libvorbis: CVE-2017-14632

Related Vulnerabilities: CVE-2017-14632, CVE-2017-14633

Debian Bug report logs - #876779
libvorbis: CVE-2017-14632

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Mon, 25 Sep 2017 19:51:04 UTC

Severity: important

Tags: security, upstream

Found in version libvorbis/1.3.5-4

Fixed in versions libvorbis/1.3.5-4+deb9u1, libvorbis/1.3.5-4.1

Done: Guido Günther <agx@sigxcpu.org>

Bug is archived. No further changes may be made.

Forwarded to https://gitlab.xiph.org/xiph/vorbis/issues/2328


Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Xiph.org Maintainers <pkg-xiph-maint@lists.alioth.debian.org>:
Bug#876779; Package src:libvorbis. (Mon, 25 Sep 2017 19:51:06 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Xiph.org Maintainers <pkg-xiph-maint@lists.alioth.debian.org>. (Mon, 25 Sep 2017 19:51:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libvorbis: CVE-2017-14632
Date: Mon, 25 Sep 2017 21:49:33 +0200
Source: libvorbis
Version: 1.3.5-4
Severity: important
Tags: security upstream
Forwarded: https://gitlab.xiph.org/xiph/vorbis/issues/2328

Hi,

the following vulnerability was published for libvorbis.

CVE-2017-14633[0]:
| In Xiph.Org libvorbis 1.3.5, an out-of-bounds array read vulnerability
| exists in the function mapping0_forward() in mapping0.c, which may lead
| to DoS when operating on a crafted audio file with vorbis_analysis().

The reproducer was not attached to the upstream issue, since it looks like it was
not possible for the reporter to include it in the report.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-14633
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14633
[1] https://gitlab.xiph.org/xiph/vorbis/issues/2328

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Xiph.org Maintainers <pkg-xiph-maint@lists.alioth.debian.org>:
Bug#876779; Package src:libvorbis. (Thu, 21 Dec 2017 13:48:04 GMT)


Acknowledgement sent to Guido Günther <agx@sigxcpu.org>:
Extra info received and forwarded to list. Copy sent to Debian Xiph.org Maintainers <pkg-xiph-maint@lists.alioth.debian.org>. (Thu, 21 Dec 2017 13:48:04 GMT)


Message #10 received at 876779@bugs.debian.org:

From: Guido Günther <agx@sigxcpu.org>
To: Salvatore Bonaccorso <carnil@debian.org>, 876779@bugs.debian.org
Subject: Re: Bug#876779: libvorbis: CVE-2017-14632
Date: Thu, 21 Dec 2017 14:38:07 +0100
Hi,
On Mon, Sep 25, 2017 at 09:49:33PM +0200, Salvatore Bonaccorso wrote:
> Source: libvorbis
> Version: 1.3.5-4
> Severity: important
> Tags: security upstream
> Forwarded: https://gitlab.xiph.org/xiph/vorbis/issues/2328
> 
> Hi,
> 
> the following vulnerability was published for libvorbis.
> 
> CVE-2017-14633[0]:
> | In Xiph.Org libvorbis 1.3.5, an out-of-bounds array read vulnerability
> | exists in the function mapping0_forward() in mapping0.c, which may lead
> | to DoS when operating on a crafted audio file with vorbis_analysis().
> 
> The reproducer was not attached to the upstream issue, since it looks like it was
> not possible for the reporter to include it in the report.
> 
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

I have uploaded an NMU with the attached debdiff to fix this CVE and
CVE-2017-14633 to delayed/7. Please let me know if you want me to cancel
it (or go ahead with a quicker upload).

Cheers,
 -- Guido
[1.3.5-4.1.diff (text/x-diff, attachment)]

Added tag(s) pending. Request was from Guido Günther <agx@sigxcpu.org> to control@bugs.debian.org. (Thu, 21 Dec 2017 14:18:03 GMT)


Reply sent to Guido Günther <agx@sigxcpu.org>:
You have taken responsibility. (Wed, 27 Dec 2017 17:54:05 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Wed, 27 Dec 2017 17:54:05 GMT)


Message #17 received at 876779-close@bugs.debian.org:

From: Guido Günther <agx@sigxcpu.org>
To: 876779-close@bugs.debian.org
Subject: Bug#876779: fixed in libvorbis 1.3.5-4.1
Date: Wed, 27 Dec 2017 17:51:02 +0000
Source: libvorbis
Source-Version: 1.3.5-4.1

We believe that the bug you reported is fixed in the latest version of
libvorbis, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 876779@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Guido Günther <agx@sigxcpu.org> (supplier of updated libvorbis package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Wed, 20 Dec 2017 17:31:19 +0100
Source: libvorbis
Binary: libvorbis0a libvorbisenc2 libvorbisfile3 libvorbis-dev libvorbis-dbg
Architecture: source
Version: 1.3.5-4.1
Distribution: unstable
Urgency: medium
Maintainer: Debian Xiph.org Maintainers <pkg-xiph-maint@lists.alioth.debian.org>
Changed-By: Guido Günther <agx@sigxcpu.org>
Description:
 libvorbis-dbg - debug files for Vorbis General Audio Compression Codec
 libvorbis-dev - development files for Vorbis General Audio Compression Codec
 libvorbis0a - decoder library for Vorbis General Audio Compression Codec
 libvorbisenc2 - encoder library for Vorbis General Audio Compression Codec
 libvorbisfile3 - high-level API for Vorbis General Audio Compression Codec
Closes: 876778 876779
Changes:
 libvorbis (1.3.5-4.1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * Cherry-pick upstream patches for CVE-2017-14632 and CVE-2017-14633
     (Closes: #876778, 876779)





Marked as fixed in versions libvorbis/1.3.5-4+deb9u1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 28 Jan 2018 08:57:05 GMT)


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 18 Mar 2018 07:30:06 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:38:37 2019; Machine Name: beach

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.