Vigil@nce: libsndfile, integer overflow via CAF
March 2009 by Vigil@nce
An attacker can create a malicious CAF file in order to execute
code in applications linked to libsndfile.
– Gravity: 2/4
– Consequences: user access/rights, denial of service of client
– Provenance: document
– Means of attack: no proof of concept, no attack
– Ability of attacker: expert (4/4)
– Confidence: confirmed by the editor (5/5)
– Diffusion of the vulnerable configuration: high (3/3)
– Creation date: 04/03/2009
IMPACTED PRODUCTS
– Mandriva Linux
– Unix - platform
DESCRIPTION OF THE VULNERABILITY
The CAF (Core Audio File) format is used to store audio data.
The caf_read_header() function of the libsndfile library does not
check the channels_per_frame field. A CAF file can thus contain a
negative channels_per_frame value in order to corrupt memory.
An attacker can therefore create a malicious CAF file in order to
execute code in applications linked to libsndfile.
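The missing check, as an added example (not libsndfile's code and not the vendor patch): a bounds check on the channel count of a CAF description chunk, plus an overflow-checked buffer size. The function names, the 256-channel limit and the 16-bit sample size are assumptions; the field offsets follow the published CAF layout (big-endian, "desc" chunk first).

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define CAF_DESC_END     52   /* 8-byte file header + 12-byte chunk header + 32-byte description */
#define CAF_MAX_CHANNELS 256  /* assumed application limit, not taken from the advisory */

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}
static void put_be32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16); p[2] = (uint8_t)(v >> 8); p[3] = (uint8_t)v;
}

/* Constructed sample: minimal CAF header; description fields not set here stay zero. */
void caf_sample_header(uint8_t out[CAF_DESC_END], uint32_t channels) {
    memset(out, 0, CAF_DESC_END);
    memcpy(out, "caff", 4);        /* file type */
    out[5] = 1;                    /* file version 1, file flags 0 */
    memcpy(out + 8, "desc", 4);    /* Audio Description chunk type */
    put_be32(out + 16, 32);        /* low half of the 64-bit chunk size */
    memcpy(out + 28, "lpcm", 4);   /* format ID */
    put_be32(out + 44, channels);  /* channels per frame: the field under test */
    put_be32(out + 48, 16);        /* bits per channel */
}

/* Returns the validated channel count, or -1 when the header must be rejected. */
int caf_checked_channels(const uint8_t *buf, size_t len) {
    if (buf == NULL || len < CAF_DESC_END) return -1;            /* truncated input */
    if (memcmp(buf, "caff", 4) || memcmp(buf + 8, "desc", 4)) return -1;
    if (be32(buf + 12) != 0 || be32(buf + 16) != 32) return -1;  /* desc chunk is 32 bytes */
    uint32_t raw = be32(buf + 44);
    /* Compared unsigned: a value that would be negative in a signed int is
       >= 0x80000000 here and fails the upper bound. */
    if (raw == 0 || raw > CAF_MAX_CHANNELS) return -1;
    return (int)raw;
}

/* Bytes for `frames` frames of 16-bit samples, or 0 if the product would overflow. */
size_t caf_buffer_bytes(int channels, size_t frames) {
    if (channels <= 0 || frames > SIZE_MAX / ((size_t)channels * 2)) return 0;
    return frames * (size_t)channels * 2;
}

int main(void) {
    uint8_t h[CAF_DESC_END];
    caf_sample_header(h, 0xFFFFFFFFu);   /* reads as -1 in a signed int */
    return caf_checked_channels(h, sizeof h) == -1 ? 0 : 1;
}
```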
CHARACTERISTICS
– Identifiers: BID-33963, CVE-2009-0186, MDVSA-2009:067, VIGILANCE-VUL-8507
– Url: http://vigilance.fr/vulnerability/libsndfile-integer-overflow-via-CAF-8507