Your message dated Sun, 17 Jan 2010 14:06:51 +0000
with message-id <e1nwvmf-00085b...@ries.debian.org>
and subject line Bug#510205: fixed in audiofile 0.2.6-7+lenny1
has caused the Debian Bug report #510205,
regarding buffer overflow in libaudiofile
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
510205: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=510205
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: libaudiofile0
Version: 0.2.6-6
Severity: critical
Today, the Music Player Daemon project received a bug report from
Anton Khirnov: MPD crashed when attempting to play a WAV file. "file"
says:
RIFF (little-endian) data, WAVE audio, Microsoft ADPCM, stereo 44100 Hz
The MPD bug report: http://musicpd.org/mantis/view.php?id=1915
The test file: http://filebin.ca/meqmyu/max_theme.wav
Turns out that this is a bug in libaudiofile. When attempting to
decode the file, libaudiofile writes past the buffer in msadpcm.c:194
    code = *encoded >> 4;
    newSample = ms_adpcm_decode_sample(state[0], code,
                                       coefficient[0]);
    *decoded++ = newSample;
Valgrind output:
==4680== Invalid write of size 2
==4680== at 0x8CF0478: ms_adpcm_run_pull (msadpcm.c:194)
==4680== by 0x8CEAF75: _AFpull (modules.c:111)
==4680== by 0x8CF11A3: int2rebufferf2vrun_pull (rebuffer.template:409)
==4680== by 0x8CDE4ED: afReadFrames (data.c:228)
==4680== by 0x435EBA: audiofile_streamdecode (audiofile_plugin.c:159)
==4680== by 0x4145A2: decoder_stream_decode (decoder_thread.c:49)
==4680== by 0x414A5C: decoder_run (decoder_thread.c:189)
==4680== by 0x414B7B: decoder_task (decoder_thread.c:214)
==4680== by 0x72E0453: g_thread_create_proxy (gthread.c:635)
==4680== by 0x62CBFC6: start_thread (pthread_create.c:297)
==4680== by 0xAA595AC: clone (in /usr/lib/debug/libc-2.7.so)
==4680== Address 0x15a66de8 is 0 bytes after a block of size 4,096 alloc'd
==4680== at 0x4C2260E: malloc (vg_replace_malloc.c:207)
==4680== by 0x8CDF96A: _af_malloc (util.c:122)
==4680== by 0x8CEEEBA: _AFsetupmodules (modules.c:2539)
==4680== by 0x8CDE151: afGetFrameCount (format.c:218)
==4680== by 0x435CDD: audiofile_streamdecode (audiofile_plugin.c:141)
==4680== by 0x4145A2: decoder_stream_decode (decoder_thread.c:49)
==4680== by 0x414A5C: decoder_run (decoder_thread.c:189)
==4680== by 0x414B7B: decoder_task (decoder_thread.c:214)
==4680== by 0x72E0453: g_thread_create_proxy (gthread.c:635)
==4680== by 0x62CBFC6: start_thread (pthread_create.c:297)
==4680== by 0xAA595AC: clone (in /usr/lib/debug/libc-2.7.so)
A quick look at the code revealed that the allocated buffer size
depended on the following formula:
bufsize = outc->nframes * _af_format_frame_size(&outc->f, AF_TRUE);
outc->nframes basically comes from _AF_ATOMIC_NVFRAMES (1024), because
the msadpcm module does not implement the max_pull callback. This
results in a 4096 byte allocation in modules.c:2539 (frame size is 4).
In ms_adpcm_decode_block(), msadpcm->samplesPerBlock is set to 2036
(unverified value from the input file header). outputLength is 8144,
which obviously does not fit into the allocated 4096 byte buffer.
I could reproduce the same crash with "normalize-audio max_theme.wav".
The real crash happens after closing the file, probably due to heap
corruption. valgrind notices the problem before the crash actually
occurs.
Severity "critical" because this may be used for a remote DoS
attack on software like MPD. I did not investigate whether it is
possible to inject code this way. Chances are good, since arbitrary
amounts of heap can be overwritten.
Both Debian Etch and Lenny are affected.
Solution: don't use libaudiofile. Change libaudiofile to allocate the
correct buffer size. Add buffer size checks to libaudiofile.
Regards,
Max Kellermann
--- End Message ---
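The report above boils down to two numbers that are never compared: an output buffer sized from a fixed 1024 frames (4096 bytes for 16-bit stereo) and a block length taken straight from the file header (2036 samples per block, 8144 bytes of output). The following is an added example, not code from the bug report or from libaudiofile, of the "add buffer size checks" fix the reporter asks for: it computes the bytes a decoded block needs with overflow-safe arithmetic, refuses to decode when that exceeds the buffer, and wraps a decode loop so it can never write past the end. All function names are hypothetical, the output format is assumed to be 16-bit stereo (which reproduces the report's 4096 and 8144), and the nibble "decoder" is a stand-in for the real ADPCM math.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <limits.h>

/* Added example, not libaudiofile code. Constants mirror the numbers in
 * the report: the output buffer holds _AF_ATOMIC_NVFRAMES (1024) frames,
 * and a 16-bit stereo frame is 4 bytes. Function names are hypothetical. */
#define ATOMIC_NVFRAMES 1024
#define BYTES_PER_SAMPLE 2

/* Bytes needed to hold one decoded block (samplesPerBlock comes from the
 * untrusted file header). Returns 0 if the product would overflow size_t
 * or if either operand is 0, so that "0" always means "reject". */
size_t msadpcm_block_output_bytes(unsigned samples_per_block, unsigned channels)
{
    size_t n = samples_per_block;
    if (channels == 0 || samples_per_block == 0)
        return 0;
    if (n > SIZE_MAX / channels)
        return 0;
    n *= channels;
    if (n > SIZE_MAX / BYTES_PER_SAMPLE)
        return 0;
    return n * BYTES_PER_SAMPLE;
}

/* Size of the output buffer as the report describes it being allocated:
 * nframes * frame size, with nframes fixed at ATOMIC_NVFRAMES. */
size_t output_buffer_bytes(unsigned channels)
{
    return (size_t)ATOMIC_NVFRAMES * channels * BYTES_PER_SAMPLE;
}

/* 1 if a whole decoded block fits in bufsize bytes, 0 otherwise. */
int msadpcm_block_fits(unsigned samples_per_block, unsigned channels, size_t bufsize)
{
    size_t need = msadpcm_block_output_bytes(samples_per_block, channels);
    return need != 0 && need <= bufsize;
}

/* Guarded version of the decode loop. The real decoder derives each
 * sample from ADPCM state and coefficients; here the nibble is only
 * scaled, because the point is the bounds check, not the codec.
 * Returns the number of samples written, or -1 if the header-declared
 * block cannot fit in the buffer (the caller should reject the file). */
long decode_block_guarded(const uint8_t *encoded, size_t encoded_len,
                          unsigned samples_per_block, unsigned channels,
                          int16_t *decoded, size_t bufsize)
{
    if (!msadpcm_block_fits(samples_per_block, channels, bufsize))
        return -1;

    size_t total = (size_t)samples_per_block * channels; /* safe: checked above */
    size_t written = 0;
    /* Two 4-bit codes per input byte, as in the original loop
     * (code = *encoded >> 4, then the low nibble). */
    for (size_t i = 0; i < encoded_len && written + 2 <= total; i++) {
        decoded[written++] = (int16_t)((encoded[i] >> 4) << 8);
        decoded[written++] = (int16_t)((encoded[i] & 0x0f) << 8);
    }
    return (long)written;
}

/* Constructed sample input: 2 bytes of "ADPCM" (4 codes), stereo, a block
 * that declares 2 samples per channel, into an exactly-sized 8-byte buffer. */
long demo_small_block(void)
{
    const uint8_t encoded[2] = { 0x12, 0x34 };
    int16_t decoded[4];
    return decode_block_guarded(encoded, sizeof encoded, 2, 2,
                                decoded, sizeof decoded);
}

int main(void)
{
    size_t bufsize = output_buffer_bytes(2);           /* 4096, as in the report */
    size_t need = msadpcm_block_output_bytes(2036, 2); /* 8144, as in the report */
    printf("buffer %zu bytes, block needs %zu bytes: %s\n", bufsize, need,
           msadpcm_block_fits(2036, 2, bufsize) ? "fits" : "reject file");
    printf("demo block wrote %ld samples\n", demo_small_block());
    return 0;
}
```

The check is deliberately done once per block from header values rather than per sample inside the loop, so a hostile samplesPerBlock is rejected before any decoding starts; the overflow guards matter because a 32-bit header field multiplied by a channel count can wrap a naive size computation and make an oversized block look small.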
--- Begin Message ---
Source: audiofile
Source-Version: 0.2.6-7+lenny1
We believe that the bug you reported is fixed in the latest version of
audiofile, which is due to be installed in the Debian FTP archive:
audiofile_0.2.6-7+lenny1.diff.gz
to main/a/audiofile/audiofile_0.2.6-7+lenny1.diff.gz
audiofile_0.2.6-7+lenny1.dsc
to main/a/audiofile/audiofile_0.2.6-7+lenny1.dsc
libaudiofile-dev_0.2.6-7+lenny1_i386.deb
to main/a/audiofile/libaudiofile-dev_0.2.6-7+lenny1_i386.deb
libaudiofile0-dbg_0.2.6-7+lenny1_i386.deb
to main/a/audiofile/libaudiofile0-dbg_0.2.6-7+lenny1_i386.deb
libaudiofile0_0.2.6-7+lenny1_i386.deb
to main/a/audiofile/libaudiofile0_0.2.6-7+lenny1_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 510...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Stefan Fritsch <s...@debian.org> (supplier of updated audiofile package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Sat, 19 Dec 2009 14:45:38 +0100
Source: audiofile
Binary: libaudiofile-dev libaudiofile0 libaudiofile0-dbg
Architecture: source i386
Version: 0.2.6-7+lenny1
Distribution: stable-security
Urgency: high
Maintainer: Daniel Kobras <kob...@debian.org>
Changed-By: Stefan Fritsch <s...@debian.org>
Description:
libaudiofile-dev - Open-source version of SGI's audiofile library (header files)
libaudiofile0 - Open-source version of SGI's audiofile library
libaudiofile0-dbg - Open-source version of SGI's audiofile library
Closes: 510205
Changes:
audiofile (0.2.6-7+lenny1) stable-security; urgency=high
.
* Non-maintainer upload by the Security Team.
* CVE-2008-5824: Fix buffer overflow when decompressing MS ADPCM .wav
files (closes: #510205).
Checksums-Sha1:
d4335df98c12848c027658e754074a796419b282 1048 audiofile_0.2.6-7+lenny1.dsc
94a6ab8e5122bc1971cf186e5a52d032811c9bc5 374688 audiofile_0.2.6.orig.tar.gz
6abd8c2dc9b4d2ff93a2a20fbb0cf78072383888 300816 audiofile_0.2.6-7+lenny1.diff.gz
128134e12af2c4313c8df0286ccf95e13db3be35 118288 libaudiofile-dev_0.2.6-7+lenny1_i386.deb
b29e6ac5cd369b6f0540d74bc2925e67575a9737 77984 libaudiofile0_0.2.6-7+lenny1_i386.deb
36b6bfff9f2a1df27183d1db975445e5be884d1f 164582 libaudiofile0-dbg_0.2.6-7+lenny1_i386.deb
Checksums-Sha256:
d42e29ffc61b2cdb13b6a807e8e901efe44aa8090ee8494dd1bcb50da3ed82c5 1048 audiofile_0.2.6-7+lenny1.dsc
4b6167b56e21556fb07c9ef06962fe32817064c62181ba47afd3322e0d0f22a9 374688 audiofile_0.2.6.orig.tar.gz
219206ef3e107a6b91ad7ae488141b8147f20cb30ade32d5d38d1d29a919bde8 300816 audiofile_0.2.6-7+lenny1.diff.gz
1cff69b2043f63e9ede34be1d570a4f70ac1f0d566ff15c61d0c847a1496208d 118288 libaudiofile-dev_0.2.6-7+lenny1_i386.deb
43468a6d7a3abc612f6505533e5ac1cd90db458308e8dc6632b81a32387a2219 77984 libaudiofile0_0.2.6-7+lenny1_i386.deb
ad0d0d514b6aa1f7b13c22344281dd7d7f59df526a2330ffdf834260b400d0e6 164582 libaudiofile0-dbg_0.2.6-7+lenny1_i386.deb
Files:
ba1535425e02719cb32aaed448b9e615 1048 libs optional audiofile_0.2.6-7+lenny1.dsc
9c1049876cd51c0f1b12c2886cce4d42 374688 libs optional audiofile_0.2.6.orig.tar.gz
57eece898416b8ecf3aa5dac27f2c4fc 300816 libs optional audiofile_0.2.6-7+lenny1.diff.gz
99ca6cf504847281ffee6095d6c56df9 118288 libdevel optional libaudiofile-dev_0.2.6-7+lenny1_i386.deb
eaa5796ba0a90db7d759719ea46e3ea7 77984 libs optional libaudiofile0_0.2.6-7+lenny1_i386.deb
7c84007f5260c1b9ce714d9e090b649c 164582 libdevel optional libaudiofile0-dbg_0.2.6-7+lenny1_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iD8DBQFLLNzWbxelr8HyTqQRAqAZAJ4ulZ96Gmc83P4Au6KQ8y67WJeSCwCgsd6J
5SUq4hBCe8GWe8vEMpjV6DA=
=Yd3u
-----END PGP SIGNATURE-----
--- End Message ---