Bug#889559: wavpack: heap buffer overflow while running wavpack

Sebastian Ramacher sramacher at debian.org
Sun Feb 4 19:59:27 UTC 2018 

Hi

On 2018-02-04 23:35:47, Joonun Jang wrote:
> Package: wavpack
> Version: 5.1.0-2
> Severity: important
> Tags: security
> 
> heap buffer overflow running wavpack with "-y poc.wav" option

Thanks for filing this. It's probably easier to file those directly upstream at
https://github.com/dbry/WavPack. I have forwarded the other two bug reports
there.

Cheers

> 
> Running 'wavpack -y poc.wav' with the attached file raises heap buffer overflow
> which may allow a remote attacker to cause unspecified impact including denial-of-service attack
> I expected the program to terminate without segfault, but the program crashes as follow
> 
> june at june:~/temp/report/wavpack/00009776$ ../../binary/wavpack-5.1.0/cli/.libs/wavpack -y poc.wav
> 
>  WAVPACK  Hybrid Lossless Audio Compressor  Linux Version 5.1.0
>  Copyright (c) 1998 - 2017 David Bryant.  All Rights Reserved.
> 
> creating poc.wv,=================================================================
> ==3834==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000ef91 at pc 0x7ffff6e8105b bp 0x7fffffffb2e0 sp 0x7fffffffaa90
> READ of size 2 at 0x60200000ef91 thread T0
>     #0 0x7ffff6e8105a  (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x4305a)
>     #1 0x55555557ad85 in ParseDsdiffHeaderConfig /home/june/temp/report/binary/wavpack-5.1.0/cli/dsdiff.c:171
>     #2 0x555555567c3a in pack_file /home/june/temp/report/binary/wavpack-5.1.0/cli/wavpack.c:1774
>     #3 0x555555565e5e in main /home/june/temp/report/binary/wavpack-5.1.0/cli/wavpack.c:1270
>     #4 0x7ffff65902b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
>     #5 0x5555555609a9 in _start (/home/june/temp/report/binary/wavpack-5.1.0/cli/.libs/wavpack+0xc9a9)
> 
> 0x60200000ef91 is located 0 bytes to the right of 1-byte region [0x60200000ef90,0x60200000ef91)
> allocated by thread T0 here:
>     #0 0x7ffff6effd28 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc1d28)
>     #1 0x55555557ac4a in ParseDsdiffHeaderConfig /home/june/temp/report/binary/wavpack-5.1.0/cli/dsdiff.c:156
>     #2 0x555555567c3a in pack_file /home/june/temp/report/binary/wavpack-5.1.0/cli/wavpack.c:1774
>     #3 0x555555565e5e in main /home/june/temp/report/binary/wavpack-5.1.0/cli/wavpack.c:1270
>     #4 0x7ffff65902b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
> 
> SUMMARY: AddressSanitizer: heap-buffer-overflow (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x4305a)
> Shadow bytes around the buggy address:
>   0x0c047fff9da0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0c047fff9db0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0c047fff9dc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0c047fff9dd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0c047fff9de0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> =>0x0c047fff9df0: fa fa[01]fa fa fa fd fd fa fa 03 fa fa fa 00 fa
>   0x0c047fff9e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0c047fff9e10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0c047fff9e20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0c047fff9e30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0c047fff9e40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> Shadow byte legend (one shadow byte represents 8 application bytes):
>   Addressable:           00
>   Partially addressable: 01 02 03 04 05 06 07
>   Heap left redzone:       fa
>   Heap right redzone:      fb
>   Freed heap region:       fd
>   Stack left redzone:      f1
>   Stack mid redzone:       f2
>   Stack right redzone:     f3
>   Stack partial redzone:   f4
>   Stack after return:      f5
>   Stack use after scope:   f8
>   Global redzone:          f9
>   Global init order:       f6
>   Poisoned by user:        f7
>   Container overflow:      fc
>   Array cookie:            ac
>   Intra object redzone:    bb
>   ASan internal:           fe
>   Left alloca redzone:     ca
>   Right alloca redzone:    cb
> ==3834==ABORTING
> 
> This bug was found with a fuzzer developed by 'SoftSec' group at KAIST
> 
> -- System Information:
> Debian Release: 9.3
>   APT prefers stable-updates
>   APT policy: (500, 'stable-updates'), (500, 'unstable'), (500, 'testing'), (500, 'stable')
> Architecture: amd64 (x86_64)
> 
> Kernel: Linux 4.9.0-3-amd64 (SMP w/1 CPU core)
> Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/dash
> Init: systemd (via /run/systemd/system)
> 
> Versions of packages wavpack depends on:
> ii  libc6        2.24-11+deb9u1
> ii  libwavpack1  5.1.0-2
> 
> wavpack recommends no packages.
> 
> wavpack suggests no packages.
> 
> -- no debconf information


> _______________________________________________
> pkg-multimedia-maintainers mailing list
> pkg-multimedia-maintainers at lists.alioth.debian.org
> http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-multimedia-maintainers


-- 
Sebastian Ramacher
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-multimedia-maintainers/attachments/20180204/0bed1268/attachment.sig>

More information about the pkg-multimedia-maintainers mailing list