Package: sox Version: 14.4.1-5+b2 Severity: normal Tags: security null pointer dereference while running play with "poc bass +3" option
Running 'play poc bass +3' with the attached file raises null pointer dereference which may allow a remote attack to cause a denial-of-service attack I expected the program to terminate without segfault, but the program crashes as follow I sent this to debian security team before, but I didn't get any response. So I send this to public. ------------------------------------------- june@yuweol:~/poc/play/crash1$ play poc bass +3 poc: File Size: 48 Bit Rate: 0.00394 Encoding: WavPack Channels: 2 @ 16-bit Samplerate: 44100Hz Replaygain: off Duration: 27:03:11.55 In:0.00% 00:00:00.00 [27:03:11.55] Out:0 [ | ] Clip:0 Segmentation fault ------------------------------------------- Thread 1 "play" received signal SIGSEGV, Segmentation fault. 0x00007fffed796f34 in WavpackUnpackSamples () from /usr/lib/x86_64-linux-gnu/libwavpack.so.1 (gdb) x/i $rip => 0x7fffed796f34 <WavpackUnpackSamples+20>: mov 0x1e0(%rdi),%rax (gdb) i r rdi rdi 0x0 0 ------------------------------------------- This bug was found with a fuzzer developed by 'SoftSec' group at KAIST. -- System Information: Debian Release: buster/sid APT prefers unstable-debug APT policy: (500, 'unstable-debug'), (500, 'testing-debug'), (500, 'stable-updates'), (500, 'testing'), (500, 'stable'), (1, 'experimental-debug') Architecture: amd64 (x86_64) Kernel: Linux 4.9.0-3-amd64 (SMP w/1 CPU core) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) Versions of packages sox depends on: ii libc6 2.24-17 ii libgomp1 7.2.0-12 ii libsox-fmt-alsa 14.4.1-5+b2 ii libsox-fmt-ao 14.4.1-5+b2 ii libsox-fmt-base 14.4.1-5+b2 ii libsox-fmt-oss 14.4.1-5+b2 ii libsox-fmt-pulse 14.4.1-5+b2 ii libsox2 14.4.1-5+b2 sox recommends no packages. Versions of packages sox suggests: ii libsox-fmt-all 14.4.1-5+b2 -- no debconf information
wvpk