[Secure-testing-team] Bug#881145: sox: null pointer dereference while running play
Joonun Jang
joonun.jang at gmail.com
Wed Nov 8 06:47:56 UTC 2017
Package: sox
Version: 14.4.1-5+b2
Severity: normal
Tags: security
Null pointer dereference while running play with the "poc bass +3" option
Running 'play poc bass +3' with the attached file raises a null pointer dereference,
which may allow a remote attacker to cause a denial of service.
I expected the program to terminate without a segfault, but the program crashes as follows.
I sent this to the Debian security team before, but I didn't get any response.
So I am sending this to the public.
-------------------------------------------
june at yuweol:~/poc/play/crash1$ play poc bass +3
poc:
File Size: 48 Bit Rate: 0.00394
Encoding: WavPack
Channels: 2 @ 16-bit
Samplerate: 44100Hz
Replaygain: off
Duration: 27:03:11.55
In:0.00% 00:00:00.00 [27:03:11.55] Out:0 [ | ] Clip:0 Segmentation fault
-------------------------------------------
Thread 1 "play" received signal SIGSEGV, Segmentation fault.
0x00007fffed796f34 in WavpackUnpackSamples () from /usr/lib/x86_64-linux-gnu/libwavpack.so.1
(gdb) x/i $rip
=> 0x7fffed796f34 <WavpackUnpackSamples+20>: mov 0x1e0(%rdi),%rax
(gdb) i r rdi
rdi 0x0 0
-------------------------------------------
This bug was found with a fuzzer developed by 'SoftSec' group at KAIST.
-- System Information:
Debian Release: buster/sid
APT prefers unstable-debug
APT policy: (500, 'unstable-debug'), (500, 'testing-debug'), (500, 'stable-updates'), (500, 'testing'), (500, 'stable'), (1, 'experimental-debug')
Architecture: amd64 (x86_64)
Kernel: Linux 4.9.0-3-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages sox depends on:
ii libc6 2.24-17
ii libgomp1 7.2.0-12
ii libsox-fmt-alsa 14.4.1-5+b2
ii libsox-fmt-ao 14.4.1-5+b2
ii libsox-fmt-base 14.4.1-5+b2
ii libsox-fmt-oss 14.4.1-5+b2
ii libsox-fmt-pulse 14.4.1-5+b2
ii libsox2 14.4.1-5+b2
sox recommends no packages.
Versions of packages sox suggests:
ii libsox-fmt-all 14.4.1-5+b2
-- no debconf information
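The report shows WavpackUnpackSamples being entered with a NULL context pointer on a 48-byte input, but not where the NULL came from. As an added example (not code from the report, sox or libwavpack), the following is the kind of header sanity check a fuzzing harness or ingest service can run on a WavPack file before it reaches a decoder: it parses the fixed 32-byte block header and rejects inputs that are truncated, carry the wrong magic, or describe a block that cannot fit in the bytes present. The header layout follows the WavPack format description; the sample files and the `wv_make_sample` helper are constructed here and are not the reporter's attachment.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define WV_HEADER_SIZE 32u   /* size of the fixed WavPack block header */

static uint32_t rd32(const uint8_t *p) {       /* little-endian u32 */
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Checks the first block header of a WavPack file held in buf (len bytes
 * actually present). Returns 0 when the header is internally consistent
 * and the block it describes fits in the data, otherwise a reason code. */
int wv_check_header(const uint8_t *buf, size_t len) {
    if (len < WV_HEADER_SIZE) return 1;                 /* cut off inside the header */
    if (memcmp(buf, "wvpk", 4) != 0) return 2;          /* wrong magic */
    uint32_t ck_size = rd32(buf + 4);                   /* block length minus 8 */
    uint16_t version = (uint16_t)(buf[8] | buf[9] << 8);
    if (ck_size < WV_HEADER_SIZE - 8) return 3;         /* block smaller than its own header */
    if ((uint64_t)ck_size + 8 > len) return 4;          /* block runs past the end of the data */
    if (version < 0x402 || version > 0x410) return 5;   /* outside the stream versions libwavpack accepts */
    return 0;
}

/* Writes a constructed 48-byte file (not the reporter's attachment) into
 * buf: a 32-byte header with the given ck_size, followed by 16 filler bytes. */
size_t wv_make_sample(uint8_t buf[48], uint32_t ck_size) {
    memset(buf, 0, 48);
    memcpy(buf, "wvpk", 4);
    for (int i = 0; i < 4; i++) buf[4 + i] = (uint8_t)(ck_size >> (8 * i));
    buf[8] = 0x07; buf[9] = 0x04;   /* version 0x407 */
    buf[12] = 0x00; buf[13] = 0x10; /* total_samples = 4096 */
    buf[20] = 0x00; buf[21] = 0x10; /* block_samples = 4096 */
    return 48;
}

int main(void) {
    static const char *why[] = { "ok", "truncated header", "bad magic",
        "block shorter than header", "block exceeds file", "unknown version" };
    uint8_t buf[48];
    uint32_t sizes[] = { 40, 65536, 10 };
    for (size_t i = 0; i < 3; i++) {
        size_t n = wv_make_sample(buf, sizes[i]);
        printf("ck_size=%u -> %s\n", sizes[i], why[wv_check_header(buf, n)]);
    }
    return 0;
}
```

A file that passes this check can still crash a decoder, so the check is a cheap first filter for triage and ingest, not a substitute for a fix in the decoder or its caller.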