Bug 631674 (CVE-2017-14245, CVE-2017-14246, CVE-2019-3832) - <media-libs/libsndfile-1.0.29_pre2_p20191024: multiple vulnerabilities (CVE-2017-{14246,14245}, CVE-2019-3832)
Summary: <media-libs/libsndfile-1.0.29_pre2_p20191024: multiple vulnerabilities (CVE-2...
Status: CONFIRMED
Alias: CVE-2017-14245, CVE-2017-14246, CVE-2019-3832
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://github.com/erikd/libsndfile/i...
Whiteboard: B3 [glsa+ stable cve]
Keywords: CC-ARCHES
Depends on: 719020
Blocks: CVE-2018-19432
Reported: 2017-09-21 19:49 UTC by D'juan McDonald (domhnall)
Modified: 2020-07-31 20:00 UTC (History)

See Also:
Package list:
=media-libs/libsndfile-1.0.29_pre2_p20191024 amd64 arm arm64 hppa ppc ppc64 sparc x86
Runtime testing required: ---
nattka: sanity-check+


Description D'juan McDonald (domhnall) 2017-09-21 19:49:52 UTC
CVE-2017-14245 (https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-14245):
An out of bounds read in the function d2alaw_array() in alaw.c of libsndfile 1.0.28 may lead to a remote DoS attack or information disclosure, related to mishandling of the NAN and INFINITY floating-point values.


CVE-2017-14246 (https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-14246):
An out of bounds read in the function d2ulaw_array() in ulaw.c of libsndfile 1.0.28 may lead to a remote DoS attack or information disclosure, related to mishandling of the NAN and INFINITY floating-point values.

@maintainer(s), fixed package already in tree, please verify if stabilization is needed, thank you.

Daj Uan (jmbailey)
Gentoo Security Padawan
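
The bug class named in the two CVE descriptions above (a floating-point sample turned into a lookup-table index without rejecting NAN and INFINITY) and a guarded form of it, as an added example. This is not libsndfile's code or the upstream patch; `table`, `sample_to_index` and `encode_array` are hypothetical names, and the table contents are a constructed stand-in rather than a real A-law or u-law table.

```c
#include <math.h>
#include <stddef.h>
#include <stdio.h>

#define TABLE_MAX 2048                      /* valid indices: 0..2048 */
static unsigned char table[TABLE_MAX + 1];  /* constructed stand-in, not a real A-law table */

static void init_table(void)
{
    for (int i = 0; i <= TABLE_MAX; i++)
        table[i] = (unsigned char)(i >> 5); /* 0..64, leaves bit 7 free for the sign */
}

/* Validate in the floating-point domain, before converting to an integer:
   converting NaN, +/-Inf or an out-of-range double is undefined behaviour,
   so such a value must never become a table index. Returns 1 if *index is set. */
static int sample_to_index(double sample, double normfact, size_t *index)
{
    double scaled = sample * normfact;
    if (!isfinite(scaled)) return 0;
    double mag = scaled < 0.0 ? -scaled : scaled;
    if (mag > (double)TABLE_MAX) return 0;
    *index = (size_t)(mag + 0.5);           /* mag is in [0, 2048] here */
    return 1;
}

/* Encodes count samples; a rejected sample is written as 0. Returns the number
   rejected so the caller can log it or refuse the input. */
static size_t encode_array(const double *in, size_t count, unsigned char *out, double normfact)
{
    size_t rejected = 0, idx;
    for (size_t i = 0; i < count; i++) {
        if (sample_to_index(in[i], normfact, &idx))
            out[i] = in[i] < 0.0 ? (unsigned char)(table[idx] | 0x80) : table[idx];
        else { out[i] = 0; rejected++; }
    }
    return rejected;
}

int main(void)
{
    const double in[] = {0.5, -0.25, NAN, INFINITY, -INFINITY, 1e300}; /* constructed */
    unsigned char out[6];
    init_table();
    printf("rejected %zu of 6 samples\n", encode_array(in, 6, out, 2048.0));
    return 0;
}
```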
Comment 1 Aleksandr Wagner (Kivak) 2017-10-27 18:19:26 UTC
The current ebuild in the tree, 1.0.28-r1, still contains these bugs. Currently patches are available, however no official release contains the fixes.
Comment 2 Andreas Sturmlechner gentoo-dev 2018-10-03 19:26:59 UTC
Still not fixed in git master.
Comment 3 D'juan McDonald (domhnall) 2018-10-04 11:28:13 UTC
(In reply to Andreas Sturmlechner from comment #2)
>Still not fixed in git master.

Ack! Seeding whiteboard to reflect still no released fix from upstream.


Gentoo Security Padawan
(domhnall/jmbailey)
Comment 4 Larry the Git Cow gentoo-dev 2019-10-26 23:11:41 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=571be2db1daddd62cad5716ef4c649595129ca81

commit 571be2db1daddd62cad5716ef4c649595129ca81
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2019-10-26 23:10:59 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2019-10-26 23:11:31 +0000

    media-libs/libsndfile: bump to v1.0.29_pre2_p20191024
    
    Bug: https://bugs.gentoo.org/631674
    Package-Manager: Portage-2.3.78, Repoman-2.3.17
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 media-libs/libsndfile/Manifest                     |  1 +
 .../libsndfile-1.0.29_pre2_p20191024.ebuild        | 65 ++++++++++++++++++++++
 media-libs/libsndfile/libsndfile-9999.ebuild       |  1 +
 3 files changed, 67 insertions(+)
Comment 5 Sam James gentoo-dev Security 2020-03-19 01:05:45 UTC
@maintainer(s), please advise if you are ready for stabilization or call for stabilization yourself.
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2020-04-22 22:00:28 UTC
CVE-2019-3832 (https://nvd.nist.gov/vuln/detail/CVE-2019-3832):
  It was discovered the fix for CVE-2018-19758 (libsndfile) was not complete
  and still allows a read beyond the limits of a buffer in wav_write_header()
  function in wav.c. A local attacker may use this flaw to make the
  application crash.
Comment 7 Agostino Sarubbo gentoo-dev 2020-04-23 10:09:38 UTC
arm stable
Comment 8 Agostino Sarubbo gentoo-dev 2020-04-23 10:42:09 UTC
x86 stable
Comment 9 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2020-04-25 10:49:01 UTC
amd64 stable
Comment 10 Rolf Eike Beer 2020-04-27 17:48:26 UTC
hppa stable
Comment 11 Rolf Eike Beer 2020-04-28 19:05:10 UTC
sparc stable
Comment 12 Sam James gentoo-dev Security 2020-04-28 19:27:44 UTC
arm64 stable
Comment 13 GLSAMaker/CVETool Bot gentoo-dev 2020-07-31 19:59:41 UTC
This issue was resolved and addressed in
 GLSA 202007-65 at https://security.gentoo.org/glsa/202007-65
by GLSA coordinator Sam James (sam_c).
Comment 14 Sam James gentoo-dev Security 2020-07-31 20:00:38 UTC
Reopening for ppc{,64}.