Bugzilla – Bug 949399
VUL-1: CVE-2015-7747: audiofile: Re: CVE Request: Audio File Library
Last modified: 2020-02-28 23:05:37 UTC
Fabrizio Gennari reported an issue in The Audio File library to the Ubuntu bugtracker:
https://bugs.launchpad.net/ubuntu/+source/audiofile/+bug/1502721

His description included, in part:

When libaudiofile is used to change both the number of channels of an audio file (e.g. from stereo to mono) and the sample format (e.g. from 16-bit samples to 8-bit samples), the output file will contain corrupted data. If the new sample format is smaller than the old one, there is a risk of buffer overflow: e.g. when the input file has 16-bit samples and the output file has 8-bit samples, afReadFrames will treat the buffer to read the samples (argument void *data) as a pointer to int16_t instead of int8_t, therefore it will write past its end.

He proposed a solution and test case to the Audio File library:
https://github.com/mpruett/audiofile/pull/25/files

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7747
http://seclists.org/oss-sec/2015/q4/47
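The buffer-size mismatch described in the report, as an added example that is not libaudiofile code, the reporter's patch or the Ubuntu test program: a stand-alone C model of a 16-bit stereo to 8-bit mono conversion that sizes its output by the requested (virtual) format and refuses an undersized buffer. The function names, the constructed sample frames and the sizing rule are assumptions of this example; the real afReadFrames() API is not called.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/*
 * Constructed model of the conversion that CVE-2015-7747 got wrong; this is
 * not libaudiofile code. A caller of afReadFrames() sizes the destination
 * buffer for the *virtual* (output) format it asked for. The faulty library
 * path kept writing int16_t samples into a buffer the caller had sized for
 * int8_t mono, so it wrote twice the number of bytes that buffer held.
 */

/* Bytes the caller must provide for `frames` frames in the output format. */
size_t output_buffer_bytes(size_t frames, size_t channels, size_t bytes_per_sample)
{
    return frames * channels * bytes_per_sample;
}

/* Bytes the buggy path wrote for a 1-channel result: it kept the 16-bit
 * sample width of the source instead of the 8-bit width of the output. */
size_t buggy_path_bytes_written(size_t frames)
{
    return frames * 1 * sizeof(int16_t);
}

/*
 * Convert interleaved 16-bit stereo frames to 8-bit mono. Writes exactly
 * `frames` bytes to `out`; returns -1 without writing when `out_len` is
 * smaller than the output format requires. That check is what turns a
 * silent overrun into a reportable error.
 */
long convert_s16_stereo_to_s8_mono(const int16_t *in, size_t frames,
                                   int8_t *out, size_t out_len)
{
    if (out_len < output_buffer_bytes(frames, 1, sizeof(int8_t)))
        return -1;
    for (size_t i = 0; i < frames; i++) {
        /* Average the two channels in 32-bit arithmetic to avoid overflow. */
        int32_t mixed = ((int32_t)in[2 * i] + (int32_t)in[2 * i + 1]) / 2;
        /* Narrow 16 -> 8 bits by dividing by 256 (truncates toward zero). */
        out[i] = (int8_t)(mixed / 256);
    }
    return (long)frames;
}

/* Constructed input: three stereo frames of 16-bit samples (assumed data). */
const int16_t sample_frames16[6] = { 1000, 3000, -20000, -22000, 32767, 32767 };
int8_t sample_frames8[3];

/* Runs the conversion on the constructed input; returns frames written. */
long run_sample_conversion(void)
{
    size_t n = sizeof sample_frames16 / (2 * sizeof sample_frames16[0]);
    return convert_s16_stereo_to_s8_mono(sample_frames16, n,
                                         sample_frames8, sizeof sample_frames8);
}

int main(void)
{
    size_t n = sizeof sample_frames16 / (2 * sizeof sample_frames16[0]);

    printf("buffer needed for %zu 8-bit mono frames: %zu bytes\n",
           n, output_buffer_bytes(n, 1, sizeof(int8_t)));
    printf("buggy path would have written:            %zu bytes\n",
           buggy_path_bytes_written(n));

    long r = run_sample_conversion();
    printf("converted %ld frames: %d %d %d\n", r,
           sample_frames8[0], sample_frames8[1], sample_frames8[2]);
    return r == (long)n ? 0 : 1;
}
```

The two size functions make the defect visible as numbers: for three frames the caller owes 3 bytes, while the faulty path emits 6. Any conversion routine that derives its write length from the output format, as convert_s16_stereo_to_s8_mono() does, cannot exceed the buffer the caller sized for that format.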
Reproducers attached to https://bugs.launchpad.net/ubuntu/+source/audiofile/+bug/1502721
bugbot adjusting priority
Just a note: The test program attached in the Ubuntu bug is incorrect, and always returns some error. The correct one is in the git@github.com:fabzzap/audiofile.git repository:

c++ sixteen-stereo-to-eight-mono.c TestUtilities.cpp $(pkg-config --cflags --libs audiofile) -o sixteen-stereo-to-eight-mono

Patch is easy to apply for SLE12* and openSUSE. SLE11* has a different code. Probably corresponding code is here:
https://github.com/mpruett/audiofile/blob/00fc96498d4c117bf2592ecc1c0530152f44c724/libaudiofile/modules.c#L1794

The bug seems to be introduced in time of conversion of this code to constructor and its use. The testcase above returns 0 for SLE11 SP1, so I expect that the SLE11 code is not affected.
There is something wrong with the test suite:

When compiled in live system (Tumbleweed):
PASS: sixteen-to-eight

When started by osc build:
[ 54s] ../test-driver: line 95: 17232 Segmentation fault (core dumped) "$@" > $log_file 2>&1
[ 54s] FAIL: sixteen-stereo-to-eight-mono

I will search for reason of this crash:

#4  0x00007ffff7bbab06 in afOpenFile (filename=0x7869732f706d742f <error: Cannot access memory at address 0x7869732f706d742f>, mode=mode@entry=0x401525 "w", setup=setup@entry=0x6150b0) at openclose.cpp:212
        access = 2
        f = 0x0
        filehandle = 0x401525
#5  0x00000000004010cd in main (argc=<optimized out>, argv=<optimized out>) at sixteen-stereo-to-eight-mono.c:67
        file = <optimized out>
        setup = 0x6150b0
        frames16 = {25972, 28261, 29741, 11631, 26981, 26727}
        frames8 = "\034\006\376"
        i = <optimized out>
        byte = 0 '\000'
        result = <optimized out>
        testFileName = 0x7869732f706d742f <error: Cannot access memory at address 0x7869732f706d742f>
I just confirmed that it is a problem of the testcase, and not a problem of the fix itself:

Test program built in Factory, ran in SLE12 Update:
Without fix: error expected 0, got -101
With fix: OK

With fix, test program compiled in SLE12 Update: crash, see comment 4

The crash seems to be completely unrelated to the buffer overflow, as it happens much earlier in the code. It has something to do with createTemporaryFile() from TestUtilities.cpp. Hopefully, TestUtilities.cpp is used only inside test suite, and results are not installed. So we can either fix it to not crash, or simply not add patch chunks related to the test suite.
The reason for the testcase fault is simple: There is an important difference in the TestUtilities.h API between audiofile-0.3.6 and GIT https://github.com/mpruett/audiofile.

audiofile-0.3.6:
bool createTemporaryFile(const char *prefix, char *path);

GIT:
bool createTemporaryFile(const char *prefix, char **path);
Created attachment 653225: Backport of the test case.
Factory: https://build.opensuse.org/request/show/341056
openSUSE (13.1, 13.2, Leap 42.1): https://build.opensuse.org/request/show/341057
SLE11 *: Not affected. (Verified by sixteen-stereo-to-eight-mono compiled against audiofile-0.2.6.)
SLE12 Update: https://build.suse.de/request/show/76366
SLE12 SP1: https://build.suse.de/request/show/76362
openSUSE-SU-2015:1903-1: An update that fixes one vulnerability is now available.

Category: security (low)
Bug References: 949399
CVE References: CVE-2015-7747
Sources used:
openSUSE Leap 42.1 (src): audiofile-0.3.6-9.1
openSUSE 13.2 (src): audiofile-0.3.6-6.3.1
openSUSE 13.1 (src): audiofile-0.3.6-2.3.1
A fix was already released in November 2015
SUSE-SU-2017:0940-1: An update that fixes 14 vulnerabilities is now available.

Category: security (low)
Bug References: 1026978,1026979,1026980,1026981,1026982,1026983,1026984,1026985,1026986,1026987,1026988,949399
CVE References: CVE-2015-7747,CVE-2017-6827,CVE-2017-6828,CVE-2017-6829,CVE-2017-6830,CVE-2017-6831,CVE-2017-6832,CVE-2017-6833,CVE-2017-6834,CVE-2017-6835,CVE-2017-6836,CVE-2017-6837,CVE-2017-6838,CVE-2017-6839
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP2 (src): audiofile-0.3.6-10.1
SUSE Linux Enterprise Software Development Kit 12-SP1 (src): audiofile-0.3.6-10.1
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src): audiofile-0.3.6-10.1
SUSE Linux Enterprise Server 12-SP2 (src): audiofile-0.3.6-10.1
SUSE Linux Enterprise Server 12-SP1 (src): audiofile-0.3.6-10.1
SUSE Linux Enterprise Desktop 12-SP2 (src): audiofile-0.3.6-10.1
SUSE Linux Enterprise Desktop 12-SP1 (src): audiofile-0.3.6-10.1