SIGFPE crash with crafted PAF file

Bug #1036831 reported by William Ella
This bug affects 1 person
Affects: libsndfile (Ubuntu) | Status: Fix Released | Importance: Undecided | Assigned to: Unassigned | Milestone: none

Bug Description

When opening a crafted PAF file with channels=0 in the header, I receive a floating point exception error from libsndfile. I have verified this is different than any of the reported SIGFPEs in CVE-2009-4835, as they don't work on v21 or v25. This has been tested on two systems with four versions of libsndfile:

Ubuntu 10.04.4:
  * libsndfile-1.0.20 from CVE-2009-4835 reports
  * libsndfile-1.0.21-2 from /usr/lib via the 10.04 repository
  * libsndfile-1.0.25 compiled on the machine from the author's source page

Ubuntu 12.04:
  * libsndfile-1.0.25-4 from /usr/lib/x86_64-linux-gnu via the 12.04 repository
  * libsndfile-1.0.25 compiled on the machine from the author's source page

On 10.04.4 I used the test programs "lt-sndfile-info", "lt-sndfile-to-text", and "Audacity 1.3.12-beta". On 12.04 I just used "lt-sndfile-to-text". An example:

------------
$ ./lt-sndfile-info a.paf

Version : libsndfile-1.0.25

Floating point exception
------------

I have attached a tar file with the crafted audio file, a.paf. It also includes another, b.paf, where the only change is channels=1 to demonstrate different behavior.

Though this isn't a serious problem (libsndfile isn't a service), I've tagged it as a security vulnerability since I presume it's going to be a CWE-369 (I haven't looked at the source myself).
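As an added illustration of the divide-by-zero failure mode the report describes (this is not code from the bug, from libsndfile, or from the linked fix commit): a minimal header parser that validates the channel count before it is ever used as a divisor, shown beside the unchecked pattern that raises SIGFPE. The PAF field layout, the 1024-channel bound and the 4096-byte payload are assumptions made for this demonstration only.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Added example, not libsndfile code. Assumed layout: 4-byte "PAF " magic, then six
 * big-endian 32-bit fields (version, endianness, samplerate, format, channels, source),
 * padded to 2048 bytes. Field names follow the bug report; the layout is an assumption. */
#define PAF_HEADER_LEN 2048
#define PAF_MAX_CHANNELS 1024   /* sanity bound chosen for this demo, not libsndfile's */

typedef struct { uint32_t version, endianness, samplerate, format, channels, source; } paf_fmt;

static uint32_t rd_be32(const uint8_t *p)
{   return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3]; }

static void wr_be32(uint8_t *p, uint32_t v)
{   p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16); p[2] = (uint8_t)(v >> 8); p[3] = (uint8_t)v; }

/* Parse the fixed header; returns 0 on success, -1 on a short buffer or bad magic. */
int paf_parse_header(const uint8_t *buf, size_t len, paf_fmt *out)
{
    if (len < 28 || memcmp(buf, "PAF ", 4) != 0) return -1;
    uint32_t *fields[] = { &out->version, &out->endianness, &out->samplerate,
                           &out->format, &out->channels, &out->source };
    for (size_t i = 0; i < 6; i++) *fields[i] = rd_be32(buf + 4 + 4 * i);
    return 0;
}

/* Bug pattern from the report: an attacker-controlled channel count is used as a
 * divisor, so channels=0 makes the divisor 0 and raises SIGFPE (CWE-369). Not exercised here. */
long paf_frames_unchecked(const paf_fmt *f, size_t data_bytes, size_t bytes_per_sample)
{   return (long)(data_bytes / (f->channels * bytes_per_sample)); }

/* Hardened form: reject impossible channel counts before any arithmetic uses them. */
int paf_frames_checked(const paf_fmt *f, size_t data_bytes, size_t bytes_per_sample, long *frames)
{
    if (f->channels < 1 || f->channels > PAF_MAX_CHANNELS || bytes_per_sample < 1) return -1;
    *frames = (long)(data_bytes / ((size_t)f->channels * bytes_per_sample));
    return 0;
}

/* Constructed sample: build a header with the given channel count, parse it, and compute
 * the frame count for a notional 4096-byte 16-bit payload. Returns -1 if the header is rejected. */
long paf_demo(uint32_t channels)
{
    uint8_t hdr[PAF_HEADER_LEN] = { 0 };
    uint32_t vals[6] = { 0, 0, 44100, 0, channels, 0 };
    paf_fmt f; long frames;
    memcpy(hdr, "PAF ", 4);
    for (size_t i = 0; i < 6; i++) wr_be32(hdr + 4 + 4 * i, vals[i]);
    if (paf_parse_header(hdr, sizeof hdr, &f) != 0) return -1;
    return paf_frames_checked(&f, 4096, 2, &frames) == 0 ? frames : -1;
}
```

With channels=0 the checked path returns an error where the unchecked path would trap; channels=1 yields 2048 frames for the constructed payload.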

William Ella (billy-ella) wrote :
description: updated
William Ella (billy-ella) wrote :

This also affects libsndfile on Windows, as it's bundled with programs like the Windows version of Audacity. I didn't feel that was appropriate for the main text in an Ubuntu bug report though.

Jamie Strandboge (jdstrand) wrote :

Thank you for using Ubuntu and reporting a bug. Since SIGFPE is not exploitable, Ubuntu is not going to treat this as a security vulnerability. As such, I will mark this bug as public. I encourage you to contact upstream directly at http://www.mega-nerd.com/libsndfile/. After which Ubuntu will get the fix through our normal development process. Thanks again.

Changed in libsndfile (Ubuntu):
status: New → Confirmed
security vulnerability: yes → no
visibility: private → public
William Ella (billy-ella) wrote :

Thanks for the advice! I've just sent the author a quick message about it.

Erik de Castro Lopo (erikd) wrote :

Fixed in the following git commit:

https://github.com/erikd/libsndfile/commit/8680d870447f470a56ece1204d0a5d3d46ff12c3

Thanks for the bug report.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package libsndfile - 1.0.31-1ubuntu1

---------------
libsndfile (1.0.31-1ubuntu1) hirsute; urgency=medium

  * debian/rules: forcefully enable tests (they are disabled by default on
    riscv64 in Ubuntu) because libsndfile1-dev wants to install test binaries
    (LP: #1917650)

 -- Olivier Tilloy <email address hidden> Wed, 03 Mar 2021 17:53:18 +0100

Changed in libsndfile (Ubuntu):
status: Confirmed → Fix Released