Vigil@nce: libsndfile, overflow via VOC
May 2009 by Vigil@nce
An attacker can create a malicious VOC file and invite the victim
to open it, in order to execute code in applications linked to
libsndfile.
Severity: 2/4
Consequences: user access/rights, client denial of service
Provenance: document
Means of attack: no proof of concept, no attack
Ability of attacker: expert (4/4)
Confidence: confirmed by the editor (5/5)
Diffusion of the vulnerable configuration: high (3/3)
Creation date: 15/05/2009
IMPACTED PRODUCTS
– Unix - platform
DESCRIPTION OF THE VULNERABILITY
The VOC format is used to store audio data, and contains several
blocks:
– type 1 and 2: sound
– type 5: description text
– type 6: repeat information
– etc.
The libsndfile library supports this file type.
The voc_read_header() function in the src/voc.c file of libsndfile
parses the headers of a VOC file and logs the description text (type
5). However, if the size indicated for the description text is
larger than the header size, the voc_read_header() function
corrupts memory.
An attacker can therefore create a malicious VOC file and invite
the victim to open it, in order to execute code in applications
linked to libsndfile.
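The kind of length check whose absence is described above, as an added C example (not libsndfile's code and not part of the original advisory). It assumes the usual VOC block layout of a 1-byte type followed by a 3-byte little-endian length; voc_find_text(), TEXT_BUF_SIZE, the return codes and the sample arrays are hypothetical names and constructed data.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define VOC_TEXT 5        /* description text block type, as listed above */
#define TEXT_BUF_SIZE 64  /* assumed destination buffer size (hypothetical) */
enum { VOC_OK = 0, VOC_NO_TEXT = 1, VOC_TRUNCATED = -1, VOC_TEXT_TOO_LONG = -2 };

/* Walk the data blocks in buf[0..len) and copy the first type-5 text into
 * out, NUL-terminated. The declared block size is attacker-controlled, so it
 * is checked against the bytes present and against the destination buffer. */
int voc_find_text(const uint8_t *buf, size_t len, char out[TEXT_BUF_SIZE])
{
    size_t pos = 0;
    out[0] = '\0';
    while (pos < len && buf[pos] != 0) {           /* type 0 = terminator */
        if (len - pos < 4)
            return VOC_TRUNCATED;                  /* no room for type + length */
        uint8_t type = buf[pos];
        size_t size = (size_t)buf[pos + 1] | ((size_t)buf[pos + 2] << 8)
                    | ((size_t)buf[pos + 3] << 16);
        pos += 4;
        if (size > len - pos)
            return VOC_TRUNCATED;                  /* declared size exceeds the data */
        if (type == VOC_TEXT) {
            if (size >= TEXT_BUF_SIZE)
                return VOC_TEXT_TOO_LONG;          /* would overflow out[] */
            memcpy(out, buf + pos, size);
            out[size] = '\0';
            return VOC_OK;
        }
        pos += size;                               /* skip other block types */
    }
    return VOC_NO_TEXT;
}

/* Constructed sample block areas (not taken from any real file). */
static const uint8_t sample_ok[] = {1, 2, 0, 0, 0x80, 0x80, 5, 2, 0, 0, 'o', 'k', 0};
static const uint8_t sample_lying[] = {5, 0xFF, 0xFF, 0x00, 'A', 'A', 0};
static const uint8_t sample_long[4 + 64] = {5, 64, 0, 0};

int main(void)
{
    char text[TEXT_BUF_SIZE];
    printf("%d\n", voc_find_text(sample_ok, sizeof sample_ok, text));
    printf("%d\n", voc_find_text(sample_lying, sizeof sample_lying, text));
    printf("%d\n", voc_find_text(sample_long, sizeof sample_long, text));
    return 0;
}
```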
CHARACTERISTICS
Identifiers: BID-34978, TKADV2009-006, VIGILANCE-VUL-8716
http://vigilance.fr/vulnerability/libsndfile-overflow-via-VOC-8716