Bugzilla – Bug 1081767
VUL-1: CVE-2017-11548: libao: Invalid memory allocation in _tokenize_matrix function in audio_out.c
Last modified: 2024-05-22 14:23:54 UTC
The _tokenize_matrix function in audio_out.c in Xiph.Org libao 1.2.0 allows remote attackers to cause a denial of service (memory corruption) via a crafted MP3 file.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1478946
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-11548
http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-11548.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11548
http://seclists.org/fulldisclosure/2017/Jul/84
Created attachment 760804: Reproducer
Based on the version we are probably affected. The reproducer does not trigger for me; I get segfaults within libmad already. My stacktrace looks something like this:

(gdb) bt
#0  0x00007ffff68018d7 in raise () from /lib64/libc.so.6
#1  0x00007ffff6802caa in abort () from /lib64/libc.so.6
#2  0x00007ffff683f1b4 in __libc_message () from /lib64/libc.so.6
#3  0x00007ffff6844706 in malloc_printerr () from /lib64/libc.so.6
#4  0x00007ffff6845453 in _int_free () from /lib64/libc.so.6
#5  0x00007ffff72806be in mad_decoder_run () from /usr/lib64/libmad.so.0
#6  0x0000000000403fcd in main (argc=<optimized out>, argv=<optimized out>) at mpg321.c:1092

The backtrace from the original report looks like this:

(gdb) bt
#0  _int_malloc (av=av@entry=0x7ffff6f7f760 <main_arena>, bytes=bytes@entry=3) at malloc.c:3740
#1  0x00007ffff6c442cc in __libc_calloc (n=<optimized out>, elem_size=<optimized out>) at malloc.c:3219
#2  0x00007ffff728e189 in _tokenize_matrix () from /usr/local/lib/libao.so.4
#3  0x00007ffff728e607 in _matrix_to_channelmask () from /usr/local/lib/libao.so.4
#4  0x00007ffff72906f2 in _open_device () from /usr/local/lib/libao.so.4
#5  0x000000000040a6aa in open_ao_playdevice (header=header@entry=0x624af8) at ao.c:411
#6  0x0000000000407e50 in output (data=<optimized out>, header=0x624af8, pcm=0x627f44) at mad.c:974
#7  0x00007ffff749a85c in run_sync (decoder=0x7fffffffbc40) at decoder.c:439
#8  0x00007ffff749ab38 in mad_decoder_run (decoder=decoder@entry=0x7fffffffbc40, mode=mode@entry=MAD_DECODER_MODE_SYNC) at decoder.c:557
#9  0x0000000000403d5d in main (argc=<optimized out>, argv=<optimized out>) at mpg321.c:1092
(gdb)
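The two backtraces in the comment above do not agree on where the crash originates: one aborts out of _int_free below mad_decoder_run (libmad), the other out of _int_malloc below _tokenize_matrix (libao). A quick way to triage such pastes consistently is to parse the gdb output and name the innermost frame outside glibc's allocator/abort path. The following is an added example written for this page, not code from libao, mpg321 or the bug report; the two backtrace strings are copied from the comment, while the helper names and the source-file-to-package table (mpg321.c/mad.c/ao.c to mpg321, decoder.c to libmad) are assumptions.

```python
"""Triage helper: which component does a glibc heap-abort backtrace point at?

Added example for this bug's discussion; not code from libao, mpg321 or the
report. The backtrace texts are copied from the comment; the source-file
ownership table is an assumption made for this page.
"""
import os
import re
from typing import Dict, List, NamedTuple, Optional, Tuple


class Frame(NamedTuple):
    num: int
    func: str
    lib: Optional[str]   # "... from /path/libX.so.N", if present
    src: Optional[str]   # "... at file.c:123", if present


# glibc allocator/abort frames. A crash *in* these means glibc detected heap
# corruption; the write that corrupted the heap happened earlier, in a caller.
ALLOCATOR_FRAMES = {
    "raise", "abort", "__libc_message", "malloc_printerr",
    "_int_free", "_int_malloc", "__libc_calloc", "__libc_malloc",
    "free", "malloc", "calloc", "realloc",
}

# Assumed owners of source files seen in frames that carry debug info but no
# "from <lib>" part (mpg321 ships mpg321.c/mad.c/ao.c, libmad ships decoder.c).
SOURCE_OWNER: Dict[str, str] = {
    "malloc.c": "libc",
    "decoder.c": "libmad",
    "mpg321.c": "mpg321",
    "mad.c": "mpg321",
    "ao.c": "mpg321",
}

_HEAD_RE = re.compile(r"#(\d+)\s+(?:0x[0-9a-fA-F]+\s+in\s+)?([A-Za-z_]\w*)\s*\(")
_TAIL_RE = re.compile(r"\)\s+(?:from\s+(\S+)|at\s+(\S+:\d+))\s*$")


def parse_backtrace(text: str) -> List[Frame]:
    """Parse gdb 'bt' output, tolerating frames run together on one line
    (as happens when a backtrace is pasted into a bug tracker)."""
    text = text.replace("(gdb)", " ")
    frames: List[Frame] = []
    for chunk in re.split(r"(?=#\d+\s)", text):
        chunk = " ".join(chunk.split())          # collapse newlines/spaces
        head = _HEAD_RE.match(chunk)
        if not head:
            continue                             # "bt" prompt echo, junk
        tail = _TAIL_RE.search(chunk)
        lib = tail.group(1) if tail else None
        src = tail.group(2) if tail else None
        frames.append(Frame(int(head.group(1)), head.group(2), lib, src))
    return sorted(frames, key=lambda f: f.num)


def owner(frame: Frame) -> str:
    """Component a frame belongs to: the shared object's name without its
    .so version suffix, or the assumed owner of its source file."""
    if frame.lib:
        return os.path.basename(frame.lib).split(".so")[0]
    if frame.src:
        return SOURCE_OWNER.get(frame.src.split(":")[0], "unknown")
    return "unknown"


def blame(frames: List[Frame]) -> Optional[Frame]:
    """Innermost frame outside glibc's allocator/abort path. For a heap
    corruption abort this is where the damage was *detected*: evidence about
    the package, not proof that this frame did the faulty write."""
    for f in frames:
        if f.func in ALLOCATOR_FRAMES or owner(f) == "libc":
            continue
        return f
    return None


def triage(text: str) -> Tuple[str, str]:
    """Return (function, component) of the blamed frame, or ('?', 'unknown')."""
    f = blame(parse_backtrace(text))
    return (f.func, owner(f)) if f else ("?", "unknown")


# Constructed inputs: the two backtraces quoted in the comment above.
BT_SUSE = """(gdb) bt
#0 0x00007ffff68018d7 in raise () from /lib64/libc.so.6
#1 0x00007ffff6802caa in abort () from /lib64/libc.so.6
#2 0x00007ffff683f1b4 in __libc_message () from /lib64/libc.so.6
#3 0x00007ffff6844706 in malloc_printerr () from /lib64/libc.so.6
#4 0x00007ffff6845453 in _int_free () from /lib64/libc.so.6
#5 0x00007ffff72806be in mad_decoder_run () from /usr/lib64/libmad.so.0
#6 0x0000000000403fcd in main (argc=<optimized out>, argv=<optimized out>) at mpg321.c:1092
"""

BT_REPORTER = """(gdb) bt #0 _int_malloc (av=av@entry=0x7ffff6f7f760 <main_arena>, bytes=bytes@entry=3) at malloc.c:3740 #1 0x00007ffff6c442cc in __libc_calloc (n=<optimized out>, elem_size=<optimized out>) at malloc.c:3219 #2 0x00007ffff728e189 in _tokenize_matrix () from /usr/local/lib/libao.so.4 #3 0x00007ffff728e607 in _matrix_to_channelmask () from /usr/local/lib/libao.so.4 #4 0x00007ffff72906f2 in _open_device () from /usr/local/lib/libao.so.4 #5 0x000000000040a6aa in open_ao_playdevice (header=header@entry=0x624af8) at ao.c:411 #6 0x0000000000407e50 in output (data=<optimized out>, header=0x624af8, pcm=0x627f44) at mad.c:974 #7 0x00007ffff749a85c in run_sync (decoder=0x7fffffffbc40) at decoder.c:439 #8 0x00007ffff749ab38 in mad_decoder_run ( decoder=decoder@entry=0x7fffffffbc40, mode=mode@entry=MAD_DECODER_MODE_SYNC) at decoder.c:557 #9 0x0000000000403d5d in main (argc=<optimized out>, argv=<optimized out>) at mpg321.c:1092 (gdb)"""

if __name__ == "__main__":
    for name, bt in (("SUSE rebuild", BT_SUSE), ("original report", BT_REPORTER)):
        func, comp = triage(bt)
        print(f"{name}: blamed frame {func} in {comp}")
```

Run against the two pastes, the helper blames libmad for the SUSE rebuild and libao for the original report. That split is exactly why the blamed frame is only a starting point: both aborts come from glibc's consistency checks inside free()/malloc(), so the heap was already corrupted by an earlier write, and the frame where glibc notices it depends on allocation order rather than on who did the writing.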
I suppose upstream did not provide any fix yet, eh? Anyhow, I've updated to the 1.2.2+git release on TW to match what Debian does (but that does not fix this issue, just mentioning it).
Nope, there seems to be no upstream fix. The Debian guys experienced the same issue with libmad: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=870608
The affected function was introduced upstream with commit e90fb041b82ac6b6105bb6265f0622b41e056bf5, which first appeared in version 1.0.0. Based on this, only SUSE:SLE-12:Update is affected, whereas SUSE:SLE-10-SP3:Update and SUSE:SLE-11:Update are not.
Based on the analysis done by the Debian guys, it seems libao is not the culprit but rather libmad or mpg321. Could you please recheck it?
All done, closing.