buchholz (RETIRED) gentoo-dev 2007-09-19 12:05:31 UTC
Alexis, we decided not to keep this confidential. Please commit the ebuild and patch.
Comment 6 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-09-19 12:25:14 UTC
Opening at the request of reporter.

[14:15] <rbu> i'll grab some food. please unrestrict bug when you get back
Comment 7 Alexis Ballier gentoo-dev 2007-09-19 15:37:58 UTC
(In reply to comment #5)
> Alexis, we decided not to keep this confidential. Please commit the ebuild
> and patch.

Done. I had forgotten to set keywords to ~all in my attached ebuild; fixed that before committing.
Comment 8 Robert Buchholz (RETIRED) gentoo-dev 2007-09-19 15:52:47 UTC
Arches, please test and mark stable libsndfile-1.0.17-r1.
Targets are: "alpha amd64 arm hppa ia64 mips ppc ppc64 sh sparc x86"

Also, degrading to C2 because the flac USE flag is disabled by default.
Comment 9 Jeroen Roovers (RETIRED) gentoo-dev 2007-09-19 16:16:46 UTC
Stable for HPPA.
Comment 10 Robert Buchholz (RETIRED) gentoo-dev 2007-09-19 17:21:05 UTC
CVE assigned CVE-2007-4974 to this issue.
Comment 11 Markus Meier gentoo-dev 2007-09-19 19:22:12 UTC
x86 stable
Comment 12 Raúl Porcel (RETIRED) gentoo-dev 2007-09-20 13:47:17 UTC
alpha/ia64 stable
Comment 13 Tobias Scherbaum (RETIRED) gentoo-dev 2007-09-20 18:17:23 UTC
ppc stable
Comment 14 Robert Buchholz (RETIRED) gentoo-dev 2007-09-20 18:46:30 UTC
amd64 stable
Comment 15 Brent Baude (RETIRED) gentoo-dev 2007-09-20 20:46:12 UTC
ppc64 stable
Comment 16 Friedrich Oslage (RETIRED) gentoo-dev 2007-09-28 19:19:27 UTC
Created attachment 132116 [details]
emerge --info output

Tested media-libs/libsndfile-1.0.17-r1 (USE="alsa flac sqlite") on sparc.
No bugs found.
Comment 17 Raúl Porcel (RETIRED) gentoo-dev 2007-09-29 09:22:24 UTC
sparc stable, thanks Friedrich
Comment 18 Robert Buchholz (RETIRED) gentoo-dev 2007-10-07 21:32:47 UTC
GLSA 200710-04, thanks anyone.