[Secure-testing-team] Bug#878810: sox: CVE-2017-15370: heap-buffer-overflow src/ima_rw.c:126 in ImaExpandS
Salvatore Bonaccorso
carnil at debian.org
Mon Oct 16 19:57:12 UTC 2017
Source: sox
Version: 14.4.1-5
Severity: important
Tags: security upstream
Hi,
the following vulnerability was published for sox.
CVE-2017-15370[0]:
| There is a heap-based buffer overflow in the ImaExpandS function of
| ima_rw.c in Sound eXchange (SoX) 14.4.2. A crafted input will lead to a
| denial of service attack during conversion of an audio file.
With attached reproducer (from the original reference in case it would
disappear):
$ ./src/sox ~/02-heap-buffer-over tt.snd
=================================================================
==4925==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x619000000952 at pc 0x7ff7f48bc233 bp 0x7ffd29283c90 sp 0x7ffd29283c88
WRITE of size 2 at 0x619000000952 thread T0
#0 0x7ff7f48bc232 in ImaExpandS src/ima_rw.c:126
#1 0x7ff7f48bc2a2 in lsx_ima_block_expand_i src/ima_rw.c:142
#2 0x7ff7f48bd402 in ImaAdpcmReadBlock src/wav.c:139
#3 0x7ff7f48c4564 in read_samples src/wav.c:1027
#4 0x7ff7f47951fb in sox_read src/formats.c:973
#5 0x406096 in sox_read_wide src/sox.c:490
#6 0x406a6e in combiner_drain src/sox.c:552
#7 0x7ff7f47c8fe1 in drain_effect src/effects.c:318
#8 0x7ff7f47c9ffe in sox_flow_effects src/effects.c:387
#9 0x4122da in process src/sox.c:1794
#10 0x41b386 in main src/sox.c:3012
#11 0x7ff7f3c692e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)
#12 0x402f49 in _start (/root/sox-14.4.1/src/.libs/sox+0x402f49)
0x619000000952 is located 0 bytes to the right of 978-byte region [0x619000000580,0x619000000952)
allocated by thread T0 here:
#0 0x7ff7f4c39fd0 in __interceptor_realloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xd9fd0)
#1 0x7ff7f479bd6d in lsx_realloc src/xmalloc.c:37
#2 0x7ff7f48c1d3b in startread src/wav.c:730
#3 0x7ff7f4790d17 in open_read src/formats.c:540
#4 0x7ff7f4791563 in sox_open_read src/formats.c:580
#5 0x41a81f in main src/sox.c:2949
#6 0x7ff7f3c692e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)
SUMMARY: AddressSanitizer: heap-buffer-overflow src/ima_rw.c:126 in ImaExpandS
==4925==ABORTING
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2017-15370
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15370
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
Attachment: 02-heap-buffer-over (audio/x-wav, 3538 bytes): <http://lists.alioth.debian.org/pipermail/secure-testing-team/attachments/20171016/69c79c1e/attachment.wav>
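Added illustration of the defect class the ASan report above describes (a 2-byte sample write landing 0 bytes past a heap region sized from the file header); this is a hypothetical IMA ADPCM expander written for this note, not sox's ImaExpandS or its fix. It assumes the caller passes the real capacity of the output buffer alongside the header-supplied sample count, and refuses to decode when they disagree.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Standard IMA ADPCM tables: 89 step sizes and 16 step-index adjustments. */
static const int16_t ima_steps[89] = {
    7,8,9,10,11,12,13,14,16,17,19,21,23,25,28,31,34,37,41,45,50,55,60,66,73,80,88,
    97,107,118,130,143,157,173,190,209,230,253,279,307,337,371,408,449,494,544,598,
    658,724,796,876,963,1060,1166,1282,1411,1552,1707,1878,2066,2272,2499,2749,3024,
    3327,3660,4026,4428,4871,5358,5894,6484,7132,7845,8630,9493,10442,11487,12635,
    13899,15289,16818,18500,20350,22385,24623,27086,29794,32767 };
static const int8_t ima_index_adj[16] = { -1,-1,-1,-1,2,4,6,8,-1,-1,-1,-1,2,4,6,8 };

/* Hypothetical expander (assumption: not sox's ImaExpandS). nsamples comes from
 * the file header and is attacker-controlled, so it is checked against the real
 * sizes of both buffers before the first write. Returns samples written, or -1. */
long ima_expand_checked(const uint8_t *in, size_t in_len, int16_t *out,
                        size_t out_cap, size_t nsamples, int predictor, int step_index)
{
    if (nsamples > out_cap || (nsamples + 1) / 2 > in_len) return -1;
    if (step_index < 0 || step_index > 88) return -1;
    if (predictor < -32768 || predictor > 32767) return -1;
    for (size_t i = 0; i < nsamples; i++) {
        /* WAV IMA ADPCM packs the earlier sample in the low nibble. */
        int nib = (i & 1) ? (in[i / 2] >> 4) & 0x0F : in[i / 2] & 0x0F;
        int step = ima_steps[step_index];
        int diff = step >> 3;               /* rounding term */
        if (nib & 4) diff += step;
        if (nib & 2) diff += step >> 1;
        if (nib & 1) diff += step >> 2;
        predictor += (nib & 8) ? -diff : diff;
        if (predictor > 32767) predictor = 32767;
        if (predictor < -32768) predictor = -32768;
        out[i] = (int16_t)predictor;        /* the only write into out[] */
        step_index += ima_index_adj[nib];
        if (step_index < 0) step_index = 0;
        if (step_index > 88) step_index = 88;
    }
    return (long)nsamples;
}

/* Constructed one-byte block: nibbles 3 then 0, decoded from a zero predictor. */
static const uint8_t demo_block[1] = { 0x03 };
int16_t demo_out[4];

int main(void)
{
    long n = ima_expand_checked(demo_block, 1, demo_out, 4, 2, 0, 0);
    printf("decoded %ld samples: %d %d\n", n, demo_out[0], demo_out[1]);
    return 0;
}
```

Passing a header that claims 8 samples for a 4-sample buffer returns -1 instead of writing past the end, which is the condition ASan flagged in the report.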