[Bug 1036967] New: VUL-1: libmad: heap-based buffer overflow in mad_bit_skip (bit.c)
http://bugzilla.opensuse.org/show_bug.cgi?id=1036967

            Bug ID: 1036967
           Summary: VUL-1: libmad: heap-based buffer overflow in mad_bit_skip (bit.c)
    Classification: openSUSE
           Product: openSUSE Distribution
           Version: Leap 42.2
          Hardware: Other
                OS: Other
            Status: NEW
          Severity: Normal
          Priority: P5 - None
         Component: Security
          Assignee: security-team@suse.de
          Reporter: mikhail.kasimov@gmail.com
        QA Contact: qa-bugs@suse.de
          Found By: ---
           Blocker: ---

Created attachment 723244
  --> http://bugzilla.opensuse.org/attachment.cgi?id=723244&action=edit
00211-libmad-heapoverflow-mad_bit_skip_reproducer

Ref: https://blogs.gentoo.org/ago/2017/04/30/libmad-heap-based-buffer-overflow-in...

===========================================================
Description:
libmad stands for "M"peg "A"udio "D"ecoder library.

There is a heap overflow discovered through madplay.

The complete ASan output:

# madplay -v -i -o raw:out $FILE
==12603==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61200000c09f at pc 0x7f72d6aa05c0 bp 0x7fff03e32040 sp 0x7fff03e32038
READ of size 1 at 0x61200000c09f thread T0
    #0 0x7f72d6aa05bf in mad_bit_skip /tmp/portage/media-libs/libmad-0.15.1b-r8/work/libmad-0.15.1b/bit.c:130:21
    #1 0x7f72d6b032ad in III_huffdecode /tmp/portage/media-libs/libmad-0.15.1b-r8/work/libmad-0.15.1b/layer3.c:953:3
    #2 0x7f72d6b032ad in III_decode /tmp/portage/media-libs/libmad-0.15.1b-r8/work/libmad-0.15.1b/layer3.c:2403
    #3 0x7f72d6af1a8e in mad_layer_III /tmp/portage/media-libs/libmad-0.15.1b-r8/work/libmad-0.15.1b/layer3.c:2648:13
    #4 0x7f72d6ab584d in mad_frame_decode /tmp/portage/media-libs/libmad-0.15.1b-r8/work/libmad-0.15.1b/frame.c:453:7
    #5 0x7f72d6ada4e4 in run_sync /tmp/portage/media-libs/libmad-0.15.1b-r8/work/libmad-0.15.1b/decoder.c:404:11
    #6 0x7f72d6ad8c59 in mad_decoder_run /tmp/portage/media-libs/libmad-0.15.1b-r8/work/libmad-0.15.1b/decoder.c:557:12
    #7 0x5277a1 in decode /tmp/portage/media-sound/madplay-0.15.2b-r1/work/madplay-0.15.2b/player.c:1862:12
    #8 0x5277a1 in play_one /tmp/portage/media-sound/madplay-0.15.2b-r1/work/madplay-0.15.2b/player.c:1951
    #9 0x5277a1 in play_all /tmp/portage/media-sound/madplay-0.15.2b-r1/work/madplay-0.15.2b/player.c:2041
    #10 0x5215a2 in player_run /tmp/portage/media-sound/madplay-0.15.2b-r1/work/madplay-0.15.2b/player.c:2768:14
    #11 0x50c46c in main /tmp/portage/media-sound/madplay-0.15.2b-r1/work/madplay-0.15.2b/madplay.c:816:7
    #12 0x7f72d599d78f in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289
    #13 0x41aa78 in _init (/usr/bin/madplay+0x41aa78)

Affected version: 0.15.1b
Fixed version: N/A
Commit fix: N/A

Credit: This bug was discovered by Agostino Sarubbo of Gentoo.

CVE: N/A

Reproducer: https://github.com/asarubbo/poc/blob/master/00211-libmad-heapoverflow-mad_bi...

Timeline:
2017-01-01: bug discovered and reported to upstream
2017-04-30: blog post about the issue

Note: This bug was found with American Fuzzy Lop.

Permalink: libmad: heap-based buffer overflow in mad_bit_skip (bit.c)
===========================================================

(open-)SUSE: https://software.opensuse.org/package/libmad
0.15.1b (TW, 42.{1,2}, multimedia:libs repo)

-- 
You are receiving this mail because:
You are on the CC list for the bug.
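The ASan trace above shows a one-byte read past the end of a heap buffer inside mad_bit_skip, reached from the Layer III Huffman decode path (III_huffdecode). The bug report does not include libmad's source or the reproducer bytes, so the following is an added illustration of the class of bug and not libmad's code, the reporter's reproducer, or a claim about which header field drives the skip in libmad. It models a minimal MSB-first bit reader in two variants: an unchecked skip that moves the read position by whatever bit count the stream asked for and has no notion of where its buffer ends (the shape of the failure in the trace), and a hardened skip that tracks the remaining bits and refuses the request. The 32-byte frame and the 12-bit "part length" field at its start are constructed for the example; the names (bitreader, br_*, demo_*) are invented here.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed bit reader (added example, not libmad's code). */
struct bitreader {
    const unsigned char *buf;
    size_t len;   /* bytes available in buf */
    size_t pos;   /* current read position, in bits from the start of buf */
};

static void br_init(struct bitreader *br, const unsigned char *buf, size_t len)
{
    br->buf = buf;
    br->len = len;
    br->pos = 0;
}

/* Bits still available before the end of the buffer. */
static size_t br_remaining(const struct bitreader *br)
{
    return br->len * CHAR_BIT - br->pos;
}

/* Read up to 32 bits MSB first. Returns -1 if the field would run past
 * the buffer, so header fields themselves are never read out of bounds. */
static long br_read(struct bitreader *br, unsigned int nbits)
{
    unsigned long v = 0;
    if (nbits > 32 || nbits > br_remaining(br))
        return -1;
    while (nbits--) {
        unsigned char byte = br->buf[br->pos / CHAR_BIT];
        unsigned int bit = (byte >> (CHAR_BIT - 1 - br->pos % CHAR_BIT)) & 1u;
        v = (v << 1) | bit;
        br->pos++;
    }
    return (long)v;
}

/* Unchecked skip: the shape of the bug in the trace. It advances by the
 * stream-supplied count and returns the byte offset the reader would fetch
 * its next cache byte from. Nothing here stops that offset exceeding len;
 * a real decoder dereferencing it is the out-of-bounds read ASan reports. */
static size_t br_skip_unchecked(struct bitreader *br, unsigned int nbits)
{
    br->pos += nbits;
    return br->pos / CHAR_BIT;
}

/* Hardened skip: 0 on success, -1 if the request exceeds what is left. */
static int br_skip_checked(struct bitreader *br, unsigned int nbits)
{
    if (nbits > br_remaining(br))
        return -1;
    br->pos += nbits;
    return 0;
}

/* Constructed 32-byte frame: the first 12 bits claim a "part length" of
 * 0xFFF = 4095 bits of payload, far more than the buffer holds. */
static const unsigned char sample_frame[32] = { 0xFF, 0xF0, 0x00, 0x00 };

/* Byte offset the unchecked reader would read from after honouring the
 * declared length: 513, well past the 32 bytes that exist. */
static size_t demo_unchecked_offset(void)
{
    struct bitreader br;
    br_init(&br, sample_frame, sizeof sample_frame);
    long part_len = br_read(&br, 12);              /* 4095 */
    return br_skip_unchecked(&br, (unsigned int)part_len);
}

/* Result of the hardened reader on the same frame: -1 (skip refused). */
static int demo_checked_result(void)
{
    struct bitreader br;
    br_init(&br, sample_frame, sizeof sample_frame);
    long part_len = br_read(&br, 12);
    return br_skip_checked(&br, (unsigned int)part_len);
}

int main(void)
{
    size_t off = demo_unchecked_offset();
    printf("unchecked skip lands at byte %zu of a %zu-byte buffer (%s)\n",
           off, sizeof sample_frame,
           off >= sizeof sample_frame ? "out of bounds" : "in bounds");
    printf("checked skip: %s\n",
           demo_checked_result() == 0 ? "accepted" : "rejected");
    return 0;
}
```

The point of the pair is that the unchecked reader only knows the current byte, so every consumer of a length field has to re-derive the bound itself; carrying the remaining-bit count inside the reader makes the bound a property of the stream rather than of each caller, which is the check a fuzzer like AFL exercises hardest.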
http://bugzilla.opensuse.org/show_bug.cgi?id=1036967#c1

Mikhail Kasimov <mikhail.kasimov@gmail.com> changed:

           What    |Removed                              |Added
----------------------------------------------------------------------------
           Summary |VUL-1: libmad: heap-based buffer     |VUL-1: CVE-2017-8374: libmad: heap-based
                   |overflow in mad_bit_skip (bit.c)     |buffer overflow in mad_bit_skip (bit.c)
             Alias |                                     |CVE-2017-8374

--- Comment #1 from Mikhail Kasimov <mikhail.kasimov@gmail.com> ---
CVE-2017-8374: https://nvd.nist.gov/vuln/detail/CVE-2017-8374
http://bugzilla.opensuse.org/show_bug.cgi?id=1036967#c2

Andreas Stieger <astieger@suse.com> changed:

           What           |Removed                |Added
----------------------------------------------------------------------------
                       CC |                       |astieger@suse.com, crrodriguez@opensuse.org,
                          |                       |davejplater@gmail.com, idonmez@suse.com,
                          |                       |jengelh@inai.de, jjolly@suse.com,
                          |                       |mseben@gmail.com, ohering@suse.com,
                          |                       |pascal.bleser@opensuse.org, plinnell@opensuse.org,
                          |                       |prusnak@opensuse.org, pth@suse.com,
                          |                       |sbrabec@suse.com, seife@novell.slipkontur.de,
                          |                       |sreeves@suse.com, tchvatal@suse.com,
                          |                       |tiwai@suse.com, wstephenson@suse.com
                Component |Security               |Security
                  Version |Leap 42.2              |Current
                 Assignee |security-team@suse.de  |idonmez@suse.com
                  Product |openSUSE Distribution  |openSUSE Tumbleweed
         Target Milestone |---                    |Current
               QA Contact |qa-bugs@suse.de        |security-team@suse.de

--- Comment #2 from Andreas Stieger <astieger@suse.com> ---
libmad is not in the distribution, but submitted to Factory:
https://build.opensuse.org/request/show/491354

multimedia:libs/libmad has no maintainer set. Security team requests that project maintainers please set one. Assigning to last involved project maintainer.
Jan Engelhardt <jengelh@inai.de> changed:

           What    |Removed          |Added
----------------------------------------------------------------------------
                CC |jengelh@inai.de  |