Bugzilla – Bug 953516
VUL-0: CVE-2015-7805: libsndfile: 1.0.25 heap overflow
Last modified: 2018-10-19 18:39:59 UTC
Citing from Nemux site: "While parsing a specially crafted AIFF header the attacker can manage index values in order to use memcpy(...) to overwrite memory heap."

CVE-2015-7805 References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7805
http://seclists.org/oss-sec/2015/q4/216
http://www.nemux.org/2015/10/13/libsndfile-1-0-25-heap-overflow/
https://packetstormsecurity.com/files/133926/libsndfile-1.0.25-Heap-Overflow.html
https://www.exploit-db.com/exploits/38447/
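The quoted description names the bug class rather than the code: a length or index taken from the file header is handed to memcpy(...) without being checked against the destination. The following is an added illustration written for this page, not libsndfile's src/aiff.c and not either of the patches attached below. It parses a constructed IFF/AIFF-style chunk (4-byte ID, big-endian 4-byte size, payload) into a fixed-capacity buffer and shows the two checks that must precede the copy; the chunk layout, the 64-byte cap and the sample bytes are all assumptions made for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define CHUNK_HEADER_LEN 8      /* 4-byte FourCC + 4-byte big-endian size */
#define MAX_CHUNK_PAYLOAD 64    /* constructed cap for the fixed destination buffer */

enum chunk_status {
    CHUNK_OK = 0,
    CHUNK_ERR_SHORT_HEADER = 1, /* fewer than 8 bytes left in the input */
    CHUNK_ERR_TRUNCATED = 2,    /* declared size exceeds the bytes present */
    CHUNK_ERR_TOO_LARGE = 3     /* declared size exceeds the destination */
};

struct chunk {
    char id[5];                       /* FourCC, NUL-terminated */
    uint32_t size;                    /* payload size as declared by the file */
    uint8_t payload[MAX_CHUNK_PAYLOAD];
};

/* AIFF is big-endian; decode a 32-bit size field. */
static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Parse one chunk from buf[0..buflen) into *out. Every length that came from
 * the file is validated against the input that is actually present and
 * against the destination's capacity before memcpy runs. Leaving out the
 * second check is the pattern the advisory describes: the copy length is
 * chosen by whoever wrote the file. */
enum chunk_status read_chunk(const uint8_t *buf, size_t buflen, struct chunk *out)
{
    if (buflen < CHUNK_HEADER_LEN)
        return CHUNK_ERR_SHORT_HEADER;

    memcpy(out->id, buf, 4);
    out->id[4] = '\0';
    out->size = be32(buf + 4);

    /* Subtraction rather than addition so the comparison cannot wrap. */
    if (out->size > buflen - CHUNK_HEADER_LEN)
        return CHUNK_ERR_TRUNCATED;

    /* The bounds check whose absence turns a crafted size into a heap overflow. */
    if (out->size > MAX_CHUNK_PAYLOAD)
        return CHUNK_ERR_TOO_LARGE;

    memcpy(out->payload, buf + CHUNK_HEADER_LEN, out->size);
    return CHUNK_OK;
}

/* Constructed sample inputs; not bytes from the advisory's test file. */
static const uint8_t GOOD_CHUNK[] = {
    'C', 'O', 'M', 'M', 0x00, 0x00, 0x00, 0x04, 0xDE, 0xAD, 0xBE, 0xEF };
static const uint8_t LYING_CHUNK[] = {   /* claims 2 GiB, carries 4 bytes */
    'C', 'O', 'M', 'M', 0x7F, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00 };

int demo_good(void)
{
    struct chunk c;
    return read_chunk(GOOD_CHUNK, sizeof GOOD_CHUNK, &c) == CHUNK_OK &&
           c.size == 4 && c.payload[0] == 0xDE && strcmp(c.id, "COMM") == 0;
}

int demo_truncated(void)
{
    struct chunk c;
    return read_chunk(LYING_CHUNK, sizeof LYING_CHUNK, &c) == CHUNK_ERR_TRUNCATED;
}

/* A chunk whose bytes really are present but exceed the destination buffer. */
int demo_too_large(void)
{
    uint8_t file[CHUNK_HEADER_LEN + 100];
    struct chunk c;
    memset(file, 0, sizeof file);
    memcpy(file, "SSND", 4);
    file[7] = 100;                     /* big-endian size = 100 > MAX_CHUNK_PAYLOAD */
    return read_chunk(file, sizeof file, &c) == CHUNK_ERR_TOO_LARGE;
}

int main(void)
{
    printf("well-formed chunk parsed: %d\n", demo_good());
    printf("truncated chunk rejected: %d\n", demo_truncated());
    printf("oversized chunk rejected: %d\n", demo_too_large());
    return 0;
}
```

The order of the two checks matters only for the error reported; what matters for safety is that both run before the copy, and that the size-versus-remaining comparison is written so it cannot overflow on 32-bit builds.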
I checked the latest libsndfile git and the issue can't be reproduced there. There has been refactoring in src/aiff.c, and this magically fixes it. But backporting it to 1.0.25 isn't trivial. Let's see...
OK, I managed to fix this somehow for libsndfile 1.0.25. At least the given offender AIFF file is skipped properly now. Two patches needed, one from upstream git and one my own.
Created attachment 654617: Patch #1 (upstream fix)
Created attachment 654618: Patch #2 (additional fix)
bugbot adjusting priority
Submitted to openSUSE-13.1, openSUSE-13.2, SLE11-SP1 and SLE12.
This is an autogenerated message for OBS integration: This bug (953516) was mentioned in
https://build.opensuse.org/request/show/342564 13.1 / libsndfile
https://build.opensuse.org/request/show/342565 13.2 / libsndfile
Fixed in all relevant branches. Reassigning back to security team for the rest.
SUSE-SU-2015:1979-1: An update that fixes two vulnerabilities is now available.
Category: security (moderate)
Bug References: 953516,953521
CVE References: CVE-2014-9756,CVE-2015-7805
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src): libsndfile-1.0.20-2.10.2
SUSE Linux Enterprise Software Development Kit 11-SP3 (src): libsndfile-1.0.20-2.10.2
SUSE Linux Enterprise Server for VMWare 11-SP3 (src): libsndfile-1.0.20-2.10.2
SUSE Linux Enterprise Server 11-SP4 (src): libsndfile-1.0.20-2.10.2
SUSE Linux Enterprise Server 11-SP3 (src): libsndfile-1.0.20-2.10.2
SUSE Linux Enterprise Desktop 11-SP4 (src): libsndfile-1.0.20-2.10.2
SUSE Linux Enterprise Desktop 11-SP3 (src): libsndfile-1.0.20-2.10.2
SUSE Linux Enterprise Debuginfo 11-SP4 (src): libsndfile-1.0.20-2.10.2
SUSE Linux Enterprise Debuginfo 11-SP3 (src): libsndfile-1.0.20-2.10.2
openSUSE-SU-2015:1995-1: An update that fixes three vulnerabilities is now available.
Category: security (moderate)
Bug References: 953516,953519,953521
CVE References: CVE-2014-9756,CVE-2015-7805,CVE-2015-8075
Sources used:
openSUSE 13.2 (src): libsndfile-1.0.25-19.7.1, libsndfile-progs-1.0.25-19.7.1
openSUSE 13.1 (src): libsndfile-1.0.25-17.7.1, libsndfile-progs-1.0.25-17.7.1
SUSE-SU-2015:2000-1: An update that fixes three vulnerabilities is now available.
Category: security (moderate)
Bug References: 953516,953519,953521
CVE References: CVE-2014-9756,CVE-2015-7805,CVE-2015-8075
Sources used:
SUSE Linux Enterprise Software Development Kit 12 (src): libsndfile-1.0.25-24.1
SUSE Linux Enterprise Server 12 (src): libsndfile-1.0.25-24.1
SUSE Linux Enterprise Desktop 12 (src): libsndfile-1.0.25-24.1
openSUSE-SU-2015:2119-1: An update that fixes three vulnerabilities is now available.
Category: security (moderate)
Bug References: 953516,953519,953521
CVE References: CVE-2014-9756,CVE-2015-7805,CVE-2015-8075
Sources used:
openSUSE Leap 42.1 (src): libsndfile-1.0.25-24.1, libsndfile-progs-1.0.25-24.1
released
SUSE-SU-2015:2000-2: An update that fixes three vulnerabilities is now available.
Category: security (moderate)
Bug References: 953516,953519,953521
CVE References: CVE-2014-9756,CVE-2015-7805,CVE-2015-8075
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP1 (src): libsndfile-1.0.25-25.1
SUSE Linux Enterprise Server 12-SP1 (src): libsndfile-1.0.25-25.1
SUSE Linux Enterprise Desktop 12-SP1 (src): libsndfile-1.0.25-25.1