CLD-313 Details

Other IDs this deficiency may be known by:

CVE ID CVE-2017-18207 (nvd) (mitre) (debian) (archlinux) (red hat) (suse) (ubuntu)
Other ID(s)

Basic Information:

Affected Package(s) python3
Deficiency Type SECURITY
Date Created 2018-03-01 10:39:19
Date Last Modified 2018-03-01 12:54:16

Version Specific Information:

Cucumber 1.0 i686 fixed in python3-3.6.4-i686-2
Cucumber 1.0 x86_64 fixed in python3-3.6.4-x86_64-2

Cucumber 1.1 i686 fixed in python3-3.6.4-i686-2
Cucumber 1.1 x86_64 fixed in python3-3.6.4-x86_64-2

Details:

=================================== Overview ===================================

The Wave_read._read_fmt_chunk function in Lib/wave.py in Python through 3.6.4
does not ensure a nonzero channel value, which allows attackers to cause a
denial of service (divide-by-zero error and application crash) via a crafted
wav format audio file. 

================================ Initial Report ================================

From https://bugs.python.org/issue32056:

I found a bug in wave.py because there is no check for self._channel in the
_read_fmt_chunk function.  When I try to open a wav file whose channel is zero,
it will crash because of a divide by zero in the initfp function.

================================= Our Analysis =================================

----- Affected Products -----
Python3 up to and including Python 3.6.4 is vulnerable unless the patch from
https://github.com/python/cpython/commit/0b68584514d98d955c849d44b88ccbd4476b0858.patch
has been applied. At the time of this writing, 3.6.4 is the latest version of
Python3; future versions may or may not be affected.

----- Scope and Impact of this Vulnerability -----
An attacker can cause a denial of service (application crash) in any
application that uses the standard Python wave library to open an arbitrary
file.

----- Fix for this Vulnerability -----
This vulnerability has been fixed by the following upstream commit:
https://github.com/python/cpython/commit/0b68584514d98d955c849d44b88ccbd4476b0858.patch

================================= Our Solution =================================

We have applied a modified version of the aforementioned patch and rebuilt. Our
modified patch can be found at:
http://mirror.cucumberlinux.com/cucumber/cucumber-1.1/source/lang-base/python3/patches/00010_CVE-2017-18207_0b68584514d98d955c849d44b88ccbd4476b0858.patch
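
To check whether an installed python3 carries the fix, and to keep an application from crashing on either build, the following can be used. It is an added example, not part of the upstream commit or of our patch; the helper names (build_wav, probe_wave_module, safe_open_params) are hypothetical, and the zero-channel WAV is constructed in memory as test input.

```python
import io
import struct
import wave


def build_wav(nchannels, sampwidth=2, framerate=8000, frames=b"\x00\x00" * 4):
    """Build a minimal PCM WAV in memory (constructed sample input)."""
    block_align = nchannels * sampwidth
    fmt = struct.pack("<HHIIHH", 1, nchannels, framerate,
                      framerate * block_align, block_align, sampwidth * 8)
    body = (b"WAVE" + b"fmt " + struct.pack("<I", len(fmt)) + fmt
            + b"data" + struct.pack("<I", len(frames)) + frames)
    return b"RIFF" + struct.pack("<I", len(body)) + body


def probe_wave_module():
    """Classify the running interpreter's wave module.

    'patched'    -> zero-channel header rejected with wave.Error
    'vulnerable' -> parsing reached the division (ZeroDivisionError)
    """
    try:
        wave.open(io.BytesIO(build_wav(0)), "rb").close()
    except wave.Error:
        return "patched"
    except ZeroDivisionError:
        return "vulnerable"
    return "unexpected: zero-channel file was accepted"


def safe_open_params(data):
    """Parse untrusted WAV bytes and return its parameters.

    Every parser failure, including the divide-by-zero on an unpatched
    interpreter, is mapped to ValueError so the caller can reject the file
    instead of crashing.
    """
    try:
        with wave.open(io.BytesIO(data), "rb") as w:
            return w.getparams()
    except (wave.Error, EOFError, ZeroDivisionError, struct.error) as exc:
        raise ValueError("rejected WAV input: %r" % (exc,)) from exc


if __name__ == "__main__":
    print("wave module:", probe_wave_module())
    print(safe_open_params(build_wav(1)))
```
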