J-Security Center

Title: SoX WAV File Buffer Overflow Vulnerability

Severity: MODERATE

Description:

SoX (Sound eXchange) is a sound processing application for Linux, Sun, and other Unix-like operating systems. It supports a wide range of sound formats and can perform various operations on them.

The WAV header handling code in SoX is reported to contain a buffer overflow vulnerability. This issue is due to a failure of the application to validate string lengths when copying user-supplied data into finite buffers in process memory.

The vulnerable code exists in the 'wav.c' file, in the 'st_wavstartread' function. The vulnerability exists in the code that parses the extended 'INFO' tags contained in WAV files.

The 'ICRD' (creation date) and 'ISFT' (software) tags are copied into a fixed-length 'ft->comment' buffer of 256 bytes. By creating a malicious WAV file containing large 'ICRD' or 'ISFT' tags, an attacker can cause SoX to overflow the affected buffer.

The attacker must be able to present a malicious WAV file to an unsuspecting user. The user must employ the affected application to either listen to or process the malicious file.

Ultimately, an attacker may exploit this issue to execute arbitrary code on the affected computer with the privileges of the user who started the affected application.
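
The length check whose absence is described above, as an added example (not SoX's code and not part of the original advisory): it walks the sub-chunks of an INFO list and refuses any 'ICRD' or 'ISFT' value that would not fit the 256-byte buffer. The function names, return codes and the constructed sample tags are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define COMMENT_MAX 256 /* buffer size the advisory gives for ft->comment */

/* RIFF chunk sizes are stored as little-endian 32-bit values. */
static uint32_t le32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Walk INFO sub-chunks (4-byte id, 4-byte length, data) and copy ICRD/ISFT text.
 * Returns 0 on success, -1 if a tag is too long for the buffer, -2 if truncated. */
int read_info_comment(const uint8_t *info, size_t info_len, char comment[COMMENT_MAX]) {
    size_t off = 0;
    comment[0] = '\0';
    while (info_len - off >= 8) {
        const uint8_t *hdr = info + off;
        uint32_t len = le32(hdr + 4);
        off += 8;
        if (len > info_len - off) return -2;       /* length field exceeds the data present */
        if (memcmp(hdr, "ICRD", 4) == 0 || memcmp(hdr, "ISFT", 4) == 0) {
            if (len >= COMMENT_MAX) return -1;     /* validate before copying, keep room for NUL */
            memcpy(comment, info + off, len);
            comment[len] = '\0';
        }
        off += len;
        if ((len & 1) && off < info_len) off++;    /* RIFF pads odd-sized chunks to even */
    }
    return 0;
}

/* Constructed sample input: one sub-chunk `id` holding `len` filler bytes. */
size_t build_tag(uint8_t *out, const char *id, uint32_t len) {
    memcpy(out, id, 4);
    out[4] = len & 0xff;         out[5] = (len >> 8) & 0xff;
    out[6] = (len >> 16) & 0xff; out[7] = (len >> 24) & 0xff;
    memset(out + 8, 'A', len);
    return 8 + (size_t)len;
}

int main(void) {
    uint8_t buf[1024]; char comment[COMMENT_MAX];
    size_t n = build_tag(buf, "ISFT", 12);
    printf("12-byte ISFT  -> %d\n", read_info_comment(buf, n, comment));
    n = build_tag(buf, "ICRD", 300);
    printf("300-byte ICRD -> %d\n", read_info_comment(buf, n, comment));
    return 0;
}
```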

Affected Products:

  • Conectiva Linux 10.0.0
  • Conectiva Linux 8.0.0
  • Conectiva Linux 9.0.0
  • Gentoo Linux 1.4.0
  • RedHat Desktop 3.0.0
  • RedHat Enterprise Linux AS 3
  • RedHat Enterprise Linux ES 3
  • RedHat Enterprise Linux WS 3
  • RedHat Fedora Core1
  • RedHat Fedora Core2
  • RedHat Linux 7.3.0 i386
  • RedHat Linux 9.0.0 i386
  • SGI Advanced Linux Environment 3.0.0
  • SoX SoX 12.17.2
  • SoX SoX 12.17.3
  • SoX SoX 12.17.4
