Report forwarded
to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>, Samuel Mimram <smimram@debian.org>: Bug#530831; Package libsndfile1.
(Thu, 28 May 2009 06:33:04 GMT)
Acknowledgement sent
to Sami Liedes <sliedes@cc.hut.fi>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>, Samuel Mimram <smimram@debian.org>.
(Thu, 28 May 2009 06:33:05 GMT)
Package: libsndfile1
Version: 1.0.20-1
Severity: normal
Tags: security
Hi,
I have discovered six different SIGFPE crashes with crafted input
files in libsndfile. Triggering input files are attached.
The crashes are:
1) in htk.c:198 (htk_read_header), divisor sample_period can be 0.
2) in alaw.c:72 (alaw_init), divisor psf->blockwidth can be 0.
3) in ulaw.c:62 (ulaw_init), divisor psf->blockwidth can be 0.
4) in pcm.c:274 (pcm_init), divisor psf->blockwidth can be 0.
5) in float32.c:244 (float32_init), divisor psf->blockwidth can be 0.
6) in sds.c:279 (sds_read_header), psds->bitwidth can be 0, resulting
in divisor ((psds->bitwidth + 6) / 7) getting the value of 0.
Run for example sndfile-info (from the sndfile-programs package) with
one of these files as parameter to see the crash.
I don't know what the security impact is, but since I assume
libsndfile is used by lots of applications for data obtained from
untrusted sources, I thought I'd tag this security. In any case it
should be at most denial of service. Untag if you think it's not
securitywise important.
Sami
-- System Information:
Debian Release: squeeze/sid
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.29.3 (SMP w/4 CPU cores; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages libsndfile1 depends on:
ii libc6 2.9-13 GNU C Library: Shared libraries
ii libflac8 1.2.1-1.2 Free Lossless Audio Codec - runtim
ii libogg0 1.1.3-5 Ogg Bitstream Library
ii libvorbis0a 1.2.0.dfsg-4 The Vorbis General Audio Compressi
ii libvorbisenc2 1.2.0.dfsg-4 The Vorbis General Audio Compressi
libsndfile1 recommends no packages.
libsndfile1 suggests no packages.
-- no debconf information
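Added example, not part of the original report and not the upstream patch: the three divisor patterns listed above (a period field, `blockwidth`, and the derived `(bitwidth + 6) / 7`), each validated before the division so that a crafted header yields an error code instead of SIGFPE. All function names, error codes, the 100 ns period unit and the bit-width bound are assumptions made for this example.

```c
#include <stdint.h>

/* Hypothetical error codes and limit for this example. */
enum { HDR_OK = 0, HDR_BAD_PERIOD = -1, HDR_BAD_BLOCKWIDTH = -2, HDR_BAD_BITWIDTH = -3 };
#define EXAMPLE_MAX_BITWIDTH 32  /* assumed bound; keeps bitwidth + 6 from overflowing */

/* Case 1: a rate derived from a period field. Assumes the period is in
 * 100 ns units, so rate = 10^7 / period. */
int rate_from_period(int32_t sample_period, int32_t *rate)
{
    if (sample_period <= 0)
        return HDR_BAD_PERIOD;
    *rate = 10000000 / sample_period;
    return HDR_OK;
}

/* Cases 2-5: frame count = data length / block width. */
int frames_from_blockwidth(int64_t datalength, int blockwidth, int64_t *frames)
{
    if (blockwidth <= 0 || datalength < 0)
        return HDR_BAD_BLOCKWIDTH;
    *frames = datalength / blockwidth;
    return HDR_OK;
}

/* Case 6: the divisor is itself a quotient. (bitwidth + 6) / 7 truncates
 * to 0 for bitwidth == 0 (and for small negative values), so reject the
 * field before deriving the divisor from it. */
int sds_samples_per_block(int bitwidth, int block_bytes, int *samples)
{
    int bytes_per_sample;

    if (bitwidth < 1 || bitwidth > EXAMPLE_MAX_BITWIDTH || block_bytes < 0)
        return HDR_BAD_BITWIDTH;
    bytes_per_sample = (bitwidth + 6) / 7;   /* >= 1 after the check above */
    *samples = block_bytes / bytes_per_sample;
    return HDR_OK;
}
```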
Information forwarded
to debian-bugs-dist@lists.debian.org, Samuel Mimram <smimram@debian.org>: Bug#530831; Package libsndfile1.
(Thu, 28 May 2009 08:00:08 GMT)
Acknowledgement sent
to Erik de Castro Lopo <erikd@mega-nerd.com>:
Extra info received and forwarded to list. Copy sent to Samuel Mimram <smimram@debian.org>.
(Thu, 28 May 2009 08:00:08 GMT)
To: Sami Liedes <sliedes@cc.hut.fi>, 530831@bugs.debian.org
Cc: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Re: Bug#530831: libsndfile1: Crafted files can trigger divide by zero
Date: Thu, 28 May 2009 17:53:03 +1000
Sami Liedes wrote:
> I have discovered six different SIGFPE crashes with crafted input
> files in libsndfile. Triggering input files are attached.
Seems the debian bug tracker filtered them out. Can you please send
them directly to me?
> I don't know what the security impact is, but since I assume
> libsndfile is used by lots of applications for data obtained from
> untrusted sources, I thought I'd tag this security. In any case it
> should be at most denial of service. Untag if you think it's not
> securitywise important.
Denial of service but not much else.
Erik
--
----------------------------------------------------------------------
Erik de Castro Lopo
http://www.mega-nerd.com/
Information forwarded
to debian-bugs-dist@lists.debian.org, Samuel Mimram <smimram@debian.org>: Bug#530831; Package libsndfile1.
(Thu, 28 May 2009 08:33:02 GMT)
Acknowledgement sent
to Sami Liedes <sliedes@cc.hut.fi>:
Extra info received and forwarded to list. Copy sent to Samuel Mimram <smimram@debian.org>.
(Thu, 28 May 2009 08:33:03 GMT)
On Thu, May 28, 2009 at 05:53:03PM +1000, Erik de Castro Lopo wrote:
> Sami Liedes wrote:
>
> > I have discovered six different SIGFPE crashes with crafted input
> > files in libsndfile. Triggering input files are attached.
>
> Seems the debian bug tracker filtered them out. Can you please send
> them directly to me?
Here's a link to them:
http://www.hut.fi/~sliedes/sndfile-fpe
Sami
Tags removed: security
Request was from Nico Golde <nion@debian.org>
to control@bugs.debian.org.
(Thu, 28 May 2009 10:42:04 GMT)
Information forwarded
to debian-bugs-dist@lists.debian.org, Samuel Mimram <smimram@debian.org>: Bug#530831; Package libsndfile1.
(Thu, 28 May 2009 12:03:16 GMT)
Acknowledgement sent
to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Samuel Mimram <smimram@debian.org>.
(Thu, 28 May 2009 12:03:16 GMT)
Hi,
* Erik de Castro Lopo <erikd@mega-nerd.com> [2009-05-28 11:52]:
> Sami Liedes wrote:
[...]
> > I don't know what the security impact is, but since I assume
> > libsndfile is used by lots of applications for data obtained from
> > untrusted sources, I thought I'd tag this security. In any case it
> > should be at most denial of service. Untag if you think it's not
> > securitywise important.
>
> Denial of service but not much else.
I even removed the security tag. libsndfile is no service so
speaking of denial of service here is a bit too much. This
is just a regular application bug.
Cheers
Nico
--
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
Information forwarded
to debian-bugs-dist@lists.debian.org, Samuel Mimram <smimram@debian.org>: Bug#530831; Package libsndfile1.
(Thu, 28 May 2009 23:18:02 GMT)
Acknowledgement sent
to Erik de Castro Lopo <erikd@mega-nerd.com>:
Extra info received and forwarded to list. Copy sent to Samuel Mimram <smimram@debian.org>.
(Thu, 28 May 2009 23:18:02 GMT)
Attached is a patch which fixes all these problems.
Cheers,
Erik
PS : I am the upstream author and this is the patch I applied to my
development version.
--
----------------------------------------------------------------------
Erik de Castro Lopo
http://www.mega-nerd.com/
Subject: libsndfile1: Crafted files can trigger divide by zero
Date: Tue, 3 Aug 2010 18:05:34 +1000
This bug seems to have been fixed for some time. No divide by zero
on any of these files with libsndfile-1.0.21-3.
Cheers,
Erik
--
----------------------------------------------------------------------
Erik de Castro Lopo
http://www.mega-nerd.com/
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Wed, 01 Sep 2010 07:34:44 GMT)