-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Advisory:               libsndfile/Winamp VOC Processing Heap Buffer Overflow
Advisory ID:            TKADV2009-006
Revision:               1.0
Release Date:           2009/05/16
Last Modified:          2009/05/16
Date Reported:          2009/04/19
Author:                 Tobias Klein (tk at trapkit.de)
Affected Software:      libsndfile <= version 1.0.19
                        Winamp <= v5.552
Remotely Exploitable:   Yes
Locally Exploitable:    No
Vendor URL:             http://www.mega-nerd.com/libsndfile/
Vendor Status:          Vendor has released an updated version
Patch development time: 26 days

======================
Vulnerability Details:
======================

libsndfile contains a heap buffer overflow vulnerability while parsing malformed
VOC (Creative Voice) media files. The vulnerability may be exploited by a
(remote) attacker to execute arbitrary code in the context of an application
using the libsndfile library.

As libsndfile is used by Winamp (see [REF2]), this popular media player is also
affected by this vulnerability. See [REF3] for a list of software projects that
use the libsndfile library.

==================
Technical Details:
==================

Source code file: libsndfile-1.0.19/src/voc.c

[..]
156 static int
157 voc_read_header (SF_PRIVATE *psf)
158 {   VOC_DATA    *pvoc ;
...
201     while (1)
202     {   int size ;
203         short count ;
204
205         block_type = 0 ;
206         offset += psf_binheader_readf (psf, "1", &block_type) ;
207
208         switch (block_type)
209         {   case VOC_ASCII :
210 [1]             offset += psf_binheader_readf (psf, "e3", &size) ;
211
212                 psf_log_printf (psf, " ASCII : %d\n", size) ;
213
214 [2]             offset += psf_binheader_readf (psf, "b", psf->header, size) ;
215                 psf->header [size] = 0 ;
216                 psf_log_printf (psf, "  text : %s\n", psf->header) ;
217                 continue ;
[..]

[1] The int variable "size" is filled with user-supplied data from the media
    file (a 3-byte little-endian length read with the "e3" format).

[2] The user-controlled value of "size" is passed, together with the fixed-size
    buffer psf->header, as the byte count for the "psf_binheader_readf()"
    function; the same unchecked value is then used as an index into
    psf->header at line 215.

Source code file: libsndfile-1.0.19/src/common.c

[..]
906 int
907 psf_binheader_readf (SF_PRIVATE *psf, char const *format, ...)
908 {   va_list argptr ;
...
1035            case 'b' :
1036                    charptr = va_arg (argptr, char*) ;
1037 [3]                count = va_arg (argptr, int) ;
1038                    if (count > 0)
1039 [4]                    byte_count += header_read (psf, charptr, count) ;
1040                    break ;
[..]

[3] The user-controlled value gets stored in "count".

[4] "count" is used as an argument for the "header_read()" function; the only
    check performed on it is that it is positive.

Source code file: libsndfile-1.0.19/src/common.c

[..]
793 static int
794 header_read (SF_PRIVATE *psf, void *ptr, int bytes)
795 {   int count = 0 ;
...
805     if (psf->headindex + bytes > SIGNED_SIZEOF (psf->header))
806     {   int most ;
807
808         most = SIGNED_SIZEOF (psf->header) - psf->headindex ;
809         psf_fread (psf->header + psf->headend, 1, most, psf) ;
810 [5]     memset ((char *) ptr + most, 0, bytes - most) ;
811
812         psf_fseek (psf, bytes - most, SEEK_CUR) ;
813         return bytes ;
814         } ;
[..]

[5] The third argument of memset() is calculated using the user-controlled value
    of "bytes". Because "ptr" is psf->header (passed at [2]) and "bytes" may be
    far larger than the space remaining in that buffer, memset() writes past
    the end of psf->header. This leads to a heap buffer overflow.

=========
Solution:
=========

Upgrade to libsndfile >= version 1.0.20 (see [REF4]).

====================
Disclosure Timeline:
====================

2009/04/19 - Initial vendor notification
2009/04/19 - Initial response from the libsndfile maintainers
2009/04/19 - Vulnerability details sent to libsndfile maintainers
2009/05/14 - Public disclosure of vulnerability details by libsndfile maintainers
2009/05/16 - Release date of this security advisory

========
Credits:
========

Vulnerability found and advisory written by Tobias Klein.
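Taking the voc.c listing in the Technical Details section ([1] and [2]) as the reference point, the following is an added example that is not part of this advisory and not libsndfile code: a bounds-checked reader for one VOC text block, showing the checks whose absence lets a file-supplied size reach header_read() and the "psf->header [size] = 0" write. The VOC_ASCII value (block type 5) and every sample byte string are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define VOC_ASCII 5   /* assumption: block type 5 is the VOC text block libsndfile calls VOC_ASCII */
enum { VOC_OK = 0, VOC_ERR_TRUNCATED = -1, VOC_ERR_TYPE = -2, VOC_ERR_TOO_LARGE = -3 };

/* The 3-byte little-endian block length after the type byte (the "e3" read in the listing). */
uint32_t voc_block_size(const uint8_t *p)
{
    return (uint32_t) p[0] | ((uint32_t) p[1] << 8) | ((uint32_t) p[2] << 16);
}

/* Parse one text block (type byte, 3-byte size, `size` bytes of text) into `out`.
 * The file-supplied size is checked against the remaining input and against the
 * destination capacity, reserving one byte for the NUL that voc.c writes with
 * "psf->header [size] = 0", before anything is written. */
int voc_read_ascii_block(const uint8_t *buf, size_t len, char *out, size_t out_cap)
{
    if (len < 4)
        return VOC_ERR_TRUNCATED;
    if (buf[0] != VOC_ASCII)
        return VOC_ERR_TYPE;
    uint32_t size = voc_block_size(buf + 1);
    if (size > len - 4)
        return VOC_ERR_TRUNCATED;       /* payload not fully present in the input */
    if (out_cap == 0 || size >= out_cap)
        return VOC_ERR_TOO_LARGE;       /* the bound the vulnerable code never checks */
    memcpy(out, buf + 4, size);
    out[size] = '\0';
    return VOC_OK;
}

/* Constructed sample blocks, not taken from any real VOC file. */
const uint8_t VOC_SAMPLE_OK[]    = { 5, 5, 0, 0, 'h', 'e', 'l', 'l', 'o' };
const uint8_t VOC_SAMPLE_BIG[]   = { 5, 9, 0, 0, 'A', 'A', 'A', 'A', 'A', 'A', 'A', 'A', 'A' };
const uint8_t VOC_SAMPLE_TRUNC[] = { 5, 16, 0, 0, 'x', 'y' };
const uint8_t VOC_SAMPLE_OTHER[] = { 7, 0, 0, 0 };

/* Small fixed destination standing in for psf->header; `cap` models its size. */
static char g_scratch[16];

int voc_parse_sample(const uint8_t *buf, size_t len, size_t cap)
{
    if (cap > sizeof g_scratch)
        cap = sizeof g_scratch;
    memset(g_scratch, 0, sizeof g_scratch);
    return voc_read_ascii_block(buf, len, g_scratch, cap);
}
const char *voc_scratch_text(void) { return g_scratch; }
```

With cap set to the exact payload length, the reader rejects the block: that is the off-by-one case in which the original code's terminating write lands one byte past the buffer.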
===========
References:
===========

[REF1] www.mega-nerd.com/libsndfile/
[REF2] www.winamp.com/
[REF3] www.mega-nerd.com/erikd/Blog/CodeHacking/libsndfile/ten_years.html
[REF4] www.mega-nerd.com/erikd/Blog/CodeHacking/libsndfile/rel_20.html
[REF5] www.trapkit.de/advisories/TKADV2009-006.txt

========
Changes:
========

Revision 0.1 - Initial draft release to the vendor
Revision 1.0 - Public release

===========
Disclaimer:
===========

The information within this advisory may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There are no
warranties, implied or express, with regard to this information. In no event
shall the author be liable for any direct or indirect damages whatsoever
arising out of or in connection with the use or spread of this information.
Any use of this information is at the user's own risk.

==================
PGP Signature Key:
==================

http://www.trapkit.de/advisories/tk-advisories-signature-key.asc

Copyright 2009 Tobias Klein. All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: PGP
Charset: utf-8

wj8DBQFKDlf6kXxgcAIbhEERAnB+AKDdOjTUgxDgu4uYFz4yVCC0wiKfzACeMHz2
uaqWhaWL0vzl9DiW/uveHbI=
=Uo+F
-----END PGP SIGNATURE-----