CVE-2015-7805 libsndfile 1.0.25 Heap Overflow

I found this vulnerability during a security research session "for fun and no-profit" and I've released a PoC about it.

Affected products: all products using libsndfile (a non-exhaustive list below):

  • Installed by default on most Linux environments that ship libsndfile (e.g. Ubuntu, Debian)
  • JACK Audio Connection Kit, available for Linux, Windows, OS X (see its list of applications)
  • Adobe Audition
  • Asterisk eSpeak module

Run `apt-cache rdepends libsndfile1` on Ubuntu to see other interesting dependencies.
Searching around, I found that it's widely used in iOS and Android projects too.

The vulnerability comes from incorrect handling of the headindex and headend values.
While parsing a specially crafted AIFF header, an attacker can manipulate these index values so that the subsequent memcpy(...) writes past the intended bounds and overwrites heap memory.

To get hands-on with this bug, take a look at aiff.c in the while (!done) { ... } loop, plus common.c and file_io.c.
If someone needs more details I'll spend more time writing a better post :)
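As an added illustration (constructed here, not libsndfile's code), a minimal AIFF chunk reader modelled on the headindex/headend scheme mentioned above, with the bounds check that stops a file-supplied chunk size from becoming an oversized memcpy length:

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed model of the bug class, not libsndfile's code: a fixed header
 * buffer with a read cursor (headindex) and a fill mark (headend). A chunk
 * size read from the file must be bounded by headend before it is used. */
#define HEADER_BUF_SIZE 64

typedef struct {
    unsigned char header[HEADER_BUF_SIZE];
    size_t headindex;   /* read cursor into header[] */
    size_t headend;     /* number of valid bytes in header[] */
} parser_t;

void parser_init(parser_t *p, const unsigned char *data, size_t n)
{
    p->headend = n < HEADER_BUF_SIZE ? n : HEADER_BUF_SIZE;  /* never overfill */
    memcpy(p->header, data, p->headend);
    p->headindex = 0;
}

/* Read one AIFF chunk (4-byte ID, big-endian 32-bit size, payload) at the
 * cursor into dst. Returns 0 on success, -1 on a short header, -2 when the
 * file-supplied size exceeds the buffered data, -3 when it exceeds dst_cap. */
int read_chunk(parser_t *p, char id[5], unsigned char *dst, size_t dst_cap,
               uint32_t *size_out)
{
    const unsigned char *h = p->header + p->headindex;
    if (p->headend - p->headindex < 8)
        return -1;
    uint32_t size = ((uint32_t)h[4] << 24) | ((uint32_t)h[5] << 16) |
                    ((uint32_t)h[6] << 8) | (uint32_t)h[7];
    /* The check this bug class lacks: bound the untrusted size by headend. */
    if (size > p->headend - p->headindex - 8)
        return -2;
    if (size > dst_cap)
        return -3;
    memcpy(id, h, 4);
    id[4] = '\0';
    memcpy(dst, h + 8, size);
    p->headindex += 8 + size;
    *size_out = size;
    return 0;
}

/* Constructed sample: a valid 4-byte COMM chunk, then an SSND chunk whose
 * size field claims 0xFFFFFFF0 bytes although only 4 follow. */
const unsigned char sample_aiff[] = {
    'C','O','M','M', 0,0,0,4, 'A','B','C','D',
    'S','S','N','D', 0xFF,0xFF,0xFF,0xF0, 1,2,3,4 };
```

On the sample, the first call returns the COMM chunk and the second is refused with -2 before any copy, which is where an unchecked reader would have called memcpy with the crafted size.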

22 Nov 2015 - libsndfile fix released:

  • 30 Sep 2015: bug discovered
  • 09 Oct 2015: maintainer contacted (no response)
  • 12 Oct 2015: disclosed to the project's maintainer
  • 10 Nov 2015: MITRE contacted me back with the CVE ID CVE-2015-7805
  • 22 Nov 2015: libsndfile fixed (Version 1.0.26 (November 22 2015): Fix for CVE-2014-9496, CVE-2014-9756 and CVE-2015-7805.)