Vigil@nce - libsndfile: integer overflow via PAF
August 2011 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can create a malicious PAF file and invite the victim
to open it, in order to create a denial of service in applications
linked to libsndfile.
Severity: 2/4
Creation date: 18/07/2011
IMPACTED PRODUCTS
– Debian Linux
– Fedora
– Mandriva Corporate
– Mandriva Enterprise Server
– Mandriva Linux
– OpenSUSE
– Red Hat Enterprise Linux
– SUSE Linux Enterprise Desktop
– SUSE Linux Enterprise Server
– Unix - platform
DESCRIPTION OF THE VULNERABILITY
Audio files in the Ensoniq PARIS Audio Format (PAF, Professional
Audio Recording Integrated System Audio Format) have the ".PAF"
extension. These files contain several audio channels.
The paf24_init() function in src/paf.c of the libsndfile library
opens PAF files. It reads the number of channels indicated in the
PAF file header and initializes, with memset(), a memory area used
to store information.
However, this function does not check whether the number of
channels exceeds SF_MAX_CHANNELS (256). Memory beyond the intended
area is therefore corrupted (overwritten with zeros) when memset()
is called.
An attacker can therefore create a malicious PAF file and invite
the victim to open it, in order to create a denial of service in
applications linked to libsndfile.
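The missing bound check described above, as an added illustration that is not libsndfile's own code: a simplified model of a PAF-style init that decodes a channel count from a constructed header field and rejects counts outside 1..SF_MAX_CHANNELS before that count sizes the memset(). Only SF_MAX_CHANNELS (256) comes from the bulletin; the struct layout, header encoding, per-channel size and function names are assumptions.

```c
#include <stdint.h>
#include <string.h>
/* Constructed illustration, not libsndfile source. SF_MAX_CHANNELS (256) is the
 * limit named in the bulletin; the struct, header encoding and sizes are assumed. */
#define SF_MAX_CHANNELS 256
#define BYTES_PER_CHANNEL 4

typedef struct {
    int channels;
    unsigned char chan_state[SF_MAX_CHANNELS * BYTES_PER_CHANNEL]; /* fixed size */
} paf24_state;

/* Decodes an assumed 32-bit big-endian channel-count field; >= 2^31 wraps negative. */
static int read_channels_be32(const unsigned char *hdr)
{
    uint32_t v = ((uint32_t)hdr[0] << 24) | ((uint32_t)hdr[1] << 16) |
                 ((uint32_t)hdr[2] << 8)  |  (uint32_t)hdr[3];
    return (int)v;
}

/* Pattern the bulletin describes: the untrusted count sizes memset() directly, so a
 * count above SF_MAX_CHANNELS zeroes memory past chan_state (and a negative count
 * becomes a huge size_t). Kept for contrast only; never called here. */
void paf24_init_unchecked(paf24_state *st, const unsigned char *hdr)
{
    st->channels = read_channels_be32(hdr);
    memset(st->chan_state, 0, (size_t)st->channels * BYTES_PER_CHANNEL);
}

/* Hardened version: reject counts outside 1..SF_MAX_CHANNELS before memset().
 * Returns 0 on success, -1 when the header is rejected. */
static int paf24_init_checked(paf24_state *st, const unsigned char *hdr)
{
    int channels = read_channels_be32(hdr);
    if (channels < 1 || channels > SF_MAX_CHANNELS)
        return -1;
    st->channels = channels;
    memset(st->chan_state, 0, (size_t)channels * BYTES_PER_CHANNEL);
    return 0;
}

/* Encodes a raw count as a constructed header field and runs the checked init.
 * Returns the accepted channel count, or -1 if such a file would be rejected. */
int checked_channels_from_header(uint32_t raw)
{
    unsigned char hdr[4] = { (unsigned char)(raw >> 24), (unsigned char)(raw >> 16),
                             (unsigned char)(raw >> 8),  (unsigned char)raw };
    paf24_state st;
    return paf24_init_checked(&st, hdr) == 0 ? st.channels : -1;
}
```

The check refuses both the oversized counts and the negative values that a 32-bit field can encode, since either would otherwise become an out-of-range memset() length.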
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/libsndfile-integer-overflow-via-PAF-10843