CVE-2015-7805
Published 2015-11-17

CVE-2015-7805: Heap-based buffer overflow in libsndfile 1.0.25 allows remote attackers to have unspecified impact via the headindex value in the header in an AIFF file.
Priority: P3 56 · Severity: critical · CVSS 2.0: 9.3
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Exploit: public exploit available
EPSS: 13.40% (95.9th percentile)
Affected
9 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | libsndfile | < libsndfile 1.0.25-10 (bookworm) | libsndfile 1.0.25-10 (bookworm) |
| libsndfile_project | libsndfile | >= 0 < 1.0.25-10 | 1.0.25-10 |
| libsndfile_project | libsndfile | >= 0 < 1.0.25-10 | 1.0.25-10 |
| libsndfile_project | libsndfile | >= 0 < 1.0.25-10 | 1.0.25-10 |
| libsndfile_project | libsndfile | >= 0 < 1.0.25-10 | 1.0.25-10 |
| libsndfile_project | libsndfile | >= 0 < 1.0.25-7ubuntu2.1 | 1.0.25-7ubuntu2.1 |
| mega-nerd | libsndfile | — | — |
| opensuse | opensuse | — | — |
| opensuse | opensuse | — | — |
Detection & IOCs (extracted from sources)

Bytes: `46 4F 52 4D 00 00 D0 7C 41 49 46 43 42 56 45 52 00 00 00 04 A2 80 51 40 43 4F 4D 4D 00 00 00 11 00 01 00 00 00 00 00 10 F3 0C FA 00 00 00 00 00 00 4E 4F 4E 45 0E 6E 6F 74 20 63 63 6D 92 72 65 73 53 65 64 00`

- The exploit triggers a heap overflow via a specially crafted AIFF file with manipulated headindex/headend values in the AIFF header, causing memcpy to overwrite heap memory. Look for AIFF files with anomalous COMT chunk item counts (e.g. 0x2503 or 0x36B0 items) or malformed/duplicate SSND chunks.
- Attack surface includes email attachments, TCP socket audio streams, and file uploads to server-side audio processing services. Any application calling libsndfile to open an AIFF file is a potential vector.
- The crafted AIFF payload contains the string 'MOMIMANHACKERNOW' repeated as padding. This string can be used as a memory/file content signature to detect exploit attempts.
- The exploit PoC was written for libsndfile 1.0.25 specifically. The Debian fixed version is 1.0.25-10; systems running unpatched 1.0.25 packages on RHEL 6/7 are marked 'Will not fix' by Red Hat.
- The exploit author notes the pulseaudio attack path (paplay) was tested, but the SWF/Audio browser path was not tested. Detection coverage should prioritize command-line and server-side audio processing vectors.
- Adobe Audition triggers the bug passively during directory scanning, not just on explicit file open; detection should account for directory-level file scanning by audio applications.
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v2.0 | 9.3 | CRITICAL | AV:N/AC:M/Au:N/C:C/I:C/A:C |
| osv | — | 9.3 | CRITICAL | — |
| vendor_debian | — | 9.3 | CRITICAL | — |
| vendor_redhat | — | 9.3 | CRITICAL | — |
| vendor_ubuntu | — | 2.1 | LOW | — |
GHSA
GHSA-55v7-29g7-7rj7: Heap-based buffer overflow in libsndfile 1
ghsa_unreviewed·2022-05-14
CVE-2015-7805 [HIGH] CWE-119 GHSA-55v7-29g7-7rj7: Heap-based buffer overflow in libsndfile 1
Heap-based buffer overflow in libsndfile 1.0.25 allows remote attackers to have unspecified impact via the headindex value in the header in an AIFF file.
OSV
libsndfile vulnerabilities
osv·2015-12-07·CVSS 2.1
CVE-2014-9496 [LOW] libsndfile vulnerabilities
libsndfile vulnerabilities
It was discovered that libsndfile incorrectly handled memory when parsing
malformed files. A remote attacker could use this issue to cause
libsndfile to crash, resulting in a denial of service. This issue only
applied to Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. (CVE-2014-9496)
Joshua Rogers discovered that libsndfile incorrectly handled division when
parsing malformed files. A remote attacker could use this issue to cause
libsndfile to crash, resulting in a denial of service. (CVE-2014-9756)
Marco Romano discovered that libsndfile incorrectly handled certain
malformed AIFF files. A remote attacker could use this issue to cause
libsndfile to crash, resulting in a denial of service, or possibly execute
arbitrary code. (CVE-2015-7805)
OSV
CVE-2015-7805: Heap-based buffer overflow in libsndfile 1
osv·2015-11-17·CVSS 9.3
CVE-2015-7805 [CRITICAL] CVE-2015-7805: Heap-based buffer overflow in libsndfile 1
Heap-based buffer overflow in libsndfile 1.0.25 allows remote attackers to have unspecified impact via the headindex value in the header in an AIFF file.
Ubuntu
libsndfile vulnerabilities
vendor_ubuntu·2015-12-07·CVSS 2.1
CVE-2014-9496 [LOW] libsndfile vulnerabilities
Title: libsndfile vulnerabilities
Summary: libsndfile could be made to crash or run programs as your login if it
opened a specially crafted file.
It was discovered that libsndfile incorrectly handled memory when parsing
malformed files. A remote attacker could use this issue to cause
libsndfile to crash, resulting in a denial of service. This issue only
applied to Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. (CVE-2014-9496)
Joshua Rogers discovered that libsndfile incorrectly handled division when
parsing malformed files. A remote attacker could use this issue to cause
libsndfile to crash, resulting in a denial of service. (CVE-2014-9756)
Marco Romano discovered that libsndfile incorrectly handled certain
malformed AIFF files. A remote attacker could use this issue to cause
libsndfile to cra
Red Hat
libsndfile: Heap overflow vulnerability when parsing specially crafted AIFF header
vendor_redhat·2015-10-12·CVSS 9.3
CVE-2015-7805 [CRITICAL] CWE-122 libsndfile: Heap overflow vulnerability when parsing specially crafted AIFF header
libsndfile: Heap overflow vulnerability when parsing specially crafted AIFF header
Heap-based buffer overflow in libsndfile 1.0.25 allows remote attackers to have unspecified impact via the headindex value in the header in an AIFF file.
Package: libsndfile (Red Hat Enterprise Linux 6) - Will not fix
Package: pulseaudio (Red Hat Enterprise Linux 6) - Not affected
Package: libsndfile (Red Hat Enterprise Linux 7) - Will not fix
Package: pulseaudio (Red Hat Enterprise Linux 7) - Not affected
Debian
CVE-2015-7805: libsndfile - Heap-based buffer overflow in libsndfile 1.0.25 allows remote attackers to have ...
vendor_debian·2015·CVSS 9.3
CVE-2015-7805 [CRITICAL] CVE-2015-7805: libsndfile - Heap-based buffer overflow in libsndfile 1.0.25 allows remote attackers to have ...
Heap-based buffer overflow in libsndfile 1.0.25 allows remote attackers to have unspecified impact via the headindex value in the header in an AIFF file.
Scope: local
bookworm: resolved (fixed in 1.0.25-10)
bullseye: resolved (fixed in 1.0.25-10)
forky: resolved (fixed in 1.0.25-10)
sid: resolved (fixed in 1.0.25-10)
trixie: resolved (fixed in 1.0.25-10)
No detection rules found.
Bugzilla
CVE-2015-7805 audacity: libsndfile: Heap overflow vulnerability when parsing specially crafted AIFF header [epel-all]
bugzilla·2015-11-04·CVSS 9.3
CVE-2015-7805 [CRITICAL] CVE-2015-7805 audacity: libsndfile: Heap overflow vulnerability when parsing specially crafted AIFF header [epel-all]
CVE-2015-7805 audacity: libsndfile: Heap overflow vulnerability when parsing specially crafted AIFF header [epel-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora EPEL.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this
Bugzilla
CVE-2015-7805 jack-audio-connection-kit: libsndfile: Heap overflow vulnerability when parsing specially crafted AIFF header [epel-all]
bugzilla·2015-11-04·CVSS 9.3
CVE-2015-7805 [CRITICAL] CVE-2015-7805 jack-audio-connection-kit: libsndfile: Heap overflow vulnerability when parsing specially crafted AIFF header [epel-all]
CVE-2015-7805 jack-audio-connection-kit: libsndfile: Heap overflow vulnerability when parsing specially crafted AIFF header [epel-all]
Bugzilla
CVE-2015-7805 libsndfile: Heap overflow vulnerability when parsing specially crafted AIFF header [epel-5]
bugzilla·2015-11-04·CVSS 9.3
CVE-2015-7805 [CRITICAL] CVE-2015-7805 libsndfile: Heap overflow vulnerability when parsing specially crafted AIFF header [epel-5]
CVE-2015-7805 libsndfile: Heap overflow vulnerability when parsing specially crafted AIFF header [epel-5]
Bugzilla
CVE-2015-7805 audacity: libsndfile: Heap overflow vulnerability when parsing specially crafted AIFF header [fedora-all]
bugzilla·2015-11-04·CVSS 9.3
CVE-2015-7805 [CRITICAL] CVE-2015-7805 audacity: libsndfile: Heap overflow vulnerability when parsing specially crafted AIFF header [fedora-all]
CVE-2015-7805 audacity: libsndfile: Heap overflow vulnerability when parsing specially crafted AIFF header [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this iss
Bugzilla
CVE-2015-7805 jack-audio-connection-kit: libsndfile: Heap overflow vulnerability when parsing specially crafted AIFF header [fedora-all]
bugzilla·2015-11-04·CVSS 9.3
CVE-2015-7805 [CRITICAL] CVE-2015-7805 jack-audio-connection-kit: libsndfile: Heap overflow vulnerability when parsing specially crafted AIFF header [fedora-all]
CVE-2015-7805 jack-audio-connection-kit: libsndfile: Heap overflow vulnerability when parsing specially crafted AIFF header [fedora-all]
Bugzilla
CVE-2015-7805 libsndfile: Heap overflow vulnerability when parsing specially crafted AIFF header
bugzilla·2015-11-04·CVSS 9.3
CVE-2015-7805 [CRITICAL] CVE-2015-7805 libsndfile: Heap overflow vulnerability when parsing specially crafted AIFF header
CVE-2015-7805 libsndfile: Heap overflow vulnerability when parsing specially crafted AIFF header
A heap-based buffer overflow vulnerability was found in libsndfile. The vulnerability is based on the wrong management of the headindex and headend values. While parsing a specially crafted AIFF header, the attacker can manage index values in order to use memcpy(...) to overwrite heap memory. Affected versions are

```c
if (psf->headindex + bytes > SIGNED_SIZEOF (psf->header))
806 { int most ;
807
808 most = SIGNED_SIZEOF (psf->header) - psf->headindex ;
809 psf_fread (psf->header + psf->headend, 1, most, psf) ;
810 memset ((char *) ptr + most, 0, bytes - most) ;
811
812 psf_fseek (psf, bytes - most, SEEK_CUR) ;
813 return bytes ;
814 } ;
```

line 808 is trying to calculate the
Bugzilla
CVE-2015-7805 pulseaudio: libsndfile: Heap overflow vulnerability when parsing specially crafted AIFF header [fedora-all]
bugzilla·2015-11-04·CVSS 9.3
CVE-2015-7805 [CRITICAL] CVE-2015-7805 pulseaudio: libsndfile: Heap overflow vulnerability when parsing specially crafted AIFF header [fedora-all]
CVE-2015-7805 pulseaudio: libsndfile: Heap overflow vulnerability when parsing specially crafted AIFF header [fedora-all]
Bugzilla
CVE-2015-7805 libsndfile: Heap overflow vulnerability when parsing specially crafted AIFF header [fedora-all]
bugzilla·2015-11-04·CVSS 9.3
CVE-2015-7805 [CRITICAL] CVE-2015-7805 libsndfile: Heap overflow vulnerability when parsing specially crafted AIFF header [fedora-all]
CVE-2015-7805 libsndfile: Heap overflow vulnerability when parsing specially crafted AIFF header [fedora-all]
Bugzilla
CVE-2015-7805 pulseaudio: libsndfile: Heap overflow vulnerability when parsing specially crafted AIFF header [epel-5]
bugzilla·2015-11-04·CVSS 9.3
CVE-2015-7805 [CRITICAL] CVE-2015-7805 pulseaudio: libsndfile: Heap overflow vulnerability when parsing specially crafted AIFF header [epel-5]
CVE-2015-7805 pulseaudio: libsndfile: Heap overflow vulnerability when parsing specially crafted AIFF header [epel-5]
References

- http://lists.fedoraproject.org/pipermail/package-announce/2015-November/171466.html
- http://lists.fedoraproject.org/pipermail/package-announce/2015-November/172593.html
- http://lists.fedoraproject.org/pipermail/package-announce/2015-November/172607.html
- http://lists.opensuse.org/opensuse-updates/2015-11/msg00077.html
- http://lists.opensuse.org/opensuse-updates/2015-11/msg00145.html
- http://packetstormsecurity.com/files/133926/libsndfile-1.0.25-Heap-Overflow.html
- http://www.nemux.org/2015/10/13/libsndfile-1-0-25-heap-overflow/
- http://www.openwall.com/lists/oss-security/2015/11/03/3
- http://www.openwall.com/lists/oss-security/2015/11/03/7
- http://www.securityfocus.com/bid/77427
- http://www.ubuntu.com/usn/USN-2832-1
- https://security.gentoo.org/glsa/201612-03
- https://www.exploit-db.com/exploits/38447/