Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 687766 (CVE-2018-13440, CVE-2018-17095) - <media-libs/audiofile-0.3.6-r4: multiple vulnerabilities (CVE-2018-{13440,17095})
Summary: <media-libs/audiofile-0.3.6-r4: multiple vulnerabilities (CVE-2018-{13440,170...
Status: RESOLVED FIXED
Alias: CVE-2018-13440, CVE-2018-17095
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal
Assignee: Gentoo Security
URL:
Whiteboard: B3 [noglsa cve]
Keywords:
Depends on: CVE-2017-6827, CVE-2017-6828, CVE-2017-6829, CVE-2017-6830, CVE-2017-6831, CVE-2017-6832, CVE-2017-6833, CVE-2017-6834, CVE-2017-6835, CVE-2017-6836, CVE-2017-6837, CVE-2017-6838, CVE-2017-6839
Blocks:
  Show dependency tree
 
Reported: 2019-06-10 03:44 UTC by D'juan McDonald (domhnall)
Modified: 2020-07-29 00:21 UTC (History)
2 users (show)

See Also:
Package list:
media-libs/audiofile-0.3.6-r4
Runtime testing required: ---
nattka: sanity-check+

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description D'juan McDonald (domhnall) 2019-06-10 03:44:32 UTC 
(https://nvd.nist.gov/vuln/detail/CVE-2018-17095):

An issue has been discovered in mpruett Audio File Library (aka audiofile) 0.3.6. A heap-based buffer overflow in Expand3To4Module::run has occurred when running sfconvert.

Upstream Reference: https://github.com/mpruett/audiofile/issues/50


(https://nvd.nist.gov/vuln/detail/CVE-2018-13440):

The audiofile Audio File Library 0.3.6 has a NULL pointer dereference bug in ModuleState::setup in modules/ModuleState.cpp, which allows an attacker to cause a denial of service via a crafted caf file, as demonstrated by sfconvert.

Upstream Reference: https://github.com/mpruett/audiofile/issues/49


@security, On Thu, 06 Jun 2019 Debian announces	Fix for issues [CVE-2018-13440] and [CVE-2018-17095]. However, upstream's last changelog was 3 years ago, and non-descriptive of fix. 

"2016-08-29  Michael Pruett <michael@68k.org>

* libaudiofile/modules/SimpleModule.h:
Fix undefined behavior in sign conversion."


On March 26, 2019 there was https://github.com/mpruett/audiofile/issues/53 saying: 
"Can you please roll a new release with all these security fixes?"

Gentoo last interest in security for this package was: 2017-06-17 in bug #614046. 



Gentoo Security Padawan
(domhnall)
Comment 1 Agostino Sarubbo gentoo-dev 2019-06-10 10:28:43 UTC 
CVE-2018-17095 seems a duplicate of CVE-2017-6836
Comment 2 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-03-30 15:13:45 UTC 
@maintainer(s), please include the useful patches available at:

https://sources.debian.org/patches/audiofile/0.3.6-5/

This will be most of them provided they're not already applied, including but not limited to the relevant CVE patches (tagged as such).
Comment 3 Larry the Git Cow gentoo-dev 2020-07-19 18:28:49 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f2bb2dc35eccffb4adbcc7f4057b6e2ea458d1b8

commit f2bb2dc35eccffb4adbcc7f4057b6e2ea458d1b8
Author:     John Helmert III <jchelmert3@posteo.net>
AuthorDate: 2020-07-19 18:28:17 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2020-07-19 18:28:17 +0000

    media-libs/audiofile: Add security patches
    
    Dropping the system-gtest patch is necessary to make the tests run, as
    mentioned here: https://bugs.gentoo.org/680482#c8
    
    The three closed bugs are reported test failures fixed by dropping the
    aforementioned patch and a slight repair of src_test. Because we're not
    using system gtest anymore, we can drop the test dependency on
    dev-cpp/gtest, and by extension the IUSE=test boilerplate.
    
    Bug: https://bugs.gentoo.org/614046
    Bug: https://bugs.gentoo.org/687766
    Closes: https://bugs.gentoo.org/680482
    Closes: https://bugs.gentoo.org/715192
    Closes: https://bugs.gentoo.org/720836
    Package-Manager: Portage-2.3.100, Repoman-2.3.22
    Signed-off-by: John Helmert III <jchelmert3@posteo.net>
    Closes: https://github.com/gentoo/gentoo/pull/16141
    Signed-off-by: Sam James <sam@gentoo.org>

 media-libs/audiofile/audiofile-0.3.6-r4.ebuild     |  55 +++
 .../files/audiofile-0.3.6-CVE-2017-68xx.patch      | 379 +++++++++++++++++++++
 ...ofile-0.3.6-CVE-2018-13440-CVE-2018-17095.patch |  82 +++++
 3 files changed, 516 insertions(+)
Comment 4 Aaron Bauman (RETIRED) gentoo-dev 2020-07-27 20:15:04 UTC 
HPPA was missed.
Comment 5 Aaron Bauman (RETIRED) gentoo-dev 2020-07-27 20:16:30 UTC 
depends on bug has it... whoops.
Comment 6 Aaron Bauman (RETIRED) gentoo-dev 2020-07-28 20:10:39 UTC 
GLSA Vote: no
Comment 7 Rolf Eike Beer archtester 2020-07-28 21:53:54 UTC 
dropped to ~hppa
Comment 8 Larry the Git Cow gentoo-dev 2020-07-29 00:20:06 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=99c6a8c3924a9938c21a05f0498046c3e73c50c8

commit 99c6a8c3924a9938c21a05f0498046c3e73c50c8
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2020-07-29 00:19:22 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2020-07-29 00:19:37 +0000

    media-libs/audiofile: security cleanup
    
    Bug: https://bugs.gentoo.org/687766
    Bug: https://bugs.gentoo.org/614046
    Package-Manager: Portage-3.0.1, Repoman-2.3.23
    Signed-off-by: Sam James <sam@gentoo.org>

 media-libs/audiofile/audiofile-0.3.6-r3.ebuild | 50 --------------------------
 1 file changed, 50 deletions(-)