Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 631674 (CVE-2017-14245, CVE-2017-14246, CVE-2019-3832) - <media-libs/libsndfile-1.0.29_pre2_p20191024: multiple vulnerabilities (CVE-2017-{14246,14245}, CVE-2019-3832)
Summary: <media-libs/libsndfile-1.0.29_pre2_p20191024: multiple vulnerabilities (CVE-2...
Status: RESOLVED FIXED
Alias: CVE-2017-14245, CVE-2017-14246, CVE-2019-3832
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: https://github.com/erikd/libsndfile/i...
Whiteboard: B3 [glsa+ cleanup cve]
Keywords:
Depends on: 719020
Blocks: CVE-2018-19432
  Show dependency tree
 
Reported: 2017-09-21 19:49 UTC by D'juan McDonald (domhnall)
Modified: 2020-10-04 16:30 UTC (History)
3 users (show)

See Also:
Package list:
media-libs/libsndfile-1.0.29
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description D'juan McDonald (domhnall) 2017-09-21 19:49:52 UTC
CVE-2017-14245(https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-14245):
An out of bounds read in the function d2alaw_array() in alaw.c of libsndfile 1.0.28 may lead to a remote DoS attack or information disclosure, related to mishandling of the NAN and INFINITY floating-point values.


CVE-2017-14246(https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-14246):
An out of bounds read in the function d2ulaw_array() in ulaw.c of libsndfile 1.0.28 may lead to a remote DoS attack or information disclosure, related to mishandling of the NAN and INFINITY floating-point values.

@maintainer(s), fixed package already in tree, please verify if stabilization is needed, thank you.

Daj Uan (jmbailey)
Gentoo Security Padawan
Comment 1 Aleksandr Wagner (Kivak) 2017-10-27 18:19:26 UTC
The current ebuild in the tree, 1.0.28-r1, still contains these bugs. Currently patches are available, however no official release contains the fixes.
Comment 2 Andreas Sturmlechner gentoo-dev 2018-10-03 19:26:59 UTC
Still not fixed in git master.
Comment 3 D'juan McDonald (domhnall) 2018-10-04 11:28:13 UTC
(In reply to Andreas Sturmlechner from comment #2)
>Still not fixed in git master.

Ack! Seeding whiteboard to reflect still no released fix from upstream.


Gentoo Security Padawan
(domhnall/jmbailey)
Comment 4 Larry the Git Cow gentoo-dev 2019-10-26 23:11:41 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=571be2db1daddd62cad5716ef4c649595129ca81

commit 571be2db1daddd62cad5716ef4c649595129ca81
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2019-10-26 23:10:59 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2019-10-26 23:11:31 +0000

    media-libs/libsndfile: bump to v1.0.29_pre2_p20191024
    
    Bug: https://bugs.gentoo.org/631674
    Package-Manager: Portage-2.3.78, Repoman-2.3.17
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 media-libs/libsndfile/Manifest                     |  1 +
 .../libsndfile-1.0.29_pre2_p20191024.ebuild        | 65 ++++++++++++++++++++++
 media-libs/libsndfile/libsndfile-9999.ebuild       |  1 +
 3 files changed, 67 insertions(+)
Comment 5 Sam James archtester gentoo-dev Security 2020-03-19 01:05:45 UTC
@maintainer(s), please advise if you are ready for stabilization or call for stabilization yourself.
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2020-04-22 22:00:28 UTC
CVE-2019-3832 (https://nvd.nist.gov/vuln/detail/CVE-2019-3832):
  It was discovered the fix for CVE-2018-19758 (libsndfile) was not complete
  and still allows a read beyond the limits of a buffer in wav_write_header()
  function in wav.c. A local attacker may use this flaw to make the
  application crash.
Comment 7 Agostino Sarubbo gentoo-dev 2020-04-23 10:09:38 UTC
arm stable
Comment 8 Agostino Sarubbo gentoo-dev 2020-04-23 10:42:09 UTC
x86 stable
Comment 9 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2020-04-25 10:49:01 UTC
amd64 stable
Comment 10 Rolf Eike Beer 2020-04-27 17:48:26 UTC
hppa stable
Comment 11 Rolf Eike Beer 2020-04-28 19:05:10 UTC
sparc stable
Comment 12 Sam James archtester gentoo-dev Security 2020-04-28 19:27:44 UTC
arm64 stable
Comment 13 GLSAMaker/CVETool Bot gentoo-dev 2020-07-31 19:59:41 UTC
This issue was resolved and addressed in
 GLSA 202007-65 at https://security.gentoo.org/glsa/202007-65
by GLSA coordinator Sam James (sam_c).
Comment 14 Sam James archtester gentoo-dev Security 2020-07-31 20:00:38 UTC
Reopening for ppc{,64}.
Comment 15 ernsteiswuerfel 2020-08-20 16:25:14 UTC
Fails 1 test (bug #719020) but looks otherwise good on ppc64.

 # cat libsndfile-631674.report 
USE tests started on Do 20. Aug 15:06:11 CEST 2020

 FEATURES=' test' failed for =media-libs/libsndfile-1.0.29_pre2_p20191024
USE='-alsa -minimal -sqlite -static-libs' succeeded for =media-libs/libsndfile-1.0.29_pre2_p20191024
USE='alsa -minimal -sqlite -static-libs' succeeded for =media-libs/libsndfile-1.0.29_pre2_p20191024
USE='-alsa minimal -sqlite -static-libs' succeeded for =media-libs/libsndfile-1.0.29_pre2_p20191024
USE='alsa minimal -sqlite -static-libs' succeeded for =media-libs/libsndfile-1.0.29_pre2_p20191024
USE='-alsa -minimal sqlite -static-libs' succeeded for =media-libs/libsndfile-1.0.29_pre2_p20191024
USE='alsa minimal sqlite -static-libs' succeeded for =media-libs/libsndfile-1.0.29_pre2_p20191024
USE='-alsa -minimal -sqlite static-libs' succeeded for =media-libs/libsndfile-1.0.29_pre2_p20191024
USE='alsa -minimal -sqlite static-libs' succeeded for =media-libs/libsndfile-1.0.29_pre2_p20191024
USE='-alsa minimal -sqlite static-libs' succeeded for =media-libs/libsndfile-1.0.29_pre2_p20191024
USE='-alsa -minimal sqlite static-libs' succeeded for =media-libs/libsndfile-1.0.29_pre2_p20191024
USE='alsa -minimal sqlite static-libs' succeeded for =media-libs/libsndfile-1.0.29_pre2_p20191024
USE='alsa minimal sqlite static-libs' succeeded for =media-libs/libsndfile-1.0.29_pre2_p20191024

revdep tests started on Do 20. Aug 17:34:13 CEST 2020

FEATURES=' test' USE='sndfile' succeeded for media-libs/aubio
FEATURES=' test' USE='sndfile' succeeded for media-sound/sox
FEATURES=' test' USE='' succeeded for media-libs/vamp-plugin-sdk
FEATURES=' test' USE='' succeeded for media-libs/dssi
FEATURES=' test' USE='sndfile' succeeded for media-sound/moc
FEATURES=' test' USE='' succeeded for media-libs/libbs2b
FEATURES=' test' USE='sndfile' succeeded for media-sound/fluidsynth
FEATURES=' test' USE='' succeeded for media-libs/lilv
FEATURES=' test' USE='sndfile' succeeded for media-sound/twolame
FEATURES=' test' USE='' succeeded for media-sound/pulseaudio
Comment 16 ernsteiswuerfel 2020-08-21 12:49:10 UTC
Fails 1 test (bug #719020) but looks otherwise good on ppc.

 # cat libsndfile-631674.report 
USE tests started on Fr 21. Aug 11:39:26 CEST 2020

 FEATURES=' test' failed for =media-libs/libsndfile-1.0.29_pre2_p20191024
USE='-alsa -minimal -sqlite -static-libs' succeeded for =media-libs/libsndfile-1.0.29_pre2_p20191024
USE='alsa -minimal -sqlite -static-libs' succeeded for =media-libs/libsndfile-1.0.29_pre2_p20191024
USE='-alsa minimal -sqlite -static-libs' succeeded for =media-libs/libsndfile-1.0.29_pre2_p20191024
USE='alsa minimal -sqlite -static-libs' succeeded for =media-libs/libsndfile-1.0.29_pre2_p20191024
USE='alsa -minimal sqlite -static-libs' succeeded for =media-libs/libsndfile-1.0.29_pre2_p20191024
USE='-alsa minimal sqlite -static-libs' succeeded for =media-libs/libsndfile-1.0.29_pre2_p20191024
USE='alsa minimal sqlite -static-libs' succeeded for =media-libs/libsndfile-1.0.29_pre2_p20191024
USE='-alsa -minimal -sqlite static-libs' succeeded for =media-libs/libsndfile-1.0.29_pre2_p20191024
USE='-alsa minimal -sqlite static-libs' succeeded for =media-libs/libsndfile-1.0.29_pre2_p20191024
USE='alsa minimal -sqlite static-libs' succeeded for =media-libs/libsndfile-1.0.29_pre2_p20191024
USE='-alsa -minimal sqlite static-libs' succeeded for =media-libs/libsndfile-1.0.29_pre2_p20191024
USE='alsa -minimal sqlite static-libs' succeeded for =media-libs/libsndfile-1.0.29_pre2_p20191024

revdep tests started on Fr 21. Aug 13:57:11 CEST 2020

FEATURES=' test' USE='' succeeded for media-libs/lilv
FEATURES=' test' USE='' succeeded for media-libs/libbs2b
FEATURES=' test' USE='sndfile' succeeded for media-sound/twolame
FEATURES=' test' USE='plugins' succeeded for media-libs/lv2
FEATURES=' test' USE='sndfile' succeeded for media-sound/herrie
FEATURES=' test' USE='' succeeded for media-libs/dssi
FEATURES=' test' USE='' succeeded for media-sound/hydrogen
FEATURES=' test' USE='sndfile' succeeded for media-sound/sox
FEATURES=' test' USE='sndfile' succeeded for media-sound/moc
FEATURES=' test' USE='ao' succeeded for x11-wm/icewm
Comment 17 Sergei Trofimovich gentoo-dev 2020-08-23 08:16:20 UTC
ppc/ppc64 stable thanks to ernsteiswuerfel!
Comment 18 Miroslav Šulc gentoo-dev 2020-08-23 09:11:04 UTC
looking at versions 1.0.28-r4 and 1.0.28-r4, the older one also has s390 keyword whereas the new one does not have it.

for the older version it was introduced in this commit:

commit 44fd362462b7d1fa0a0a65d7b74c6d68eda86e8f
Author: Mikle Kolyada <zlogene@gentoo.org>
Date:   Wed Mar 20 22:01:08 2019 +0300

    media-libs/libsndfile: mark s390 stable
    
    Signed-off-by: Mikle Kolyada <zlogene@gentoo.org>
    Package-Manager: Portage-2.3.62, Repoman-2.3.11

diff --git a/media-libs/libsndfile/libsndfile-1.0.28-r4.ebuild b/media-libs/libsndfile/libsndfile-1.0.28-r4.ebuild
index 99e86b43f8eb..9edee782210f 100644
--- a/media-libs/libsndfile/libsndfile-1.0.28-r4.ebuild
+++ b/media-libs/libsndfile/libsndfile-1.0.28-r4.ebuild
@@ -1,4 +1,4 @@
-# Copyright 1999-2018 Gentoo Authors
+# Copyright 1999-2019 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 
 EAPI=7
@@ -19,7 +19,7 @@ fi
 
 LICENSE="LGPL-2.1"
 SLOT="0"
-KEYWORDS="alpha amd64 arm ~arm64 hppa ia64 ~mips ppc ppc64 ~sh sparc x86 ~amd64-fbsd ~x86-fbsd ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~sparc-solaris ~x64-solaris ~x86-solaris"
+KEYWORDS="alpha amd64 arm ~arm64 hppa ia64 ~mips ppc ppc64 s390 ~sh sparc x86 ~amd64-fbsd ~x86-fbsd ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~sparc-solaris ~x64-solaris ~x86-solaris"
 IUSE="alsa minimal sqlite static-libs test"
 
 RDEPEND="


the new one never had it since this commit when it was introduced:

commit 571be2db1daddd62cad5716ef4c649595129ca81
Author: Thomas Deutschmann <whissi@gentoo.org>
Date:   Sun Oct 27 01:10:59 2019 +0200

    media-libs/libsndfile: bump to v1.0.29_pre2_p20191024
    
    Bug: https://bugs.gentoo.org/631674
    Package-Manager: Portage-2.3.78, Repoman-2.3.17
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>


it nowhere says whether it was dropped on purpose or not so adding s390@ so we can clear this up and remove the old version.
Comment 19 NATTkA bot gentoo-dev 2020-08-23 09:14:41 UTC
Resetting sanity check; package list is empty or all packages are done.
Comment 20 John Helmert III (ajak) 2020-09-20 16:29:10 UTC
s390: ping
Comment 21 Miroslav Šulc gentoo-dev 2020-10-02 09:32:47 UTC
this one also fixes test issues in the pre-release
Comment 22 Sam James archtester gentoo-dev Security 2020-10-04 13:46:32 UTC
Let's just leave s390. please cleanup
Comment 23 Sam James archtester gentoo-dev Security 2020-10-04 13:46:48 UTC
(In reply to Miroslav Šulc from comment #21)
> this one also fixes test issues in the pre-release

We'll do this in a separate bug (or .30)?
Comment 24 David Seifert gentoo-dev 2020-10-04 13:48:36 UTC
(In reply to Miroslav Šulc from comment #21)
> this one also fixes test issues in the pre-release

Hi Miroslav,
I just fixed the 1.0.30 tarball upstream (so we dont need the CRLF patch anymore), and I'd like to stabilise that version instead, so we can prune out all the patches.
Comment 25 Larry the Git Cow gentoo-dev 2020-10-04 13:55:23 UTC
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=455ff240b6739983b52aa3d63f9f2cb2c0f4c654

commit 455ff240b6739983b52aa3d63f9f2cb2c0f4c654
Author:     David Seifert <soap@gentoo.org>
AuthorDate: 2020-10-04 13:55:09 +0000
Commit:     David Seifert <soap@gentoo.org>
CommitDate: 2020-10-04 13:55:09 +0000

    media-libs/libsndfile: Remove old 1.0.28-r4 and 1.0.29
    
    Closes: https://bugs.gentoo.org/631674
    Package-Manager: Portage-3.0.8, Repoman-3.0.1
    Signed-off-by: David Seifert <soap@gentoo.org>

 media-libs/libsndfile/Manifest                     |   2 -
 .../files/libsndfile-1.0.28-CVE-2017-12562.patch   |  88 --------------
 .../files/libsndfile-1.0.28-CVE-2017-14634.patch   |  35 ------
 .../files/libsndfile-1.0.28-CVE-2017-6892.patch    |  25 ----
 .../files/libsndfile-1.0.28-CVE-2017-8362.patch    |  50 --------
 .../files/libsndfile-1.0.28-CVE-2017-8363.patch    |  28 -----
 .../files/libsndfile-1.0.28-CVE-2017-8365.patch    |  64 -----------
 .../files/libsndfile-1.0.28-CVE-2018-13139.patch   |  31 -----
 .../libsndfile-1.0.28-arm-varargs-failure.patch    |  32 ------
 .../files/libsndfile-1.0.29-pointer-aliasing.patch | 128 ---------------------
 media-libs/libsndfile/libsndfile-1.0.28-r4.ebuild  |  71 ------------
 media-libs/libsndfile/libsndfile-1.0.29.ebuild     |  79 -------------
 12 files changed, 633 deletions(-)
Comment 26 Miroslav Šulc gentoo-dev 2020-10-04 16:30:22 UTC
David, ok, thanks :-)