Ubuntu
libsndfile package

SIGFPE crash with crafted PAF file

Bug #1036831 reported by William Ella on 2012-08-14

This bug affects 1 person

Affects

Status

Importance

Assigned to

Milestone

libsndfile (Ubuntu)

Confirmed

Undecided

Unassigned

You need to log in to change this bug's status.

Affecting:	libsndfile (Ubuntu)
Filed here by:	William Ella
When:	2012-08-14
Confirmed:	2012-08-17

Target

Distribution
Package	(Find…)
Project	(Find…)

Status	Importance
	Undecided

Assigned to

	Nobody
	Me

Comment on this change (optional)

Email me about changes to this bug report

(?)

Bug Description

When opening a crafted PAF file with channels=0 in the header, I receive a floating point exception error from libsndfile. I have verified this is different than any of the reported SIGFPEs in CVE-2009-4835, as they don't work on v21 or v25. This has been tested on two systems with four versions of libsndfile:

Ubuntu 10.04.4:
  *libsndfile-1.0.20 from CVE-2009-4835 reports
  *libsndfile-1.0.21-2 from /usr/lib via the 10.04 repository
  *libsndfile-1.0.25 compiled on the machine from the author's source page

Ubuntu 12.04
*libsndfile-1.0.25-4 from /usr/lib/x86_64-linux-gnu via the 12.04 repository
*libsndfile-1.0.25 compiled on the machine from the author's source page

On 10.04.4 I used the test programs "lt-sndfile-info", "lt-sndfile-to-text", and "Audacity 1.3.12-beta". On 12.04 I just used "lt-sndfile-to-text". An example:

------------
$ ./lt-sndfile-info a.paf

Version : libsndfile-1.0.25

Floating point exception
------------

I have attached a tar file with the crafted audio file, a.paf. It also includes another, b.paf, where the only change is channels=1 to demonstrate different behavior.

Though this isn't a serious problem (libsndfile isn't a service), I've tagged it as a security vulnerability since I presume it's going to be a CWE_369 (I haven't looked at the source myself).

See original description

Add tags Tag help

William Ella (billy-ella) wrote on 2012-08-14:

Crafted PAF files with channels=0 and channels=1 Edit (570.0 KiB, application/x-tar)

William Ella (billy-ella) on 2012-08-14

description:

updated

William Ella (billy-ella) wrote on 2012-08-14:

This also affects libsndfile on Windows, as it's bundled with programs like the Windows version of Audacity. I didn't feel that was appropriate for the main text in an Ubuntu bug report though.

Jamie Strandboge (jdstrand) wrote on 2012-08-17:

Thank you for using Ubuntu and reporting a bug. Since SIGFPE is not exploitable, Ubuntu is not going to treat this as a security vulnerability. As such, I will mark this bug as public. I encourage you to contact upstream directly at http://www.mega-nerd.com/libsndfile/. After which Ubuntu will get the fix through our normal development process. Thanks again.