
speexenc stack buffer overflow #14

Closed
Aurorainfinity opened this issue Jul 14, 2020 · 5 comments

Comments

@Aurorainfinity

I have found a stack buffer overflow vulnerability in speexenc; this may cause an RCE by opening a crafted WAV file.
sample2.zip
The vulnerable function, at speexenc.c:122:

```c
/* snippet quoted from the report: the read length is not checked against the buffer */
} else {
    nb_read = fread(in,1,to_read,fin);
```

@alexmurray

alexmurray commented Nov 11, 2021

Looks like this may also affect CELT as it has a very similarly named read_samples function that I suspect may be derived from this one in speex.

@kirotawa

kirotawa commented Nov 11, 2021

It was assigned as CVE-2020-23904

@tmatth (Member)

tmatth commented Nov 11, 2021

> I have found a stack buffer overflow vulnerability in speexenc, this may cause a rce by open a crafted wav file sample2.zip the vulnerability function: speexenc.c:122 } else { nb_read = fread(in,1,to_read,fin);

How exactly are you running the command-line? This sample gets rejected for me with:

```
cat sample2.wav | ./src/speexenc - out.spx
Only mono and (intensity) stereo supported
```

@00xc

00xc commented Jan 12, 2022

Any news on this issue? It was assigned a CVE number 2 months ago and it seems nobody has been able to reproduce it. Would it make sense to dispute it?

@tmatth (Member)

tmatth commented Jan 13, 2022

I'm going to close this since as mentioned in #14 (comment) I cannot reproduce it.
It's worth noting that speexenc is a demo program and read_samples is not part of libspeex itself.
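The pattern the report points at is an `fread` whose length is derived from the input stream rather than from the size of the stack buffer it writes into. The following is an added example written for this page, not code from speexenc or libspeex, showing the check a bounded version of such a read loop needs: the requested sample count is validated against the destination capacity (and the channel count against what the encoder supports) before `fread` is called. The names `read_samples_checked`, `run_scenario`, `make_stream`, `IN_CAPACITY` and `kSamplePcm` are assumptions for the example, and the PCM bytes are constructed, not taken from any sample file.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical capacity of the stack sample buffer, in 16-bit samples.
 * The value is arbitrary; the point is that every read is clamped to it. */
#define IN_CAPACITY 8

/* Constructed little-endian 16-bit PCM: four samples (1, 2, 3, 4). */
static const unsigned char kSamplePcm[8] = {1,0, 2,0, 3,0, 4,0};
static const size_t kSamplePcmLen = sizeof kSamplePcm;

/* Wrap a constructed byte buffer in a FILE* so fread() is exercised the
 * same way as in the reported code path. tmpfile() keeps it portable. */
static FILE *make_stream(const unsigned char *data, size_t len)
{
    FILE *f = tmpfile();
    if (!f) return NULL;
    if (fwrite(data, 1, len, f) != len) { fclose(f); return NULL; }
    rewind(f);
    return f;
}

/* Read one frame of interleaved samples into `in`, which can hold `in_cap`
 * samples. Returns the number of whole samples read, 0 at end of stream,
 * or -1 if the request is invalid or would not fit in the buffer. */
static int read_samples_checked(FILE *fin, int channels, int frame_size,
                                short *in, size_t in_cap)
{
    if (channels < 1 || channels > 2 || frame_size < 1)
        return -1;                          /* mono and stereo only */
    size_t want = (size_t)frame_size * (size_t)channels;
    if (want > in_cap)
        return -1;                          /* would overflow the destination */
    size_t to_read = want * sizeof(short);  /* bounded by in_cap, not by the file */
    size_t nb_read = fread(in, 1, to_read, fin);
    return (int)(nb_read / sizeof(short));  /* a trailing partial sample is dropped */
}

/* Drive one scenario end to end so the result can be checked without a
 * file on disk. in_cap <= IN_CAPACITY models a smaller stack buffer. */
static int run_scenario(const unsigned char *pcm, size_t pcm_len,
                        int channels, int frame_size, size_t in_cap)
{
    short in[IN_CAPACITY];
    if (in_cap > IN_CAPACITY) return -1;
    FILE *f = make_stream(pcm, pcm_len);
    if (!f) return -1;
    int n = read_samples_checked(f, channels, frame_size, in, in_cap);
    fclose(f);
    return n;
}

int main(void)
{
    printf("mono, frame 4, cap 4:        %d\n",
           run_scenario(kSamplePcm, kSamplePcmLen, 1, 4, 4));
    printf("stereo, frame 4, cap 4:      %d\n",
           run_scenario(kSamplePcm, kSamplePcmLen, 2, 4, 4));
    printf("mono, frame 4, 6-byte input: %d\n",
           run_scenario(kSamplePcm, 6, 1, 4, 4));
    return 0;
}
```

The stereo case with a four-sample buffer is the one that matters: a frame of four samples times two channels needs eight slots, so the function refuses it instead of letting `fread` write past the end of `in`. A short input stream is handled separately and simply yields fewer samples.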

@tmatth tmatth closed this as completed Jan 13, 2022
@jlaine jlaine mentioned this issue Mar 25, 2022
netbsd-srcmastr pushed a commit to NetBSD/pkgsrc that referenced this issue Aug 6, 2024
CVE-2020-23903 was fixed in
speex-1.2.1
870ff845b32f314aec0036641ffe18aba4916887

CVE-2020-23904 is invalid per
xiph/speex#14