Bug 953519 (CVE-2015-8075) - VUL-0: CVE-2015-8075: libsndfile 1.0.25 heap overflow
Summary: VUL-0: CVE-2015-8075: libsndfile 1.0.25 heap overflow
Status: RESOLVED FIXED
Alias: CVE-2015-8075
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium
Severity: Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/158508/
Whiteboard: CVSSv2:NVD:CVE-2014-9756:5.0:(AV:N/A...
Reported: 2015-11-04 09:26 UTC by Sebastian Krahmer
Modified: 2018-10-19 18:40 UTC
Found By: Security Response Team
Description Sebastian Krahmer 2015-11-04 09:26:34 UTC
Citing from permalink URL:

"When running the test suite of libsndfile (1.0.25) with address
sanitizer enabled it'll show an out of bounds read access in the
function psf_strlcpy_crlf."

CVE-2015-8075

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8075
http://seclists.org/oss-sec/2015/q4/217
http://permalink.gmane.org/gmane.comp.audio.libsndfile.devel/681
Comment 1 Swamp Workflow Management 2015-11-04 23:00:25 UTC
bugbot adjusting priority
Comment 2 Takashi Iwai 2015-11-05 11:21:28 UTC
The impact of this bug is very minor.  The code in question is:

void
psf_strlcpy_crlf (char *dest, const char *src, size_t destmax, size_t srcmax)
{	/* Must be minus 2 so it can still expand a single trailing '\n' or '\r'. */
	char * destend = dest + destmax - 2 ;
	const char * srcend = src + srcmax ;

	while (*src && dest < destend && src < srcend)
	{	if ((src [0] == '\r' && src [1] == '\n') || (src [0] == '\n' && src [1] == '\r'))
                ......

So src[1] is accessed over the source string size.

The fix is just to add the string termination check in the loop,

--- a/src/common.c
+++ b/src/common.c
@@ -1332,7 +1332,7 @@ psf_strlcpy_crlf (char *dest, const char
        char * destend = dest + destmax - 2 ;
        const char * srcend = src + srcmax ;
 
-       while (dest < destend && src < srcend)
+       while (*src && dest < destend && src < srcend)
        {       if ((src [0] == '\r' && src [1] == '\n') || (src [0] == '\n' && src [1] == '\r'))
                {       *dest++ = '\r' ;
                        *dest++ = '\n' ;
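Review bot: the added `*src` test in `while (*src && dest < destend && src < srcend)` keeps the `src [1]` read on the next line in bounds only when the source is NUL-terminated within `srcmax`; if `src` is the last byte before `srcend` and holds '\r' or '\n', the comparison `src [1] == '\n'` still reads one byte past `srcend`. Either guard the two-byte comparison with `src + 1 < srcend` or state the NUL-termination precondition in the function comment, so that the `srcmax` bound holds on its own rather than relying on the caller.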
Comment 3 Takashi Iwai 2015-11-05 14:04:01 UTC
The function doesn't exist in the older version, so only openSUSE-13.1, openSUSE-13.2, openSUSE-Leap-42.1, SLE12, and FACTORY are affected.

The fix has been submitted to oS 13.1, oS 13.2, SLE12 and FACTORY now.
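Added example, not libsndfile's own code: the loop condition from the fix in Comment 2 next to the pre-fix condition, run on a constructed source buffer that is larger than the string it holds, which is the case the unfixed loop runs past. Only the loop header and the first two conversion lines are on the page; the rest of the conversion body is reconstructed here as an assumption.

```c
#include <stddef.h>
#include <string.h>

/* Copy src to dest while normalising "\r\n", "\n\r", "\r" and "\n" to
 * "\r\n".  Returns the number of bytes written before the terminator.
 * stop_at_nul = 1 is the loop condition from the fix in Comment 2;
 * stop_at_nul = 0 is the pre-fix condition, kept only for comparison.
 * The conversion body after the first two lines on the page is
 * reconstructed here as an assumption, not copied from libsndfile. */
size_t
strlcpy_crlf (char *dest, const char *src, size_t destmax, size_t srcmax, int stop_at_nul)
{	/* Must be minus 2 so it can still expand a single trailing '\n' or '\r'. */
	char *deststart = dest ;
	char *destend = dest + destmax - 2 ;
	const char *srcend = src + srcmax ;

	while ((!stop_at_nul || *src) && dest < destend && src < srcend)
	{	/* src [1] stays in bounds only because a NUL within srcmax is assumed;
		 * without the *src check the loop keeps copying past that NUL. */
		if ((src [0] == '\r' && src [1] == '\n') || (src [0] == '\n' && src [1] == '\r'))
		{	*dest++ = '\r' ;
			*dest++ = '\n' ;
			src += 2 ;
			continue ;
			} ;
		if (src [0] == '\r' || src [0] == '\n')
		{	*dest++ = '\r' ;	/* lone CR or LF expands to CRLF */
			*dest++ = '\n' ;
			src += 1 ;
			continue ;
			} ;
		*dest++ = *src++ ;
		} ;
	*dest = 0 ;
	return (size_t) (dest - deststart) ;
}

/* Constructed sample: "a\nb" in an 8-byte buffer padded with non-NUL filler,
 * passed with srcmax equal to the buffer size, not the string length. */
const char filler_src [8] = { 'a', '\n', 'b', 0, 'X', 'X', 'X', 'X' } ;

/* Copy into a 16-byte buffer and compare the result, terminator included. */
int
copy_matches (const char *src, size_t srcmax, size_t destmax, int stop_at_nul,
	const char *expected, size_t expected_len)
{	char out [16] ;
	size_t n = strlcpy_crlf (out, src, destmax, srcmax, stop_at_nul) ;
	return destmax <= sizeof (out) && n == expected_len
		&& memcmp (out, expected, expected_len + 1) == 0 ;
}
```

With the fixed condition the copy of `filler_src` stops at the NUL and yields "a\r\nb"; with the pre-fix condition it carries the NUL and the four filler bytes into dest, and a source byte of '\r' or '\n' sitting at srcend - 1 would make it read beyond srcmax.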
Comment 4 Bernhard Wiedemann 2015-11-05 15:00:28 UTC
This is an autogenerated message for OBS integration:
This bug (953519) was mentioned in
https://build.opensuse.org/request/show/342564 13.1 / libsndfile
https://build.opensuse.org/request/show/342565 13.2 / libsndfile
Comment 5 Takashi Iwai 2015-11-05 17:13:52 UTC
Fixed in all relevant branches.  Reassigning back to security team for the rest.
Comment 7 Swamp Workflow Management 2015-11-16 10:12:04 UTC
openSUSE-SU-2015:1995-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 953516,953519,953521
CVE References: CVE-2014-9756,CVE-2015-7805,CVE-2015-8075
Sources used:
openSUSE 13.2 (src):    libsndfile-1.0.25-19.7.1, libsndfile-progs-1.0.25-19.7.1
openSUSE 13.1 (src):    libsndfile-1.0.25-17.7.1, libsndfile-progs-1.0.25-17.7.1
Comment 8 Swamp Workflow Management 2015-11-16 11:11:33 UTC
SUSE-SU-2015:2000-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 953516,953519,953521
CVE References: CVE-2014-9756,CVE-2015-7805,CVE-2015-8075
Sources used:
SUSE Linux Enterprise Software Development Kit 12 (src):    libsndfile-1.0.25-24.1
SUSE Linux Enterprise Server 12 (src):    libsndfile-1.0.25-24.1
SUSE Linux Enterprise Desktop 12 (src):    libsndfile-1.0.25-24.1
Comment 9 Swamp Workflow Management 2015-11-27 16:11:16 UTC
openSUSE-SU-2015:2119-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 953516,953519,953521
CVE References: CVE-2014-9756,CVE-2015-7805,CVE-2015-8075
Sources used:
openSUSE Leap 42.1 (src):    libsndfile-1.0.25-24.1, libsndfile-progs-1.0.25-24.1
Comment 10 Sebastian Krahmer 2015-11-30 14:34:27 UTC
released
Comment 14 Swamp Workflow Management 2015-12-25 14:14:52 UTC
SUSE-SU-2015:2000-2: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 953516,953519,953521
CVE References: CVE-2014-9756,CVE-2015-7805,CVE-2015-8075
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    libsndfile-1.0.25-25.1
SUSE Linux Enterprise Server 12-SP1 (src):    libsndfile-1.0.25-25.1
SUSE Linux Enterprise Desktop 12-SP1 (src):    libsndfile-1.0.25-25.1