Sami Liedes
2009-May-28 06:26 UTC
[Secure-testing-team] Bug#530831: libsndfile1: Crafted files can trigger divide by zero
Package: libsndfile1
Version: 1.0.20-1
Severity: normal
Tags: security

Hi,

I have discovered six different SIGFPE crashes with crafted input files in libsndfile. Triggering input files are attached. The crashes are:

1) in htk.c:198 (htk_read_header), divisor sample_period can be 0.
2) in alaw.c:72 (alaw_init), divisor psf->blockwidth can be 0.
3) in ulaw.c:62 (ulaw_init), divisor psf->blockwidth can be 0.
4) in pcm.c:274 (pcm_init), divisor psf->blockwidth can be 0.
5) in float32.c:244 (float32_init), divisor psf->blockwidth can be 0.
6) in sds.c:279 (sds_read_header), psds->bitwidth can be 0, resulting in divisor ((psds->bitwidth + 6) / 7) getting the value of 0.

Run for example sndfile-info (from the sndfile-programs package) with one of these files as parameter to see the crash.

I don't know what the security impact is, but since I assume libsndfile is used by lots of applications for data obtained from untrusted sources, I thought I'd tag this security. In any case it should be at most denial of service. Untag if you think it's not securitywise important.

Sami

-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.29.3 (SMP w/4 CPU cores; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages libsndfile1 depends on:
ii  libc6          2.9-13        GNU C Library: Shared libraries
ii  libflac8       1.2.1-1.2     Free Lossless Audio Codec - runtim
ii  libogg0        1.1.3-5       Ogg Bitstream Library
ii  libvorbis0a    1.2.0.dfsg-4  The Vorbis General Audio Compressi
ii  libvorbisenc2  1.2.0.dfsg-4  The Vorbis General Audio Compressi

libsndfile1 recommends no packages.
libsndfile1 suggests no packages.

-- no debconf information

Attachments (non-text attachments scrubbed by the list software; 50 bytes each):
1.data (application/octet-stream): http://lists.alioth.debian.org/pipermail/secure-testing-team/attachments/20090528/5e515585/attachment.obj
2.data (application/octet-stream): http://lists.alioth.debian.org/pipermail/secure-testing-team/attachments/20090528/5e515585/attachment-0001.obj
3.data (application/octet-stream): http://lists.alioth.debian.org/pipermail/secure-testing-team/attachments/20090528/5e515585/attachment-0002.obj
4.data (application/octet-stream): http://lists.alioth.debian.org/pipermail/secure-testing-team/attachments/20090528/5e515585/attachment-0003.obj
5.data (application/octet-stream): http://lists.alioth.debian.org/pipermail/secure-testing-team/attachments/20090528/5e515585/attachment-0004.obj
6.data (application/octet-stream): http://lists.alioth.debian.org/pipermail/secure-testing-team/attachments/20090528/5e515585/attachment-0005.obj
Digital signature (application/pgp-signature, 835 bytes): http://lists.alioth.debian.org/pipermail/secure-testing-team/attachments/20090528/5e515585/attachment.pgp
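The six crashes above are one bug class: a divisor is read straight from the file (sample_period, blockwidth, or a value derived from bitwidth) and used without a zero check. The following is an added example written for this page, not libsndfile code and not the reporter's: a small HTK-style header reader that validates every file-supplied divisor before dividing, plus the guard for the blockwidth and bitwidth cases. It assumes the standard 12-byte big-endian HTK header (nSamples, sampPeriod in 100 ns units, sampSize, parmKind) and the usual conversion of sampPeriod to a sample rate; the function names, error codes and the two constructed headers are the example's own, not anything from htk.c.

```c
/* Added example, not libsndfile code: reject the zero divisors behind the
 * six SIGFPE crashes instead of dividing blindly. Assumes the standard
 * 12-byte big-endian HTK header (nSamples, sampPeriod in 100 ns units,
 * sampSize, parmKind); names and error codes are this example's own. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define HTK_HEADER_LEN       12
#define HTK_TICKS_PER_SECOND 10000000u   /* sampPeriod is in 100 ns units */

enum htk_status {
    HTK_OK              =  0,
    HTK_ERR_SHORT       = -1,   /* fewer than 12 bytes available */
    HTK_ERR_ZERO_PERIOD = -2,   /* crash #1: sample_period == 0 */
    HTK_ERR_ZERO_SIZE   = -3    /* sample size 0, same class as blockwidth == 0 */
};

struct htk_header {
    uint32_t n_samples;
    uint32_t sample_period;
    uint16_t sample_size;
    uint16_t parm_kind;
    uint32_t samplerate;        /* derived: HTK_TICKS_PER_SECOND / sample_period */
};

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

static uint16_t be16(const uint8_t *p)
{
    return (uint16_t)(((uint16_t)p[0] << 8) | p[1]);
}

/* Parse and validate. Returns HTK_OK or a negative enum htk_status.
 * Every field that later serves as a divisor is checked before use. */
int htk_read_header(const uint8_t *buf, size_t len, struct htk_header *out)
{
    struct htk_header h;

    if (buf == NULL || len < HTK_HEADER_LEN)
        return HTK_ERR_SHORT;
    h.n_samples     = be32(buf);
    h.sample_period = be32(buf + 4);
    h.sample_size   = be16(buf + 8);
    h.parm_kind     = be16(buf + 10);
    if (h.sample_period == 0)
        return HTK_ERR_ZERO_PERIOD;   /* unchecked, this would be 10000000 / 0 */
    if (h.sample_size == 0)
        return HTK_ERR_ZERO_SIZE;
    h.samplerate = HTK_TICKS_PER_SECOND / h.sample_period;
    if (out)
        *out = h;
    return HTK_OK;
}

/* Sample rate from a header, or 0 if the header is rejected. */
uint32_t htk_samplerate(const uint8_t *buf, size_t len)
{
    struct htk_header h;
    return htk_read_header(buf, len, &h) == HTK_OK ? h.samplerate : 0;
}

/* Guard for blockwidth-style divisors (crashes #2 to #5): -1 on zero divisor. */
int checked_div(uint32_t num, uint32_t den, uint32_t *quot)
{
    if (den == 0)
        return -1;
    if (quot)
        *quot = num / den;
    return 0;
}

/* Crash #6: (bitwidth + 6) / 7 is itself used as a divisor and is 0 when
 * bitwidth is 0. Returns -1 if the derived divisor would be zero. */
int sds_word_count(uint32_t bitwidth, uint32_t *words)
{
    uint32_t w = (bitwidth + 6) / 7;   /* unsigned wrap for huge bitwidth also yields 0 */
    if (w == 0)
        return -1;
    if (words)
        *words = w;
    return 0;
}

/* Constructed inputs: a sane header (100 samples, 625 * 100 ns = 16 kHz,
 * 2-byte samples) and the crafted variant with sampPeriod zeroed. */
static const uint8_t GOOD_HEADER[HTK_HEADER_LEN] =
    { 0x00,0x00,0x00,0x64, 0x00,0x00,0x02,0x71, 0x00,0x02, 0x00,0x00 };
static const uint8_t ZERO_PERIOD_HEADER[HTK_HEADER_LEN] =
    { 0x00,0x00,0x00,0x64, 0x00,0x00,0x00,0x00, 0x00,0x02, 0x00,0x00 };

int main(void)
{
    printf("good header: samplerate=%u\n",
           htk_samplerate(GOOD_HEADER, sizeof GOOD_HEADER));
    printf("zero sampPeriod: rc=%d (rejected, no SIGFPE)\n",
           htk_read_header(ZERO_PERIOD_HEADER, sizeof ZERO_PERIOD_HEADER, NULL));
    printf("sds bitwidth 0: rc=%d\n", sds_word_count(0, NULL));
    return 0;
}
```

The point is where the check sits: before any arithmetic that uses the field, not after a crash or in the caller. An equivalent patch for the reported sites would validate psf->blockwidth and psds->bitwidth at the point they are read from the file, so every *_init routine downstream can assume a non-zero value.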