Your message dated Tue, 3 Aug 2010 18:05:34 +1000
with message-id <[email protected]>
and subject line libsndfile1: Crafted files can trigger divide by zero
has caused the Debian Bug report #530831,
regarding libsndfile1: Crafted files can trigger divide by zero
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
530831: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=530831
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: libsndfile1
Version: 1.0.20-1
Severity: normal
Tags: security

Hi,

I have discovered six different SIGFPE crashes with crafted input
files in libsndfile. Triggering input files are attached.

The crashes are:

1) in htk.c:198 (htk_read_header), divisor sample_period can be 0.

2) in alaw.c:72 (alaw_init), divisor psf->blockwidth can be 0.

3) in ulaw.c:62 (ulaw_init), divisor psf->blockwidth can be 0.

4) in pcm.c:274 (pcm_init), divisor psf->blockwidth can be 0.

5) in float32.c:244 (float32_init), divisor psf->blockwidth can be 0.

6) in sds.c:279 (sds_read_header), psds->bitwidth can be 0, resulting
   in divisor ((psds->bitwidth + 6) / 7) getting the value of 0.

Run for example sndfile-info (from the sndfile-programs package) with
one of these files as parameter to see the crash.

I don't know what the security impact is, but since I assume
libsndfile is used by lots of applications for data obtained from
untrusted sources, I thought I'd tag this security. In any case it
should be at most denial of service. Untag if you think it's not
securitywise important.

        Sami


-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.29.3 (SMP w/4 CPU cores; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages libsndfile1 depends on:
ii  libc6                       2.9-13       GNU C Library: Shared libraries
ii  libflac8                    1.2.1-1.2    Free Lossless Audio Codec - runtim
ii  libogg0                     1.1.3-5      Ogg Bitstream Library
ii  libvorbis0a                 1.2.0.dfsg-4 The Vorbis General Audio Compressi
ii  libvorbisenc2               1.2.0.dfsg-4 The Vorbis General Audio Compressi

libsndfile1 recommends no packages.

libsndfile1 suggests no packages.

-- no debconf information

Attachment: 1.data
Description: Binary data

Attachment: 2.data
Description: Binary data

Attachment: 3.data
Description: Binary data

Attachment: 4.data
Description: Binary data

Attachment: 5.data
Description: Binary data

Attachment: 6.data
Description: Binary data

Attachment: signature.asc
Description: Digital signature


--- End Message ---
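Added example, not part of the original report and not libsndfile code: a C sketch of validating header-derived divisors before dividing, covering the direct case (items 2-5, blockwidth) and the derived case (item 6, bitwidth). The struct, function names, error codes and MAX_BITWIDTH limit are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical header fields, all parsed from an untrusted file. */
struct hdr {
    int64_t datalength; /* bytes of audio data */
    int blockwidth;     /* bytes per frame: the divisor in items 2-5 */
    int bitwidth;       /* bits per sample: feeds the divisor in item 6 */
};

enum { HDR_OK = 0, HDR_BAD_LENGTH = -1, HDR_BAD_BLOCKWIDTH = -2, HDR_BAD_BITWIDTH = -3 };
#define MAX_BITWIDTH 32 /* assumed sanity limit, not taken from any format spec */

/* frames = datalength / blockwidth. Rejecting <= 0 rather than == 0 also
   rules out INT64_MIN / -1, which traps the same way on x86. */
static int frames_from_blockwidth(const struct hdr *h, int64_t *frames)
{
    if (h->datalength < 0) return HDR_BAD_LENGTH;
    if (h->blockwidth <= 0) return HDR_BAD_BLOCKWIDTH;
    *frames = h->datalength / h->blockwidth;
    return HDR_OK;
}

/* Item 6: the divisor is derived as (bitwidth + 6) / 7, which is 0 for
   bitwidth 0, so validate the field before deriving anything from it. */
static int samples_from_bitwidth(const struct hdr *h, int64_t *samples)
{
    if (h->datalength < 0) return HDR_BAD_LENGTH;
    if (h->bitwidth <= 0 || h->bitwidth > MAX_BITWIDTH) return HDR_BAD_BITWIDTH;
    int bytes_per_sample = (h->bitwidth + 6) / 7; /* >= 1 after the check */
    *samples = h->datalength / bytes_per_sample;
    return HDR_OK;
}

int main(void)
{
    /* Constructed headers: one sane, one with the zeroed fields from the report. */
    struct hdr good = { 4096, 4, 16 }, bad = { 4096, 0, 0 };
    int64_t n = 0;
    printf("good frames:  rc=%d", frames_from_blockwidth(&good, &n));
    printf(" n=%lld\n", (long long)n);
    printf("bad frames:   rc=%d\n", frames_from_blockwidth(&bad, &n));
    printf("bad samples:  rc=%d\n", samples_from_bitwidth(&bad, &n));
    return 0;
}
```
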
--- Begin Message ---

This bug seems to have been fixed for some time. No divide by zero
on any of these files with libsndfile-1.0.21-3.

Cheers,
Erik
-- 
----------------------------------------------------------------------
Erik de Castro Lopo
http://www.mega-nerd.com/


--- End Message ---
