CVE-2008-5824 audiofile denial of service (application crash) or possibly execute arbitrary code via a crafted WAV file

Bug #527033 reported by Stefan Lesicnik
Affects              Status        Importance  Assigned to  Milestone
audiofile (Ubuntu)   Invalid       Medium      Unassigned
  Dapper             Fix Released  Medium      Unassigned
  Hardy              Fix Released  Medium      Unassigned
  Intrepid           Fix Released  Medium      Unassigned
  Jaunty             Fix Released  Medium      Unassigned
  Karmic             Fix Released  Medium      Unassigned
  Lucid              Invalid       Medium      Unassigned

Bug Description

Heap-based buffer overflow in msadpcm.c in libaudiofile in audiofile 0.2.6
allows context-dependent attackers to cause a denial of service
(application crash) or possibly execute arbitrary code via a crafted WAV
file.

References
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5824
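An added example, not code from audiofile or from this report, showing the kind of header validation an MS ADPCM WAV reader should perform before it sizes any decode buffer. It checks the documented MS ADPCM invariants (7 header bytes per channel per block, wSamplesPerBlock bounded by nBlockAlign, coefficient table fitting cbSize, data chunk a whole number of blocks); the report does not say which field the crafted file abuses, so these checks are general rather than a reconstruction of the patch, and the WAV bytes are constructed inline.

```python
import struct

# MS ADPCM block header per channel: predictor(1) + idelta(2) + sample1(2) + sample2(2)
HEADER_BYTES_PER_CHANNEL = 7
WAVE_FORMAT_ADPCM = 0x0002
COEFS = [(256, 0), (512, -256), (0, 0), (192, 64), (240, 0), (460, -208), (392, -232)]

def build_msadpcm_wav(channels, rate, block_align, samples_per_block, data_len):
    """Constructed sample input: a minimal RIFF/WAVE file with an MS ADPCM fmt chunk."""
    extra = struct.pack("<HH", samples_per_block, len(COEFS))
    extra += b"".join(struct.pack("<hh", a, b) for a, b in COEFS)
    fmt = struct.pack("<HHIIHHH", WAVE_FORMAT_ADPCM, channels, rate,
                      rate * block_align // samples_per_block, block_align, 4, len(extra)) + extra
    body = b"WAVE" + b"fmt " + struct.pack("<I", len(fmt)) + fmt
    body += b"data" + struct.pack("<I", data_len) + bytes(data_len)
    return b"RIFF" + struct.pack("<I", len(body)) + body

def check_msadpcm_header(wav):
    """Validate fmt/data fields; return (channels, block_align, samples_per_block, frames)."""
    if len(wav) < 12 or wav[:4] != b"RIFF" or wav[8:12] != b"WAVE":
        raise ValueError("not a RIFF/WAVE file")
    fmt = data_size = None
    pos = 12
    while pos + 8 <= len(wav):  # walk chunks, refusing any that overrun the file
        cid, size = wav[pos:pos + 4], struct.unpack_from("<I", wav, pos + 4)[0]
        if size > len(wav) - pos - 8:
            raise ValueError("chunk %r overruns file" % cid)
        if cid == b"fmt ":
            fmt = wav[pos + 8:pos + 8 + size]
        elif cid == b"data":
            data_size = size
        pos += 8 + size + (size & 1)
    if fmt is None or data_size is None or len(fmt) < 22:
        raise ValueError("missing or truncated fmt/data chunk")
    tag, channels, _rate, _bps, block_align, bits, cb = struct.unpack_from("<HHIIHHH", fmt)
    samples_per_block, num_coef = struct.unpack_from("<HH", fmt, 18)
    if tag != WAVE_FORMAT_ADPCM or bits != 4 or channels not in (1, 2):
        raise ValueError("not 1- or 2-channel 4-bit MS ADPCM")
    if cb < 4 + 4 * num_coef or len(fmt) < 18 + cb:
        raise ValueError("coefficient table does not fit cbSize / fmt chunk")
    header = HEADER_BYTES_PER_CHANNEL * channels
    if block_align <= header:
        raise ValueError("nBlockAlign %d leaves no room for sample nibbles" % block_align)
    # Two samples per channel come from the block header; the rest are 4-bit nibbles.
    max_samples = (block_align - header) * 2 // channels + 2
    if samples_per_block < 2 or samples_per_block > max_samples:
        raise ValueError("wSamplesPerBlock %d exceeds capacity %d" % (samples_per_block, max_samples))
    if data_size % block_align:
        raise ValueError("data size %d is not a whole number of blocks" % data_size)
    return channels, block_align, samples_per_block, (data_size // block_align) * samples_per_block
```

A decoder that derives its output buffer from the returned frame count, instead of trusting wSamplesPerBlock alone, cannot be pushed past the bytes that actually exist in each block.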

Tags: patch
Revision history for this message
Stefan Lesicnik (stefanlsd) wrote :

This is fixed in Lucid already and CVE tracker can be updated.

visibility: private → public
Changed in audiofile (Ubuntu):
assignee: nobody → Stefan Lesicnik (stefanlsd)
importance: Undecided → Low
status: New → Confirmed
Changed in audiofile (Ubuntu):
importance: Low → Medium
Changed in audiofile (Ubuntu Dapper):
status: New → Confirmed
Changed in audiofile (Ubuntu Hardy):
status: New → Confirmed
Changed in audiofile (Ubuntu Intrepid):
status: New → Confirmed
Changed in audiofile (Ubuntu Jaunty):
status: New → Confirmed
Changed in audiofile (Ubuntu Hardy):
importance: Undecided → Medium
Changed in audiofile (Ubuntu Karmic):
importance: Undecided → Medium
Changed in audiofile (Ubuntu Jaunty):
importance: Undecided → Medium
Changed in audiofile (Ubuntu Karmic):
status: New → Confirmed
Changed in audiofile (Ubuntu Dapper):
importance: Undecided → Medium
Changed in audiofile (Ubuntu Intrepid):
importance: Undecided → Medium
Revision history for this message
Stefan Lesicnik (stefanlsd) wrote :

Two packages are currently affected. audiofile and normalize-audio. Both are currently fixed for Lucid. Currently doing testing for Karmic.

Revision history for this message
Stefan Lesicnik (stefanlsd) wrote :

Karmic diff for audiofile is in branch (linked at top of this report), attached is patch for normalize-audio for karmic

ldd /usr/bin/normalize-audio
 linux-vdso.so.1 => (0x00007fffb5894000)
 libmad.so.0 => /usr/lib/libmad.so.0 (0x00007f5f8244c000)
 libaudiofile.so.0 => /usr/lib/libaudiofile.so.0 (0x00007f5f82224000)
 libm.so.6 => /lib/libm.so.6 (0x00007f5f81fa0000)
 libc.so.6 => /lib/libc.so.6 (0x00007f5f81c31000)
 /lib64/ld-linux-x86-64.so.2 (0x00007f5f8266c000)

normalize-audio max_theme.wav
Computing levels...
*** glibc detected *** normalize-audio: double free or corruption (out): 0x0000000000df2c00 ***
======= Backtrace: =========
/lib/libc.so.6[0x7fc1c455fdd6]
/lib/libc.so.6(cfree+0x6c)[0x7fc1c456474c]
/usr/lib/libaudiofile.so.0[0x7fc1c4af5a7e]
/usr/lib/libaudiofile.so.0[0x7fc1c4af5ac9]
/usr/lib/libaudiofile.so.0[0x7fc1c4ae3736]
/usr/lib/libaudiofile.so.0(afCloseFile+0x3d)[0x7fc1c4ae3b2d]
normalize-audio[0x405106]
normalize-audio[0x402ff4]
normalize-audio[0x404556]
/lib/libc.so.6(__libc_start_main+0xfd)[0x7fc1c4508abd]
normalize-audio[0x402489]

tags: added: patch
Revision history for this message
Stefan Lesicnik (stefanlsd) wrote :

Above test done with the POC max_theme.wav
mdeslaur> PoC: http://filebin.ca/meqmyu/max_theme.wav

Revision history for this message
Stefan Lesicnik (stefanlsd) wrote :

Attaching debdiff for audiofile and normalize-audio for hardy. These are applicable to hardy, intrepid, jaunty (same versions).

Revision history for this message
Stefan Lesicnik (stefanlsd) wrote :

normalize audio patch.

testing for hardy as follows

Before

normalize-audio max_theme.wav
Computing levels...
*** glibc detected *** normalize-audio: double free or corruption (out): 0x00000000006162c0 ***
======= Backtrace: =========
/lib/libc.so.6[0x7ffa4670b08a]
/lib/libc.so.6(cfree+0x8c)[0x7ffa4670ec1c]
/usr/lib/libaudiofile.so.0[0x7ffa46c9231e]
/usr/lib/libaudiofile.so.0[0x7ffa46c92369]
/usr/lib/libaudiofile.so.0[0x7ffa46c80bd3]
/usr/lib/libaudiofile.so.0(afCloseFile+0x33)[0x7ffa46c80f73]
normalize-audio[0x404b95]
normalize-audio[0x402dce]
normalize-audio[0x4040a0]
/lib/libc.so.6(__libc_start_main+0xf4)[0x7ffa466b51c4]
normalize-audio[0x4023a9]

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

0.2.6-7.1 has the fix and Lucid has 0.2.6-8ubuntu1. Marking Lucid task as 'Invalid'.

Changed in audiofile (Ubuntu Lucid):
assignee: Stefan Lesicnik (stefanlsd) → nobody
status: Confirmed → Invalid
Revision history for this message
Stefan Lesicnik (stefanlsd) wrote :

Untested (My dapper vm is awol)

Revision history for this message
Stefan Lesicnik (stefanlsd) wrote :

Normalize audio. Untested again (apart from patching and building)

Revision history for this message
Stefan Lesicnik (stefanlsd) wrote :

Should be all patches. Sec team can test and upload. If there's anything else, please let me know

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package audiofile - 0.2.6-7ubuntu2.1

---------------
audiofile (0.2.6-7ubuntu2.1) karmic-security; urgency=high

  * SECURITY UPDATE: Heap-based buffer overflow in msadpcm.c in libaudiofile
    in audiofile 0.2.6 allows context-dependent attackers to cause a denial
    of service (application crash) or possibly execute arbitrary code via a
    crafted WAV file. (LP: #527033)
    - debian/patches/22_CVE-2008-5824.dpatch: Fix buffer overflow when
      decompressing MS ADPCM .wav files.
    - CVE-2008-5824
 -- Stefan Lesicnik <email address hidden> Wed, 24 Feb 2010 19:13:42 +0200

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package audiofile - 0.2.6-7ubuntu1.9.04.1

---------------
audiofile (0.2.6-7ubuntu1.9.04.1) jaunty-security; urgency=low

  * SECURITY UPDATE: Heap-based buffer overflow in msadpcm.c in libaudiofile
    in audiofile 0.2.6 allows context-dependent attackers to cause a denial
    of service (application crash) or possibly execute arbitrary code via a
    crafted WAV file. (LP: #527033)
    - debian/patches/22_CVE-2008-5824.dpatch: Fix buffer overflow when
      decompressing MS ADPCM .wav files.
    - CVE-2008-5824
 -- Stefan Lesicnik <email address hidden> Tue, 02 Mar 2010 15:59:08 +0200

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package audiofile - 0.2.6-7ubuntu1.8.10.1

---------------
audiofile (0.2.6-7ubuntu1.8.10.1) intrepid-security; urgency=low

  * SECURITY UPDATE: Heap-based buffer overflow in msadpcm.c in libaudiofile
    in audiofile 0.2.6 allows context-dependent attackers to cause a denial
    of service (application crash) or possibly execute arbitrary code via a
    crafted WAV file. (LP: #527033)
    - debian/patches/22_CVE-2008-5824.dpatch: Fix buffer overflow when
      decompressing MS ADPCM .wav files.
    - CVE-2008-5824
 -- Stefan Lesicnik <email address hidden> Tue, 02 Mar 2010 15:59:08 +0200

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package audiofile - 0.2.6-7ubuntu1.8.04.1

---------------
audiofile (0.2.6-7ubuntu1.8.04.1) hardy-security; urgency=low

  * SECURITY UPDATE: Heap-based buffer overflow in msadpcm.c in libaudiofile
    in audiofile 0.2.6 allows context-dependent attackers to cause a denial
    of service (application crash) or possibly execute arbitrary code via a
    crafted WAV file. (LP: #527033)
    - debian/patches/22_CVE-2008-5824.dpatch: Fix buffer overflow when
      decompressing MS ADPCM .wav files.
    - CVE-2008-5824
 -- Stefan Lesicnik <email address hidden> Tue, 02 Mar 2010 15:59:08 +0200

Changed in audiofile (Ubuntu Hardy):
status: Confirmed → Fix Released
Changed in audiofile (Ubuntu Intrepid):
status: Confirmed → Fix Released
Changed in audiofile (Ubuntu Jaunty):
status: Confirmed → Fix Released
Changed in audiofile (Ubuntu Karmic):
status: Confirmed → Fix Released
Revision history for this message
Artur Rona (ari-tczew) wrote :

What about dapper? Stefan, could you prepare fix for dapper?

Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

Dapper was published....the status doesn't get changed automatically for dapper packages.

Changed in audiofile (Ubuntu Dapper):
status: Confirmed → Fix Released
ozzie (toplisowen7)
Changed in audiofile (Ubuntu Jaunty):
assignee: nobody → ozzie (toplisowen7)
Changed in audiofile (Ubuntu Jaunty):
assignee: ozzie (toplisowen7) → nobody