Debian Bug report logs -
#530831
libsndfile1: Crafted files can trigger divide by zero
Reported by: Sami Liedes <sliedes@cc.hut.fi>
Date: Thu, 28 May 2009 06:33:02 UTC
Severity: normal
Found in version libsndfile/1.0.20-1
Done: Erik de Castro Lopo <erikd@mega-nerd.com>
Bug is archived. No further changes may be made.
Report forwarded
to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>, Samuel Mimram <smimram@debian.org>:
Bug#530831; Package libsndfile1.
(Thu, 28 May 2009 06:33:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Sami Liedes <sliedes@cc.hut.fi>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>, Samuel Mimram <smimram@debian.org>.
(Thu, 28 May 2009 06:33:05 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Package: libsndfile1
Version: 1.0.20-1
Severity: normal
Tags: security
Hi,
I have discovered six different SIGFPE crashes with crafted input
files in libsndfile. Triggering input files are attached.
The crashes are:
1) in htk.c:198 (htk_read_header), divisor sample_period can be 0.
2) in alaw.c:72 (alaw_init), divisor psf->blockwidth can be 0.
3) in ulaw.c:62 (ulaw_init), divisor psf->blockwidth can be 0.
4) in pcm.c:274 (pcm_init), divisor psf->blockwidth can be 0.
5) in float32.c:244 (float32_init), divisor psf->blockwidth can be 0.
6) in sds.c:279 (sds_read_header), psds->bitwidth can be 0, resulting
in divisor ((psds->bitwidth + 6) / 7) getting the value of 0.
Run for example sndfile-info (from the sndfile-programs package) with
one of these files as parameter to see the crash.
I don't know what the security impact is, but since I assume
libsndfile is used by lots of applications for data obtained from
untrusted sources, I thought I'd tag this security. In any case it
should be at most denial of service. Untag if you think it's not
securitywise important.
Sami
-- System Information:
Debian Release: squeeze/sid
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.29.3 (SMP w/4 CPU cores; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages libsndfile1 depends on:
ii libc6 2.9-13 GNU C Library: Shared libraries
ii libflac8 1.2.1-1.2 Free Lossless Audio Codec - runtim
ii libogg0 1.1.3-5 Ogg Bitstream Library
ii libvorbis0a 1.2.0.dfsg-4 The Vorbis General Audio Compressi
ii libvorbisenc2 1.2.0.dfsg-4 The Vorbis General Audio Compressi
libsndfile1 recommends no packages.
libsndfile1 suggests no packages.
-- no debconf information
[1.data (application/octet-stream, attachment)]
[2.data (application/octet-stream, attachment)]
[3.data (application/octet-stream, attachment)]
[4.data (application/octet-stream, attachment)]
[5.data (application/octet-stream, attachment)]
[6.data (application/octet-stream, attachment)]
[signature.asc (application/pgp-signature, inline)]
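All six crashes in the report above share one pattern: a value read from a file header, or derived from one, is used as a divisor without a check. The sketch below is an added example, not libsndfile's code and not the sigfpe.diff patch mentioned later in this log; the function names, the status codes, the `block_bytes` parameter and the one-byte type for `bitwidth` are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical status codes for this example (not libsndfile's). */
enum { HDR_OK = 0, HDR_BAD_FIELD = -1 };

/* Shared guard: reject any header-derived divisor that is not strictly
 * positive. That covers 0 and, for signed fields, the INT_MIN / -1 case,
 * which also raises SIGFPE on x86. */
static int checked_div(int64_t num, int64_t den, int64_t *out)
{
    if (den <= 0)
        return HDR_BAD_FIELD;
    *out = num / den;
    return HDR_OK;
}

/* Cases 2-5 in the report: the divisor is a block width from the file. */
int frames_from_blockwidth(int64_t datalength, int blockwidth, int64_t *frames)
{
    return checked_div(datalength, blockwidth, frames);
}

/* Case 1: HTK stores the sample period in 100 ns units, so the sample
 * rate is 10000000 / sample_period. */
int rate_from_htk_period(int32_t sample_period, int64_t *rate)
{
    return checked_div(10000000, sample_period, rate);
}

/* Case 6: the divisor is derived from the field. Check the derived value:
 * bitwidth == 0 gives (0 + 6) / 7 == 0. */
int samples_per_sds_block(int block_bytes, uint8_t bitwidth, int64_t *samples)
{
    return checked_div(block_bytes, (bitwidth + 6) / 7, samples);
}

int main(void)
{
    int64_t v = 0;
    /* Constructed header values; zero fields are rejected, not divided. */
    int rc = frames_from_blockwidth(4096, 0, &v);
    printf("blockwidth=0 -> %d\n", rc);
    rc = samples_per_sds_block(120, 0, &v);
    printf("bitwidth=0   -> %d\n", rc);
    rc = rate_from_htk_period(625, &v);
    printf("period=625   -> %d (rate %lld)\n", rc, (long long) v);
    return 0;
}
```

A parser that returns an error on these fields turns the SIGFPE into an ordinary "malformed file" failure that the calling application can handle.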
Information forwarded
to debian-bugs-dist@lists.debian.org, Samuel Mimram <smimram@debian.org>:
Bug#530831; Package libsndfile1.
(Thu, 28 May 2009 08:00:08 GMT) (full text, mbox, link).
Acknowledgement sent
to Erik de Castro Lopo <erikd@mega-nerd.com>:
Extra info received and forwarded to list. Copy sent to Samuel Mimram <smimram@debian.org>.
(Thu, 28 May 2009 08:00:08 GMT) (full text, mbox, link).
Message #10 received at submit@bugs.debian.org (full text, mbox, reply):
Sami Liedes wrote:
> I have discovered six different SIGFPE crashes with crafted input
> files in libsndfile. Triggering input files are attached.
Seems the Debian bug tracker filtered them out. Can you please send
them directly to me?
> I don't know what the security impact is, but since I assume
> libsndfile is used by lots of applications for data obtained from
> untrusted sources, I thought I'd tag this security. In any case it
> should be at most denial of service. Untag if you think it's not
> securitywise important.
Denial of service but not much else.
Erik
--
----------------------------------------------------------------------
Erik de Castro Lopo
http://www.mega-nerd.com/
Information forwarded
to debian-bugs-dist@lists.debian.org, Samuel Mimram <smimram@debian.org>:
Bug#530831; Package libsndfile1.
(Thu, 28 May 2009 08:00:16 GMT) (full text, mbox, link).
Acknowledgement sent
to Erik de Castro Lopo <erikd@mega-nerd.com>:
Extra info received and forwarded to list. Copy sent to Samuel Mimram <smimram@debian.org>.
(Thu, 28 May 2009 08:00:16 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, Samuel Mimram <smimram@debian.org>:
Bug#530831; Package libsndfile1.
(Thu, 28 May 2009 08:33:02 GMT) (full text, mbox, link).
Acknowledgement sent
to Sami Liedes <sliedes@cc.hut.fi>:
Extra info received and forwarded to list. Copy sent to Samuel Mimram <smimram@debian.org>.
(Thu, 28 May 2009 08:33:03 GMT) (full text, mbox, link).
Message #20 received at submit@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
On Thu, May 28, 2009 at 05:53:03PM +1000, Erik de Castro Lopo wrote:
> Sami Liedes wrote:
>
> > I have discovered six different SIGFPE crashes with crafted input
> > files in libsndfile. Triggering input files are attached.
>
> Seems the debian bug tracker filtered them out. Can you please send
> them directly to me?
Here's a link to them:
http://www.hut.fi/~sliedes/sndfile-fpe
Sami
[signature.asc (application/pgp-signature, inline)]
Information forwarded
to debian-bugs-dist@lists.debian.org, Samuel Mimram <smimram@debian.org>:
Bug#530831; Package libsndfile1.
(Thu, 28 May 2009 08:33:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Sami Liedes <sliedes@cc.hut.fi>:
Extra info received and forwarded to list. Copy sent to Samuel Mimram <smimram@debian.org>.
(Thu, 28 May 2009 08:33:04 GMT) (full text, mbox, link).
Tags removed: security
Request was from Nico Golde <nion@debian.org>
to control@bugs.debian.org.
(Thu, 28 May 2009 10:42:04 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, Samuel Mimram <smimram@debian.org>:
Bug#530831; Package libsndfile1.
(Thu, 28 May 2009 12:03:16 GMT) (full text, mbox, link).
Acknowledgement sent
to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Samuel Mimram <smimram@debian.org>.
(Thu, 28 May 2009 12:03:16 GMT) (full text, mbox, link).
Message #32 received at 530831@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Hi,
* Erik de Castro Lopo <erikd@mega-nerd.com> [2009-05-28 11:52]:
> Sami Liedes wrote:
[...]
> > I don't know what the security impact is, but since I assume
> > libsndfile is used by lots of applications for data obtained from
> > untrusted sources, I thought I'd tag this security. In any case it
> > should be at most denial of service. Untag if you think it's not
> > securitywise important.
>
> Denial of service but not much else.
I even removed the security tag. libsndfile is no service so
speaking of denial of service here is a bit too much. This
is just a regular application bug.
Cheers
Nico
--
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[Message part 2 (application/pgp-signature, inline)]
Information forwarded
to debian-bugs-dist@lists.debian.org, Samuel Mimram <smimram@debian.org>:
Bug#530831; Package libsndfile1.
(Thu, 28 May 2009 23:18:02 GMT) (full text, mbox, link).
Acknowledgement sent
to Erik de Castro Lopo <erikd@mega-nerd.com>:
Extra info received and forwarded to list. Copy sent to Samuel Mimram <smimram@debian.org>.
(Thu, 28 May 2009 23:18:02 GMT) (full text, mbox, link).
Message #37 received at 530831@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Attached is a patch which fixes all these problems.
Cheers,
Erik
PS : I am the upstream author and this is the patch I applied to my
development version.
--
----------------------------------------------------------------------
Erik de Castro Lopo
http://www.mega-nerd.com/
[sigfpe.diff (text/x-diff, attachment)]
Reply sent
to Erik de Castro Lopo <erikd@mega-nerd.com>:
You have taken responsibility.
(Tue, 03 Aug 2010 08:09:09 GMT) (full text, mbox, link).
Notification sent
to Sami Liedes <sliedes@cc.hut.fi>:
Bug acknowledged by developer.
(Tue, 03 Aug 2010 08:09:09 GMT) (full text, mbox, link).
Message #42 received at 530831-done@bugs.debian.org (full text, mbox, reply):
This bug seems to have been fixed for some time. No divide by zero
on any of these files with libsndfile-1.0.21-3.
Cheers,
Erik
--
----------------------------------------------------------------------
Erik de Castro Lopo
http://www.mega-nerd.com/
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Wed, 01 Sep 2010 07:34:44 GMT) (full text, mbox, link).
Last modified:
Fri Aug 2 04:05:09 2024;