[arch-security] [ASA-201708-9] audiofile: multiple issues

Remi Gacogne rgacogne at archlinux.org
Tue Aug 15 09:22:01 UTC 2017


Arch Linux Security Advisory ASA-201708-9
=========================================

Severity: High
Date    : 2017-08-14
CVE-ID  : CVE-2017-6827 CVE-2017-6828 CVE-2017-6829 CVE-2017-6830
          CVE-2017-6831 CVE-2017-6832 CVE-2017-6833 CVE-2017-6834
          CVE-2017-6835 CVE-2017-6836 CVE-2017-6837 CVE-2017-6838
          CVE-2017-6839
Package : audiofile
Type    : multiple issues
Remote  : No
Link    : https://security.archlinux.org/AVG-205

Summary
=======

The package audiofile before version 0.3.6-4 is vulnerable to multiple
issues including arbitrary code execution, arbitrary command execution
and denial of service.

Resolution
==========

Upgrade to 0.3.6-4.

# pacman -Syu "audiofile>=0.3.6-4"

The problems have been fixed upstream but no release is available yet.
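
To confirm whether a host still carries an affected build, the installed version can be compared against the fixed one. The script below is an added example, not part of the original advisory; the function names and the sample package list are constructed, and the `sort -V` fallback is an assumption for systems without pacman's `vercmp`.

```sh
#!/bin/sh
# Added example: flag audiofile builds older than the fix in ASA-201708-9.
FIXED="0.3.6-4"   # fixed version stated in the advisory

# ver_ge A B: succeed if version A >= version B.
ver_ge() {
    if command -v vercmp >/dev/null 2>&1; then
        # vercmp ships with pacman and prints -1, 0 or 1
        [ "$(vercmp "$1" "$2")" -ge 0 ]
    else
        # Assumption: GNU `sort -V` ordering is adequate for plain
        # pkgver-pkgrel strings (no epoch handling is claimed here).
        [ "$(printf '%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
    fi
}

# Read `pacman -Q` style lines ("name version") on stdin and report every
# audiofile entry. Returns 1 if any entry is older than $FIXED.
audit_audiofile() {
    af_rc=0
    while read -r af_name af_ver; do
        [ "$af_name" = "audiofile" ] || continue
        if ver_ge "$af_ver" "$FIXED"; then
            echo "ok         audiofile $af_ver"
        else
            echo "VULNERABLE audiofile $af_ver (need >= $FIXED)"
            af_rc=1
        fi
    done
    return "$af_rc"
}

# Constructed sample input in `pacman -Q` format (not from a real host).
SAMPLE='alsa-lib 1.1.4.1-1
audiofile 0.3.6-3
zlib 1:1.2.11-1'

printf '%s\n' "$SAMPLE" | audit_audiofile || echo "upgrade required"
```

On a real Arch host, feed it live data with `pacman -Q audiofile | audit_audiofile`.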

Workaround
==========

None.

Description
===========

- CVE-2017-6827 (arbitrary code execution)

Heap-based buffer overflow in msadpcmInitializeCoefficients
(msadpcm.cpp) could lead to arbitrary code execution.

- CVE-2017-6828 (arbitrary code execution)

Heap-based buffer overflow in readValue (filehandle.cpp) could lead to
arbitrary code execution.

- CVE-2017-6829 (arbitrary code execution)

Global buffer overflow in decodesample (ima.cpp) that could lead to
arbitrary code execution.

- CVE-2017-6830 (arbitrary code execution)

Heap-based buffer overflow in alaw2linear_buf that could lead to
arbitrary code execution.

- CVE-2017-6831 (arbitrary code execution)

Heap-based buffer overflow in IMA::decodeBlockWAVE (IMA.cpp) that could
lead to arbitrary code execution.

- CVE-2017-6832 (arbitrary code execution)

Heap-based buffer overflow in MSADPCM::decodeBlock (MSADPCM.cpp) that
could lead to arbitrary code execution.

- CVE-2017-6833 (denial of service)

Divide-by-zero triggers a crash in BlockCodec::runPull
(BlockCodec.cpp).

- CVE-2017-6834 (arbitrary code execution)

Heap-based buffer overflow in ulaw2linear_buf (G711.cpp).

- CVE-2017-6835 (denial of service)

Divide-by-zero triggers a crash in BlockCodec::reset1 (BlockCodec.cpp).

- CVE-2017-6836 (arbitrary command execution)

Heap-based buffer overflow in Expand3To4Module::run
(SimpleModule.h).

- CVE-2017-6837 (denial of service)

Integer overflow triggering an assertion on the WAVE module using
sfconvert.

- CVE-2017-6838 (denial of service)

Integer overflow with the sfconvert command.

- CVE-2017-6839 (denial of service)

Integer overflow in sfconvert with the MSADPCM module.

Impact
======

An attacker can cause a denial of service, or execute arbitrary code or
commands on the affected host, via a crafted audio file.

References
==========

https://blogs.gentoo.org/ago/2017/02/20/audiofile-heap-based-buffer-overflow-in-msadpcminitializecoefficients-msadpcm-cpp/
https://blogs.gentoo.org/ago/2017/02/20/audiofile-heap-based-buffer-overflow-in-readvalue-filehandle-cpp/
https://blogs.gentoo.org/ago/2017/02/20/audiofile-global-buffer-overflow-in-decodesample-ima-cpp/
https://blogs.gentoo.org/ago/2017/02/20/audiofile-heap-based-buffer-overflow-in-alaw2linear_buf-g711-cpp/
https://blogs.gentoo.org/ago/2017/02/20/audiofile-heap-based-buffer-overflow-in-imadecodeblockwave-ima-cpp/
https://blogs.gentoo.org/ago/2017/02/20/audiofile-heap-based-buffer-overflow-in-msadpcmdecodeblock-msadpcm-cpp/
https://blogs.gentoo.org/ago/2017/02/20/audiofile-divide-by-zero-in-blockcodecrunpull-blockcodec-cpp/
https://blogs.gentoo.org/ago/2017/02/20/audiofile-heap-based-buffer-overflow-in-ulaw2linear_buf-g711-cpp/
https://blogs.gentoo.org/ago/2017/02/20/audiofile-divide-by-zero-in-blockcodecreset1-blockcodec-cpp/
https://blogs.gentoo.org/ago/2017/02/20/audiofile-heap-based-buffer-overflow-in-expand3to4modulerun-simplemodule-h/
https://blogs.gentoo.org/ago/2017/02/20/audiofile-multiple-ubsan-crashes/
https://security.archlinux.org/CVE-2017-6827
https://security.archlinux.org/CVE-2017-6828
https://security.archlinux.org/CVE-2017-6829
https://security.archlinux.org/CVE-2017-6830
https://security.archlinux.org/CVE-2017-6831
https://security.archlinux.org/CVE-2017-6832
https://security.archlinux.org/CVE-2017-6833
https://security.archlinux.org/CVE-2017-6834
https://security.archlinux.org/CVE-2017-6835
https://security.archlinux.org/CVE-2017-6836
https://security.archlinux.org/CVE-2017-6837
https://security.archlinux.org/CVE-2017-6838
https://security.archlinux.org/CVE-2017-6839
