Hi

On 2018-02-04 23:35:47, Joonun Jang wrote:
> Package: wavpack
> Version: 5.1.0-2
> Severity: important
> Tags: security
>
> heap buffer overflow running wavpack with "-y poc.wav" option

Thanks for filing this. It's probably easier to file those directly upstream at https://github.com/dbry/WavPack. I have forwarded the other two bug reports there.

Cheers

> Running 'wavpack -y poc.wav' with the attached file raises heap buffer overflow
> which may allow a remote attacker to cause unspecified impact including
> denial-of-service attack.
> I expected the program to terminate without segfault, but the program crashes
> as follows:
>
> june@june:~/temp/report/wavpack/00009776$ ../../binary/wavpack-5.1.0/cli/.libs/wavpack -y poc.wav
>
> WAVPACK Hybrid Lossless Audio Compressor Linux Version 5.1.0
> Copyright (c) 1998 - 2017 David Bryant. All Rights Reserved.
>
> creating poc.wv,=================================================================
> ==3834==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000ef91 at pc 0x7ffff6e8105b bp 0x7fffffffb2e0 sp 0x7fffffffaa90
> READ of size 2 at 0x60200000ef91 thread T0
>     #0 0x7ffff6e8105a  (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x4305a)
>     #1 0x55555557ad85 in ParseDsdiffHeaderConfig /home/june/temp/report/binary/wavpack-5.1.0/cli/dsdiff.c:171
>     #2 0x555555567c3a in pack_file /home/june/temp/report/binary/wavpack-5.1.0/cli/wavpack.c:1774
>     #3 0x555555565e5e in main /home/june/temp/report/binary/wavpack-5.1.0/cli/wavpack.c:1270
>     #4 0x7ffff65902b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
>     #5 0x5555555609a9 in _start (/home/june/temp/report/binary/wavpack-5.1.0/cli/.libs/wavpack+0xc9a9)
>
> 0x60200000ef91 is located 0 bytes to the right of 1-byte region [0x60200000ef90,0x60200000ef91)
> allocated by thread T0 here:
>     #0 0x7ffff6effd28 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc1d28)
>     #1 0x55555557ac4a in ParseDsdiffHeaderConfig /home/june/temp/report/binary/wavpack-5.1.0/cli/dsdiff.c:156
>     #2 0x555555567c3a in pack_file /home/june/temp/report/binary/wavpack-5.1.0/cli/wavpack.c:1774
>     #3 0x555555565e5e in main /home/june/temp/report/binary/wavpack-5.1.0/cli/wavpack.c:1270
>     #4 0x7ffff65902b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
>
> SUMMARY: AddressSanitizer: heap-buffer-overflow (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x4305a)
> Shadow bytes around the buggy address:
>   0x0c047fff9da0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0c047fff9db0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0c047fff9dc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0c047fff9dd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0c047fff9de0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> =>0x0c047fff9df0: fa fa[01]fa fa fa fd fd fa fa 03 fa fa fa 00 fa
>   0x0c047fff9e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0c047fff9e10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0c047fff9e20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0c047fff9e30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0c047fff9e40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> Shadow byte legend (one shadow byte represents 8 application bytes):
>   Addressable:           00
>   Partially addressable: 01 02 03 04 05 06 07
>   Heap left redzone:       fa
>   Heap right redzone:      fb
>   Freed heap region:       fd
>   Stack left redzone:      f1
>   Stack mid redzone:       f2
>   Stack right redzone:     f3
>   Stack partial redzone:   f4
>   Stack after return:      f5
>   Stack use after scope:   f8
>   Global redzone:          f9
>   Global init order:       f6
>   Poisoned by user:        f7
>   Container overflow:      fc
>   Array cookie:            ac
>   Intra object redzone:    bb
>   ASan internal:           fe
>   Left alloca redzone:     ca
>   Right alloca redzone:    cb
> ==3834==ABORTING
>
> This bug was found with a fuzzer developed by the 'SoftSec' group at KAIST.
>
> -- System Information:
> Debian Release: 9.3
>   APT prefers stable-updates
>   APT policy: (500, 'stable-updates'), (500, 'unstable'), (500, 'testing'), (500, 'stable')
> Architecture: amd64 (x86_64)
>
> Kernel: Linux 4.9.0-3-amd64 (SMP w/1 CPU core)
> Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/dash
> Init: systemd (via /run/systemd/system)
>
> Versions of packages wavpack depends on:
> ii  libc6        2.24-11+deb9u1
> ii  libwavpack1  5.1.0-2
>
> wavpack recommends no packages.
>
> wavpack suggests no packages.
>
> -- no debconf information
>
> _______________________________________________
> pkg-multimedia-maintainers mailing list
> pkg-multimedia-maintain...@lists.alioth.debian.org
> http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-multimedia-maintainers

-- 
Sebastian Ramacher
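For readers following the trace above: the ASan report says a 1-byte heap region was allocated at dsdiff.c:156 and a 2-byte read hit it at dsdiff.c:171, i.e. a length taken from the input file sized the buffer, but the field decoded from that buffer was never checked against that length. The following is an added example, not WavPack's code and not the dsdiff.c parser named in the trace. It is a minimal bounds-checked reader for an IFF/DSDIFF-style chunk (4-byte ID plus 8-byte big-endian body length, with a 16-bit field at body offset 0; both are assumptions for illustration), fed constructed inputs that stand in for the reporter's poc.wav. The check that the body is at least as long as the field being read is what turns an out-of-bounds read into a clean parse error, and is the kind of fix a fuzzing finding like this one usually gets.

```c
/* Added example (not WavPack's code): bounds-checked chunk field reader.
 * Chunk layout assumed for illustration: 4-byte ID, 8-byte big-endian
 * body length, body. The field read is a 16-bit value at body offset 0. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CHUNK_HDR_LEN 12   /* 4-byte chunk ID + 8-byte big-endian body length */

static uint64_t read_be64(const unsigned char *p)
{
    uint64_t v = 0;
    for (int i = 0; i < 8; i++)
        v = (v << 8) | p[i];
    return v;
}

static uint16_t read_be16(const unsigned char *p)
{
    return (uint16_t)((p[0] << 8) | p[1]);
}

/* Parse one chunk from an in-memory file image and return its first 16-bit
 * body field in *out. Returns 0 on success, -1 if the input is malformed:
 * header truncated, claimed body longer than the data we hold, or body too
 * short for the field. The malloc/memcpy mirrors a parser that copies the
 * chunk body to a heap buffer sized from the file before decoding it. */
int parse_chunk_u16(const unsigned char *data, size_t len, uint16_t *out)
{
    if (len < CHUNK_HDR_LEN)
        return -1;                      /* not even a complete header */

    uint64_t body_len = read_be64(data + 4);

    if (body_len > (uint64_t)(len - CHUNK_HDR_LEN))
        return -1;                      /* claimed body runs past end of data */
    if (body_len < sizeof(uint16_t))
        return -1;                      /* body too small for a 2-byte field;
                                           without this check a 1-byte heap
                                           buffer would get a 2-byte read */

    unsigned char *body = malloc((size_t)body_len);
    if (!body)
        return -1;
    memcpy(body, data + CHUNK_HDR_LEN, (size_t)body_len);
    *out = read_be16(body);
    free(body);
    return 0;
}

/* Constructed inputs (not the reporter's poc.wav). */
/* Well-formed: body length 2, body bytes 0x00 0x02 -> field value 2. */
static const unsigned char good_chunk[] = {
    'C', 'H', 'N', 'L',
    0, 0, 0, 0, 0, 0, 0, 2,
    0x00, 0x02
};
/* Malformed: body length 1 with one body byte. Reading a 2-byte field from
 * a 1-byte allocation is the shape of the overflow in the ASan report. */
static const unsigned char short_chunk[] = {
    'C', 'H', 'N', 'L',
    0, 0, 0, 0, 0, 0, 0, 1,
    0x00
};
/* Malformed: body length claims 4096 bytes but only 2 are present. */
static const unsigned char overlong_chunk[] = {
    'C', 'H', 'N', 'L',
    0, 0, 0, 0, 0, 0, 0x10, 0x00,
    0x00, 0x02
};

/* Returns the decoded field for the good chunk, or -1 on parse failure. */
int good_value(void)
{
    uint16_t v = 0;
    return parse_chunk_u16(good_chunk, sizeof good_chunk, &v) == 0 ? (int)v : -1;
}

/* Return codes for the two malformed chunks (expected: -1 for both). */
int check_short(void)
{
    uint16_t v = 0;
    return parse_chunk_u16(short_chunk, sizeof short_chunk, &v);
}

int check_overlong(void)
{
    uint16_t v = 0;
    return parse_chunk_u16(overlong_chunk, sizeof overlong_chunk, &v);
}

int main(void)
{
    printf("good chunk:     value=%d\n", good_value());
    printf("short chunk:    rc=%d (rejected)\n", check_short());
    printf("overlong chunk: rc=%d (rejected)\n", check_overlong());
    return 0;
}
```

Built with `-fsanitize=address`, removing the `body_len < sizeof(uint16_t)` check and feeding `short_chunk` reproduces the same "READ of size 2 ... 0 bytes to the right of 1-byte region" shape seen in the report, which makes it a convenient regression case to keep next to a real fix.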