vorbis-tools: CVE-2015-6749 invalid AIFF file cause alloca() buffer overflow

Related Vulnerabilities: CVE-2015-6749   CVE-2014-9638   CVE-2014-9639   CVE-2014-9640  

Debian Bug report logs - #797461


Reported by: Petter Reinholdtsen <pere@hungry.com>

Date: Sun, 30 Aug 2015 19:57:01 UTC

Severity: important

Tags: fixed-upstream, patch, security, upstream

Found in version vorbis-tools/1.4.0-1

Fixed in versions vorbis-tools/1.4.0-7, vorbis-tools/1.4.0-1+deb6u1, 1.4.0-6+deb8u1

Done: Petter Reinholdtsen <pere@hungry.com>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, Debian Xiph.org Maintainers <pkg-xiph-maint@lists.alioth.debian.org>:
Bug#797461; Package vorbis-tools. (Sun, 30 Aug 2015 19:57:05 GMT) (full text, mbox, link).


Acknowledgement sent to Petter Reinholdtsen <pere@hungry.com>:
New Bug report received and forwarded. Copy sent to Debian Xiph.org Maintainers <pkg-xiph-maint@lists.alioth.debian.org>. (Sun, 30 Aug 2015 19:57:05 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Petter Reinholdtsen <pere@hungry.com>
To: submit@bugs.debian.org
Subject: vorbis-tools: CVE-2015-6749 invalid AIFF file cause alloca() buffer overflow
Date: Sun, 30 Aug 2015 21:55:39 +0200
Package: vorbis-tools
Version: 1.4.0-1
Severity: important
Tags: patch security

There is a problem with oggenc and invalid AIFF files.  I discovered it
in <URL: https://security-tracker.debian.org/tracker/TEMP-0000000-08B637 >,
and see it has been assigned the CVE-2015-6749 identifier.  A fix is
available from upstream in <URL: https://trac.xiph.org/ticket/2212 >
(which also has an example triggering the bug), looking like this:

From 04815d3e1bfae3a6cdfb2c25358a5a72b61299f7 Mon Sep 17 00:00:00 2001
From: Mark Harris <mark.hsj@gmail.com>
Date: Sun, 30 Aug 2015 05:54:46 -0700
Subject: [PATCH] oggenc: Fix large alloca on bad AIFF input

Fixes #2212
---
 oggenc/audio.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/oggenc/audio.c b/oggenc/audio.c
index 477da8c..4921fb9 100644
--- a/oggenc/audio.c
+++ b/oggenc/audio.c
@@ -245,8 +245,8 @@ static int aiff_permute_matrix[6][6] =
 int aiff_open(FILE *in, oe_enc_opt *opt, unsigned char *buf, int buflen)
 {
     int aifc; /* AIFC or AIFF? */
-    unsigned int len;
-    unsigned char *buffer;
+    unsigned int len, readlen;
+    unsigned char buffer[22];
     unsigned char buf2[8];
     aiff_fmt format;
     aifffile *aiff = malloc(sizeof(aifffile));
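Review bot: the literal 22 in `unsigned char buffer[22];` is unexplained; give it a named constant or a comment listing which COMM fields those bytes hold, so the buffer size and the decoding that consumes it cannot drift apart. Also, `aifffile *aiff = malloc(sizeof(aifffile));` still goes unchecked for NULL; pre-existing, but worth a check while this function is being touched.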
@@ -269,9 +269,9 @@ int aiff_open(FILE *in, oe_enc_opt *opt, unsigned char *buf, int buflen)
         return 0; /* Weird common chunk */
     }
 
-    buffer = alloca(len);
-
-    if(fread(buffer,1,len,in) < len)
+    readlen = len < sizeof(buffer) ? len : sizeof(buffer);
+    if(fread(buffer,1,readlen,in) < readlen ||
+       (len > readlen && !seek_forward(in, len-readlen)))
     {
         fprintf(stderr, _("Warning: Unexpected EOF in reading AIFF header\n"));
         return 0;
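Review bot: the clamp `readlen = len < sizeof(buffer) ? len : sizeof(buffer);` bounds the stack write but nothing in this hunk bounds `len` from below: unless the "Weird common chunk" check just above already requires at least the number of bytes the later field decoding consumes, a short chunk leaves the tail of `buffer` uninitialized and it is decoded as header data. Make that minimum explicit in the check. Both error paths (`return 0; /* Weird common chunk */` and the EOF return) also leak the `aiff` allocated above; pre-existing, but a `free(aiff)` on each costs little. Finally, the warning text still says "Unexpected EOF" although the condition now also covers a `seek_forward` failure; a distinct message would make that case easier to diagnose.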
-- 
2.5.0

-- 
Happy hacking
Petter Reinholdtsen
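The shape of the bug and of the fix, as an added example in C that is not code from the bug report, from vorbis-tools or from the upstream patch. It is a minimal AIFF/AIFC header reader that walks the chunk list, finds COMM and decodes it with the same bounded-read-then-skip pattern the patch uses, next to the alloca(len) version it replaced. skip_forward is a hypothetical stand-in for the seek_forward helper the patch calls, COMM_KEEP mirrors the patch's 22-byte buffer, and the AIFF bytes are constructed in memory (the 0xFFFFFFFF COMM length is the attacker-controlled value; the alloca variant is only ever fed a well-formed length here).

```c
#define _GNU_SOURCE                      /* fmemopen(3) */
#include <stdio.h>
#include <stdint.h>
#include <string.h>
#include <alloca.h>

/* AIFF COMM body is 18 bytes; AIFC appends a 4-byte compression id, which we keep too. */
enum { COMM_MIN = 18, COMM_KEEP = 22 };

typedef struct { uint16_t channels, bits; uint32_t frames, declared_len; } aiff_comm;
typedef int (*comm_decoder)(FILE *in, uint32_t len, aiff_comm *out);

static uint16_t be16(const unsigned char *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t be32(const unsigned char *p) { return ((uint32_t)be16(p) << 16) | be16(p + 2); }

/* Consume n bytes by reading, not seeking, so a stdin pipe works too; a hypothetical
 * stand-in for the seek_forward helper the upstream patch calls (assumption). */
static int skip_forward(FILE *in, uint32_t n) {
    unsigned char sink[256];
    while (n > 0) {
        size_t want = n < sizeof sink ? n : sizeof sink;
        if (fread(sink, 1, want, in) < want) return 0;
        n -= (uint32_t)want;
    }
    return 1;
}

static void fill_fields(const unsigned char *b, uint32_t len, aiff_comm *out) {
    out->declared_len = len; out->channels = be16(b);
    out->frames = be32(b + 2); out->bits = be16(b + 6);
}

/* Vulnerable shape (pre-fix oggenc): the stack allocation is sized by the
 * attacker-controlled chunk length. A len near 4 GB moves the stack pointer
 * out of the stack mapping and fread() then writes through a wild pointer.
 * Here for comparison only; never pass it an untrusted len. */
static int comm_decode_alloca(FILE *in, uint32_t len, aiff_comm *out) {
    unsigned char *buffer = alloca(len);
    if (len < COMM_MIN || fread(buffer, 1, len, in) < len) return 0;
    fill_fields(buffer, len, out);
    return 1;
}

/* Hardened shape (what the fix does): fixed stack buffer, read at most sizeof(buffer),
 * skip what the file declares beyond that, reject chunks too short for the fields. */
static int comm_decode_bounded(FILE *in, uint32_t len, aiff_comm *out) {
    unsigned char buffer[COMM_KEEP];
    uint32_t readlen = len < sizeof buffer ? len : (uint32_t)sizeof buffer;
    if (len < COMM_MIN) return 0;
    if (fread(buffer, 1, readlen, in) < readlen) return 0;
    if (len > readlen && !skip_forward(in, len - readlen)) return 0;
    fill_fields(buffer, len, out);
    return 1;
}

/* Check the FORM header, walk the chunk list and decode COMM with `decode`.
 * Returns 1 on success, 0 on malformed or truncated input. */
static int aiff_read_comm(const unsigned char *data, size_t size, aiff_comm *out, comm_decoder decode) {
    unsigned char hdr[12], ch[8];
    int ok = 0;
    FILE *in = fmemopen((void *)data, size, "rb");
    if (!in) return 0;
    if (fread(hdr, 1, 12, in) == 12 && memcmp(hdr, "FORM", 4) == 0 &&
        (memcmp(hdr + 8, "AIFF", 4) == 0 || memcmp(hdr + 8, "AIFC", 4) == 0)) {
        while (fread(ch, 1, 8, in) == 8) {
            uint32_t len = be32(ch + 4);
            if (memcmp(ch, "COMM", 4) == 0) { ok = decode(in, len, out); break; }
            /* bodies are padded to even length; two skips avoid overflowing len + 1 */
            if (!skip_forward(in, len) || !skip_forward(in, len & 1)) break;
        }
    }
    fclose(in);
    return ok;
}

/* Constructed input, not a real file: FORM/AIFF header, an 8-byte filler chunk, then a
 * COMM chunk whose declared length is comm_len while its actual body is 18 bytes. */
static size_t build_aiff(unsigned char *buf, uint32_t comm_len, uint16_t channels) {
    static const unsigned char tail[16] = { 0, 0, 1, 0, 0, 16,                /* 256 frames, 16 bits */
        0x40, 0x0E, 0xAC, 0x44, 0, 0, 0, 0, 0, 0 };                           /* 44100 Hz as 80-bit float */
    unsigned char lens[6] = { comm_len >> 24, comm_len >> 16, comm_len >> 8, comm_len, channels >> 8, channels };
    memcpy(buf, "FORM\0\0\0\0AIFF" "FILL\0\0\0\x08" "\0\0\0\0\0\0\0\0" "COMM", 32);
    memcpy(buf + 32, lens, 6);
    memcpy(buf + 38, tail, 16);
    return 54;
}

/* Build a file with the given COMM length and decode it; returns aiff_read_comm's result. */
static int probe(uint32_t comm_len, comm_decoder decode, aiff_comm *out) {
    unsigned char file[64];
    return aiff_read_comm(file, build_aiff(file, comm_len, 2), out, decode);
}

int main(void) {
    aiff_comm c;
    if (probe(18, comm_decode_alloca, &c) && probe(18, comm_decode_bounded, &c))
        printf("well-formed COMM: %u ch, %u frames, %u bits\n", (unsigned)c.channels, (unsigned)c.frames, (unsigned)c.bits);
    /* The 0xFFFFFFFF length that went straight into alloca() is now a clean failure. */
    printf("COMM length 0xFFFFFFFF: %s\n", probe(0xFFFFFFFFu, comm_decode_bounded, &c) ? "decoded" : "rejected");
    return 0;
}
```

Two points the patch itself leaves implicit are made explicit here: the lower bound on len (a chunk shorter than the fields being decoded is rejected instead of leaving part of the buffer uninitialized), and skipping by reading so the parser behaves the same on a pipe as on a seekable file.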



Added tag(s) upstream and fixed-upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 30 Aug 2015 20:45:08 GMT) (full text, mbox, link).


Reply sent to Petter Reinholdtsen <pere@debian.org>:
You have taken responsibility. (Wed, 23 Sep 2015 16:13:09 GMT) (full text, mbox, link).


Notification sent to Petter Reinholdtsen <pere@hungry.com>:
Bug acknowledged by developer. (Wed, 23 Sep 2015 16:13:09 GMT) (full text, mbox, link).


Message #12 received at 797461-close@bugs.debian.org (full text, mbox, reply):

From: Petter Reinholdtsen <pere@debian.org>
To: 797461-close@bugs.debian.org
Subject: Bug#797461: fixed in vorbis-tools 1.4.0-7
Date: Wed, 23 Sep 2015 16:11:29 +0000
Source: vorbis-tools
Source-Version: 1.4.0-7

We believe that the bug you reported is fixed in the latest version of
vorbis-tools, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 797461@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Petter Reinholdtsen <pere@debian.org> (supplier of updated vorbis-tools package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 23 Sep 2015 12:15:44 +0000
Source: vorbis-tools
Binary: vorbis-tools vorbis-tools-dbg
Architecture: source
Version: 1.4.0-7
Distribution: unstable
Urgency: low
Maintainer: Debian Xiph.org Maintainers <pkg-xiph-maint@lists.alioth.debian.org>
Changed-By: Petter Reinholdtsen <pere@debian.org>
Description:
 vorbis-tools - several Ogg Vorbis tools
 vorbis-tools-dbg - several Ogg Vorbis tools (debug files)
Closes: 239073 312185 728062 771448 772391 772766 772976 772978 776086 797461
Changes:
 vorbis-tools (1.4.0-7) unstable; urgency=low
 .
   [ Martin Steghöfer ]
   * Format patches for gbp-pq, correct tagging and add missing
     information to tagging.
   * Add sampling rate sanity check to avoid crash (in case of unpatched
     libvorbis version) or to improve error message (with patched libvorbis).
   * Fix vorbistagedit: Reading of file list from stdin was broken.
     (Closes: #771448)
   * Documentation of vorbistagedit: Improve wording of error message.
   * Fix bashism in /usr/bin/vorbistagedit (negative status code).
     (Closes: #772391)
   * Truncate long status lines on small terminals (Closes: #239073)
   * Fix ogg123 speex stereo playback: Initialize stereo information
     data structure (Closes: #312185)
   * Fix ogg123 speex playback: Initialize channel matrix (Closes: #772766)
   * Add low-priority mailcap entry for "ogginfo" on action "cat".
     (Closes: #728062)
   * Fix oggdec crash/hang: Don't ignore stream errors (Closes: #772978)
   * Use translations in oggdec (Closes: #772976)
 .
   [ Petter Reinholdtsen ]
   * Add debian/gbp.conf to enforce the use of pristine-tar.
   * oggenc: Fix large alloca on bad AIFF input to oggenc
     (CVE-2015-6749). (Closes: #797461)
   * oggenc: Validate count of channels in the header
     (CVE-2014-9638, CVE-2014-9639). (Closes: #776086)
Checksums-Sha1:
 d66bf4c51506b3265eb650ad4d95acfce7615c22 2380 vorbis-tools_1.4.0-7.dsc
 c55fa8ba764e47c73b0451a268a976924420d341 21040 vorbis-tools_1.4.0-7.debian.tar.xz
Checksums-Sha256:
 52359ff2669f482e1afa28c2728ee02bd099e9049c738620185b38df093143bf 2380 vorbis-tools_1.4.0-7.dsc
 03d11b1a3d708d46c857211885034af4d9eea4ed103eccbcdcbcbc1c5fe6067f 21040 vorbis-tools_1.4.0-7.debian.tar.xz
Files:
 e1d497e619c703fdcc773c7503ca4ece 2380 sound optional vorbis-tools_1.4.0-7.dsc
 1100d666f68549f3476b8dbb6e460b20 21040 sound optional vorbis-tools_1.4.0-7.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
Comment: Debian powered!

iQJ8BAEBCgBmBQJWAq48XxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXRGM0REMDlGOERBODdEMURGNTA0NkM5OUIw
NjEyRjQ5NDRFQ0RDRDVBAAoJEAYS9JROzc1aiHwP/jgHOPc2ArPyAbwV52iRfLGv
a+H10hA8f5OTof1hubfysZ6vfvY6XPjQN3wFFFqIhEi1AKVRMLTArpOptLdTUOwa
Bl/E1ZQ0L64+FVvq5FPhx0nmCK8VCrIy3VX9IZFtzYSGoMUbUGCh7HGT75P8JQTS
y6aDRjjufeoqU7dafqvrZsZF+3IOJ/+LFnEdxyDitpAjzm20YbLrXIJD6V6sUEBA
S0D5TNHbD0Rv+jTszaNcb5EpWKdsNPd4MNcH63c0RBrU2UOQ+GsT0ehMzsxa33tz
Q5TmipBJU5S6P70RnYc4gjLO/R2HiVgyhwyxccJZqED8LYWXw03sjhfB/ushX11y
HXg/eY3cproxisu+sTNgOToGXRkIV2W+hxemvPU4+EwMQIRVOvnsIDdmY6NY/aUG
CK9M+9ajg0ta0TCjSCtuKzmmAtJIggIQrD1Td0yRjLH+UKmjeBHzXa0/fSj5cwXM
iIEiyG2saLC4mUvRkhe/eWNN0z3o1Pk6qV7bapa6CLX8t41OXzJMm5btpNJWHvYT
rBWJGe5NiOwaS0y5Jic7Ye1ZZ7sY+zX7/LbwBCcJpdnDOG9KVR/87K5rKHBUe95n
JikrhQtEW/ZBPVan4ZmRSEV+FawWzgTNwz7kXvxOENE9ux7J7ls9YcGMCbGJ9gmi
XqMYujFuK0yLmVQO4+QK
=/6uU
-----END PGP SIGNATURE-----




Reply sent to Mike Gabriel <sunweaver@debian.org>:
You have taken responsibility. (Tue, 29 Sep 2015 09:45:14 GMT) (full text, mbox, link).


Notification sent to Petter Reinholdtsen <pere@hungry.com>:
Bug acknowledged by developer. (Tue, 29 Sep 2015 09:45:14 GMT) (full text, mbox, link).


Message #17 received at 797461-close@bugs.debian.org (full text, mbox, reply):

From: Mike Gabriel <sunweaver@debian.org>
To: 797461-close@bugs.debian.org
Subject: Bug#797461: fixed in vorbis-tools 1.4.0-1+deb6u1
Date: Tue, 29 Sep 2015 09:44:05 +0000
Source: vorbis-tools
Source-Version: 1.4.0-1+deb6u1

We believe that the bug you reported is fixed in the latest version of
vorbis-tools, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 797461@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Mike Gabriel <sunweaver@debian.org> (supplier of updated vorbis-tools package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 29 Sep 2015 10:30:16 +0200
Source: vorbis-tools
Binary: vorbis-tools vorbis-tools-dbg
Architecture: source amd64
Version: 1.4.0-1+deb6u1
Distribution: squeeze-lts
Urgency: medium
Maintainer: Debian Xiph.org Maintainers <pkg-xiph-maint@lists.alioth.debian.org>
Changed-By: Mike Gabriel <sunweaver@debian.org>
Description: 
 vorbis-tools - several Ogg Vorbis tools
 vorbis-tools-dbg - several Ogg Vorbis tools (debug files)
Closes: 771363 776086 797461
Changes: 
 vorbis-tools (1.4.0-1+deb6u1) squeeze-lts; urgency=medium
 .
   * Non-maintainer upload by the Debian LTS Team.
   * debian/patches:
     + Add 0009-Fix-oggenc-crash-on-closing-raw-input-files.patch. Fix
       crash on closing raw input. (CVE-2014-9640). (Closes: #771363).
     + Add 0015-Fix-Large-alloca-on-bad-AIFF-input-CVE-2015-6749.patch. Fix
       buffer overflow on bad AIFF input (CVE-2015-6749). (Closes: #797461).
     + Add 0016-Validate-channel-count-in-audio-header.patch. Prevent
       out-of-bounds memory access (CVE-2014-9638, CVE-2014-9639).
       (Closes: #776086).
     + Update no_debian_subdir.diff to avoid patch fuzziness.
Checksums-Sha1: 
 7cb404aeedfe1b16c6d58ffffb4f21e6446367ad 2071 vorbis-tools_1.4.0-1+deb6u1.dsc
 b012c9e2807e9078be4e4686baefd202672e9475 8486 vorbis-tools_1.4.0-1+deb6u1.diff.gz
 caacea79542df425afcc1d226eec0cf91687173b 291050 vorbis-tools_1.4.0-1+deb6u1_amd64.deb
 2e7c516293aba0d5510ad2930673914747e1f1e1 189468 vorbis-tools-dbg_1.4.0-1+deb6u1_amd64.deb
Checksums-Sha256: 
 9167034e9ba8d9383962e23f460761039eeba8559373af876d975f7f15a87b26 2071 vorbis-tools_1.4.0-1+deb6u1.dsc
 e9a739b20f400b794d6f4c017975ffb926eb8b058de770827616c610cb70a406 8486 vorbis-tools_1.4.0-1+deb6u1.diff.gz
 ee9b096e6df4be59dfba318964809c26fd83689a2048c551f5508d7927e712fe 291050 vorbis-tools_1.4.0-1+deb6u1_amd64.deb
 2685b31884f681d54e3a2eb6a9bd13d86ed6c6f4a3e5f600c000cb59bc785625 189468 vorbis-tools-dbg_1.4.0-1+deb6u1_amd64.deb
Files: 
 af5c613487ac9174be65d081605119ea 2071 sound optional vorbis-tools_1.4.0-1+deb6u1.dsc
 ca9db9ff3763732cf74ece50d503b659 8486 sound optional vorbis-tools_1.4.0-1+deb6u1.diff.gz
 35ac2bcece570cd6cf101a86b8621973 291050 sound optional vorbis-tools_1.4.0-1+deb6u1_amd64.deb
 5357007da15fdd60cb93d66627baaba1 189468 debug extra vorbis-tools-dbg_1.4.0-1+deb6u1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 01 Nov 2015 07:30:44 GMT) (full text, mbox, link).


Bug unarchived. Request was from Petter Reinholdtsen <pere@hungry.com> to control@bugs.debian.org. (Sat, 24 Sep 2016 06:03:03 GMT) (full text, mbox, link).


Reply sent to Petter Reinholdtsen <pere@hungry.com>:
You have taken responsibility. (Sat, 24 Sep 2016 06:21:06 GMT) (full text, mbox, link).


Notification sent to Petter Reinholdtsen <pere@hungry.com>:
Bug acknowledged by developer. (Sat, 24 Sep 2016 06:21:06 GMT) (full text, mbox, link).


Message #26 received at 797461-done@bugs.debian.org (full text, mbox, reply):

From: Petter Reinholdtsen <pere@hungry.com>
To: <797461-done@bugs.debian.org>, <776086-done@bugs.debian.org>, <818037-done@bugs.debian.org>
Subject: Bug fixed in Jessie
Date: Sat, 24 Sep 2016 07:55:14 +0200
Version: 1.4.0-6+deb8u1

This issue was fixed in Jessie with this upload:

 vorbis-tools (1.4.0-6+deb8u1) jessie; urgency=low
 .
   [ Petter Reinholdtsen ]
   * Add gbp.conf file documenting git branch to use for updates to Jessie.
   * oggenc: Fix large alloca on bad AIFF input to oggenc (CVE-2015-6749).
     (Closes: 797461)
   * oggenc: Validate count of channels in the header (CVE-2014-9638,
     CVE-2014-9639). (Closes: 776086)
 .
   [ Martin Steghöfer ]
   * Fix segmentation fault in vcut (Closes: #818037)

No idea why the BTS has not noticed yet, but I close the bugs manually
to have the fact properly recorded.

-- 
Happy hacking
Petter Reinholdtsen



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 05 Dec 2016 10:08:34 GMT) (full text, mbox, link).


Bug unarchived. Request was from Don Armstrong <don@debian.org> to control@bugs.debian.org. (Wed, 07 Dec 2016 01:42:43 GMT) (full text, mbox, link).


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 27 Jan 2017 10:20:43 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:17:19 2019; Machine Name: buxtehude
