-
Notifications
You must be signed in to change notification settings - Fork 67
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
WavPack crashes with SEGFAULT #91
Comments
Appears that CVE-2020-35738 was assigned for this issue. |
Hi, not sure if it helps but.. I couldn't reproduce this in version 4.70.0 (Debian Jessie):
However, could reproduce this in version 5.0.0 (Debian Stretch):
And can also reproduce in versions thereafter, for eg: in version 5.1.0 (Debian Buster):
By this, I am also inclined towards believing that vulnerable code wasn't present in v4.70.0. Please let me know if I am mistaken somehow :) |
@utkarsh2102 FYI: If you want to be sure you should not rely only on reproducibility with a POC but inspect the code as well (but note that in 38dba75 a code reorganization and cleanup was done). |
Aah, well. Right, let's wait for the fix and then re-analyze the situation from there. |
…itize a few more encoding parameters for clarity
Hm, so as I see it, in Debian Jessie (v4.70.0), there's no check on
I am not sure if backporting this diff is worthy enough to avoid causing buffer overruns and avoiding integer overflows. Does anybody have any opinion on this? Do you think it's still "safe and recommended" to backport this diff to v4.70.0? |
First of all, thank you @wakolzin for finding and reporting this issue! This is now fixed in the master branch. I have also carefully analyzed the issue and I believe that this is an extremely low risk from a security perspective. The buffer overflow could be exploited to corrupt the next heap entry and possibly force the next malloc to return an arbitrary address, but unfortunately that next malloc is for the compressed audio block and there’s no method for the attacker to control what gets written there. Another complicating factor is that the compressor modifies the audio data “in-place” during decorrrelation, so again there’s no way to control the final contents. I’m certainly no expert in this, but I think it would be extraordinarily difficult, if not impossible, to create an exploit for this overrun. But more problematic, even if it were possible to create an exploit, it would be nearly impossible to trigger it from a practical standpoint. The WavPack command-line program is not a default application for WAV files (or any file type) and is not supplied by default in any distro. Therefore the attacker would have to convince a user to install the command-line program, manually download the maliciously crafted file, and attempt, using the terminal, to compress it using WavPack. If you can get someone to do that, there are far simpler ways of gaining control of their system. |
@utkarsh2102 With respect to 4.70.0, I actually find it a little frightening that that 7+ year-old release is still being patched, but I’m sure there are some good reasons for this. Personally, I am of the opinion that it’s good practice to maintain backward compatibility unless absolutely unavoidable (maybe I’m just old) and I have worked very hard to make sure that the latest version is a “drop-in” replacement for older versions (see first paragraph of porting guide). In any event, assuming all the other “real” security issues fixed since 2013 have been patched, the patch you suggest is safe, and I would add the other checks too:
As for whether these are recommended, I refer you to my statements above. I really appreciate the work of volunteer maintainers, and I hate to see time and effort spent on vulnerabilities that aren’t real threats. I guess it depends on the threat level eventually assigned to this CVE (which I hope is very low). Thanks! |
@dbry Thank you for analysis and fix! |
@dbry are you going to release a new version or should we backport the changes to 5.3.0? |
@juanfra684 I will release a new version in a few days from current source (so it will include a few other updates also, mostly minor fixes but also the @wakolzin If you have any other issues like this that you know about it would be great to see them before I generate a release. Thanks! |
@dbry This issue was the only I know about. |
Note that this issue has two patches associated with it, 63f3ec7 and 89df160. Unfortunately the first one failed the Travis build (for an unrelated reason), but they are both in the commit log tagged with issue #91. It's a little tricky to verify that both were picked up everywhere, but I noticed on this page that at least Ubuntu may not have. The good news is that 89df160 is sufficient by itself to resolve the SEGFAULT because the potentially negative However, if anyone mistakenly only brings in 63f3ec7, then that would be insufficient to resolve the issue. |
WavPack 5.4.0 has been released with this fix. Thanks again! |
Hello @dbry,
That isn't true. The vulnerability isn't in the wavpack binary but in the "libwavpack" which is being used widely by a bunch of other programs and applications. For example, ffmpeg, cmus, audiotools, et al.
Haha, yes. There exists Debian LTS and ELTS, where the packages in the Debian archive are supported (only against security vulnerabilities) for extended 2 years for LTS and then another 2 years for ELTS.
Thank you so much for your help and effort in writing this patch and of course, for your hard work in best maintaining the backward compatibility! ❤️ This really helps in maintaining and backporting security patches to the older versions! \o/ |
Yes, the vulnerability is in libwavpack, and that's widely distributed and used, but it’s in the encoder portion, not the decoder. The decoder is constantly fuzzed in Google’s OSS-Fuzz because that’s where serious vulnerabilities will be located given that libwavpack is one of the only consumers of WavPack files (aside from the native FFmpeg decoder). Many of the programs that use libwavpack only do decoding (like cmus that you mention), so they’re going to be fine. The vulnerability here is when crazy values for sample rate and/or channel count are passed to libwavpack for encoding. So any program using the library for encoding regular audio is not going to be affected because the parameters are going to be fixed (like a CD ripper). The program would have to be attempting to convert one of these crafted files and the most likely scenario is that the program would immediately recognize the corruption and would never end up trying to pass it to libwavpack (or the command-line program). For example, I just tested FFmpeg, Foobar2000, and Gstreamer and they all refused to even open either of these files. So this vulnerability is best suited for the command-line WavPack program because it accepts a wide range of encoding parameters (because the Wavpack format supports a wide range of parameters). I would be very surprised if another libwavpack application could be coaxed into even triggering this crash, much less used in an actual exploit.
I'm glad to help, and I will be happy to respond to your other queries as time permits! 👍 |
Aah, okay. Thanks for the explanation! 👍🏻
Great, thank you! |
Update to wavpack 5.4.0. CVE-2020-35738. More info: dbry/WavPack#91 (comment)
Hello!
This bug was found by Crusher (fuzzer developing in ISP RAS), thanks to following colleagues:
Vitalii Akolzin, Shamil Kurmangaleev, Maxim Mishechkin, Fedor Nis'kov, Ivan Gulakov, Denis Straghkov, Andrey Fedotov, Alexey Vishnyakov, Daniil Kutz, Alexander Novikov.
Product version
Commit 940a8b7 (latest commit on master at current moment).
Environment
Ubuntu 16.04/18.04
To reproduce
crash.wav
from crash.wav.tar.gzProgram crashes with SEGFAULT.
Error message:
Valgrind output:
Analysis
In
WavPack/src/pack_utils.c
Line 561 in 940a8b7
malloc
's argument overflowssize_t
type and results in small positive number.So, only a short memory region is allocated.
Then
WavPack/src/pack_utils.c
Line 612 in 940a8b7
dptr
now points to address in previously allocated regionFinally
WavPack/src/pack_utils.c
Line 662 in 940a8b7
we write in memory by
dptr
pointer. But in one momentdptr
points to memory outside of allocated region. Segmentation fault.The text was updated successfully, but these errors were encountered: