Hi, On Mon, Sep 25, 2017 at 09:49:33PM +0200, Salvatore Bonaccorso wrote: > Source: libvorbis > Version: 1.3.5-4 > Severity: important > Tags: security upstream > Forwarded: https://gitlab.xiph.org/xiph/vorbis/issues/2328 > > Hi, > > the following vulnerability was published for libvorbis. > > CVE-2017-14633[0]: > | In Xiph.Org libvorbis 1.3.5, an out-of-bounds array read vulnerability > | exists in the function mapping0_forward() in mapping0.c, which may lead > | to DoS when operating on a crafted audio file with vorbis_analysis(). > > The reproducer was not attached to the upstream issue, since looks was > not possible for the reporter to include it in the report. > > If you fix the vulnerability please also make sure to include the > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
I have uploaded an NMU with the attached debdiff to fix this CVE and CVE-2017-14633 delayed/7. Please let me know if you want me to cancel it (or go a head with a quicker upload). Cheers, -- Guido
diff --git a/debian/changelog b/debian/changelog index 9c8056e2..1b972b4f 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,11 @@ +libvorbis (1.3.5-4.1) unstable; urgency=medium + + * Non-maintainer upload. + * Cherry-pick upstream patches for CVE-2017-14632 and CVE-2017-14633 + (Closes: #876778, 876779) + + -- Guido Günther <[email protected]> Wed, 20 Dec 2017 17:31:19 +0100 + libvorbis (1.3.5-4) unstable; urgency=low * Changed Standards-Version from 3.9.6 to 3.9.8. diff --git a/debian/patches/CVE-2017-14632-vorbis_analysis_header_out-Don-t-clear-opb.patch b/debian/patches/CVE-2017-14632-vorbis_analysis_header_out-Don-t-clear-opb.patch new file mode 100644 index 00000000..440ad734 --- /dev/null +++ b/debian/patches/CVE-2017-14632-vorbis_analysis_header_out-Don-t-clear-opb.patch @@ -0,0 +1,52 @@ +From: =?utf-8?q?Guido_G=C3=BCnther?= <[email protected]> +Date: Wed, 15 Nov 2017 18:22:59 +0100 +Subject: CVE-2017-14632: vorbis_analysis_header_out: Don't clear opb if not + initialized + +If the number of channels is not within the allowed range +we call oggback_writeclear altough it's not initialized yet. + +This fixes + + =23371== Invalid free() / delete / delete[] / realloc() + ==23371== at 0x4C2CE1B: free (vg_replace_malloc.c:530) + ==23371== by 0x829CA31: oggpack_writeclear (in /usr/lib/x86_64-linux-gnu/libogg.so.0.8.2) + ==23371== by 0x84B96EE: vorbis_analysis_headerout (info.c:652) + ==23371== by 0x9FBCBCC: ??? (in /usr/lib/x86_64-linux-gnu/sox/libsox_fmt_vorbis.so) + ==23371== by 0x4E524F1: ??? (in /usr/lib/x86_64-linux-gnu/libsox.so.2.0.1) + ==23371== by 0x4E52CCA: sox_open_write (in /usr/lib/x86_64-linux-gnu/libsox.so.2.0.1) + ==23371== by 0x10D82A: open_output_file (sox.c:1556) + ==23371== by 0x10D82A: process (sox.c:1753) + ==23371== by 0x10D82A: main (sox.c:3012) + ==23371== Address 0x68768c8 is 488 bytes inside a block of size 880 alloc'd + ==23371== at 0x4C2BB1F: malloc (vg_replace_malloc.c:298) + ==23371== by 0x4C2DE9F: realloc (vg_replace_malloc.c:785) + ==23371== by 0x4E545C2: lsx_realloc (in /usr/lib/x86_64-linux-gnu/libsox.so.2.0.1) + ==23371== by 0x9FBC9A0: ??? (in /usr/lib/x86_64-linux-gnu/sox/libsox_fmt_vorbis.so) + ==23371== by 0x4E524F1: ??? (in /usr/lib/x86_64-linux-gnu/libsox.so.2.0.1) + ==23371== by 0x4E52CCA: sox_open_write (in /usr/lib/x86_64-linux-gnu/libsox.so.2.0.1) + ==23371== by 0x10D82A: open_output_file (sox.c:1556) + ==23371== by 0x10D82A: process (sox.c:1753) + ==23371== by 0x10D82A: main (sox.c:3012) + +as seen when using the testcase from CVE-2017-11333 with +008d23b782be09c8d75ba8190b1794abd66c7121 applied. However the error was +there before. + +Closes: #876779 +--- + lib/info.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/lib/info.c b/lib/info.c +index dbb99fc..234cf1e 100644 +--- a/lib/info.c ++++ b/lib/info.c +@@ -584,6 +584,7 @@ int vorbis_analysis_headerout(vorbis_dsp_state *v, + private_state *b=v->backend_state; + + if(!b||vi->channels<=0||vi->channels>256){ ++ b = NULL; + ret=OV_EFAULT; + goto err_out; + } diff --git a/debian/patches/CVE-2017-14633-Don-t-allow-for-more-than-256-channels.patch b/debian/patches/CVE-2017-14633-Don-t-allow-for-more-than-256-channels.patch new file mode 100644 index 00000000..f6abe492 --- /dev/null +++ b/debian/patches/CVE-2017-14633-Don-t-allow-for-more-than-256-channels.patch @@ -0,0 +1,32 @@ +From: =?utf-8?q?Guido_G=C3=BCnther?= <[email protected]> +Date: Tue, 31 Oct 2017 18:32:46 +0100 +Subject: CVE-2017-14633: Don't allow for more than 256 channels + +Otherwise + + for(i=0;i<vi->channels;i++){ + /* the encoder setup assumes that all the modes used by any + specific bitrate tweaking use the same floor */ + int submap=info->chmuxlist[i]; + +overreads later in mapping0_forward since chmuxlist is a fixed array of +256 elements max. + +Closes: #876778 +--- + lib/info.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/lib/info.c b/lib/info.c +index 8a2a001..dbb99fc 100644 +--- a/lib/info.c ++++ b/lib/info.c +@@ -583,7 +583,7 @@ int vorbis_analysis_headerout(vorbis_dsp_state *v, + oggpack_buffer opb; + private_state *b=v->backend_state; + +- if(!b||vi->channels<=0){ ++ if(!b||vi->channels<=0||vi->channels>256){ + ret=OV_EFAULT; + goto err_out; + } diff --git a/debian/patches/series b/debian/patches/series index da9fe073..411ff155 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -1,2 +1,4 @@ 0001-Fix-build-failure-with-DSO-link-changes.patch 0002-Avoid-SIGFPE-when-bytespersample-is-zero.patch +CVE-2017-14633-Don-t-allow-for-more-than-256-channels.patch +CVE-2017-14632-vorbis_analysis_header_out-Don-t-clear-opb.patch
