Debian Bug report logs - #530831
libsndfile1: Crafted files can trigger divide by zero

Package: libsndfile1; Maintainer for libsndfile1 is Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>; Source for libsndfile1 is src:libsndfile.

Reported by: Sami Liedes <sliedes@cc.hut.fi>

Date: Thu, 28 May 2009 06:33:02 UTC

Severity: normal

Found in version libsndfile/1.0.20-1

Done: Erik de Castro Lopo <erikd@mega-nerd.com>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>, Samuel Mimram <smimram@debian.org>:
Bug#530831; Package libsndfile1. (Thu, 28 May 2009 06:33:04 GMT)


Acknowledgement sent to Sami Liedes <sliedes@cc.hut.fi>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>, Samuel Mimram <smimram@debian.org>. (Thu, 28 May 2009 06:33:05 GMT)


Message #5 received at submit@bugs.debian.org:

From: Sami Liedes <sliedes@cc.hut.fi>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libsndfile1: Crafted files can trigger divide by zero
Date: Thu, 28 May 2009 09:26:19 +0300
Package: libsndfile1
Version: 1.0.20-1
Severity: normal
Tags: security

Hi,

I have discovered six different SIGFPE crashes with crafted input
files in libsndfile. Triggering input files are attached.

The crashes are:

1) in htk.c:198 (htk_read_header), divisor sample_period can be 0.

2) in alaw.c:72 (alaw_init), divisor psf->blockwidth can be 0.

3) in ulaw.c:62 (ulaw_init), divisor psf->blockwidth can be 0.

4) in pcm.c:274 (pcm_init), divisor psf->blockwidth can be 0.

5) in float32.c:244 (float32_init), divisor psf->blockwidth can be 0.

6) in sds.c:279 (sds_read_header), psds->bitwidth can be 0, resulting
   in divisor ((psds->bitwidth + 6) / 7) getting the value of 0.

Run for example sndfile-info (from the sndfile-programs package) with
one of these files as parameter to see the crash.

I don't know what the security impact is, but since I assume
libsndfile is used by lots of applications for data obtained from
untrusted sources, I thought I'd tag this security. In any case it
should be at most denial of service. Untag if you think it's not
securitywise important.

	Sami


-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.29.3 (SMP w/4 CPU cores; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages libsndfile1 depends on:
ii  libc6                       2.9-13       GNU C Library: Shared libraries
ii  libflac8                    1.2.1-1.2    Free Lossless Audio Codec - runtim
ii  libogg0                     1.1.3-5      Ogg Bitstream Library
ii  libvorbis0a                 1.2.0.dfsg-4 The Vorbis General Audio Compressi
ii  libvorbisenc2               1.2.0.dfsg-4 The Vorbis General Audio Compressi

libsndfile1 recommends no packages.

libsndfile1 suggests no packages.

-- no debconf information
[1.data (application/octet-stream, attachment)]
[2.data (application/octet-stream, attachment)]
[3.data (application/octet-stream, attachment)]
[4.data (application/octet-stream, attachment)]
[5.data (application/octet-stream, attachment)]
[6.data (application/octet-stream, attachment)]
[signature.asc (application/pgp-signature, inline)]
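
The six sites listed in the report share one pattern: an integer read or derived from the file header is used as a divisor without being validated. The following is an added example of guarding such divisions; it is not libsndfile's code and not the patch attached later in this log. Function names and numerators are hypothetical; only the divisor expression `(bitwidth + 6) / 7` and the field name `blockwidth` come from the report. It goes slightly beyond the report by also rejecting `INT_MIN / -1`, which traps the same way on x86.

```c
#include <limits.h>
#include <stdio.h>

/* Divide two header-derived ints without trapping. Returns 0 on success,
 * -1 when the division would fault: a zero divisor, or INT_MIN / -1,
 * which is undefined behaviour and raises SIGFPE on x86. */
int checked_div(int num, int den, int *out)
{
    if (den == 0 || (num == INT_MIN && den == -1))
        return -1;
    *out = num / den;
    return 0;
}

/* Item 6 pattern: the divisor is (bitwidth + 6) / 7. C division truncates
 * toward zero, so the divisor is 0 for every bitwidth in [-12, 0], not
 * only for bitwidth == 0. Validate the field before deriving the divisor.
 * payload_bytes is a hypothetical numerator. */
int samples_per_block(int payload_bytes, int bitwidth, int *out)
{
    if (bitwidth < 1 || bitwidth > INT_MAX - 6)
        return -1;                      /* also keeps bitwidth + 6 in range */
    return checked_div(payload_bytes, (bitwidth + 6) / 7, out);
}

/* Items 2-5 pattern: the divisor is blockwidth taken from the header.
 * datalength is a hypothetical numerator. */
int frames_in_data(int datalength, int blockwidth, int *out)
{
    if (blockwidth <= 0)
        return -1;
    return checked_div(datalength, blockwidth, out);
}

int main(void)
{
    int n = 0;
    /* Constructed header values, not taken from the attached files. */
    int bitwidths[] = { 16, 0, -12 };
    for (int i = 0; i < 3; i++) {
        if (samples_per_block(120, bitwidths[i], &n) == 0)
            printf("bitwidth %d: %d samples per block\n", bitwidths[i], n);
        else
            printf("bitwidth %d: rejected\n", bitwidths[i]);
    }
    printf("blockwidth 0: %s\n", frames_in_data(4096, 0, &n) ? "rejected" : "ok");
    return 0;
}
```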

Information forwarded to debian-bugs-dist@lists.debian.org, Samuel Mimram <smimram@debian.org>:
Bug#530831; Package libsndfile1. (Thu, 28 May 2009 08:00:08 GMT)


Acknowledgement sent to Erik de Castro Lopo <erikd@mega-nerd.com>:
Extra info received and forwarded to list. Copy sent to Samuel Mimram <smimram@debian.org>. (Thu, 28 May 2009 08:00:08 GMT)


Message #10 received at submit@bugs.debian.org:

From: Erik de Castro Lopo <erikd@mega-nerd.com>
To: Sami Liedes <sliedes@cc.hut.fi>, 530831@bugs.debian.org
Cc: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Re: Bug#530831: libsndfile1: Crafted files can trigger divide by zero
Date: Thu, 28 May 2009 17:53:03 +1000
Sami Liedes wrote:

> I have discovered six different SIGFPE crashes with crafted input
> files in libsndfile. Triggering input files are attached.

Seems the debian bug tracker filtered them out. Can you please send
them directly to me?

> I don't know what the security impact is, but since I assume
> libsndfile is used by lots of applications for data obtained from
> untrusted sources, I thought I'd tag this security. In any case it
> should be at most denial of service. Untag if you think it's not
> securitywise important.

Denial of service but not much else.

Erik
-- 
----------------------------------------------------------------------
Erik de Castro Lopo
http://www.mega-nerd.com/




Information forwarded to debian-bugs-dist@lists.debian.org, Samuel Mimram <smimram@debian.org>:
Bug#530831; Package libsndfile1. (Thu, 28 May 2009 08:33:02 GMT)


Acknowledgement sent to Sami Liedes <sliedes@cc.hut.fi>:
Extra info received and forwarded to list. Copy sent to Samuel Mimram <smimram@debian.org>. (Thu, 28 May 2009 08:33:03 GMT)


Message #20 received at submit@bugs.debian.org:

From: Sami Liedes <sliedes@cc.hut.fi>
To: Erik de Castro Lopo <erikd@mega-nerd.com>
Cc: 530831@bugs.debian.org, Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Re: Bug#530831: libsndfile1: Crafted files can trigger divide by zero
Date: Thu, 28 May 2009 11:30:21 +0300
On Thu, May 28, 2009 at 05:53:03PM +1000, Erik de Castro Lopo wrote:
> Sami Liedes wrote:
> 
> > I have discovered six different SIGFPE crashes with crafted input
> > files in libsndfile. Triggering input files are attached.
> 
> Seems the debian bug tracker filtered them out. Can you please send
> them directly to me?

Here's a link to them:

  http://www.hut.fi/~sliedes/sndfile-fpe

	Sami
[signature.asc (application/pgp-signature, inline)]

Tags removed: security Request was from Nico Golde <nion@debian.org> to control@bugs.debian.org. (Thu, 28 May 2009 10:42:04 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Samuel Mimram <smimram@debian.org>:
Bug#530831; Package libsndfile1. (Thu, 28 May 2009 12:03:16 GMT)


Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Samuel Mimram <smimram@debian.org>. (Thu, 28 May 2009 12:03:16 GMT)


Message #32 received at 530831@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: Erik de Castro Lopo <erikd@mega-nerd.com>, 530831@bugs.debian.org
Cc: Sami Liedes <sliedes@cc.hut.fi>
Subject: Re: Bug#530831: libsndfile1: Crafted files can trigger divide by zero
Date: Thu, 28 May 2009 13:48:42 +0200
Hi,
* Erik de Castro Lopo <erikd@mega-nerd.com> [2009-05-28 11:52]:
> Sami Liedes wrote:
[...] 
> > I don't know what the security impact is, but since I assume
> > libsndfile is used by lots of applications for data obtained from
> > untrusted sources, I thought I'd tag this security. In any case it
> > should be at most denial of service. Untag if you think it's not
> > securitywise important.
> 
> Denial of service but not much else.

I even removed the security tag. libsndfile is no service so 
speaking of denial of service here is a bit too much. This 
is just a regular application bug.

Cheers
Nico
-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[Message part 2 (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Samuel Mimram <smimram@debian.org>:
Bug#530831; Package libsndfile1. (Thu, 28 May 2009 23:18:02 GMT)


Acknowledgement sent to Erik de Castro Lopo <erikd@mega-nerd.com>:
Extra info received and forwarded to list. Copy sent to Samuel Mimram <smimram@debian.org>. (Thu, 28 May 2009 23:18:02 GMT)


Message #37 received at 530831@bugs.debian.org:

From: Erik de Castro Lopo <erikd@mega-nerd.com>
To: 530831@bugs.debian.org
Subject: Re: Bug#530831: libsndfile1: Crafted files can trigger divide by zero
Date: Fri, 29 May 2009 09:15:54 +1000

Attached is a patch which fixes all these problems.

Cheers,
Erik

PS : I am the upstream author and this is the patch I applied to my
     development version.
-- 
----------------------------------------------------------------------
Erik de Castro Lopo
http://www.mega-nerd.com/
[sigfpe.diff (text/x-diff, attachment)]

Reply sent to Erik de Castro Lopo <erikd@mega-nerd.com>:
You have taken responsibility. (Tue, 03 Aug 2010 08:09:09 GMT)


Notification sent to Sami Liedes <sliedes@cc.hut.fi>:
Bug acknowledged by developer. (Tue, 03 Aug 2010 08:09:09 GMT)


Message #42 received at 530831-done@bugs.debian.org:

From: Erik de Castro Lopo <erikd@mega-nerd.com>
To: 530831-done@bugs.debian.org
Subject: libsndfile1: Crafted files can trigger divide by zero
Date: Tue, 3 Aug 2010 18:05:34 +1000

This bug seems to have been fixed for some time. No divide by zero
on any of these files with libsndfile-1.0.21-3.

Cheers,
Erik
-- 
----------------------------------------------------------------------
Erik de Castro Lopo
http://www.mega-nerd.com/




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 01 Sep 2010 07:34:44 GMT)

