Your message dated Fri, 22 Jan 2010 19:52:41 +0000
with message-id <e1nypyf-0004v5...@ries.debian.org>
and subject line Bug#510205: fixed in audiofile 0.2.6-6+etch1
has caused the Debian Bug report #510205,
regarding buffer overflow in libaudiofile
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
510205: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=510205
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: libaudiofile0
Version: 0.2.6-6
Severity: critical
Today, the Music Player Daemon project received a bug report from
Anton Khirnov: MPD crashed when attempting to play a WAV file. "file"
says:
RIFF (little-endian) data, WAVE audio, Microsoft ADPCM, stereo 44100 Hz
The MPD bug report: http://musicpd.org/mantis/view.php?id=1915
The test file: http://filebin.ca/meqmyu/max_theme.wav
Turns out that this is a bug in libaudiofile. When attempting to
decode the file, libaudiofile writes past the buffer in msadpcm.c:194
    code = *encoded >> 4;
    newSample = ms_adpcm_decode_sample(state[0], code, coefficient[0]);
    *decoded++ = newSample;
Valgrind output:
==4680== Invalid write of size 2
==4680== at 0x8CF0478: ms_adpcm_run_pull (msadpcm.c:194)
==4680== by 0x8CEAF75: _AFpull (modules.c:111)
==4680== by 0x8CF11A3: int2rebufferf2vrun_pull (rebuffer.template:409)
==4680== by 0x8CDE4ED: afReadFrames (data.c:228)
==4680== by 0x435EBA: audiofile_streamdecode (audiofile_plugin.c:159)
==4680== by 0x4145A2: decoder_stream_decode (decoder_thread.c:49)
==4680== by 0x414A5C: decoder_run (decoder_thread.c:189)
==4680== by 0x414B7B: decoder_task (decoder_thread.c:214)
==4680== by 0x72E0453: g_thread_create_proxy (gthread.c:635)
==4680== by 0x62CBFC6: start_thread (pthread_create.c:297)
==4680== by 0xAA595AC: clone (in /usr/lib/debug/libc-2.7.so)
==4680== Address 0x15a66de8 is 0 bytes after a block of size 4,096 alloc'd
==4680== at 0x4C2260E: malloc (vg_replace_malloc.c:207)
==4680== by 0x8CDF96A: _af_malloc (util.c:122)
==4680== by 0x8CEEEBA: _AFsetupmodules (modules.c:2539)
==4680== by 0x8CDE151: afGetFrameCount (format.c:218)
==4680== by 0x435CDD: audiofile_streamdecode (audiofile_plugin.c:141)
==4680== by 0x4145A2: decoder_stream_decode (decoder_thread.c:49)
==4680== by 0x414A5C: decoder_run (decoder_thread.c:189)
==4680== by 0x414B7B: decoder_task (decoder_thread.c:214)
==4680== by 0x72E0453: g_thread_create_proxy (gthread.c:635)
==4680== by 0x62CBFC6: start_thread (pthread_create.c:297)
==4680== by 0xAA595AC: clone (in /usr/lib/debug/libc-2.7.so)
A quick look at the code revealed that the allocated buffer size
depended on the following formula:
bufsize = outc->nframes * _af_format_frame_size(&outc->f, AF_TRUE);
outc->nframes basically comes from _AF_ATOMIC_NVFRAMES (1024), because
the msadpcm module does not implement the max_pull callback. This
results in a 4096 byte allocation in modules.c:2539 (frame size is 4).
In ms_adpcm_decode_block(), msadpcm->samplesPerBlock is set to 2036
(unverified value from the input file header). outputLength is 8144,
which obviously does not fit into the allocated 4096 byte buffer.
I could reproduce the same crash with "normalize-audio max_theme.wav".
The real crash happens after closing the file, probably due to heap
corruption. valgrind notices the problem before the crash actually
occurs.
Severity "critical" because this may be used for a remote DoS
attack on software like MPD. I did not investigate whether it is
possible to inject code this way. Chances are good, since arbitrary
amounts of heap can be overwritten.
Both Debian Etch and Lenny are affected.
Solution: don't use libaudiofile. Change libaudiofile to allocate the
correct buffer size. Add buffer size checks to libaudiofile.
Regards,
Max Kellermann
--- End Message ---
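The arithmetic in the report above, worked through as an added example that is not libaudiofile's code: a decode buffer is sized from a fixed frame count (1024 frames of 4 bytes, 4096 bytes for stereo 16-bit output), while the number of samples per block is read straight from the WAV header. All function and struct names are hypothetical. The constructed header uses the stereo, 2036-samples-per-block values from the report; the nBlockAlign of 2048 is my assumption, chosen because it is the alignment that makes 2036 samples per block internally consistent. The point it shows is that a header can pass a consistency check and still describe a block larger than the fixed buffer, so the size check against the destination (or sizing the buffer from the block, as a max_pull callback would) is the fix that actually matters.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not libaudiofile code. It reproduces the arithmetic in
 * the report above with hypothetical helper names: the decode buffer is
 * sized from a fixed frame count, while the per-block sample count comes
 * straight from the file header. */

#define ATOMIC_NVFRAMES 1024u  /* stands in for _AF_ATOMIC_NVFRAMES */
#define SAMPLE_BYTES    2u     /* decoded output is 16-bit PCM */
#define MS_ADPCM_PREAMBLE_PER_CHANNEL 7u /* predictor(1) + delta(2) + two samples(2+2) */

struct adpcm_hdr {
    uint16_t channels;          /* nChannels */
    uint16_t block_align;       /* nBlockAlign */
    uint16_t samples_per_block; /* wSamplesPerBlock, attacker-controlled */
};

/* Size of the fixed allocation described in the report (4096 for stereo). */
size_t fixed_decode_buffer_bytes(uint16_t channels)
{
    return ATOMIC_NVFRAMES * channels * SAMPLE_BYTES;
}

/* Bytes of PCM one block expands to: samplesPerBlock * channels * 2. */
size_t ms_adpcm_output_length(uint16_t samples_per_block, uint16_t channels)
{
    return (size_t)samples_per_block * channels * SAMPLE_BYTES;
}

/* Sample count implied by nBlockAlign for MS ADPCM: each channel has a
 * 7-byte preamble carrying two full samples; every remaining byte holds
 * two 4-bit codes. Returns 0 and sets *out, or -1 for an impossible layout. */
int ms_adpcm_expected_samples_per_block(uint16_t block_align, uint16_t channels, uint16_t *out)
{
    if (channels == 0 || channels > 2)
        return -1;
    size_t preamble = (size_t)MS_ADPCM_PREAMBLE_PER_CHANNEL * channels;
    if (block_align < preamble)
        return -1;
    size_t data = block_align - preamble;
    if ((data * 2) % channels != 0)
        return -1;
    size_t spb = (data * 2) / channels + 2;
    if (spb > UINT16_MAX)
        return -1;
    *out = (uint16_t)spb;
    return 0;
}

/* Vulnerable shape: trusts the header, so the write runs past the
 * destination. Returns the length it would write and flags whether
 * that exceeds `capacity`. */
size_t decode_block_unchecked(const struct adpcm_hdr *h, size_t capacity, int *overflowed)
{
    size_t out_len = ms_adpcm_output_length(h->samples_per_block, h->channels);
    *overflowed = out_len > capacity;
    return out_len;
}

/* Hardened shape: reject a header whose sample count disagrees with its
 * block alignment, and refuse to decode a block that does not fit.
 * Returns the output length or -1. */
long decode_block_checked(const struct adpcm_hdr *h, size_t capacity)
{
    uint16_t expected;
    if (ms_adpcm_expected_samples_per_block(h->block_align, h->channels, &expected) != 0)
        return -1;
    if (h->samples_per_block != expected)
        return -1;
    size_t out_len = ms_adpcm_output_length(h->samples_per_block, h->channels);
    if (out_len > capacity)
        return -1;
    return (long)out_len;
}

/* What a max_pull-style callback should report: room for the larger of
 * one decoded block and the fixed frame batch. */
size_t required_decode_buffer_bytes(const struct adpcm_hdr *h)
{
    size_t fixed = fixed_decode_buffer_bytes(h->channels);
    size_t block = ms_adpcm_output_length(h->samples_per_block, h->channels);
    return block > fixed ? block : fixed;
}

int main(void)
{
    /* Constructed header: stereo, 2036 samples per block as in the report;
     * nBlockAlign 2048 (assumed) is the alignment consistent with that count. */
    struct adpcm_hdr h = { 2, 2048, 2036 };
    int overflowed;
    size_t cap = fixed_decode_buffer_bytes(h.channels);
    size_t len = decode_block_unchecked(&h, cap, &overflowed);
    printf("fixed buffer %zu bytes, block expands to %zu bytes, overflow=%d\n", cap, len, overflowed);
    printf("checked decode into fixed buffer: %ld\n", decode_block_checked(&h, cap));
    printf("checked decode into sized buffer: %ld\n",
           decode_block_checked(&h, required_decode_buffer_bytes(&h)));
    return 0;
}
```

Note that the constructed header is self-consistent, so the alignment check alone accepts it; only the comparison against the destination size (or allocating from required_decode_buffer_bytes) stops the 8144-byte block from overrunning the 4096-byte buffer.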
--- Begin Message ---
Source: audiofile
Source-Version: 0.2.6-6+etch1
We believe that the bug you reported is fixed in the latest version of
audiofile, which is due to be installed in the Debian FTP archive:
audiofile_0.2.6-6+etch1.diff.gz
to main/a/audiofile/audiofile_0.2.6-6+etch1.diff.gz
audiofile_0.2.6-6+etch1.dsc
to main/a/audiofile/audiofile_0.2.6-6+etch1.dsc
libaudiofile-dev_0.2.6-6+etch1_i386.deb
to main/a/audiofile/libaudiofile-dev_0.2.6-6+etch1_i386.deb
libaudiofile0_0.2.6-6+etch1_i386.deb
to main/a/audiofile/libaudiofile0_0.2.6-6+etch1_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 510...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Stefan Fritsch <s...@debian.org> (supplier of updated audiofile package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Sat, 19 Dec 2009 14:45:04 +0100
Source: audiofile
Binary: libaudiofile-dev libaudiofile0
Architecture: source i386
Version: 0.2.6-6+etch1
Distribution: oldstable-security
Urgency: high
Maintainer: Daniel Kobras <kob...@debian.org>
Changed-By: Stefan Fritsch <s...@debian.org>
Description:
libaudiofile-dev - Open-source version of SGI's audiofile library (header files)
libaudiofile0 - Open-source version of SGI's audiofile library
Closes: 510205
Changes:
audiofile (0.2.6-6+etch1) oldstable-security; urgency=high
.
* Non-maintainer upload by the Security Team.
* CVE-2008-5824: Fix buffer overflow when decompressing MS ADPCM .wav
files (closes: #510205).
Files:
f9f760bd11ccb13c85266ace4f87d25d 629 libs optional audiofile_0.2.6-6+etch1.dsc
dbc542c9c87880f436083facfb3ccc28 300089 libs optional audiofile_0.2.6-6+etch1.diff.gz
4e3e58094cfa7314a7160d7f936baafb 118410 libdevel optional libaudiofile-dev_0.2.6-6+etch1_i386.deb
e572289bc7e52fc49f256ed6d9ccbf80 77204 libs optional libaudiofile0_0.2.6-6+etch1_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iD8DBQFLU3IEbxelr8HyTqQRAjQ1AJ9fLEtnx2Uw+urm3z0g2o6jaCZmTwCaA53+
YJvhka4Rp12ZV6G+lIlWByA=
=8pXp
-----END PGP SIGNATURE-----
--- End Message ---