Unrated severity · NVD Advisory · Published Feb 15, 2019 · Updated Aug 4, 2024

CVE-2019-8356

Description

A stack-based buffer overflow in SoX 14.4.2 fft4g.c bitrv2 can be triggered via crafted MP3 files leading to denial of service.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A stack-based buffer overflow exists in SoX version 14.4.2 in the function bitrv2 in fft4g.c. The argument n is not validated; if its value is sufficiently large, the expression m + l can exceed 256, while the buffer ip is statically allocated to size 256. This allows write access outside the bounds of the statically declared array, as reported in [1], [2], [3]. The vulnerability is reachable when processing specially crafted MP3 files [1], [2].

Exploitation

An attacker would need to supply a maliciously crafted MP3 file to SoX. The exploit sequence involves running SoX with command-line arguments such as --single-threaded -t aiff /dev/null channels 1 rate 16k fade 3 norm [3]. No authentication or special network position is required if the attacker can deliver the file (e.g., via upload or tricking a user into processing the file).

Impact

Successful exploitation leads to a stack-based buffer overflow, which can cause a crash (denial of service) [1], [2]. The impact is primarily on availability; the advisory from Ubuntu notes that an attacker could cause SoX to crash via a specially crafted MP3 file [1], [2].

Mitigation

Ubuntu published security updates in USN-4079-1 (dated July 30, 2019) for Ubuntu 16.04 LTS, and USN-4079-2 (dated August 1, 2019) for Ubuntu 18.04 LTS and 19.04 [1], [2]. The fix is delivered as an update to the sox package. Users who compile SoX themselves should obtain patched source code from the project. The references mention no workaround other than upgrading.

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References: 4
