Bug 1026985 (CVE-2017-6833) - VUL-1: CVE-2017-6833: audiofile: divide-by-zero in BlockCodec::runPull (BlockCodec.cpp)
Summary: VUL-1: CVE-2017-6833: audiofile: divide-by-zero in BlockCodec::runPull (Block...
Status: RESOLVED FIXED
Alias: CVE-2017-6833
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents (show other bugs)
Version: unspecified
Hardware: Other Other
: P4 - Low : Normal
Target Milestone: unspecified
Assignee: E-mail List
QA Contact: Security Team bot
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2017-02-26 12:50 UTC by Mikhail Kasimov
Modified: 2017-07-13 12:24 UTC (History)
4 users (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Mikhail Kasimov 2017-02-26 12:50:31 UTC 
Ref: http://seclists.org/oss-sec/2017/q1/511
=============================================
Description:
audiofile is a C-based library for reading and writing audio files in many common formats.

A fuzz on it discovered a division by zero.

The complete ASan output:

# sfconvert @@ out.mp3 format aiff
==2529==ERROR: AddressSanitizer: FPE on unknown address 0x7ff06b121920 (pc 0x7ff06b121920 bp 0x7ffd0ddf2d90 sp 
0x7ffd0ddf2d00 T0)                                                                                                      
                                        
    #0 0x7ff06b12191f in BlockCodec::runPull() 
/tmp/portage/media-libs/audiofile-0.3.6-r1/work/audiofile-0.3.6/libaudiofile/modules/BlockCodec.cpp:50:46               
                                                                                                        
    #1 0x7ff06b15ac20 in RebufferModule::runPull() 
/tmp/portage/media-libs/audiofile-0.3.6-r1/work/audiofile-0.3.6/libaudiofile/modules/RebufferModule.cpp:122:3           
                                                                                                    
    #2 0x7ff06b10b05a in afReadFrames 
/tmp/portage/media-libs/audiofile-0.3.6-r1/work/audiofile-0.3.6/libaudiofile/data.cpp:222:14                            
                                                                                                                 
    #3 0x50bbeb in copyaudiodata 
/tmp/portage/media-libs/audiofile-0.3.6-r1/work/audiofile-0.3.6/sfcommands/sfconvert.c:340:29                           
                                                                                                                      
    #4 0x50b050 in main /tmp/portage/media-libs/audiofile-0.3.6-r1/work/audiofile-0.3.6/sfcommands/sfconvert.c:248:17   
                                                                                                                        
                               
    #5 0x7ff06a1e078f in __libc_start_main 
/tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289                                         
                                                                                                            
    #6 0x419f48 in _init (/usr/bin/sfconvert+0x419f48)                                                                  
                                                                                                                        
                               
                                                                                                                        
                                                                                                                        
                               
AddressSanitizer can not provide additional info.                                                                       
                                                                                                                        
                               
SUMMARY: AddressSanitizer: FPE 
/tmp/portage/media-libs/audiofile-0.3.6-r1/work/audiofile-0.3.6/libaudiofile/modules/BlockCodec.cpp:50:46 in 
BlockCodec::runPull()                                                                                                   
           
==2529==ABORTING

Affected version:
0.3.6

Fixed version:
N/A

Commit fix:
N/A

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
N/A

Reproducer:
https://github.com/asarubbo/poc/blob/master/00187-audiofile-fpe-BlockCodec-runPull

Timeline:
2017-02-20: bug discovered and reported to upstream
2017-02-20: blog post about the issue

Note:
This bug was found with American Fuzzy Lop.

Permalink:
https://blogs.gentoo.org/ago/2017/02/20/audiofile-divide-by-zero-in-blockcodecrunpull-blockcodec-cpp
=============================================

https://software.opensuse.org/package/audiofile

TW|42.{1,2}: 0.3.6

VUL-1 because: http://seclists.org/oss-sec/2017/q1/504
========================================================
Hello all.

I discovered multiple crashes in the audiofile library.
The maintainer was informed privately, I didn't see reactions and all details are public on my blog.
I posted them to the cveform too, but I didn't get response.
I'll send update if something will change. 

--
Agostino Sarubbo
Gentoo Linux Developer
========================================================
Comment 1 Swamp Workflow Management 2017-02-26 23:01:41 UTC 
bugbot adjusting priority
Comment 3 Antonio Larrosa 2017-03-09 10:17:29 UTC 
The check for the number of coefficients in boo#1026978 also fixes this issue.

*** This bug has been marked as a duplicate of bug 1026978 ***
Comment 9 Swamp Workflow Management 2017-04-05 16:19:12 UTC 
SUSE-SU-2017:0940-1: An update that fixes 14 vulnerabilities is now available.

Category: security (low)
Bug References: 1026978,1026979,1026980,1026981,1026982,1026983,1026984,1026985,1026986,1026987,1026988,949399
CVE References: CVE-2015-7747,CVE-2017-6827,CVE-2017-6828,CVE-2017-6829,CVE-2017-6830,CVE-2017-6831,CVE-2017-6832,CVE-2017-6833,CVE-2017-6834,CVE-2017-6835,CVE-2017-6836,CVE-2017-6837,CVE-2017-6838,CVE-2017-6839
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    audiofile-0.3.6-10.1
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    audiofile-0.3.6-10.1
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src):    audiofile-0.3.6-10.1
SUSE Linux Enterprise Server 12-SP2 (src):    audiofile-0.3.6-10.1
SUSE Linux Enterprise Server 12-SP1 (src):    audiofile-0.3.6-10.1
SUSE Linux Enterprise Desktop 12-SP2 (src):    audiofile-0.3.6-10.1
SUSE Linux Enterprise Desktop 12-SP1 (src):    audiofile-0.3.6-10.1
Comment 11 Swamp Workflow Management 2017-04-18 10:17:15 UTC 
openSUSE-SU-2017:1038-1: An update that fixes 13 vulnerabilities is now available.

Category: security (low)
Bug References: 1026978,1026979,1026980,1026981,1026982,1026983,1026984,1026985,1026986,1026987,1026988
CVE References: CVE-2017-6827,CVE-2017-6828,CVE-2017-6829,CVE-2017-6830,CVE-2017-6831,CVE-2017-6832,CVE-2017-6833,CVE-2017-6834,CVE-2017-6835,CVE-2017-6836,CVE-2017-6837,CVE-2017-6838,CVE-2017-6839
Sources used:
openSUSE Leap 42.2 (src):    audiofile-0.3.6-10.3.1
openSUSE Leap 42.1 (src):    audiofile-0.3.6-12.1
Comment 13 Swamp Workflow Management 2017-05-05 13:10:41 UTC 
SUSE-SU-2017:1182-1: An update that fixes 13 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1026978,1026979,1026980,1026981,1026982,1026983,1026984,1026985,1026986,1026987,1026988
CVE References: CVE-2017-6827,CVE-2017-6828,CVE-2017-6829,CVE-2017-6830,CVE-2017-6831,CVE-2017-6832,CVE-2017-6833,CVE-2017-6834,CVE-2017-6835,CVE-2017-6836,CVE-2017-6837,CVE-2017-6838,CVE-2017-6839
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    audiofile-0.2.6-142.17.1
SUSE Linux Enterprise Server 11-SP4 (src):    audiofile-0.2.6-142.17.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    audiofile-0.2.6-142.17.1
Comment 14 Marcus Meissner 2017-07-13 12:24:56 UTC 
was released