Headline
CVE-2022-31651: SoX - Sound eXchange / Bugs
In SoX 14.4.2, there is an assertion failure in rate_init in rate.c in libsox.a.
summary
Hello, I was testing my new fuzzer and found two bugs: a reachable assertion in rate_init (rate.c:303) and a floating point exception in lsx_aiffstartwrite.
environment
sox latest commit 42b3557e13e0fe01a83465b672d89faddbe65f49,
clang 12.0.1,
Ubuntu 21.10
steps to reproduce
Compile sox with CC=clang CFLAGS="-fsanitize=address -g".
Run the command ./sox --single-threaded @@ -t aiff /dev/null (@@ is the fuzzer's placeholder for the input file path).
BUG1
sox: rate.c:303: void rate_init(rate_t, rate_shared_t, double, double, double, double, double, rolloff_t, sox_bool, sox_bool, int, int, sox_bool): Assertion `factor > 0' failed.
Aborted
BUG2
AddressSanitizer:DEADLYSIGNAL
==3050061==ERROR: AddressSanitizer: FPE on unknown address 0x000000591211 (pc 0x000000591211 bp 0x7ffd7929b6b0 sp 0x7ffd7929b660 T0)
    #0 0x591211 in lsx_aiffstartwrite (/home/kdsj/workspace/fuzz/sox-aiff/sox+0x591211)
    #1 0x83e26f in open_write (/home/kdsj/workspace/fuzz/sox-aiff/sox+0x83e26f)
    #2 0x83b303 in sox_open_write (/home/kdsj/workspace/fuzz/sox-aiff/sox+0x83b303)
    #3 0x8a4ae8 in open_output_file (/home/kdsj/workspace/fuzz/sox-aiff/sox+0x8a4ae8)
    #4 0x8952e1 in process (/home/kdsj/workspace/fuzz/sox-aiff/sox+0x8952e1)
    #5 0x887e23 in main (/home/kdsj/workspace/fuzz/sox-aiff/sox+0x887e23)
    #6 0x7fac08e4afcf in __libc_start_call_main …/sysdeps/nptl/libc_start_call_main.h:58
    #7 0x7fac08e4b07c in __libc_start_main_impl …/csu/libc-start.c:409
    #8 0x408864 in _start (/home/kdsj/workspace/fuzz/sox-aiff/sox+0x408864)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: FPE (/home/kdsj/workspace/fuzz/sox-aiff/sox+0x591211) in lsx_aiffstartwrite
==3050061==ABORTING
POC
As shown in the attachment poc.zip.
Credit
NCNIPC of China
Hexhive
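The report gives no root cause for either crash, but the assertion text (factor > 0) and a floating point exception inside the AIFF header writer both point at header-derived numbers reaching arithmetic without validation: the AIFF COMM chunk carries the channel count, the sample size and an 80-bit extended sample rate, channel count and bytes per sample are natural divisors when a writer sizes frames from a byte budget, and a resampler's factor is the ratio of input to output rate. The C example below is added here and is not SoX code nor a reconstruction of the attached poc.zip; it parses a COMM chunk from a constructed in-memory FORM/AIFF header and rejects zero channels, sub-byte or oversize sample sizes, and zero, negative or non-finite rates before any division or ratio is formed. The names parse_comm, rate_factor, make_aiff, the status enum and the sample headers are this example's own assumptions.

```c
/* Added example (not SoX code): parse the COMM chunk of an AIFF header and
 * reject the field values that turn later arithmetic into a crash. All
 * sample headers below are constructed in memory. */
#include <math.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

typedef struct {
    uint16_t channels;   /* numChannels */
    uint32_t frames;     /* numSampleFrames */
    uint16_t bits;       /* sampleSize */
    double   rate;       /* sampleRate, stored as 80-bit IEEE extended */
} aiff_comm_t;

typedef enum { AIFF_OK = 0, AIFF_BAD_FORM, AIFF_BAD_CHANNELS,
               AIFF_BAD_BITS, AIFF_BAD_RATE } aiff_status_t;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Decode the 80-bit extended float without libm: value = mantissa * 2^(exp-16383-63). */
static double rd_extended(const uint8_t *p)
{
    int sign = p[0] & 0x80;
    int exponent = ((p[0] & 0x7f) << 8) | p[1];
    uint64_t mantissa = 0;
    for (int i = 0; i < 8; i++) mantissa = (mantissa << 8) | p[2 + i];
    if (exponent == 0x7fff) return NAN;            /* inf or NaN: never a sample rate */
    if (mantissa == 0) return 0.0;
    double f = (double)mantissa;
    for (int e = exponent - 16383 - 63; e > 0; e--) f *= 2.0;
    for (int e = exponent - 16383 - 63; e < 0; e++) f /= 2.0;
    return sign ? -f : f;
}

/* Walk FORM/AIFF chunks; return the COMM body and its length, or NULL. */
static const uint8_t *find_comm(const uint8_t *buf, size_t len, size_t *body_len)
{
    if (len < 12 || memcmp(buf, "FORM", 4) != 0 || memcmp(buf + 8, "AIFF", 4) != 0)
        return NULL;
    size_t off = 12;
    while (off + 8 <= len) {
        uint32_t clen = rd32(buf + off + 4);
        if (clen > len - off - 8) return NULL;     /* chunk length exceeds the buffer */
        if (memcmp(buf + off, "COMM", 4) == 0) { *body_len = clen; return buf + off + 8; }
        off += 8 + clen + (clen & 1);              /* chunk bodies are padded to even length */
    }
    return NULL;
}

/* Parse and validate. channels and bits/8 are divisors when a writer sizes
 * frames from a byte budget, and the rate feeds a conversion factor that must
 * be > 0, so none of them may be zero, negative or NaN. */
aiff_status_t parse_comm(const uint8_t *buf, size_t len, aiff_comm_t *out)
{
    size_t blen = 0;
    const uint8_t *c = find_comm(buf, len, &blen);
    if (c == NULL || blen < 18) return AIFF_BAD_FORM;
    out->channels = rd16(c);
    out->frames   = rd32(c + 2);
    out->bits     = rd16(c + 6);
    out->rate     = rd_extended(c + 8);
    if (out->channels == 0) return AIFF_BAD_CHANNELS;
    if (out->bits < 8 || out->bits > 32) return AIFF_BAD_BITS;
    if (!(out->rate > 0.0) || !isfinite(out->rate)) return AIFF_BAD_RATE;  /* also rejects NaN */
    return AIFF_OK;
}

/* Resampling factor in_rate/out_rate, only for validated rates; a caller that
 * skips the check ends up with exactly the factor <= 0 an assertion would catch. */
int rate_factor(double in_rate, double out_rate, double *factor)
{
    if (!(in_rate > 0.0) || !(out_rate > 0.0) || !isfinite(in_rate) || !isfinite(out_rate))
        return -1;
    *factor = in_rate / out_rate;
    return 0;
}

/* Constructed sample rates (80-bit extended) and a FORM/AIFF builder holding one COMM chunk. */
static const uint8_t RATE_44100[10] = { 0x40, 0x0E, 0xAC, 0x44, 0, 0, 0, 0, 0, 0 };
static const uint8_t RATE_NEG[10]   = { 0xC0, 0x0E, 0xAC, 0x44, 0, 0, 0, 0, 0, 0 };
static const uint8_t RATE_ZERO[10]  = { 0 };

size_t make_aiff(uint8_t *out, uint16_t channels, uint16_t bits, const uint8_t rate80[10])
{
    static const uint8_t head[20] = { 'F','O','R','M', 0,0,0,30, 'A','I','F','F',
                                      'C','O','M','M', 0,0,0,18 };
    memcpy(out, head, sizeof head);
    uint8_t *c = out + sizeof head;
    c[0] = (uint8_t)(channels >> 8); c[1] = (uint8_t)channels;
    memset(c + 2, 0, 4);                             /* numSampleFrames */
    c[6] = (uint8_t)(bits >> 8);     c[7] = (uint8_t)bits;
    memcpy(c + 8, rate80, 10);
    return sizeof head + 18;                         /* 38 bytes */
}
```

The checks are deliberately placed at parse time rather than at the point of use, so a header that a fuzzer mutates into channels = 0 or a zero rate is rejected with a status code instead of reaching a divide or an assert; the chunk walker also refuses chunk lengths that run past the buffer, which is the other common way a mutated container header turns into a crash.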
Related news
Ubuntu Security Notice 5904-2 - USN-5904-1 fixed vulnerabilities in SoX. It was discovered that the fix for CVE-2021-33844 was incomplete. This update fixes the problem. Helmut Grohne discovered that SoX incorrectly handled certain inputs. If a user or an automated system were tricked into opening a specially crafted input file, a remote attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 14.04 ESM, Ubuntu 16.04 ESM, and Ubuntu 18.04 LTS.
Ubuntu Security Notice 5904-1 - Helmut Grohne discovered that SoX incorrectly handled certain inputs. If a user or an automated system were tricked into opening a specially crafted input file, a remote attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 14.04 LTS, Ubuntu 16.04 LTS, and Ubuntu 18.04 LTS. Helmut Grohne discovered that SoX incorrectly handled certain inputs. If a user or an automated system were tricked into opening a specially crafted input file, a remote attacker could possibly use this issue to cause a denial of service.
Debian Linux Security Advisory 5356-1 - Multiple security issues were discovered in Sox, the Swiss Army knife of sound processing programs, which could result in denial of service or potentially the execution of arbitrary code if a malformed audio file is processed.