Bugzilla – Bug 1036968
VUL-0: CVE-2017-8373: libmad: heap-based buffer overflow in mad_layer_III (layer3.c)
Last modified: 2024-06-07 07:42:43 UTC
Created attachment 723245 [details]
00213-libmad-heapoverflow-mad_layer_III_reproducer

Ref: https://blogs.gentoo.org/ago/2017/04/30/libmad-heap-based-buffer-overflow-in-mad_layer_iii-layer3-c/

======================================================

Description:
libmad stands for “M”peg “A”udio “D”ecoder library.

A heap overflow was discovered through madplay.

The complete ASan output:

# madplay -v -i -o raw:out $FILE
==14773==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61e00000fa87 at pc 0x0000004bc8ec bp 0x7ffcda3263d0 sp 0x7ffcda325b80
WRITE of size 2060 at 0x61e00000fa87 thread T0
    #0 0x4bc8eb in __asan_memcpy /tmp/portage/sys-devel/llvm-3.9.1-r1/work/llvm-3.9.1.src/projects/compiler-rt/lib/asan/asan_interceptors.cc:413
    #1 0x7f37ddfa397d in mad_layer_III /tmp/portage/media-libs/libmad-0.15.1b-r8/work/libmad-0.15.1b/layer3.c:2635:2
    #2 0x7f37ddf6784d in mad_frame_decode /tmp/portage/media-libs/libmad-0.15.1b-r8/work/libmad-0.15.1b/frame.c:453:7
    #3 0x7f37ddf8c4e4 in run_sync /tmp/portage/media-libs/libmad-0.15.1b-r8/work/libmad-0.15.1b/decoder.c:404:11
    #4 0x7f37ddf8ac59 in mad_decoder_run /tmp/portage/media-libs/libmad-0.15.1b-r8/work/libmad-0.15.1b/decoder.c:557:12
    #5 0x5277a1 in decode /tmp/portage/media-sound/madplay-0.15.2b-r1/work/madplay-0.15.2b/player.c:1862:12
    #6 0x5277a1 in play_one /tmp/portage/media-sound/madplay-0.15.2b-r1/work/madplay-0.15.2b/player.c:1951
    #7 0x5277a1 in play_all /tmp/portage/media-sound/madplay-0.15.2b-r1/work/madplay-0.15.2b/player.c:2041
    #8 0x5215a2 in player_run /tmp/portage/media-sound/madplay-0.15.2b-r1/work/madplay-0.15.2b/player.c:2768:14
    #9 0x50c46c in main /tmp/portage/media-sound/madplay-0.15.2b-r1/work/madplay-0.15.2b/madplay.c:816:7
    #10 0x7f37dce4f78f in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289
    #11 0x41aa78 in _init (/usr/bin/madplay+0x41aa78)

Affected version:
0.15.1b

Fixed version:
N/A

Commit fix:
N/A

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
N/A

Reproducer:
https://github.com/asarubbo/poc/blob/master/00213-libmad-heapoverflow-mad_layer_III

Timeline:
2017-01-01: bug discovered and reported to upstream
2017-04-30: blog post about the issue

Note:
This bug was found with American Fuzzy Lop.

Permalink:
libmad: heap-based buffer overflow in mad_layer_III (layer3.c)

======================================================

(open-)SUSE:
https://software.opensuse.org/package/libmad
0.15.1b (TW, 42.{1,2}, multimedia:libs repo)
CVE-2017-8373: https://nvd.nist.gov/vuln/detail/CVE-2017-8373
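The ASan report above shows a 2060-byte memcpy in mad_layer_III writing past the end of a heap buffer. The faulting source line and the upstream fix are not on this page, so the following is an added illustration by the editor, not libmad's code and not the patch SUSE shipped: it models the Layer III "bit reservoir" pattern in which a decoder keeps leftover main-data bytes from earlier frames in a fixed heap buffer and appends each new frame's free bytes to it. The only value taken from libmad is the buffer size, MAD_BUFFER_MDLEN = 511 + 2048 + MAD_BUFFER_GUARD (8) bytes, as defined in libmad's stream.h (not shown on this page); the struct, function names and the 2060-byte constructed frames are assumptions for the example. The unchecked append shows the shape of the bug class; the checked append shows the generic remedy of bounding the copy against the buffer before calling memcpy.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Size libmad allocates for the Layer III main-data (bit reservoir) buffer;
 * taken from libmad's stream.h. Everything else here is a constructed model. */
#define MAD_BUFFER_GUARD 8
#define MAD_BUFFER_MDLEN (511 + 2048 + MAD_BUFFER_GUARD)   /* 2567 */

/* Hypothetical stand-in for the decoder's reservoir state (not libmad's struct). */
struct reservoir {
    unsigned char *main_data;   /* heap buffer of MAD_BUFFER_MDLEN bytes */
    size_t md_len;              /* bytes currently carried over from earlier frames */
};

static struct reservoir *reservoir_new(void)
{
    struct reservoir *r = calloc(1, sizeof *r);
    if (!r) return NULL;
    r->main_data = malloc(MAD_BUFFER_MDLEN);
    if (!r->main_data) { free(r); return NULL; }
    return r;
}

static void reservoir_free(struct reservoir *r)
{
    if (!r) return;
    free(r->main_data);
    free(r);
}

/* 1 if appending frame_free bytes after md_len bytes would run past the end of
 * the reservoir. Phrased so that neither operand can wrap around in size_t. */
static int would_overflow(size_t md_len, size_t frame_free)
{
    return frame_free > MAD_BUFFER_MDLEN || md_len > MAD_BUFFER_MDLEN - frame_free;
}

/* Unchecked append: the shape of the reported bug class, kept for contrast.
 * Both lengths derive from headers in the input file, so a crafted stream can
 * push md_len + frame_free past MAD_BUFFER_MDLEN and the memcpy writes off the
 * end of the heap chunk. Only ever call this with lengths known to fit. */
static void preload_unchecked(struct reservoir *r, const unsigned char *frame, size_t frame_free)
{
    memcpy(r->main_data + r->md_len, frame, frame_free);
    r->md_len += frame_free;
}

/* Checked append: reject the frame and drop the stale reservoir so the caller
 * resynchronises, instead of writing out of bounds. 0 on success, -1 if rejected. */
static int preload_checked(struct reservoir *r, const unsigned char *frame, size_t frame_free)
{
    if (would_overflow(r->md_len, frame_free)) {
        r->md_len = 0;
        return -1;
    }
    memcpy(r->main_data + r->md_len, frame, frame_free);
    r->md_len += frame_free;
    return 0;
}

/* Constructed scenario: two frames each carrying 2060 "free" bytes, the write
 * size in the ASan report. Returns 1 when the model behaves as described. */
static int demo(void)
{
    static unsigned char frame[2060];    /* constructed payload; contents irrelevant */
    struct reservoir *r = reservoir_new();
    int ok, rejected;
    if (!r) return -1;
    memset(frame, 0xAB, sizeof frame);

    /* Empty reservoir: 2060 bytes fit, so even the unchecked copy stays in bounds. */
    preload_unchecked(r, frame, sizeof frame);
    ok = (r->md_len == sizeof frame);

    /* Reservoir now holds 2060 bytes: a second 2060-byte append exceeds
     * MAD_BUFFER_MDLEN by 1553 bytes. The checked path rejects it and resets the
     * reservoir; the unchecked path here would be the heap-buffer-overflow write. */
    rejected = preload_checked(r, frame, sizeof frame);
    ok = ok && rejected == -1 && r->md_len == 0;

    reservoir_free(r);
    return ok;
}

int main(void)
{
    printf("MAD_BUFFER_MDLEN = %d\n", MAD_BUFFER_MDLEN);
    printf("511 + 2060 overflows: %d\n", would_overflow(511, 2060));
    printf("demo ok: %d\n", demo());
    return 0;
}
```

Building the model with `-fsanitize=address` and replacing the second preload_checked call in demo() with preload_unchecked reproduces a heap-buffer-overflow WRITE report of the same kind as the one above, which is a quick way to confirm that a given check actually covers the append before relying on it.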
libmad is not in the distribution, but submitted to Factory: https://build.opensuse.org/request/show/491354

multimedia:libs/libmad has no maintainer set. Security team requests that project maintainers please set one.

Assigning to last involved project maintainer.
Fixed in Factory, no need to track it as a security incident anymore. The request for adding a maintainer still stands.
Now included in Leap; the submit to Factory was revoked. Reopening.
Still missing for:
- SUSE:SLE-15:Update/libmad
@Adam: could you have a look please? Found this while going through our backlog.
I took the Factory patch and backported to:

openSUSE:Backports:SLE-12-SP1: https://build.opensuse.org/request/show/1007718
SUSE:SLE-15:Update: https://build.suse.de/request/show/281510 (internal), sources are equal to openSUSE:Backports:SLE-12-SP1

The backport was straightforward.
SUSE-SU-2022:3782-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1036968,1036969
CVE References: CVE-2017-8372,CVE-2017-8373
JIRA References:
Sources used:
openSUSE Leap 15.4 (src): libmad-0.15.1b-150000.5.3.1
openSUSE Leap 15.3 (src): libmad-0.15.1b-150000.5.3.1
SUSE Manager Server 4.1 (src): libmad-0.15.1b-150000.5.3.1
SUSE Manager Retail Branch Server 4.1 (src): libmad-0.15.1b-150000.5.3.1
SUSE Manager Proxy 4.1 (src): libmad-0.15.1b-150000.5.3.1
SUSE Linux Enterprise Server for SAP 15-SP2 (src): libmad-0.15.1b-150000.5.3.1
SUSE Linux Enterprise Server for SAP 15-SP1 (src): libmad-0.15.1b-150000.5.3.1
SUSE Linux Enterprise Server for SAP 15 (src): libmad-0.15.1b-150000.5.3.1
SUSE Linux Enterprise Server 15-SP2-LTSS (src): libmad-0.15.1b-150000.5.3.1
SUSE Linux Enterprise Server 15-SP2-BCL (src): libmad-0.15.1b-150000.5.3.1
SUSE Linux Enterprise Server 15-SP1-LTSS (src): libmad-0.15.1b-150000.5.3.1
SUSE Linux Enterprise Server 15-SP1-BCL (src): libmad-0.15.1b-150000.5.3.1
SUSE Linux Enterprise Server 15-LTSS (src): libmad-0.15.1b-150000.5.3.1
SUSE Linux Enterprise Module for Desktop Applications 15-SP4 (src): libmad-0.15.1b-150000.5.3.1
SUSE Linux Enterprise Module for Desktop Applications 15-SP3 (src): libmad-0.15.1b-150000.5.3.1
SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS (src): libmad-0.15.1b-150000.5.3.1
SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS (src): libmad-0.15.1b-150000.5.3.1
SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src): libmad-0.15.1b-150000.5.3.1
SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src): libmad-0.15.1b-150000.5.3.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src): libmad-0.15.1b-150000.5.3.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src): libmad-0.15.1b-150000.5.3.1
SUSE Enterprise Storage 7 (src): libmad-0.15.1b-150000.5.3.1
SUSE Enterprise Storage 6 (src): libmad-0.15.1b-150000.5.3.1
SUSE CaaS Platform 4.0 (src): libmad-0.15.1b-150000.5.3.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
openSUSE-SU-2022:10169-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1036968
CVE References: CVE-2017-8373
JIRA References:
Sources used:
SUSE Package Hub for SUSE Linux Enterprise 12 (src): libmad-0.15.1b-8.1