1117954 – (CVE-2018-19758) VUL-1: CVE-2018-19758: libsndfile: There is a heap-based buffer over-read at wav.c in wav_write_header in libsndfile 1.0.28 that will cause a denial of service.

Bug 1117954 (CVE-2018-19758) - VUL-1: CVE-2018-19758: libsndfile: There is a heap-based buffer over-read at wav.c in wav_write_header in libsndfile 1.0.28 that will cause a denial of service.

Summary: VUL-1: CVE-2018-19758: libsndfile: There is a heap-based buffer over-read at ...

Status:	RESOLVED FIXED

Alias:	CVE-2018-19758

Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents (show other bugs)
Version:	unspecified
Hardware:	Other Other

Priority:	P4 - Low Severity: Minor
Target Milestone:	---
Assignee:	Security Team bot
QA Contact:	Security Team bot

URL:	https://smash.suse.de/issue/219988/
Whiteboard:	CVSSv3:SUSE:CVE-2018-19758:5.5:(AV:L/...
Keywords:

Depends on:
Blocks:

Clone This Bug

Reported:	2018-11-30 15:37 UTC by Marcus Meissner
Modified:	2024-05-07 14:32 UTC (History)
CC List:	1 user (show)

See Also:
Found By:	Security Response Team
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
poc0 (12.32 KB, audio/x-wav) 2018-11-30 16:02 UTC, Marcus Meissner	Details
Fix patch (780 bytes, patch) 2018-12-04 12:40 UTC, Takashi Iwai	Details \| Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Marcus Meissner 2018-11-30 15:37:52 UTC

CVE-2018-19758

There is a heap-based buffer over-read at wav.c in wav_write_header in
libsndfile 1.0.28 that will cause a denial of service.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-19758
http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-19758.html

Comment 1 Marcus Meissner 2018-11-30 16:01:52 UTC

https://bugzilla.redhat.com/show_bug.cgi?id=1643812

Comment 2 Marcus Meissner 2018-11-30 16:02:49 UTC

Created attachment 791473 [details]
poc0

QA REPRODUCER:

sndfile-convert poc0 a.wav

should not crash

(currently crashes on 42.3 at least)

Comment 3 Takashi Iwai 2018-12-04 12:38:17 UTC

It's a missing check of loop_count in wav.c.  The tentative fix patch is below.

Comment 4 Takashi Iwai 2018-12-04 12:40:37 UTC

Created attachment 791738 [details]
Fix patch

Comment 5 Takashi Iwai 2018-12-04 12:58:33 UTC

Submitted the fix to TW, SUSE:SLE-15:Update, SUSE:SLE-12:Update and SUSE:SLE-11-SP1:Update.

Reassigned back to security team.

Comment 7 Swamp Workflow Management 2018-12-04 13:40:06 UTC

This is an autogenerated message for OBS integration:
This bug (1117954) was mentioned in
https://build.opensuse.org/request/show/653853 Factory / libsndfile

Comment 8 Swamp Workflow Management 2019-04-02 16:30:26 UTC

SUSE-SU-2019:14008-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 1071767,1071777,1117954
CVE References: CVE-2017-17456,CVE-2017-17457,CVE-2018-19758
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    libsndfile-1.0.20-2.19.12.1
SUSE Linux Enterprise Server 11-SP4 (src):    libsndfile-1.0.20-2.19.12.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    libsndfile-1.0.20-2.19.12.1

*** NOTE: This information is not intended to be used for external
    communication, because this may only be a partial fix.
    If you have questions please reach out to maintenance coordination.

Comment 10 Swamp Workflow Management 2021-08-05 13:51:32 UTC

SUSE-SU-2021:2615-1: An update that fixes four vulnerabilities is now available.

Category: security (critical)
Bug References: 1100167,1116993,1117954,1188540
CVE References: CVE-2018-13139,CVE-2018-19432,CVE-2018-19758,CVE-2021-3246
JIRA References: 
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src):    libsndfile-1.0.25-36.23.1
SUSE OpenStack Cloud 9 (src):    libsndfile-1.0.25-36.23.1
SUSE OpenStack Cloud 8 (src):    libsndfile-1.0.25-36.23.1
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    libsndfile-1.0.25-36.23.1
SUSE Linux Enterprise Server for SAP 12-SP4 (src):    libsndfile-1.0.25-36.23.1
SUSE Linux Enterprise Server for SAP 12-SP3 (src):    libsndfile-1.0.25-36.23.1
SUSE Linux Enterprise Server 12-SP5 (src):    libsndfile-1.0.25-36.23.1
SUSE Linux Enterprise Server 12-SP4-LTSS (src):    libsndfile-1.0.25-36.23.1
SUSE Linux Enterprise Server 12-SP3-LTSS (src):    libsndfile-1.0.25-36.23.1
SUSE Linux Enterprise Server 12-SP3-BCL (src):    libsndfile-1.0.25-36.23.1
SUSE Linux Enterprise Server 12-SP2-BCL (src):    libsndfile-1.0.25-36.23.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 11 Swamp Workflow Management 2021-08-17 19:21:19 UTC

SUSE-SU-2021:2764-1: An update that fixes four vulnerabilities is now available.

Category: security (critical)
Bug References: 1100167,1116993,1117954,1188540
CVE References: CVE-2018-13139,CVE-2018-19432,CVE-2018-19758,CVE-2021-3246
JIRA References: 
Sources used:
SUSE Manager Server 4.0 (src):    libsndfile-1.0.28-5.12.1
SUSE Manager Retail Branch Server 4.0 (src):    libsndfile-1.0.28-5.12.1
SUSE Manager Proxy 4.0 (src):    libsndfile-1.0.28-5.12.1
SUSE Linux Enterprise Server for SAP 15-SP1 (src):    libsndfile-1.0.28-5.12.1
SUSE Linux Enterprise Server for SAP 15 (src):    libsndfile-1.0.28-5.12.1
SUSE Linux Enterprise Server 15-SP1-LTSS (src):    libsndfile-1.0.28-5.12.1
SUSE Linux Enterprise Server 15-SP1-BCL (src):    libsndfile-1.0.28-5.12.1
SUSE Linux Enterprise Server 15-LTSS (src):    libsndfile-1.0.28-5.12.1
SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP3 (src):    libsndfile-1.0.28-5.12.1
SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP2 (src):    libsndfile-1.0.28-5.12.1
SUSE Linux Enterprise Module for Basesystem 15-SP3 (src):    libsndfile-1.0.28-5.12.1
SUSE Linux Enterprise Module for Basesystem 15-SP2 (src):    libsndfile-1.0.28-5.12.1
SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src):    libsndfile-1.0.28-5.12.1
SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src):    libsndfile-1.0.28-5.12.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src):    libsndfile-1.0.28-5.12.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src):    libsndfile-1.0.28-5.12.1
SUSE Enterprise Storage 6 (src):    libsndfile-1.0.28-5.12.1
SUSE CaaS Platform 4.0 (src):    libsndfile-1.0.28-5.12.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 12 Swamp Workflow Management 2021-08-17 19:30:12 UTC

openSUSE-SU-2021:2764-1: An update that fixes four vulnerabilities is now available.

Category: security (critical)
Bug References: 1100167,1116993,1117954,1188540
CVE References: CVE-2018-13139,CVE-2018-19432,CVE-2018-19758,CVE-2021-3246
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    libsndfile-1.0.28-5.12.1, libsndfile-progs-1.0.28-5.12.1

Comment 13 Swamp Workflow Management 2021-08-19 19:23:03 UTC

openSUSE-SU-2021:1166-1: An update that fixes four vulnerabilities is now available.

Category: security (critical)
Bug References: 1100167,1116993,1117954,1188540
CVE References: CVE-2018-13139,CVE-2018-19432,CVE-2018-19758,CVE-2021-3246
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    libsndfile-1.0.28-lp152.6.3.1, libsndfile-progs-1.0.28-lp152.6.3.1

Comment 14 Thomas Leroy 2024-05-07 14:32:30 UTC

All done, closing.