[Secure-testing-team] Bug#878810: sox: CVE-2017-15370: heap-buffer-overflow src/ima_rw.c:126 in ImaExpandS

Salvatore Bonaccorso carnil at debian.org
Mon Oct 16 19:57:12 UTC 2017


Source: sox
Version: 14.4.1-5
Severity: important
Tags: security upstream

Hi,

the following vulnerability was published for sox.

CVE-2017-15370[0]:
| There is a heap-based buffer overflow in the ImaExpandS function of
| ima_rw.c in Sound eXchange (SoX) 14.4.2. A crafted input will lead to a
| denial of service attack during conversion of an audio file.

With attached reproducer (from the original reference in case it would
disappear):

$ ./src/sox ~/02-heap-buffer-over tt.snd
=================================================================
==4925==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x619000000952 at pc 0x7ff7f48bc233 bp 0x7ffd29283c90 sp 0x7ffd29283c88
WRITE of size 2 at 0x619000000952 thread T0
    #0 0x7ff7f48bc232 in ImaExpandS src/ima_rw.c:126
    #1 0x7ff7f48bc2a2 in lsx_ima_block_expand_i src/ima_rw.c:142
    #2 0x7ff7f48bd402 in ImaAdpcmReadBlock src/wav.c:139
    #3 0x7ff7f48c4564 in read_samples src/wav.c:1027
    #4 0x7ff7f47951fb in sox_read src/formats.c:973
    #5 0x406096 in sox_read_wide src/sox.c:490
    #6 0x406a6e in combiner_drain src/sox.c:552
    #7 0x7ff7f47c8fe1 in drain_effect src/effects.c:318
    #8 0x7ff7f47c9ffe in sox_flow_effects src/effects.c:387
    #9 0x4122da in process src/sox.c:1794
    #10 0x41b386 in main src/sox.c:3012
    #11 0x7ff7f3c692e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)
    #12 0x402f49 in _start (/root/sox-14.4.1/src/.libs/sox+0x402f49)

0x619000000952 is located 0 bytes to the right of 978-byte region [0x619000000580,0x619000000952)
allocated by thread T0 here:
    #0 0x7ff7f4c39fd0 in __interceptor_realloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xd9fd0)
    #1 0x7ff7f479bd6d in lsx_realloc src/xmalloc.c:37
    #2 0x7ff7f48c1d3b in startread src/wav.c:730
    #3 0x7ff7f4790d17 in open_read src/formats.c:540
    #4 0x7ff7f4791563 in sox_open_read src/formats.c:580
    #5 0x41a81f in main src/sox.c:2949
    #6 0x7ff7f3c692e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)

SUMMARY: AddressSanitizer: heap-buffer-overflow src/ima_rw.c:126 in ImaExpandS
Shadow bytes around the buggy address:
  0x0c327fff80d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff80e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff80f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff8100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff8110: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c327fff8120: 00 00 00 00 00 00 00 00 00 00[02]fa fa fa fa fa
  0x0c327fff8130: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fff8140: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fff8150: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fff8160: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fff8170: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==4925==ABORTING

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-15370
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15370

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 02-heap-buffer-over
Type: audio/x-wav
Size: 3538 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/secure-testing-team/attachments/20171016/69c79c1e/attachment.wav>
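Reading the AddressSanitizer report above: the faulting access is a WRITE of size 2 (one 16-bit sample) landing 0 bytes past the end of a 978-byte heap region (489 samples) that startread() allocated while parsing the WAV header, and the writer is the IMA ADPCM block expander (ImaExpandS via lsx_ima_block_expand_i from ImaAdpcmReadBlock). In other words, the output buffer was sized from header metadata and the expansion loop wrote more samples than that buffer holds. The following is an added example written for this page, not code from SoX's ima_rw.c or wav.c, and it does not claim to reproduce SoX's exact root cause; it demonstrates the bug class in a minimal IMA ADPCM decoder. The function and constant names (ima_samples_from_block_align, ima_fmt_consistent, ima_block_expand_mono, kBlock, demo_expand, demo_sample) are hypothetical, the decoder handles mono blocks only, and the 8-byte sample block is constructed, not taken from the attached reproducer. In an IMA ADPCM WAV, wBlockAlign fixes how many samples a block really encodes, while the separate wSamplesPerBlock field is what a naive reader uses to size its buffer; a crafted header can make the two disagree. The hardened decoder checks that the fmt fields are consistent and, independently, bounds the expansion loop by the capacity of the destination buffer.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Standard IMA ADPCM step-size and index-adjust tables (IMA 1992 spec). */
static const int16_t kStepTable[89] = {
    7, 8, 9, 10, 11, 12, 13, 14, 16, 17, 19, 21, 23, 25, 28, 31, 34, 37, 41, 45,
    50, 55, 60, 66, 73, 80, 88, 97, 107, 118, 130, 143, 157, 173, 190, 209, 230,
    253, 279, 307, 337, 371, 408, 449, 494, 544, 598, 658, 724, 796, 876, 963,
    1060, 1166, 1282, 1411, 1552, 1707, 1878, 2066, 2272, 2499, 2749, 3024, 3327,
    3660, 4026, 4428, 4871, 5358, 5894, 6484, 7132, 7845, 8630, 9493, 10442,
    11487, 12635, 13899, 15289, 16818, 18500, 20350, 22385, 24623, 27086, 29794,
    32767 };
static const int kIndexAdjust[16] = { -1, -1, -1, -1, 2, 4, 6, 8,
                                      -1, -1, -1, -1, 2, 4, 6, 8 };

struct ima_state { int pred; int idx; };

/* Decode one 4-bit code, updating predictor and step index. */
static int16_t ima_decode_code(struct ima_state *s, int code) {
    int step = kStepTable[s->idx];
    int diff = step >> 3;
    if (code & 1) diff += step >> 2;
    if (code & 2) diff += step >> 1;
    if (code & 4) diff += step;
    if (code & 8) diff = -diff;
    s->pred += diff;
    if (s->pred > 32767) s->pred = 32767;
    if (s->pred < -32768) s->pred = -32768;
    s->idx += kIndexAdjust[code];
    if (s->idx < 0) s->idx = 0;
    if (s->idx > 88) s->idx = 88;
    return (int16_t)s->pred;
}

/* Samples per channel actually encoded by a block of block_align bytes:
 * a 4-byte header per channel (predictor, step index, reserved) yields the
 * first sample, then every remaining byte holds two 4-bit codes. This is
 * the count the expansion loop will write, whatever the fmt chunk claims. */
size_t ima_samples_from_block_align(size_t block_align, unsigned channels) {
    if (channels == 0 || block_align < 4 * (size_t)channels) return 0;
    return 1 + (block_align - 4 * channels) * 2 / channels;
}

/* Header check a reader should perform before sizing its output buffer from
 * wSamplesPerBlock: the value must match what wBlockAlign implies, otherwise
 * a buffer sized from one field and a loop driven by the other disagree.
 * Returns 1 when consistent. (Hypothetical helper, not SoX's check.) */
int ima_fmt_consistent(size_t block_align, unsigned channels, size_t samples_per_block) {
    size_t implied = ima_samples_from_block_align(block_align, channels);
    return implied != 0 && implied == samples_per_block;
}

/* Expand one mono block into out[]. Bounded by out_cap: a block encoding more
 * samples than the buffer holds is rejected (-1) instead of overrunning it.
 * Returns the number of samples written. */
int ima_block_expand_mono(const uint8_t *blk, size_t block_align,
                          int16_t *out, size_t out_cap) {
    size_t need = ima_samples_from_block_align(block_align, 1);
    if (need == 0 || need > out_cap) return -1;
    struct ima_state s;
    s.pred = (int16_t)(blk[0] | (blk[1] << 8));
    s.idx = blk[2];
    if (s.idx > 88) return -1;          /* corrupt step index: would index past kStepTable */
    out[0] = (int16_t)s.pred;
    size_t w = 1;
    for (size_t i = 4; i < block_align; i++) {
        out[w++] = ima_decode_code(&s, blk[i] & 0x0f);
        out[w++] = ima_decode_code(&s, blk[i] >> 4);
    }
    return (int)w;
}

/* Constructed 8-byte mono block (not the report's attachment): predictor 0,
 * step index 0, then codes 7,0 followed by six zero codes -> 9 samples. */
static const uint8_t kBlock[8] = { 0x00, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00 };

/* Expand kBlock into a buffer of cap samples. cap < 9 models a header whose
 * wSamplesPerBlock is smaller than wBlockAlign implies: rejected, not overrun. */
int demo_expand(size_t cap) {
    int16_t out[16];
    return ima_block_expand_mono(kBlock, sizeof kBlock, out, cap > 16 ? 16 : cap);
}

/* Sample i (0..8) of the fully decoded kBlock, or INT_MIN on error. */
int demo_sample(size_t i) {
    int16_t out[16];
    if (i >= 9 || ima_block_expand_mono(kBlock, sizeof kBlock, out, 16) < 0) return INT_MIN;
    return out[i];
}

int main(void) {
    printf("blockAlign=8 mono encodes %zu samples\n", ima_samples_from_block_align(8, 1));
    printf("fmt claiming 8 samples/block consistent? %d\n", ima_fmt_consistent(8, 1, 8));
    printf("expand into 8-sample buffer: %d (rejected)\n", demo_expand(8));
    printf("expand into 9-sample buffer: %d samples\n", demo_expand(9));
    return 0;
}
```

The two checks are deliberately redundant: ima_fmt_consistent() rejects the inconsistent header up front, and ima_block_expand_mono() still refuses to write past out_cap even if a caller sized the buffer from the wrong field. Either one alone would have turned the 2-byte write past the 978-byte region in the report above into a clean decode error.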