Any solutions for the libsndfile vulnerability?

Hello over here!

For some time now, this file has been giving the system problems and it suddenly aborts; the problems occur when playing an audio file, and the sound is choppy until it becomes hoarse and unreadable.


Code:
# pkg audit -F
vulnxml file up-to-date
libsndfile-1.0.28_1 is vulnerable:
libsndfile -- out-of-bounds reads
CVE: CVE-2017-17457
CVE: CVE-2017-17456
CVE: CVE-2017-14246
CVE: CVE-2017-14245
WWW: https://vuxml.FreeBSD.org/freebsd/30704aba-1da4-11e8-b6aa-4ccc6adda413.html

sqlite3-3.22.0 is vulnerable:
SQLite -- Corrupt DB can cause a NULL pointer dereference
CVE: CVE-2018-8740
WWW: https://vuxml.FreeBSD.org/freebsd/6d52bda1-2e54-11e8-a68f-485b3931c969.html

firefox-59.0.1,1 is vulnerable:
mozilla -- use-after-free in compositor
CVE: CVE-2018-5148
WWW: https://vuxml.FreeBSD.org/freebsd/23f59689-0152-42d3-9ade-1658d6380567.html

thunderbird-52.6.0_2 is vulnerable:
mozilla -- use-after-free in compositor
CVE: CVE-2018-5148
WWW: https://vuxml.FreeBSD.org/freebsd/23f59689-0152-42d3-9ade-1658d6380567.html

thunderbird-52.6.0_2 is vulnerable:
mozilla -- multiple vulnerabilities
CVE: CVE-2018-5147
CVE: CVE-2018-5146
WWW: https://vuxml.FreeBSD.org/freebsd/7943794f-707f-4e31-9fea-3bbf1ddcedc1.html

thunderbird-52.6.0_2 is vulnerable:
mozilla -- multiple vulnerabilities
CVE: CVE-2018-5143
CVE: CVE-2018-5142
CVE: CVE-2018-5141
CVE: CVE-2018-5140
CVE: CVE-2018-5138
CVE: CVE-2018-5137
CVE: CVE-2018-5136
CVE: CVE-2018-5135
CVE: CVE-2018-5134
CVE: CVE-2018-5133
CVE: CVE-2018-5132
CVE: CVE-2018-5131
CVE: CVE-2018-5130
CVE: CVE-2018-5129
CVE: CVE-2018-5128
CVE: CVE-2018-5127
CVE: CVE-2018-5126
CVE: CVE-2018-5125
WWW: https://vuxml.FreeBSD.org/freebsd/c71cdc95-3c18-45b7-866a-af28b59aabb5.html

4 problem(s) in the installed packages found.
#
Navigating through that link, here are some lines of words from what they mention in that link:

Code:
CVE-2017-14245 (Medium): An out of bounds read in the function d2alaw_array() in alaw.c of libsndfile 1.0.28 may lead to a remote DoS attack or information disclosure, related to mishandling of the NAN and INFINITY floating-point values.

CVE-2017-14246 (Medium): An out of bounds read in the function d2ulaw_array() in ulaw.c of libsndfile 1.0.28 may lead to a remote DoS attack or information disclosure, related to mishandling of the NAN and INFINITY floating-point values.

https://vuxml.FreeBSD.org/freebsd/30704aba-1da4-11e8-b6aa-4ccc6adda413.ht
 
For some time now, this file has been giving the system problems and it suddenly aborts; the problems occur when playing an audio file, and the sound is choppy until it becomes hoarse and unreadable.

I'm rebuilding one of my boxen right now from ports and it stopped at multimedia/vlc with that vulnerability warning. (I show it on my other boxen.)

However, it did build multimedia/xmms successfully without it being a dependency and I've been using it to listen to music since before the vulnerability came out with no degradation of sound quality.

Some things, such as graphics/OpenEXR, are pulled in as a dependency and can be removed after the build when a vulnerability develops without it breaking the host program, in this case graphics/gimp. I don't want to chance breaking multimedia/vlc on the machine I'm on now, but am continuing to build it with the disable vulnerabilities flag on the other one and will remove it later to see just how vital it is to sound. Not very by the looks of it.

From the freshports page on audio/libsndfile:

Libsndfile is a C library for reading and writing files containing sampled sound (such as MS Windows WAV and the Apple/SGI AIFF format) through one standard library interface.
 
I initially tried # pkg delete libsndfile but it wanted to take multimedia/vlc and audio/pulseaudio with it, so I used
# cd /usr/ports/audio/libsndfile && make deinstall clean
instead and that worked out well.

I still have sound from multimedia/vlc, multimedia/xmms, sound from a youtube video using www/firefox-esr, the normal keyboard beeps and no vulnerabilities from # pkg audit -F.


So in my case, removing it had no ill effects I can tell.

Your mileage may vary depending on what programs you have installed, but you can always reinstall it if removing it causes problems.
 
I initially tried # pkg delete libsndfile but it wanted to take multimedia/vlc and audio/pulseaudio with it, so I used
# cd /usr/ports/audio/libsndfile && make deinstall clean
instead and that worked out well.
That's comparable to # pkg delete -fx sndfile, and as one could expect is prone to break something. If not immediately then likely over time. So you might want to document this action just in case ;)
 
So you might want to document this action just in case ;)

I already did. Here, in this thread. ;)

I haven't removed it from the box I'm on now and they are all basically set up the same as far as the limited number of programs I install on a regular basis. Running the # pkg delete libsndfile command shows it actually wants to deinstall 5 other files along with it:

Code:
root@relentless:/ # pkg delete libsndfile
Updating database digests format: 100%
Checking integrity... done (0 conflicting)
Deinstallation has been requested for the following 6 packages (of 0 packages in the universe):

Installed packages to be REMOVED:
        libsndfile-1.0.28
        libsamplerate-0.1.9
        twolame-0.3.13_4
        pulseaudio-11.0_1
        jackit-0.125.0_3
        vlc-2.2.6_5,4

Number of packages to be removed: 6

The operation will free 61 MiB.

Proceed with deinstalling packages? [y/N]:

audio/twolame is an MPEG Audio Layer 2 encoder and might be problematic at some point for some people. I haven't got a .mpeg file handy to try it out but I have played .mp4 and .avi files on that machine and got sound out of both.

audio/libsamplerate doesn't look like something I'll ever use.

freshports doesn't even return anything on a search for jackit-0 for me, however it is listed in the FreeBSD ports section as a low latency audio server.

www/palemoon plays a youtube video on that machine, and I did see where audio/speex was installed with something, but those mentioned are the only audio oriented programs I have installed unless one slips my mind ATM. I get sound from internal speakers and headphones.

I suppose any of those programs listed could develop problems by removing said file, and by the same token could be an attack vector for said vulnerabilities. Correct me if I'm mistaken.

I listen to more music files than watch movies on my laptops and it isn't a dependency for multimedia/xmms. Everyone will have to weigh the potential pros and cons for themselves till a patch is issued. graphics/OpenEXR was vulnerable for a long time before a fix was issued for that.
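A small shell helper, added here and not from this thread, that parses the `pkg audit -F` listing from the first post and, for each flagged package, asks `pkg info -r` what `pkg delete` would take with it (the vlc and pulseaudio situation discussed above). The audit sample is constructed from the thread's own output; the reverse-dependency lookup only runs on a host that actually has pkg(8).

```sh
# Constructed sample of `pkg audit -F` output, trimmed from the thread above.
AUDIT_SAMPLE='vulnxml file up-to-date
libsndfile-1.0.28_1 is vulnerable:
libsndfile -- out-of-bounds reads
CVE: CVE-2017-17457
CVE: CVE-2017-17456
CVE: CVE-2017-14246
CVE: CVE-2017-14245
WWW: https://vuxml.FreeBSD.org/freebsd/30704aba-1da4-11e8-b6aa-4ccc6adda413.html

sqlite3-3.22.0 is vulnerable:
SQLite -- Corrupt DB can cause a NULL pointer dereference
CVE: CVE-2018-8740
WWW: https://vuxml.FreeBSD.org/freebsd/6d52bda1-2e54-11e8-a68f-485b3931c969.html

2 problem(s) in the installed packages found.'

# summarize_audit: read pkg audit output on stdin and print one line per
# vulnerable package: "<package> <cve-count> <cve1,cve2,...> <vuxml-url>".
summarize_audit() {
    awk '
    / is vulnerable:$/ { flush(); pkg = $1; next }
    /^CVE: /           { cves = (cves == "" ? $2 : cves "," $2); next }
    /^WWW: /           { url = $2; next }
    END                { flush() }
    function flush() {
        if (pkg != "") {
            n = split(cves, parts, ",")
            printf "%s %d %s %s\n", pkg, n, cves, url
        }
        pkg = ""; cves = ""; url = ""
    }'
}

# pkg_name: strip the version suffix ("libsndfile-1.0.28_1" -> "libsndfile").
pkg_name() {
    printf '%s\n' "$1" | sed 's/-[0-9][^-]*$//'
}

# reverse_deps: installed packages that require the given one, i.e. what
# `pkg delete <name>` would remove along with it. Silent without pkg(8).
reverse_deps() {
    command -v pkg >/dev/null 2>&1 || return 0
    pkg info -r "$1"
}

printf '%s\n' "$AUDIT_SAMPLE" | summarize_audit | while read -r pkg n cves url; do
    echo "$pkg: $n CVE(s) ($cves)"
    reverse_deps "$(pkg_name "$pkg")"
done
```

On a live FreeBSD host, replace the sample with `pkg audit -F | summarize_audit` to see, per vulnerable package, both its CVEs and the packages that would break if it were removed.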
 