Debian Bug report logs - #776086
CVE-2014-9638 CVE-2014-9639


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Fri, 23 Jan 2015 18:27:07 UTC

Severity: important

Tags: security, upstream

Found in version vorbis-tools/1.4.0-1

Fixed in versions vorbis-tools/1.4.0-7, vorbis-tools/1.4.0-1+deb6u1, 1.4.0-6+deb8u1

Done: Petter Reinholdtsen <pere@hungry.com>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Xiph.org Maintainers <pkg-xiph-maint@lists.alioth.debian.org>:
Bug#776086; Package src:vorbis-tools. (Fri, 23 Jan 2015 18:27:12 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Xiph.org Maintainers <pkg-xiph-maint@lists.alioth.debian.org>. (Fri, 23 Jan 2015 18:27:12 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: vorbis-tools: CVE-2014-9638 CVE-2014-9639 CVE-2014-9640
Date: Fri, 23 Jan 2015 19:25:57 +0100
Source: vorbis-tools
Version: 1.4.0-1
Severity: important
Tags: security upstream

Hi,

the following vulnerabilities were published for vorbis-tools.

CVE-2014-9638[0]:
Oggenc division by zero issue

CVE-2014-9639[1]:
Oggenc channel integer overflow

CVE-2014-9640[2]:
segfault when trying to encode trivial raw input

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2014-9638
    https://trac.xiph.org/ticket/2137
[1] https://security-tracker.debian.org/tracker/CVE-2014-9639
    https://trac.xiph.org/ticket/2136
[2] https://security-tracker.debian.org/tracker/CVE-2014-9640
    https://trac.xiph.org/ticket/2009

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Xiph.org Maintainers <pkg-xiph-maint@lists.alioth.debian.org>:
Bug#776086; Package src:vorbis-tools. (Sun, 25 Jan 2015 17:39:05 GMT)


Acknowledgement sent to Martin Steghöfer <martin@steghoefer.eu>:
Extra info received and forwarded to list. Copy sent to Debian Xiph.org Maintainers <pkg-xiph-maint@lists.alioth.debian.org>. (Sun, 25 Jan 2015 17:39:05 GMT)


Message #10 received at 776086@bugs.debian.org:

From: Martin Steghöfer <martin@steghoefer.eu>
To: Salvatore Bonaccorso <carnil@debian.org>, 776086@bugs.debian.org, control@bugs.debian.org
Subject: Re: Bug#776086: vorbis-tools: CVE-2014-9638 CVE-2014-9639 CVE-2014-9640
Date: Sun, 25 Jan 2015 18:35:14 +0100
retitle 776086 CVE-2014-9638 CVE-2014-9639
thanks


Dear Salvatore,

thank you for reporting this!


Salvatore Bonaccorso wrote:
> CVE-2014-9638[0]:
> Oggenc division by zero issue

Confirmed with 1.4.0-6 as well as with the current git head. There 
doesn't seem to be a fix yet, so I am going to look into it.

> CVE-2014-9639[1]:
> Oggenc channel integer overflow

Confirmed with 1.4.0-6 as well as with the current git head. There 
doesn't seem to be a fix yet, so I am going to look into it.

>
> CVE-2014-9640[2]:
> segfault when trying to encode trivial raw input

This one is a duplicate of Debian bug #771363, which we fixed in 
December in version 1.4.0-6 (which made it into Jessie). No idea why the 
Debian security tracker lists 1.4.0-6 as vulnerable. This should be 
changed, but I don't know how.

Since it's classified as a security issue now, we should probably 
backport the fix to stable, shouldn't we?

> If you fix the vulnerabilities please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

Will do, at least for the remaining 2 issues. For CVE-2014-9640 there 
was no CVE identifier when we fixed it.

Cheers,
Martin




Changed Bug title to 'CVE-2014-9638 CVE-2014-9639' from 'vorbis-tools: CVE-2014-9638 CVE-2014-9639 CVE-2014-9640'. Request was from Martin Steghöfer <martin@steghoefer.eu> to control@bugs.debian.org. (Sun, 25 Jan 2015 17:39:14 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Xiph.org Maintainers <pkg-xiph-maint@lists.alioth.debian.org>:
Bug#776086; Package src:vorbis-tools. (Sun, 25 Jan 2015 19:33:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Xiph.org Maintainers <pkg-xiph-maint@lists.alioth.debian.org>. (Sun, 25 Jan 2015 19:33:04 GMT)


Message #17 received at 776086@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Martin Steghöfer <martin@steghoefer.eu>, 776086@bugs.debian.org
Subject: Re: Bug#776086: vorbis-tools: CVE-2014-9638 CVE-2014-9639 CVE-2014-9640
Date: Sun, 25 Jan 2015 20:31:59 +0100
Hi Martin,

On Sun, Jan 25, 2015 at 06:35:14PM +0100, Martin Steghöfer wrote:
> retitle 776086 CVE-2014-9638 CVE-2014-9639
> thanks
> 
> 
> Dear Salvatore,
> 
> thank you for reporting this!
> 
> 
> Salvatore Bonaccorso wrote:
> >CVE-2014-9638[0]:
> >Oggenc division by zero issue
> 
> Confirmed with 1.4.0-6 as well as with the current git head. There doesn't
> seem to be a fix yet, so I am going to look into it.
> 
> >CVE-2014-9639[1]:
> >Oggenc channel integer overflow
> 
> Confirmed with 1.4.0-6 as well as with the current git head. There doesn't
> seem to be a fix yet, so I am going to look into it.
> 
> >
> >CVE-2014-9640[2]:
> >segfault when trying to encode trivial raw input
> 
> This one is a duplicate of Debian bug #771363, which we fixed in December in
> version 1.4.0-6 (which made it into Jessie). No idea why the Debian security
> tracker lists 1.4.0-6 as vulnerable. This should be changed, but I don't
> know how.

Whoops, apologies, I missed this! Btw, the tracker does not update the
information automatically, but is verified by team members and
updated. I have just adjusted the entry for CVE-2014-9640.

> Since it's classified as a security issue now, we should probably backport
> the fix to stable, shouldn't we?

My gut feeling is that the impact is low for these three issues
(unless I missed something). So no DSA on its own is needed, but
actually it would be great to see it fixed in stable as well through a
stable-proposed-update (maybe once fixes are also available for the
other two issues, to include them). Do you agree with this conclusion,
and if yes, could you contact the release team for a fix through the
next stable point release?

https://www.debian.org/doc/manuals/developers-reference/pkgs.html#upload-stable

> >If you fix the vulnerabilities please also make sure to include the
> >CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
> 
> Will do, at least for the remaining 2 issues. For CVE-2014-9640 there was no
> CVE identifier when we fixed it.

Yes that is fine (you can also adjust the entry for #771363 adding the
CVE retrospectively; but it is not strictly required).

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Xiph.org Maintainers <pkg-xiph-maint@lists.alioth.debian.org>:
Bug#776086; Package src:vorbis-tools. (Thu, 12 Feb 2015 15:51:11 GMT)


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Debian Xiph.org Maintainers <pkg-xiph-maint@lists.alioth.debian.org>. (Thu, 12 Feb 2015 15:51:11 GMT)


Message #22 received at 776086@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Martin Steghöfer <martin@steghoefer.eu>
Cc: Salvatore Bonaccorso <carnil@debian.org>, 776086@bugs.debian.org
Subject: Re: Bug#776086: vorbis-tools: CVE-2014-9638 CVE-2014-9639 CVE-2014-9640
Date: Thu, 12 Feb 2015 16:41:52 +0100
On Sun, Jan 25, 2015 at 06:35:14PM +0100, Martin Steghöfer wrote:
> retitle 776086 CVE-2014-9638 CVE-2014-9639
> thanks
> 
> 
> Dear Salvatore,
> 
> thank you for reporting this!
> 
> 
> Salvatore Bonaccorso wrote:
> >CVE-2014-9638[0]:
> >Oggenc division by zero issue
> 
> Confirmed with 1.4.0-6 as well as with the current git head. There
> doesn't seem to be a fix yet, so I am going to look into it.
> 
> >CVE-2014-9639[1]:
> >Oggenc channel integer overflow
> 
> Confirmed with 1.4.0-6 as well as with the current git head. There
> doesn't seem to be a fix yet, so I am going to look into it.

Did you contact upstream, are fixes available for these?

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Xiph.org Maintainers <pkg-xiph-maint@lists.alioth.debian.org>:
Bug#776086; Package src:vorbis-tools. (Thu, 12 Feb 2015 17:15:04 GMT)


Acknowledgement sent to Martin Steghöfer <martin@steghoefer.eu>:
Extra info received and forwarded to list. Copy sent to Debian Xiph.org Maintainers <pkg-xiph-maint@lists.alioth.debian.org>. (Thu, 12 Feb 2015 17:15:04 GMT)


Message #27 received at 776086@bugs.debian.org:

From: Martin Steghöfer <martin@steghoefer.eu>
To: 776086@bugs.debian.org
Cc: Moritz Muehlenhoff <jmm@inutil.org>, Salvatore Bonaccorso <carnil@debian.org>
Subject: Re: Bug#776086: vorbis-tools: CVE-2014-9638 CVE-2014-9639 CVE-2014-9640
Date: Thu, 12 Feb 2015 18:12:39 +0100
Moritz Muehlenhoff wrote:
> Did you contact upstream, are fixes available for these? 

There are bug tracker items available for the two remaining issues [1] 
[2], but there has been no movement so far.

I've looked into it and the security aspect is fairly easy to fix by 
just adding an additional sanity check that allows only positive numbers 
of channels (rule out 0 to avoid CVE-2014-9638 and negative values to 
avoid CVE-2014-9639).

For the case CVE-2014-9638, I even consider this the proper and complete 
fix.

In CVE-2014-9639, however, the deeper reason for the appearance of a 
negative number of channels is an overflow because of several unsuitable 
data types used in the reading of the wav headers. The proper fix would 
be to change those data types - which has to be done with great care, in 
order to avoid shifting the overflow from its current place to a place 
that might be even less guarded. I haven't gotten around to reviewing 
the code and fixing this.

But maybe for now we can just stick with the sanity check? It fixes the 
security aspect and doesn't break any case that wasn't broken already - 
it however doesn't fix the problem that oggenc refuses to process some 
theoretically valid (although very uncommon, if existent at all) WAV 
files with very extreme parameters.

Cheers,
Martin

[1] https://trac.xiph.org/ticket/2137
[2] https://trac.xiph.org/ticket/2136
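The sanity check Martin describes above (reject a channel count of 0 so that nothing later divides by it, and never let the count go negative), as an added illustration written for this page. It is not oggenc's code, not Kamil Dudka's patch and not the patch that shipped in 1.4.0-7: it is a minimal parser for the 16-byte PCM "fmt " chunk of a WAV file with the check applied at the point where the header is read. The three fmt chunks are constructed for the example, and the 255-channel ceiling (MAX_CHANNELS) is an assumed encoder limit, not a value taken from vorbis-tools. The last function shows the failure mode behind CVE-2014-9639 in isolation: the same 16-bit field read into a signed short.

```c
/* Added illustration, not vorbis-tools code: a minimal parser for the
 * 16-byte PCM "fmt " chunk of a WAV file that applies the sanity check
 * discussed in this bug (channels must be > 0) and keeps the count in an
 * unsigned type so it cannot turn negative. Sample chunks are constructed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_CHANNELS 255u   /* assumed encoder limit for this example */

struct wav_fmt {
    uint16_t format_tag;        /* 1 = PCM */
    uint16_t channels;
    uint32_t sample_rate;
    uint32_t byte_rate;
    uint16_t block_align;       /* bytes per sample frame */
    uint16_t bits_per_sample;
};

/* WAV fields are little-endian regardless of host byte order. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Parse and validate the fmt chunk body. Returns 0 on success, -1 if the
 * chunk is short, not PCM, or carries parameters an encoder must refuse. */
int parse_wav_fmt(const uint8_t *buf, size_t len, struct wav_fmt *out) {
    if (len < 16) return -1;
    out->format_tag      = rd16(buf);
    out->channels        = rd16(buf + 2);
    out->sample_rate     = rd32(buf + 4);
    out->byte_rate       = rd32(buf + 8);
    out->block_align     = rd16(buf + 12);
    out->bits_per_sample = rd16(buf + 14);

    if (out->format_tag != 1) return -1;
    /* The check from the thread: 0 channels would divide by zero further
     * down; an oversized count is refused before any per-channel work. */
    if (out->channels == 0 || out->channels > MAX_CHANNELS) return -1;
    if (out->sample_rate == 0) return -1;
    if (out->bits_per_sample != 8 && out->bits_per_sample != 16 &&
        out->bits_per_sample != 24 && out->bits_per_sample != 32) return -1;
    /* Cross-check block_align against channels * bytes per sample. */
    if (out->block_align != (uint32_t)out->channels * (out->bits_per_sample / 8u))
        return -1;
    return 0;
}

/* Number of complete sample frames in a data chunk of data_bytes bytes, or
 * -1 if the header is invalid. The division here is exactly the operation
 * an unchecked zero channel count crashes. */
long wav_frames(const uint8_t *buf, size_t len, uint32_t data_bytes) {
    struct wav_fmt f;
    if (parse_wav_fmt(buf, len, &f) != 0) return -1;
    uint32_t frame_bytes = (uint32_t)f.channels * (f.bits_per_sample / 8u);
    return (long)(data_bytes / frame_bytes);   /* frame_bytes >= 1 after validation */
}

/* What goes wrong if the 16-bit field is read into a signed type: 0xFFFF
 * becomes -1 on two's-complement targets, so a later "channels > 0" test
 * is the only thing between the file and a negative size computation. */
int unsafe_channels_as_short(const uint8_t *buf) {
    return (short)rd16(buf + 2);
}

/* Constructed inputs: stereo/16-bit/44100 Hz, zero channels, 65535 channels. */
static const uint8_t FMT_STEREO16[16] = {
    0x01,0x00, 0x02,0x00, 0x44,0xAC,0x00,0x00, 0x10,0xB1,0x02,0x00, 0x04,0x00, 0x10,0x00 };
static const uint8_t FMT_ZERO_CHANNELS[16] = {
    0x01,0x00, 0x00,0x00, 0x44,0xAC,0x00,0x00, 0x00,0x00,0x00,0x00, 0x00,0x00, 0x10,0x00 };
static const uint8_t FMT_HUGE_CHANNELS[16] = {
    0x01,0x00, 0xFF,0xFF, 0x44,0xAC,0x00,0x00, 0x00,0x00,0x00,0x00, 0x00,0x00, 0x10,0x00 };

int main(void) {
    printf("stereo frames in 1000 bytes: %ld\n", wav_frames(FMT_STEREO16, 16, 1000));
    printf("zero channels:  %ld\n", wav_frames(FMT_ZERO_CHANNELS, 16, 1000));
    printf("65535 channels: %ld\n", wav_frames(FMT_HUGE_CHANNELS, 16, 1000));
    printf("65535 read as short: %d\n", unsafe_channels_as_short(FMT_HUGE_CHANNELS));
    return 0;
}
```

The point of keeping the count in `uint16_t` is that the "positive channels" check then reduces to `channels != 0`: there is no negative branch to forget. The block_align cross-check is extra; it catches files whose fields disagree with each other before any buffer is sized from them.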



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Xiph.org Maintainers <pkg-xiph-maint@lists.alioth.debian.org>:
Bug#776086; Package src:vorbis-tools. (Sat, 28 Feb 2015 14:45:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Xiph.org Maintainers <pkg-xiph-maint@lists.alioth.debian.org>. (Sat, 28 Feb 2015 14:45:04 GMT)


Message #32 received at 776086@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Martin Steghöfer <martin@steghoefer.eu>, 776086@bugs.debian.org
Cc: Moritz Muehlenhoff <jmm@inutil.org>
Subject: Re: Bug#776086: vorbis-tools: CVE-2014-9638 CVE-2014-9639 CVE-2014-9640
Date: Sat, 28 Feb 2015 15:41:05 +0100
Hi Martin, hi Moritz,

On Thu, Feb 12, 2015 at 06:12:39PM +0100, Martin Steghöfer wrote:
> Moritz Muehlenhoff wrote:
> >Did you contact upstream, are fixes available for these?
> 
> There are bug tracker items available for the two remaining issues [1] [2],
> but there has been no movement so far.

I have not looked into this in detail, but on the vorbis-dev list
there was a proposed patch from Kamil Dudka from Red Hat:

http://lists.xiph.org/pipermail/vorbis-dev/2015-February/020423.html

see as well https://bugzilla.redhat.com/show_bug.cgi?id=1184449#c6

Regards,
Salvatore



Reply sent to Petter Reinholdtsen <pere@debian.org>:
You have taken responsibility. (Wed, 23 Sep 2015 16:12:29 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Wed, 23 Sep 2015 16:12:29 GMT)


Message #37 received at 776086-close@bugs.debian.org:

From: Petter Reinholdtsen <pere@debian.org>
To: 776086-close@bugs.debian.org
Subject: Bug#776086: fixed in vorbis-tools 1.4.0-7
Date: Wed, 23 Sep 2015 16:11:29 +0000
Source: vorbis-tools
Source-Version: 1.4.0-7

We believe that the bug you reported is fixed in the latest version of
vorbis-tools, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 776086@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Petter Reinholdtsen <pere@debian.org> (supplier of updated vorbis-tools package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Wed, 23 Sep 2015 12:15:44 +0000
Source: vorbis-tools
Binary: vorbis-tools vorbis-tools-dbg
Architecture: source
Version: 1.4.0-7
Distribution: unstable
Urgency: low
Maintainer: Debian Xiph.org Maintainers <pkg-xiph-maint@lists.alioth.debian.org>
Changed-By: Petter Reinholdtsen <pere@debian.org>
Description:
 vorbis-tools - several Ogg Vorbis tools
 vorbis-tools-dbg - several Ogg Vorbis tools (debug files)
Closes: 239073 312185 728062 771448 772391 772766 772976 772978 776086 797461
Changes:
 vorbis-tools (1.4.0-7) unstable; urgency=low
 .
   [ Martin Steghöfer ]
   * Format patches for gbp-pq, correct tagging and add missing
     information to tagging.
   * Add sampling rate sanity check to avoid crash (in case of unpatched
     libvorbis version) or to improve error message (with patched libvorbis).
   * Fix vorbistagedit: Reading of file list from stdin was broken.
     (Closes: #771448)
   * Documentation of vorbistagedit: Improve wording of error message.
   * Fix bashism in /usr/bin/vorbistagedit (negative status code).
     (Closes: #772391)
   * Truncate long status lines on small terminals (Closes: #239073)
   * Fix ogg123 speex stereo playback: Initialize stereo information
     data structure (Closes: #312185)
   * Fix ogg123 speex playback: Initialize channel matrix (Closes: #772766)
   * Add low-priority mailcap entry for "ogginfo" on action "cat".
     (Closes: #728062)
   * Fix oggdec crash/hang: Don't ignore stream errors (Closes: #772978)
   * Use translations in oggdec (Closes: #772976)
 .
   [ Petter Reinholdtsen ]
   * Add debian/gbp.conf to enforce the use of pristine-tar.
   * oggenc: Fix large alloca on bad AIFF input to oggenc
     (CVE-2015-6749). (Closes: #797461)
   * oggenc: Validate count of channels in the header
     (CVE-2014-9638, CVE-2014-9639). (Closes: #776086)
Checksums-Sha1:
 d66bf4c51506b3265eb650ad4d95acfce7615c22 2380 vorbis-tools_1.4.0-7.dsc
 c55fa8ba764e47c73b0451a268a976924420d341 21040 vorbis-tools_1.4.0-7.debian.tar.xz
Checksums-Sha256:
 52359ff2669f482e1afa28c2728ee02bd099e9049c738620185b38df093143bf 2380 vorbis-tools_1.4.0-7.dsc
 03d11b1a3d708d46c857211885034af4d9eea4ed103eccbcdcbcbc1c5fe6067f 21040 vorbis-tools_1.4.0-7.debian.tar.xz
Files:
 e1d497e619c703fdcc773c7503ca4ece 2380 sound optional vorbis-tools_1.4.0-7.dsc
 1100d666f68549f3476b8dbb6e460b20 21040 sound optional vorbis-tools_1.4.0-7.debian.tar.xz





Reply sent to Mike Gabriel <sunweaver@debian.org>:
You have taken responsibility. (Tue, 29 Sep 2015 09:45:04 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Tue, 29 Sep 2015 09:45:04 GMT)


Message #42 received at 776086-close@bugs.debian.org:

From: Mike Gabriel <sunweaver@debian.org>
To: 776086-close@bugs.debian.org
Subject: Bug#776086: fixed in vorbis-tools 1.4.0-1+deb6u1
Date: Tue, 29 Sep 2015 09:44:05 +0000
Source: vorbis-tools
Source-Version: 1.4.0-1+deb6u1

We believe that the bug you reported is fixed in the latest version of
vorbis-tools, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 776086@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Mike Gabriel <sunweaver@debian.org> (supplier of updated vorbis-tools package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Tue, 29 Sep 2015 10:30:16 +0200
Source: vorbis-tools
Binary: vorbis-tools vorbis-tools-dbg
Architecture: source amd64
Version: 1.4.0-1+deb6u1
Distribution: squeeze-lts
Urgency: medium
Maintainer: Debian Xiph.org Maintainers <pkg-xiph-maint@lists.alioth.debian.org>
Changed-By: Mike Gabriel <sunweaver@debian.org>
Description: 
 vorbis-tools - several Ogg Vorbis tools
 vorbis-tools-dbg - several Ogg Vorbis tools (debug files)
Closes: 771363 776086 797461
Changes: 
 vorbis-tools (1.4.0-1+deb6u1) squeeze-lts; urgency=medium
 .
   * Non-maintainer upload by the Debian LTS Team.
   * debian/patches:
     + Add 0009-Fix-oggenc-crash-on-closing-raw-input-files.patch. Fix
       crash on closing raw input. (CVE-2014-9640). (Closes: #771363).
     + Add 0015-Fix-Large-alloca-on-bad-AIFF-input-CVE-2015-6749.patch. Fix
       buffer overflow on bad AIFF input (CVE-2015-6749). (Closes: #797461).
     + Add 0016-Validate-channel-count-in-audio-header.patch. Prevent
       out-of-bounds memory access (CVE-2014-9638, CVE-2014-9639).
       (Closes: #776086).
     + Update no_debian_subdir.diff to avoid patch fuzziness.
Checksums-Sha1: 
 7cb404aeedfe1b16c6d58ffffb4f21e6446367ad 2071 vorbis-tools_1.4.0-1+deb6u1.dsc
 b012c9e2807e9078be4e4686baefd202672e9475 8486 vorbis-tools_1.4.0-1+deb6u1.diff.gz
 caacea79542df425afcc1d226eec0cf91687173b 291050 vorbis-tools_1.4.0-1+deb6u1_amd64.deb
 2e7c516293aba0d5510ad2930673914747e1f1e1 189468 vorbis-tools-dbg_1.4.0-1+deb6u1_amd64.deb
Checksums-Sha256: 
 9167034e9ba8d9383962e23f460761039eeba8559373af876d975f7f15a87b26 2071 vorbis-tools_1.4.0-1+deb6u1.dsc
 e9a739b20f400b794d6f4c017975ffb926eb8b058de770827616c610cb70a406 8486 vorbis-tools_1.4.0-1+deb6u1.diff.gz
 ee9b096e6df4be59dfba318964809c26fd83689a2048c551f5508d7927e712fe 291050 vorbis-tools_1.4.0-1+deb6u1_amd64.deb
 2685b31884f681d54e3a2eb6a9bd13d86ed6c6f4a3e5f600c000cb59bc785625 189468 vorbis-tools-dbg_1.4.0-1+deb6u1_amd64.deb
Files: 
 af5c613487ac9174be65d081605119ea 2071 sound optional vorbis-tools_1.4.0-1+deb6u1.dsc
 ca9db9ff3763732cf74ece50d503b659 8486 sound optional vorbis-tools_1.4.0-1+deb6u1.diff.gz
 35ac2bcece570cd6cf101a86b8621973 291050 sound optional vorbis-tools_1.4.0-1+deb6u1_amd64.deb
 5357007da15fdd60cb93d66627baaba1 189468 debug extra vorbis-tools-dbg_1.4.0-1+deb6u1_amd64.deb





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 01 Nov 2015 07:33:32 GMT)


Bug unarchived. Request was from Petter Reinholdtsen <pere@hungry.com> to control@bugs.debian.org. (Sat, 24 Sep 2016 06:03:03 GMT)


Reply sent to Petter Reinholdtsen <pere@hungry.com>:
You have taken responsibility. (Sat, 24 Sep 2016 06:21:03 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sat, 24 Sep 2016 06:21:04 GMT)


Message #51 received at 776086-done@bugs.debian.org:

From: Petter Reinholdtsen <pere@hungry.com>
To: <797461-done@bugs.debian.org>, <776086-done@bugs.debian.org>, <818037-done@bugs.debian.org>
Subject: Bug fixed in Jessie
Date: Sat, 24 Sep 2016 07:55:14 +0200
Version: 1.4.0-6+deb8u1

This issue was fixed in Jessie with this upload:

 vorbis-tools (1.4.0-6+deb8u1) jessie; urgency=low
 .
   [ Petter Reinholdtsen ]
   * Add gbp.conf file documenting git branch to use for updates to Jessie.
   * oggenc: Fix large alloca on bad AIFF input to oggenc (CVE-2015-6749).
     (Closes: 797461)
   * oggenc: Validate count of channels in the header (CVE-2014-9638,
     CVE-2014-9639). (Closes: 776086)
 .
   [ Martin Steghöfer ]
   * Fix segmentation fault in vcut (Closes: #818037)

No idea why the BTS has not noticed yet, but I am closing the bugs manually
to have the fact properly recorded.

-- 
Happy hacking
Petter Reinholdtsen



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 22 Oct 2016 07:28:13 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:08:44 2019; Machine Name: beach
