libvorbis: CVE-2017-11333 OOM via crafted WAV file

Debian Bug report logs - #870341
libvorbis: CVE-2017-11333 OOM via crafted WAV file

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Tue, 1 Aug 2017 09:06:01 UTC

Severity: important

Tags: security, upstream

Found in version libvorbis/1.3.5-4

Fixed in versions libvorbis/1.3.5-4+deb9u1, libvorbis/1.3.5-4.1, libvorbis/1.3.6-1

Done: Petter Reinholdtsen <pere@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://gitlab.xiph.org/xiph/vorbis/issues/2332


Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Xiph.org Maintainers <pkg-xiph-maint@lists.alioth.debian.org>:
Bug#870341; Package src:libvorbis. (Tue, 01 Aug 2017 09:06:04 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Xiph.org Maintainers <pkg-xiph-maint@lists.alioth.debian.org>. (Tue, 01 Aug 2017 09:06:04 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libvorbis: CVE-2017-11333
Date: Tue, 01 Aug 2017 11:02:48 +0200
Source: libvorbis
Version: 1.3.5-4
Severity: important
Tags: security upstream

Hi,

the following vulnerability was published for libvorbis, can you
double-check the report.

CVE-2017-11333[0]:
| The vorbis_analysis_wrote function in lib/block.c in Xiph.Org libvorbis
| 1.3.5 allows remote attackers to cause a denial of service (OOM) via a
| crafted wav file.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-11333
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11333
[1] http://seclists.org/fulldisclosure/2017/Jul/82

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Xiph.org Maintainers <pkg-xiph-maint@lists.alioth.debian.org>:
Bug#870341; Package src:libvorbis. (Tue, 01 Aug 2017 18:06:03 GMT) (full text, mbox, link).


Acknowledgement sent to Petter Reinholdtsen <pere@hungry.com>:
Extra info received and forwarded to list. Copy sent to Debian Xiph.org Maintainers <pkg-xiph-maint@lists.alioth.debian.org>. (Tue, 01 Aug 2017 18:06:03 GMT) (full text, mbox, link).


Message #10 received at 870341@bugs.debian.org (full text, mbox, reply):

From: Petter Reinholdtsen <pere@hungry.com>
To: Salvatore Bonaccorso <carnil@debian.org>, 870341@bugs.debian.org
Subject: Re: libvorbis: CVE-2017-11333
Date: Tue, 1 Aug 2017 20:02:47 +0200
Control: retitle -1 libvorbis: CVE-2017-11333 OOM via crafted WAV file

I've tried to figure out if the recently reported security problems are
reported upstream, but the upstream bug tracker is being moved from
trac.xiph.org to https://gitlab.xiph.org/xiph and the migration is
not done yet, so it seems to be impossible to register it with upstream
so far.

Thus I have no idea if there are any patches for this issue yet.  Anyone
know?

-- 
Happy hacking
Petter Reinholdtsen



Changed Bug title to 'libvorbis: CVE-2017-11333 OOM via crafted WAV file' from 'libvorbis: CVE-2017-11333'. Request was from Petter Reinholdtsen <pere@hungry.com> to 870341-submit@bugs.debian.org. (Tue, 01 Aug 2017 18:06:03 GMT) (full text, mbox, link).


Set Bug forwarded-to-address to 'https://gitlab.xiph.org/xiph/vorbis/issues/2332'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 30 Sep 2017 17:06:02 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Xiph.org Maintainers <pkg-xiph-maint@lists.alioth.debian.org>:
Bug#870341; Package src:libvorbis. (Mon, 20 Nov 2017 15:42:03 GMT) (full text, mbox, link).


Acknowledgement sent to Guido Günther <agx@sigxcpu.org>:
Extra info received and forwarded to list. Copy sent to Debian Xiph.org Maintainers <pkg-xiph-maint@lists.alioth.debian.org>. (Mon, 20 Nov 2017 15:42:03 GMT) (full text, mbox, link).


Message #19 received at 870341@bugs.debian.org (full text, mbox, reply):

From: Guido Günther <agx@sigxcpu.org>
To: Petter Reinholdtsen <pere@hungry.com>, 870341@bugs.debian.org
Cc: Salvatore Bonaccorso <carnil@debian.org>
Subject: Re: Bug#870341: libvorbis: CVE-2017-11333
Date: Mon, 20 Nov 2017 16:39:51 +0100
Hi Petter,
On Tue, Aug 01, 2017 at 08:02:47PM +0200, Petter Reinholdtsen wrote:
> Control: retitle -1 libvorbis: CVE-2017-11333 OOM via crafted WAV file
> 
> I've tried to figure out if the recently reported security problems are
> reported upstream, but the upstream bug tracker is being moved from
> trac.xiph.org to https://gitlab.xiph.org/xiph and the migration is
> not done yet, so it seems to be impossible to register it with upstream
> so far.

The issue is at https://gitlab.xiph.org/xiph/vorbis/issues/2332

> 
> Thus I have no idea if there are any patches for this issue yet.  Anyone
> know?

The wav file also seems to suffer from too many channels. When I apply
the patch from #876778 and then the attached patch sox aborts
correctly. I did not check if there are other issues in the wav file
besides too many channels.

(Attaching the patch here since the upstream sox list doesn't seem to
list my submission).

Cheers,
 -- Guido

> 
> -- 
> Happy hacking
> Petter Reinholdtsen
[0001-Handle-vorbis_analysis_headerout-errors.patch (text/x-diff, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Xiph.org Maintainers <pkg-xiph-maint@lists.alioth.debian.org>:
Bug#870341; Package src:libvorbis. (Mon, 20 Nov 2017 16:06:04 GMT) (full text, mbox, link).


Acknowledgement sent to Guido Günther <agx@sigxcpu.org>:
Extra info received and forwarded to list. Copy sent to Debian Xiph.org Maintainers <pkg-xiph-maint@lists.alioth.debian.org>. (Mon, 20 Nov 2017 16:06:04 GMT) (full text, mbox, link).


Message #24 received at 870341@bugs.debian.org (full text, mbox, reply):

From: Guido Günther <agx@sigxcpu.org>
To: 870341@bugs.debian.org
Cc: Salvatore Bonaccorso <carnil@debian.org>, sox@packages.debian.org
Subject: Re: Bug#870341: libvorbis: CVE-2017-11333
Date: Mon, 20 Nov 2017 17:03:55 +0100
control: clone -1 -2
control: retitle -2 missing error checking when encoding vorbis
control: tags -2 +patch

Hi sox maintainers,
On Mon, Nov 20, 2017 at 04:39:51PM +0100, Guido Günther wrote:
> Hi Petter,
> On Tue, Aug 01, 2017 at 08:02:47PM +0200, Petter Reinholdtsen wrote:
> > Control: retitle -1 libvorbis: CVE-2017-11333 OOM via crafted WAV file
> > 
> > I've tried to figure out if the recently reported security problems are
> > reported upstream, but the upstream bug tracker is being moved from
> > trac.xiph.org to https://gitlab.xiph.org/xiph and the migration is
> > not done yet, so it seems to be impossible to register it with upstream
> > so far.
> 
> The issue is at https://gitlab.xiph.org/xiph/vorbis/issues/2332
> 
> > 
> > Thus I have no idea if there are any patches for this issue yet.  Anyone
> > know?
> 
> The wav file also seems to suffer from too many channels. When I apply
> the patch from #876778 and then the attached patch sox aborts
> correctly. I did not check if there are other issues in the wav file
> besides too many channels.
> 
> (Attaching the patch here since the upstream sox list doesn't seem to
> list my submission).

There seems to be missing error checking in sox

    https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=870341#19

which might cause trouble if libvorbis indicates an error. I've submitted
this patch upstream too but it doesn't seem to make it to the
sourceforge list.
Cheers,
 -- Guido



Bug 870341 cloned as bug 882236 Request was from Guido Günther <agx@sigxcpu.org> to 870341-submit@bugs.debian.org. (Mon, 20 Nov 2017 16:06:04 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Xiph.org Maintainers <pkg-xiph-maint@lists.alioth.debian.org>:
Bug#870341; Package src:libvorbis. (Sat, 17 Mar 2018 19:39:15 GMT) (full text, mbox, link).


Acknowledgement sent to Petter Reinholdtsen <pere@hungry.com>:
Extra info received and forwarded to list. Copy sent to Debian Xiph.org Maintainers <pkg-xiph-maint@lists.alioth.debian.org>. (Sat, 17 Mar 2018 19:39:15 GMT) (full text, mbox, link).


Message #31 received at 870341@bugs.debian.org (full text, mbox, reply):

From: Petter Reinholdtsen <pere@hungry.com>
To: Guido Günther <agx@sigxcpu.org>
Cc: 870341@bugs.debian.org, Salvatore Bonaccorso <carnil@debian.org>, sox@packages.debian.org
Subject: Re: Bug#870341: libvorbis: CVE-2017-11333
Date: Sat, 17 Mar 2018 20:38:28 +0100
According to the upstream developer TD-Linux on #xiph, the
CVE-2017-11333 issue is fixed upstream.  I have not checked
the details but suspect it was fixed in version 1.3.6
released yesterday.
-- 
Happy hacking
Petter Reinholdtsen



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Xiph.org Maintainers <pkg-xiph-maint@lists.alioth.debian.org>:
Bug#870341; Package src:libvorbis. (Thu, 22 Mar 2018 07:15:03 GMT) (full text, mbox, link).


Acknowledgement sent to Petter Reinholdtsen <pere@hungry.com>:
Extra info received and forwarded to list. Copy sent to Debian Xiph.org Maintainers <pkg-xiph-maint@lists.alioth.debian.org>. (Thu, 22 Mar 2018 07:15:03 GMT) (full text, mbox, link).


Message #36 received at 870341@bugs.debian.org (full text, mbox, reply):

From: Petter Reinholdtsen <pere@hungry.com>
To: Guido Günther <agx@sigxcpu.org>, 870341@bugs.debian.org, Salvatore Bonaccorso <carnil@debian.org>, sox@packages.debian.org
Subject: Re: Bug#870341: libvorbis: CVE-2017-11333
Date: Thu, 22 Mar 2018 08:13:31 +0100
Control: fixed -1 1.3.5-4+deb9u1 1.3.5-4.1

I've tried to figure out the details, and as far as I can tell,
the patch fixing #876778 (CVE-2017-14633), also fixes this issue,
by limiting the number of channels allowed.  At least that is what
I can read from the upstream bug tracker, where the issues
for the two CVEs are closed with the same commit.

-- 
Happy hacking
Petter Reinholdtsen
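Messages #19 and #36 above both point at the same root cause: a WAV header declaring far more channels than an encoder can handle, with the fix being a channel-count limit before any per-channel state is allocated. The following is an added example (not code from libvorbis, sox, or the patches referenced in this bug) of that pre-check applied at the WAV parsing stage: it walks the RIFF chunk list, reads the channel count from the "fmt " chunk, and rejects anything outside 1..255. The 255 ceiling is an assumption derived from the one-byte channel field in the Vorbis identification header (the upstream patch's exact bound is not reproduced here); wav_channels, wav_channels_ok and build_wav_header are names introduced for this example, and the headers are constructed sample data.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Assumed limit: the Vorbis identification header stores the channel count
 * in a single byte, so no Vorbis stream can carry more than 255 channels. */
#define MAX_VORBIS_CHANNELS 255

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Walk the RIFF chunk list and return the channel count declared in the
 * "fmt " chunk, or -1 if the buffer is not a well-formed WAV (bad magic,
 * truncated chunk, missing or too-short fmt chunk). */
int wav_channels(const uint8_t *buf, size_t len) {
    if (len < 12 || memcmp(buf, "RIFF", 4) != 0 || memcmp(buf + 8, "WAVE", 4) != 0)
        return -1;
    size_t off = 12;
    while (off + 8 <= len) {
        uint32_t csize = rd32(buf + off + 4);
        if (csize > len - off - 8) return -1;   /* chunk claims more than we have */
        if (memcmp(buf + off, "fmt ", 4) == 0) {
            if (csize < 16) return -1;           /* PCM fmt payload is >= 16 bytes */
            return rd16(buf + off + 8 + 2);      /* nChannels: 2 bytes into payload */
        }
        off += 8 + csize + (csize & 1);          /* RIFF chunks are word-aligned */
    }
    return -1;
}

/* 1 if the buffer may be handed to the encoder, 0 if it must be rejected
 * before any channel-sized allocation happens. */
int wav_channels_ok(const uint8_t *buf, size_t len) {
    int ch = wav_channels(buf, len);
    return ch >= 1 && ch <= MAX_VORBIS_CHANNELS;
}

/* Constructed sample: a canonical 44-byte PCM header with an empty data
 * chunk, so a caller can build both a sane file and an oversized one. */
void build_wav_header(uint8_t out[44], uint16_t channels) {
    memset(out, 0, 44);
    memcpy(out, "RIFF", 4); out[4] = 36;           /* RIFF size = 44 - 8 */
    memcpy(out + 8, "WAVEfmt ", 8); out[16] = 16;  /* fmt chunk size */
    out[20] = 1;                                    /* wFormatTag = PCM */
    out[22] = (uint8_t)(channels & 0xff); out[23] = (uint8_t)(channels >> 8);
    out[24] = 0x44; out[25] = 0xAC;                 /* 44100 Hz */
    out[34] = 16;                                   /* bits per sample */
    memcpy(out + 36, "data", 4);                    /* empty data chunk */
}
```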



Marked as fixed in versions libvorbis/1.3.5-4+deb9u1. Request was from Petter Reinholdtsen <pere@hungry.com> to control@bugs.debian.org. (Thu, 22 Mar 2018 08:33:03 GMT) (full text, mbox, link).


Marked as fixed in versions libvorbis/1.3.5-4.1. Request was from Petter Reinholdtsen <pere@hungry.com> to control@bugs.debian.org. (Thu, 22 Mar 2018 08:33:03 GMT) (full text, mbox, link).


Reply sent to Petter Reinholdtsen <pere@debian.org>:
You have taken responsibility. (Thu, 22 Mar 2018 08:57:07 GMT) (full text, mbox, link).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Thu, 22 Mar 2018 08:57:07 GMT) (full text, mbox, link).


Message #45 received at 870341-close@bugs.debian.org (full text, mbox, reply):

From: Petter Reinholdtsen <pere@debian.org>
To: 870341-close@bugs.debian.org
Subject: Bug#870341: fixed in libvorbis 1.3.6-1
Date: Thu, 22 Mar 2018 08:53:41 +0000
Source: libvorbis
Source-Version: 1.3.6-1

We believe that the bug you reported is fixed in the latest version of
libvorbis, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 870341@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Petter Reinholdtsen <pere@debian.org> (supplier of updated libvorbis package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 22 Mar 2018 08:22:56 +0100
Source: libvorbis
Binary: libvorbis0a libvorbisenc2 libvorbisfile3 libvorbis-dev
Architecture: source
Version: 1.3.6-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Xiph.org Maintainers <pkg-xiph-maint@lists.alioth.debian.org>
Changed-By: Petter Reinholdtsen <pere@debian.org>
Description:
 libvorbis-dev - development files for Vorbis General Audio Compression Codec
 libvorbis0a - decoder library for Vorbis General Audio Compression Codec
 libvorbisenc2 - encoder library for Vorbis General Audio Compression Codec
 libvorbisfile3 - high-level API for Vorbis General Audio Compression Codec
Closes: 870341
Changes:
 libvorbis (1.3.6-1) unstable; urgency=medium
 .
   * Add more used CPE strings to d/upstream/metadata.
   * Fix typo in patch description.  Thanks lintian.
   * Updated Standards-Version from 3.9.8 to 4.1.3.
   * Changed debhelper compat level from 9 to 10.
   * Remove no longer needed Testsuite header from d/control.
   * Drop binary package libvorbis-dbg.  Use automatically generated dbgsym
     package instead.
   * New upstream version 1.3.6.
     - Fixes CVE-2018-5146 - out-of-bounds write on codebook decoding.
     - Fixes CVE-2017-14632 - free() on uninitialized data
     - Fixes CVE-2017-14633/CVE-2017-14633 - out-of-bounds read (Closes: 870341)
     - Removed obsolete patches
       CVE-2017-14633-Don-t-allow-for-more-than-256-channels.patch,
       CVE-2017-14632-vorbis_analysis_header_out-Don-t-clear-opb.patch and
       CVE-2018-5146-Prevent-out-of-bounds-write-in-codeboo.patch.





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 24 Apr 2018 07:30:30 GMT) (full text, mbox, link).



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:18:37 2019; Machine Name: buxtehude
