When opening a crafted PAF file with channels=0 in the header, I receive a floating point exception error from libsndfile. I have verified this is different than any of the reported SIGFPEs in CVE-2009-4835, as they don't work on v21 or v25. This has been tested on two systems with four versions of libsndfile:
Ubuntu 10.04.4:
* libsndfile-1.0.20 from CVE-2009-4835 reports
* libsndfile-1.0.21-2 from /usr/lib via the 10.04 repository
* libsndfile-1.0.25 compiled on the machine from the author's source page
Ubuntu 12.04:
* libsndfile-1.0.25-4 from /usr/lib/x86_64-linux-gnu via the 12.04 repository
* libsndfile-1.0.25 compiled on the machine from the author's source page
On 10.04.4 I used the test programs "lt-sndfile-info" and "lt-sndfile-to-text". On 12.04 I just used "lt-sndfile-to-text". An example:
------------
$ ./lt-sndfile-info a.paf
Version : libsndfile-1.0.25
Floating point exception
------------
I have attached a tar file with the crafted audio file, a.paf. It also includes another, b.paf, where the only change is channels=1 to demonstrate different behavior.
Though this isn't a serious problem (libsndfile isn't a service), I've tagged it as a security vulnerability since I presume it's going to be a CWE_369 (I haven't looked at the source myself).
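Added example, not part of the original report and not libsndfile's own code: a sketch of the header validation that prevents a divide-by-zero (CWE-369) when a channel count of 0 is read from an untrusted file. The header layout, the constants, and the names `frames_from_header` and `sample_frames` are assumptions made for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Assumed layout for this example only: a fixed-size header of big-endian
 * 32-bit fields with the channel count at byte offset 20. */
#define HDR_LEN      28
#define OFF_CHANNELS 20
#define MAX_CHANNELS 1024 /* arbitrary sanity bound chosen for the example */

enum { HDR_OK = 0, HDR_TRUNCATED = -1, HDR_BAD_CHANNELS = -2, HDR_BAD_WIDTH = -3 };

static uint32_t be32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Derive the frame count from untrusted header data. The divisor is proven
 * non-zero before the division runs; an unchecked integer division by zero
 * is what x86 Linux reports as "Floating point exception" (SIGFPE). */
int frames_from_header(const unsigned char *hdr, size_t len, uint64_t data_bytes,
                       uint32_t bytes_per_sample, uint64_t *frames)
{
    if (hdr == NULL || frames == NULL || len < HDR_LEN)
        return HDR_TRUNCATED;
    uint32_t channels = be32(hdr + OFF_CHANNELS);
    if (channels == 0 || channels > MAX_CHANNELS)
        return HDR_BAD_CHANNELS;
    if (bytes_per_sample == 0 || bytes_per_sample > 8)
        return HDR_BAD_WIDTH;
    *frames = data_bytes / ((uint64_t)channels * bytes_per_sample);
    return HDR_OK;
}

/* Constructed header with only the channel count filled in, standing in
 * for a.paf (channels=0) and b.paf (channels=1); 4096 data bytes, 16-bit. */
int sample_frames(uint32_t channels, uint64_t *frames)
{
    unsigned char hdr[HDR_LEN] = { 0 };
    hdr[OFF_CHANNELS + 2] = (unsigned char)(channels >> 8);
    hdr[OFF_CHANNELS + 3] = (unsigned char)channels;
    return frames_from_header(hdr, sizeof hdr, 4096, 2, frames);
}

int main(void)
{
    uint64_t f = 0;
    int rc0 = sample_frames(0, &f);
    int rc1 = sample_frames(1, &f);
    printf("channels=0 -> %d\nchannels=1 -> %d, frames=%llu\n",
           rc0, rc1, (unsigned long long)f);
    return 0;
}
```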