CLD-313 Details
Other IDs this deficiency may be known by:
Basic Information:
Affected Package(s) | python3 |
Deficiency Type | SECURITY |
Date Created | 2018-03-01 10:39:19 |
Date Last Modified | 2018-03-01 12:54:16 |
Version Specific Information:
Cucumber 1.0 i686 | fixed in python3-3.6.4-i686-2 |
Cucumber 1.0 x86_64 | fixed in python3-3.6.4-x86_64-2 |
Cucumber 1.1 i686 | fixed in python3-3.6.4-i686-2 |
Cucumber 1.1 x86_64 | fixed in python3-3.6.4-x86_64-2 |
Details:
=================================== Overview ===================================
The Wave_read._read_fmt_chunk function in Lib/wave.py in Python through 3.6.4
does not ensure a nonzero channel value, which allows attackers to cause a
denial of service (divide-by-zero error and application crash) via a crafted
wav format audio file.
================================ Initial Report ================================
From https://bugs.python.org/issue32056:
I found a bug in wave.py because there is no check for self._channel in the
_read_fmt_chunk function. When I try to open a wav file whose channel is zero,
it will crash because of a divide by zero in the initfp function.
================================= Our Analysis =================================
----- Affected Products -----
Python3 versions up to and including 3.6.4 that have not had the patch from
https://github.com/python/cpython/commit/0b68584514d98d955c849d44b88ccbd4476b0858.patch
applied are vulnerable. At the time of this writing, 3.6.4 is the latest
version of Python3; future versions may or may not be affected.
----- Scope and Impact of this Vulnerability -----
An attacker can cause a denial of service (application crash) in any
application that uses the standard Python wave library on an arbitrary file.
----- Fix for this Vulnerability -----
This vulnerability has been fixed by
https://github.com/python/cpython/commit/0b68584514d98d955c849d44b88ccbd4476b0858.patch.
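An application that must keep running on an unpatched interpreter can reject a
zero-channel file before it reaches wave.open(). The following is an added
example, not code from the CPython patch or from Cucumber Linux; the names
check_wav_channels, safe_open, build_wav and WavFormatError are hypothetical,
and the sample files are constructed inside the block.

```python
import io
import struct
import wave


class WavFormatError(ValueError):
    """The fmt chunk is missing, truncated, or declares zero channels."""


def check_wav_channels(data: bytes) -> int:
    """Return the channel count declared in the fmt chunk, or raise."""
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"WAVE":
        raise WavFormatError("not a RIFF/WAVE file")
    pos = 12
    while pos + 8 <= len(data):
        chunk_id = data[pos:pos + 4]
        (size,) = struct.unpack_from("<I", data, pos + 4)
        body = pos + 8
        if chunk_id == b"fmt ":
            if size < 16 or body + 16 > len(data):
                raise WavFormatError("truncated fmt chunk")
            # Same field order wave.py reads: format tag, then channel count.
            _tag, nchannels = struct.unpack_from("<HH", data, body)
            if nchannels == 0:
                raise WavFormatError("bad number of channels: 0")
            return nchannels
        pos = body + size + (size & 1)  # RIFF chunks are padded to even length
    raise WavFormatError("no fmt chunk found")


def safe_open(data: bytes) -> wave.Wave_read:
    """Validate first, then hand the bytes to the standard wave module."""
    check_wav_channels(data)
    return wave.open(io.BytesIO(data), "rb")


def build_wav(nchannels: int, frames: bytes = b"\x00" * 8) -> bytes:
    """Constructed sample input: minimal 16-bit PCM WAV at 8000 Hz."""
    fmt = struct.pack("<HHIIHH", 1, nchannels, 8000,
                      8000 * nchannels * 2, nchannels * 2, 16)
    body = (b"WAVE" + b"fmt " + struct.pack("<I", len(fmt)) + fmt
            + b"data" + struct.pack("<I", len(frames)) + frames)
    return b"RIFF" + struct.pack("<I", len(body)) + body


if __name__ == "__main__":
    print(safe_open(build_wav(2)).getnchannels())
    try:
        safe_open(build_wav(0))
    except WavFormatError as exc:
        print("rejected:", exc)
```

The check runs on the raw bytes, so it behaves the same whether or not the
interpreter carries the fix.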
================================= Our Solution =================================
We have applied a modified version of the aforementioned patch and rebuilt. Our
modified patch can be found at:
http://mirror.cucumberlinux.com/cucumber/cucumber-1.1/source/lang-base/python3/patches/00010_CVE-2017-18207_0b68584514d98d955c849d44b88ccbd4476b0858.patch