Your message dated Sat, 28 Nov 2009 16:03:45 +0000
with message-id <[email protected]>
and subject line Bug#510205: fixed in audiofile 0.2.6-7.1
has caused the Debian Bug report #510205,
regarding buffer overflow in libaudiofile
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
510205: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=510205
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: libaudiofile0
Version: 0.2.6-6
Severity: critical

Today, the Music Player Daemon project received a bug report from
Anton Khirnov: MPD crashed when attempting to play a WAV file.  "file"
says:

 RIFF (little-endian) data, WAVE audio, Microsoft ADPCM, stereo 44100
 Hz

The MPD bug report: http://musicpd.org/mantis/view.php?id=1915

The test file: http://filebin.ca/meqmyu/max_theme.wav

Turns out that this is a bug in libaudiofile.  When attempting to
decode the file, libaudiofile writes past the buffer in msadpcm.c:194

  code = *encoded >> 4;
  newSample = ms_adpcm_decode_sample(state[0], code,
          coefficient[0]);
  *decoded++ = newSample;

Valgrind output:

 ==4680== Invalid write of size 2
 ==4680==    at 0x8CF0478: ms_adpcm_run_pull (msadpcm.c:194)
 ==4680==    by 0x8CEAF75: _AFpull (modules.c:111)
 ==4680==    by 0x8CF11A3: int2rebufferf2vrun_pull (rebuffer.template:409)
 ==4680==    by 0x8CDE4ED: afReadFrames (data.c:228)
 ==4680==    by 0x435EBA: audiofile_streamdecode (audiofile_plugin.c:159)
 ==4680==    by 0x4145A2: decoder_stream_decode (decoder_thread.c:49)
 ==4680==    by 0x414A5C: decoder_run (decoder_thread.c:189)
 ==4680==    by 0x414B7B: decoder_task (decoder_thread.c:214)
 ==4680==    by 0x72E0453: g_thread_create_proxy (gthread.c:635)
 ==4680==    by 0x62CBFC6: start_thread (pthread_create.c:297)
 ==4680==    by 0xAA595AC: clone (in /usr/lib/debug/libc-2.7.so)
 ==4680==  Address 0x15a66de8 is 0 bytes after a block of size 4,096 alloc'd
 ==4680==    at 0x4C2260E: malloc (vg_replace_malloc.c:207)
 ==4680==    by 0x8CDF96A: _af_malloc (util.c:122)
 ==4680==    by 0x8CEEEBA: _AFsetupmodules (modules.c:2539)
 ==4680==    by 0x8CDE151: afGetFrameCount (format.c:218)
 ==4680==    by 0x435CDD: audiofile_streamdecode (audiofile_plugin.c:141)
 ==4680==    by 0x4145A2: decoder_stream_decode (decoder_thread.c:49)
 ==4680==    by 0x414A5C: decoder_run (decoder_thread.c:189)
 ==4680==    by 0x414B7B: decoder_task (decoder_thread.c:214)
 ==4680==    by 0x72E0453: g_thread_create_proxy (gthread.c:635)
 ==4680==    by 0x62CBFC6: start_thread (pthread_create.c:297)
 ==4680==    by 0xAA595AC: clone (in /usr/lib/debug/libc-2.7.so)

A quick look at the code revealed that the allocated buffer size
depended on the following formula:

  bufsize = outc->nframes * _af_format_frame_size(&outc->f, AF_TRUE);

outc->nframes basically comes from _AF_ATOMIC_NVFRAMES (1024), because
the msadpcm module does not implement the max_pull callback.  This
results in a 4096 byte allocation in modules.c:2539 (frame size is 4).

In ms_adpcm_decode_block(), msadpcm->samplesPerBlock is set to 2036
(unverified value from the input file header).  outputLength is 8144,
which obviously does not fit into the allocated 4096 byte buffer.

I could reproduce the same crash with "normalize-audio max_theme.wav".
The real crash happens after closing the file, probably due to heap
corruption.  valgrind notices the problem before the crash actually
occurs.

Severity "critical" because this may be used for a remote DoS
attack on software like MPD.  I did not investigate whether it is
possible to inject code this way.  Chances are good, since arbitrary
amounts of heap can be overwritten.

Both Debian Etch and Lenny are affected.

Solution: don't use libaudiofile.  Change libaudiofile to allocate the
correct buffer size.  Add buffer size checks to libaudiofile.

Regards,
Max Kellermann



--- End Message ---
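The report above boils down to two quantities computed from different sources: the output buffer is sized from a fixed frame count (nframes from _AF_ATOMIC_NVFRAMES, 1024 frames of 4 bytes), while the number of samples a block decodes to (samplesPerBlock) is read unverified from the WAV header. The following is an added example, not libaudiofile's code and not the Debian patch: a small stereo MS ADPCM block decoder that computes the output size the way a max_pull callback would and refuses a block whose header-declared length exceeds the buffer it was handed (or the bytes actually present). The block layout (per channel: one predictor byte, then int16 delta, sample1, sample2; then one nibble per channel per frame) is the standard MS ADPCM layout; the function names, the builder, and the sample values are constructed for this example.

```c
/* Added example (not libaudiofile code): bounds-checked decoding of one
 * stereo MS ADPCM block whose sample count comes from an untrusted header. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NVFRAMES   1024                              /* plays the role of _AF_ATOMIC_NVFRAMES */
#define CHANNELS   2                                 /* stereo, as in the crashing file; code below assumes 2 */
#define FRAME_SIZE (CHANNELS * (int)sizeof(int16_t)) /* 4 bytes, as in the report */
#define BUFSIZE    (NVFRAMES * FRAME_SIZE)           /* 4096: the allocation valgrind saw */
#define HDR_BYTES  (7 * CHANNELS)                    /* MS ADPCM block header: 7 bytes per channel */

static const int adapt[16]  = {230,230,230,230,307,409,512,614,768,614,512,409,307,230,230,230};
static const int coef[7][2] = {{256,0},{512,-256},{0,0},{192,64},{240,0},{460,-208},{392,-232}};

struct chan { int delta, s1, s2, c1, c2; };

/* Standard MS ADPCM sample step: predict from the two previous samples,
 * add the signed nibble scaled by the current step, then adapt the step. */
static int16_t decode_sample(struct chan *st, int nib)
{
    int pred = (st->s1 * st->c1 + st->s2 * st->c2) / 256;
    pred += ((nib & 8) ? nib - 16 : nib) * st->delta;
    if (pred > 32767) pred = 32767;
    if (pred < -32768) pred = -32768;
    st->s2 = st->s1;
    st->s1 = pred;
    st->delta = (adapt[nib] * st->delta) / 256;
    if (st->delta < 16) st->delta = 16;
    return (int16_t)pred;
}

static int16_t rd16(const uint8_t *p) { return (int16_t)(uint16_t)(p[0] | (p[1] << 8)); }

/* Output bytes one block really produces: derived from the header value, which
 * is what a max_pull callback should report instead of the fixed NVFRAMES. */
size_t ms_adpcm_output_bytes(uint16_t samples_per_block)
{
    return (size_t)samples_per_block * FRAME_SIZE;
}

/* Decode one block into `out`. Returns bytes written, or -1 when the
 * header-declared block would not fit `out_cap` or is longer than `blk_len`.
 * Dropping the first `if` reproduces the report's overflow: outputLength
 * from the header, buffer from NVFRAMES. */
long ms_adpcm_decode_block(const uint8_t *blk, size_t blk_len,
                           uint16_t samples_per_block,
                           int16_t *out, size_t out_cap)
{
    if (samples_per_block < 2) return -1;
    size_t need_out = ms_adpcm_output_bytes(samples_per_block);
    size_t need_in  = HDR_BYTES + (size_t)(samples_per_block - 2) * CHANNELS / 2;
    if (need_out > out_cap || need_in > blk_len) return -1;   /* the missing check */

    struct chan st[CHANNELS];
    for (int c = 0; c < CHANNELS; c++) {
        int idx = blk[c];
        if (idx > 6) return -1;                  /* predictor index is untrusted too */
        st[c].c1 = coef[idx][0]; st[c].c2 = coef[idx][1];
        st[c].delta = rd16(blk + CHANNELS + 2 * c);
        st[c].s1    = rd16(blk + 3 * CHANNELS + 2 * c);
        st[c].s2    = rd16(blk + 5 * CHANNELS + 2 * c);
    }
    int16_t *d = out;
    for (int c = 0; c < CHANNELS; c++) *d++ = (int16_t)st[c].s2;   /* frame 0 */
    for (int c = 0; c < CHANNELS; c++) *d++ = (int16_t)st[c].s1;   /* frame 1 */
    const uint8_t *enc = blk + HDR_BYTES;
    for (unsigned f = 2; f < samples_per_block; f++, enc++) {
        *d++ = decode_sample(&st[0], *enc >> 4);    /* high nibble: left  */
        *d++ = decode_sample(&st[1], *enc & 0x0f);  /* low nibble:  right */
    }
    return (long)(d - out) * (long)sizeof(int16_t);
}

/* Constructed test block: both channels use predictor 0 ({256,0}) and every
 * data nibble is 0, so each decoded sample repeats s1. Returns block length. */
size_t build_block(uint8_t *blk, size_t cap, uint16_t spb, int16_t delta, int16_t s1, int16_t s2)
{
    if (spb < 2) return 0;
    size_t len = HDR_BYTES + (size_t)(spb - 2);
    if (len > cap) return 0;
    memset(blk, 0, len);
    for (int c = 0; c < CHANNELS; c++) {
        blk[CHANNELS + 2*c]       = (uint8_t)(delta & 0xff); blk[CHANNELS + 2*c + 1]     = (uint8_t)((delta >> 8) & 0xff);
        blk[3*CHANNELS + 2*c]     = (uint8_t)(s1 & 0xff);    blk[3*CHANNELS + 2*c + 1]   = (uint8_t)((s1 >> 8) & 0xff);
        blk[5*CHANNELS + 2*c]     = (uint8_t)(s2 & 0xff);    blk[5*CHANNELS + 2*c + 1]   = (uint8_t)((s2 >> 8) & 0xff);
    }
    return len;
}

int main(void)
{
    static uint8_t blk[4096];
    static int16_t out[NVFRAMES * CHANNELS];        /* the 4096-byte buffer from the report */
    size_t n = build_block(blk, sizeof blk, 2036, 16, 1000, -500);   /* header value from the crashing file */
    printf("samplesPerBlock=2036 needs %zu bytes, buffer is %d: decode -> %ld\n",
           ms_adpcm_output_bytes(2036), BUFSIZE, ms_adpcm_decode_block(blk, n, 2036, out, sizeof out));
    n = build_block(blk, sizeof blk, 1024, 16, 1000, -500);
    printf("samplesPerBlock=1024: decode -> %ld bytes\n", ms_adpcm_decode_block(blk, n, 1024, out, sizeof out));
    return 0;
}
```

The same check belongs at the WAV fmt-chunk parser as well: a samplesPerBlock that does not match nBlockAlign for the declared channel count should be rejected before any module is set up, so the decoder never sees a header it has to distrust.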
--- Begin Message ---
Source: audiofile
Source-Version: 0.2.6-7.1

We believe that the bug you reported is fixed in the latest version of
audiofile, which is due to be installed in the Debian FTP archive:

audiofile_0.2.6-7.1.diff.gz
  to main/a/audiofile/audiofile_0.2.6-7.1.diff.gz
audiofile_0.2.6-7.1.dsc
  to main/a/audiofile/audiofile_0.2.6-7.1.dsc
libaudiofile-dev_0.2.6-7.1_i386.deb
  to main/a/audiofile/libaudiofile-dev_0.2.6-7.1_i386.deb
libaudiofile0-dbg_0.2.6-7.1_i386.deb
  to main/a/audiofile/libaudiofile0-dbg_0.2.6-7.1_i386.deb
libaudiofile0_0.2.6-7.1_i386.deb
  to main/a/audiofile/libaudiofile0_0.2.6-7.1_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Stefan Fritsch <[email protected]> (supplier of updated audiofile package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sat, 28 Nov 2009 15:41:28 +0100
Source: audiofile
Binary: libaudiofile-dev libaudiofile0 libaudiofile0-dbg
Architecture: source i386
Version: 0.2.6-7.1
Distribution: unstable
Urgency: medium
Maintainer: Daniel Kobras <[email protected]>
Changed-By: Stefan Fritsch <[email protected]>
Description: 
 libaudiofile-dev - Open-source version of SGI's audiofile library (header files)
 libaudiofile0 - Open-source version of SGI's audiofile library
 libaudiofile0-dbg - Open-source version of SGI's audiofile library
Closes: 510205
Changes: 
 audiofile (0.2.6-7.1) unstable; urgency=medium
 .
   * Non-maintainer upload by the Security Team.
   * CVE-2008-5824: Fix buffer overflow when decompressing MS ADPCM .wav files
     (closes: #510205).
Checksums-Sha1: 
 18b1e30599ae9cf4a78602b100647492c6ed2d68 1027 audiofile_0.2.6-7.1.dsc
 3db3254de7197bad0041a81e597daef4a14f8e04 301045 audiofile_0.2.6-7.1.diff.gz
 7b829611d261e200bcdada0eda467a36eafe81ba 117640 libaudiofile-dev_0.2.6-7.1_i386.deb
 b335b1921d831ae1a496747c6390c5fcffb9571e 77972 libaudiofile0_0.2.6-7.1_i386.deb
 8ee57ab5eeb314538b8277cb19e2b83d197d4e3b 164910 libaudiofile0-dbg_0.2.6-7.1_i386.deb
Checksums-Sha256: 
 74d065f7a84ff192ce552bbedae63bc947ebdb36481399a87e2f96fdb3210dad 1027 audiofile_0.2.6-7.1.dsc
 ea1e582b8dc65912671869621a35649030e9095882231e782f474d866ae2a46e 301045 audiofile_0.2.6-7.1.diff.gz
 407f073269671d944e501b8ad016d52a6c4c6a6dcb2494c7020b9801e2c8efc3 117640 libaudiofile-dev_0.2.6-7.1_i386.deb
 24b89b16f492d82e36482c82b3661cd436f509cbf39c3fab48b3abbbaf38f3c2 77972 libaudiofile0_0.2.6-7.1_i386.deb
 db5d8162d80d43cce4c0a545b711402541126788ce94a4fc04d29846e5ccd7f8 164910 libaudiofile0-dbg_0.2.6-7.1_i386.deb
Files: 
 c6b164ace07ee38609b39f722d30261a 1027 libs optional audiofile_0.2.6-7.1.dsc
 280d9ba76fa4767e45cc67302192c4f6 301045 libs optional audiofile_0.2.6-7.1.diff.gz
 ae8d6e209243f2451b8e4ea45a64aa6b 117640 libdevel optional libaudiofile-dev_0.2.6-7.1_i386.deb
 db46468fab8ecb57a2039ac91ef1f042 77972 libs optional libaudiofile0_0.2.6-7.1_i386.deb
 d5b0aa8b171c9bcd5fa09f6e1c564f1a 164910 libdevel optional libaudiofile0-dbg_0.2.6-7.1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFLEUh+bxelr8HyTqQRAm25AJ9/L4nOPK5uVdE6D4WpnBf8UGuSnQCdH4pA
5z5X4emPc250KMyDi2CeZJw=
=rZ1y
-----END PGP SIGNATURE-----



--- End Message ---