libvorbis: CVE-2017-14160 (+ CVE-2018-10392 CVE-2018-10393)

Related Vulnerabilities: CVE-2017-14160   CVE-2018-10392   CVE-2018-10393  

Debian Bug report logs - #876780
libvorbis: CVE-2017-14160 (+ CVE-2018-10392 CVE-2018-10393)


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Mon, 25 Sep 2017 20:15:01 UTC

Severity: important

Tags: fixed-upstream, security, upstream

Found in version libvorbis/1.3.5-4

Fixed in version libvorbis/1.3.6-2

Done: Florian Schlichting <fsfs@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://gitlab.xiph.org/xiph/vorbis/issues/2330



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Xiph.org Maintainers <pkg-xiph-maint@lists.alioth.debian.org>:
Bug#876780; Package src:libvorbis. (Mon, 25 Sep 2017 20:15:03 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Xiph.org Maintainers <pkg-xiph-maint@lists.alioth.debian.org>. (Mon, 25 Sep 2017 20:15:03 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libvorbis: CVE-2017-14160
Date: Mon, 25 Sep 2017 22:13:45 +0200
Source: libvorbis
Version: 1.3.5-4
Severity: important
Tags: security upstream

Hi,

the following vulnerability was published for libvorbis.

CVE-2017-14160[0]:
| The bark_noise_hybridmp function in psy.c in Xiph.Org libvorbis 1.3.5
| allows remote attackers to cause a denial of service (out-of-bounds
| access and application crash) or possibly have unspecified other impact
| via a crafted mp4 file.

See [1].

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-14160
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14160
[1] http://www.openwall.com/lists/oss-security/2017/09/21/3

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Xiph.org Maintainers <pkg-xiph-maint@lists.alioth.debian.org>:
Bug#876780; Package src:libvorbis. (Mon, 25 Sep 2017 22:27:03 GMT)


Acknowledgement sent to Petter Reinholdtsen <pere@hungry.com>:
Extra info received and forwarded to list. Copy sent to Debian Xiph.org Maintainers <pkg-xiph-maint@lists.alioth.debian.org>. (Mon, 25 Sep 2017 22:27:03 GMT)


Message #10 received at 876780@bugs.debian.org:

From: Petter Reinholdtsen <pere@hungry.com>
To: Salvatore Bonaccorso <carnil@debian.org>, 876780@bugs.debian.org
Subject: Re: Bug#876780: libvorbis: CVE-2017-14160
Date: Tue, 26 Sep 2017 00:24:14 +0200
[Salvatore Bonaccorso]
> the following vulnerability was published for libvorbis.

Thank you for following up on this.  I hope a fix shows up from upstream
for this and other security issues. :)

I was just told on #xiph that this issue also might affect speex:

  <daddesio> rillian: speex may also be affected by that
    bark_noise_hybridmp bug (CVE-2017-14160) since it includes that very
    same function, via vorbis_psy.c.
  <daddesio> see:
    https://git.xiph.org/?p=speex.git;a=blob;f=libspeex/vorbis_psy.c;h=cb385b7a349486a09a3db20adf225100993111c5;hb=HEAD#l189

I have not verified that this is the case, but thought it best to
mention it here until someone has time to check it out.

-- 
Happy hacking
Petter Reinholdtsen



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Xiph.org Maintainers <pkg-xiph-maint@lists.alioth.debian.org>:
Bug#876780; Package src:libvorbis. (Tue, 26 Sep 2017 03:45:03 GMT)


Acknowledgement sent to Ron <ron@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Xiph.org Maintainers <pkg-xiph-maint@lists.alioth.debian.org>. (Tue, 26 Sep 2017 03:45:03 GMT)


Message #15 received at 876780@bugs.debian.org:

From: Ron <ron@debian.org>
To: Petter Reinholdtsen <pere@hungry.com>, 876780@bugs.debian.org
Cc: Salvatore Bonaccorso <carnil@debian.org>
Subject: Re: Bug#876780: libvorbis: CVE-2017-14160
Date: Tue, 26 Sep 2017 13:05:01 +0930
On Tue, Sep 26, 2017 at 12:24:14AM +0200, Petter Reinholdtsen wrote:
> [Salvatore Bonaccorso]
> > the following vulnerability was published for libvorbis.
> 
> Thank you for following up on this.  I hope a fix shows up from upstream
> for this and other security issues. :)
> 
> I was just told on #xiph that this issue also might affect speex:
> 
>   <daddesio> rillian: speex may also be affected by that
>     bark_noise_hybridmp bug (CVE-2017-14160) since it includes that very
>     same function, via vorbis_psy.c.
>   <daddesio> see:
>     https://git.xiph.org/?p=speex.git;a=blob;f=libspeex/vorbis_psy.c;h=cb385b7a349486a09a3db20adf225100993111c5;hb=HEAD#l189
> 
> I have not verified that this is the case, but thought it best to
> mention it here until someone has time to check it out.

I think you'll find that's only included in speex if VORBIS_PSYCHO
is defined, which by default it isn't and there's no configure option
to enable it, you'd need to hand hack the source.

That was an experiment which never really proved its worth, but the
code was still around in case someone had other ideas for it.

In the case of the exported tarballs (which the current distro packages
are based on) vorbis_psy.c isn't one of the exported files.  So it's
there in git, but it's not in the Debian source, and I'd be surprised
if anyone is building binaries with it enabled anywhere.

  Cheers,
  Ron





Set Bug forwarded-to-address to 'https://gitlab.xiph.org/xiph/vorbis/issues/2330'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 29 Sep 2017 19:12:02 GMT)


Added tag(s) fixed-upstream. Request was from Henri S. <henri@nerv.fi> to control@bugs.debian.org. (Tue, 09 Jan 2018 11:39:04 GMT)


Removed tag(s) fixed-upstream. Request was from Henri S. <henri@nerv.fi> to control@bugs.debian.org. (Sat, 17 Mar 2018 09:39:06 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Xiph.org Maintainers <pkg-xiph-maint@lists.alioth.debian.org>:
Bug#876780; Package src:libvorbis. (Fri, 11 May 2018 20:24:02 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Xiph.org Maintainers <pkg-xiph-maint@lists.alioth.debian.org>. (Fri, 11 May 2018 20:24:02 GMT)


Message #26 received at 876780@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 876780@bugs.debian.org
Subject: Re: Bug#876780: libvorbis: CVE-2017-14160
Date: Fri, 11 May 2018 22:20:42 +0200
Control: retitle -1 libvorbis: CVE-2017-14160 (+ CVE-2018-10392 CVE-2018-10393)
Control: tags -1 + fixed-upstream

Hi

This issue (cf. https://gitlab.xiph.org/xiph/vorbis/issues/2330) was
addressed upstream by
https://gitlab.xiph.org/xiph/vorbis/commit/018ca26dece618457dd13585cad52941193c4a25
. There are as well CVE-2018-10392 and CVE-2018-10393, which are fixed by
the same fix. MITRE has assigned two additional CVEs, possibly due to a
different vector.

Regards,
Salvatore



Changed Bug title to 'libvorbis: CVE-2017-14160 (+ CVE-2018-10392 CVE-2018-10393)' from 'libvorbis: CVE-2017-14160'. Request was from Salvatore Bonaccorso <carnil@debian.org> to 876780-submit@bugs.debian.org. (Fri, 11 May 2018 20:24:02 GMT)


Added tag(s) fixed-upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to 876780-submit@bugs.debian.org. (Fri, 11 May 2018 20:24:03 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Xiph.org Maintainers <pkg-xiph-maint@lists.alioth.debian.org>:
Bug#876780; Package src:libvorbis. (Wed, 20 Feb 2019 22:30:03 GMT)


Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Debian Xiph.org Maintainers <pkg-xiph-maint@lists.alioth.debian.org>. (Wed, 20 Feb 2019 22:30:03 GMT)


Message #35 received at 876780@bugs.debian.org:

From: Moritz Mühlenhoff <jmm@inutil.org>
To: pere@debian.org
Cc: 876780@bugs.debian.org
Subject: Re: Bug#876780: libvorbis: CVE-2017-14160
Date: Wed, 20 Feb 2019 23:27:38 +0100
On Fri, May 11, 2018 at 10:20:42PM +0200, Salvatore Bonaccorso wrote:
> Control: retitle -1 libvorbis: CVE-2017-14160 (+ CVE-2018-10392 CVE-2018-10393)
> Control: tags -1 + fixed-upstream
> 
> Hi
> 
> This issue (cf. https://gitlab.xiph.org/xiph/vorbis/issues/2330) was
> addressed upstream by
> https://gitlab.xiph.org/xiph/vorbis/commit/018ca26dece618457dd13585cad52941193c4a25
> . There are as well CVE-2018-10392 and CVE-2018-10393, which are fixed by
> the same fix. MITRE has assigned two additional CVEs, possibly due to a
> different vector.

Could we still get this in buster, please?

Cheers,
        Moritz



Message sent on to Salvatore Bonaccorso <carnil@debian.org>:
Bug#876780. (Mon, 25 Feb 2019 21:39:10 GMT)


Message #38 received at 876780-submitter@bugs.debian.org:

From: Florian Schlichting <noreply@salsa.debian.org>
To: 876780-submitter@bugs.debian.org
Subject: Bug #876780 in libvorbis marked as pending
Date: Mon, 25 Feb 2019 21:35:18 +0000
Control: tag -1 pending

Hello,

Bug #876780 in libvorbis reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/multimedia-team/libvorbis/commit/95cea79612d4014ad88ac5924efe921adcad1eed

------------------------------------------------------------------------
Cherry-pick two patches from upstream git: 0003-CVE-2017-14160-fix-bounds-check-on-very-low-sample-r.patch (also CVE-2018-10393) and 0004-Sanity-check-number-of-channels-in-setup.patch (CVE-2018-10392) closes: #876780
------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/876780
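The two cherry-picked patches named in the message above address two different classes of input handling: 0003 adds a bounds check to the noise-window loop in psy.c (the bark_noise_hybridmp out-of-bounds access from the CVE text, which the patch title ties to very low sample rates), and 0004 sanity-checks the channel count during setup. The following C program is an added illustration of both ideas and is not code from libvorbis, from the upstream commit, or from the Debian patches. It parses the 30-byte Vorbis I identification header (layout per the Vorbis I specification) and rejects a zero channel count or zero sample rate before anything is sized from them, and it runs a generic clamped sliding-window mean that reports how many bins an unclamped loop would have read past the end of the array. The sample header bytes are constructed for the example, MAX_CHANNELS is an assumed limit (the header field is one byte and the specification only requires a non-zero value), and the window routine is a stand-in for the shape of the psy.c loop, not a copy of it.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define VORBIS_IDENT_LEN 30   /* Vorbis I identification header, little-endian fields */
#define MAX_CHANNELS 255      /* assumed limit for this example, not a spec value */

struct vorbis_ident {
    uint8_t  channels;
    uint32_t rate;
    uint32_t blocksize0, blocksize1;
};

static uint32_t rd_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Parse and sanity-check the identification header. Returns 0 on success or a
   negative code naming the first failed check. Rejecting channels == 0 and
   rate == 0 here, before any per-channel or per-bin buffer is sized from them,
   is the idea behind "sanity check number of channels in setup". */
int parse_ident_header(const uint8_t *buf, size_t len, struct vorbis_ident *out) {
    if (len < VORBIS_IDENT_LEN) return -1;
    if (buf[0] != 0x01 || memcmp(buf + 1, "vorbis", 6) != 0) return -2;
    if (rd_le32(buf + 7) != 0) return -3;                 /* vorbis_version must be 0 */
    uint8_t  channels = buf[11];
    uint32_t rate     = rd_le32(buf + 12);
    uint32_t bs0      = 1u << (buf[28] & 0x0f);           /* blocksize_0 = 2^low nibble */
    uint32_t bs1      = 1u << (buf[28] >> 4);             /* blocksize_1 = 2^high nibble */
    if (channels == 0 || channels > MAX_CHANNELS) return -4;
    if (rate == 0) return -5;
    if (bs0 < 64 || bs1 > 8192 || bs0 > bs1) return -6;   /* 64..8192 and bs0 <= bs1 */
    if ((buf[29] & 1) == 0) return -7;                    /* framing bit must be set */
    out->channels = channels; out->rate = rate;
    out->blocksize0 = bs0; out->blocksize1 = bs1;
    return 0;
}

/* Constructed sample header (not from a real file): 2 channels, 44100 Hz,
   blocksizes 256/2048, no bitrate hints, framing bit set. */
static const uint8_t sample_ident[VORBIS_IDENT_LEN] = {
    0x01, 'v', 'o', 'r', 'b', 'i', 's',
    0x00, 0x00, 0x00, 0x00,                      /* vorbis_version = 0 */
    0x02,                                        /* channels */
    0x44, 0xAC, 0x00, 0x00,                      /* rate = 44100 */
    0,0,0,0,  0,0,0,0,  0,0,0,0,                 /* bitrate max/nominal/min */
    0xB8,                                        /* blocksize_0 = 2^8, blocksize_1 = 2^11 */
    0x01                                         /* framing bit */
};

/* Patch one field of the sample header and return the parser's verdict. */
int ident_error_for_channels(uint8_t channels) {
    uint8_t buf[VORBIS_IDENT_LEN]; struct vorbis_ident id;
    memcpy(buf, sample_ident, sizeof buf);
    buf[11] = channels;
    return parse_ident_header(buf, sizeof buf, &id);
}

int ident_error_for_rate(uint32_t rate) {
    uint8_t buf[VORBIS_IDENT_LEN]; struct vorbis_ident id;
    memcpy(buf, sample_ident, sizeof buf);
    buf[12] = (uint8_t)rate;         buf[13] = (uint8_t)(rate >> 8);
    buf[14] = (uint8_t)(rate >> 16); buf[15] = (uint8_t)(rate >> 24);
    return parse_ident_header(buf, sizeof buf, &id);
}

/* Sliding-window mean over n bins with a fixed window width, both edges
   clamped to [0, n). Returns how many bins needed the upper edge clamped,
   i.e. how many reads an unclamped loop would have made past f[n-1]. With
   few bins and a wide window every bin overruns, which is the low-sample-rate
   shape of the bug in miniature. */
int windowed_mean(const float *f, int n, int width, float *out) {
    if (f == NULL || out == NULL || n <= 0 || width <= 0) return -1;
    int clamped = 0;
    for (int i = 0; i < n; i++) {
        int lo = i - width / 2, hi = i + width / 2;
        if (lo < 0) lo = 0;
        if (hi >= n) { hi = n - 1; clamped++; }
        float sum = 0.f;
        for (int k = lo; k <= hi; k++) sum += f[k];
        out[i] = sum / (float)(hi - lo + 1);
    }
    return clamped;
}

/* Feed n ones (n <= 64) through windowed_mean. Returns the clamp count, or -2
   if any output differs from 1.0, which would mean a window read outside the data. */
int windowed_mean_demo(int n, int width) {
    float f[64], out[64];
    if (n < 1 || n > 64) return -1;
    for (int i = 0; i < n; i++) f[i] = 1.0f;
    int clamped = windowed_mean(f, n, width, out);
    for (int i = 0; i < n; i++) if (out[i] != 1.0f) return -2;
    return clamped;
}

int main(void) {
    printf("sample header:  %d\n", ident_error_for_channels(2));
    printf("zero channels:  %d\n", ident_error_for_channels(0));
    printf("zero rate:      %d\n", ident_error_for_rate(0));
    printf("8 bins/width 32: %d clamped\n", windowed_mean_demo(8, 32));
    printf("64 bins/width 8: %d clamped\n", windowed_mean_demo(64, 8));
    return 0;
}
```

The header checks are cheap and run once per stream, so they belong in setup rather than in the per-frame path; the window clamp is the check that has to live in the loop itself, because the header alone cannot tell you how many bins a given block will have once the window width is fixed.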



Added tag(s) pending. Request was from Florian Schlichting <noreply@salsa.debian.org> to 876780-submitter@bugs.debian.org. (Mon, 25 Feb 2019 21:39:10 GMT)


Reply sent to Florian Schlichting <fsfs@debian.org>:
You have taken responsibility. (Mon, 25 Feb 2019 21:57:12 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Mon, 25 Feb 2019 21:57:12 GMT)


Message #45 received at 876780-close@bugs.debian.org:

From: Florian Schlichting <fsfs@debian.org>
To: 876780-close@bugs.debian.org
Subject: Bug#876780: fixed in libvorbis 1.3.6-2
Date: Mon, 25 Feb 2019 21:53:44 +0000
Source: libvorbis
Source-Version: 1.3.6-2

We believe that the bug you reported is fixed in the latest version of
libvorbis, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 876780@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Florian Schlichting <fsfs@debian.org> (supplier of updated libvorbis package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Mon, 25 Feb 2019 22:02:32 +0100
Source: libvorbis
Architecture: source
Version: 1.3.6-2
Distribution: unstable
Urgency: medium
Maintainer: Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>
Changed-By: Florian Schlichting <fsfs@debian.org>
Closes: 772877 876780 899590
Changes:
 libvorbis (1.3.6-2) unstable; urgency=medium
 .
   * Team upload
 .
   [ Ondřej Nový ]
   * d/tests: Use AUTOPKGTEST_TMP instead of ADTTMP
   * d/changelog: Remove trailing whitespaces
   * d/control: Remove trailing whitespaces
   * d/control: Set Vcs-* to salsa.debian.org
 .
   [ Florian Schlichting ]
   * Set Maintainer address to Debian Multimedia Maintainers (closes: #899590)
   * Cherry-pick two patches from upstream git (closes: #876780):
     + 0003-CVE-2017-14160-fix-bounds-check-on-very-low-sample-r.patch
       (this is also CVE-2018-10393)
     + 0004-Sanity-check-number-of-channels-in-setup.patch (CVE-2018-10392)
   * Use secure URIs for xiph.org
   * Update d/copyright to copyright-format 1.0
   * Bump dh compat to level 12
   * Enable all hardening build flags
   * Add Build-Depends-Package field to symbols files
   * Declare compliance with Debian Policy 4.3.0
   * Drop debian/source.lintian-overrides, it is apparently unused
   * Make lintian happy: "I" is a number here
   * Update debian/tests/test-examples, the examples are no longer gzipped at
     this compat level
   * Add 0005-vorbisenc-detect-if-new-template-is-null.patch from upstream git
     to fix the autopkgtest (closes: #772877)
Checksums-Sha1:
 3329b76f2eab5c7a17c50c1ab72b3cf28b535718 2310 libvorbis_1.3.6-2.dsc
 6a72cc2f8bea038cc5ea8226ab31df3f3402f118 12084 libvorbis_1.3.6-2.debian.tar.xz
 e197e5fe11605cefea8b4831b30a0b22ba7dd9fa 7195 libvorbis_1.3.6-2_amd64.buildinfo
Checksums-Sha256:
 bf04834eef80f0ea2369c6aaa3b399a9356275815b0a87659f208d79fdae1ef4 2310 libvorbis_1.3.6-2.dsc
 5ce95b27205c2ce5e39f263da5acaa4063846377aec905ede2f64f933f3cfbf6 12084 libvorbis_1.3.6-2.debian.tar.xz
 895be4f83568e191be35820f048314d336710bbfb8b346d8f49b4cae5006bad5 7195 libvorbis_1.3.6-2_amd64.buildinfo
Files:
 1dc38465b7cb5715a82d6720178ab15e 2310 libs optional libvorbis_1.3.6-2.dsc
 8423d3966fa028e2c243c89023ef1de8 12084 libs optional libvorbis_1.3.6-2.debian.tar.xz
 b7c403a81ccf11c6c69fe266dde8e140 7195 libs optional libvorbis_1.3.6-2_amd64.buildinfo





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 05 Apr 2019 07:31:59 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:52:01 2019; Machine Name: beach
