Package: libvorbis0a Version: 1.2.0.dfsg-3.1 Severity: grave Tags: security, patch Justification: user security hole
Hi The following CVEs(0,1,2) have been issued against libvorbis. CVE-2008-1423: Integer overflow in a certain quantvals and quantlist calculation in Xiph.org libvorbis 1.2.0 and earlier allows remote attackers to cause a denial of service (crash) or execute arbitrary code via a crafted OGG file with a large virtual space for its codebook, which triggers a heap overflow. CVE-2008-1420: Integer overflow in residue partition value (aka partvals) evaluation in Xiph.org libvorbis 1.2.0 and earlier allows remote attackers to execute arbitrary code via a crafted OGG file, which triggers a heap overflow. CVE-2008-1419: Xiph.org libvorbis 1.2.0 and earlier does not properly handle a zero value for codebook.dim, which allows remote attackers to cause a denial of service (crash or infinite loop) or trigger an integer overflow. Possible patches are attached. Since the misc.c file does not exist, it should be enough to just patch the misc.h file, but please feel free to review. Please also mention the CVE ids in your changelog, when you fix these issues. Cheers Steffen (0): http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1423 (1): http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1420 (2): http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1419
--- ../old/libvorbis-1.2.0.dfsg/lib/misc.h 2007-07-24 00:09:47.000000000 +0000 +++ libvorbis-1.2.0.dfsg/lib/misc.h 2008-05-23 08:29:23.000000000 +0000 @@ -29,8 +29,9 @@ #ifdef DEBUG_MALLOC #define _VDBG_GRAPHFILE "malloc.m" -extern void *_VDBG_malloc(void *ptr,long bytes,char *file,long line); -extern void _VDBG_free(void *ptr,char *file,long line); +#undef _VDBG_GRAPHFILE +void *_VDBG_malloc(void *ptr,long bytes,char *file,long line); +void _VDBG_free(void *ptr,char *file,long line); #ifndef MISC_C #undef _ogg_malloc --- ../old/libvorbis-1.2.0.dfsg/lib/res0.c 2007-07-24 00:09:47.000000000 +0000 +++ libvorbis-1.2.0.dfsg/lib/res0.c 2008-05-23 08:22:57.000000000 +0000 @@ -223,6 +223,20 @@ for(j=0;j<acc;j++) if(info->booklist[j]>=ci->books)goto errout; + /* verify the phrasebook is not specifying an impossible or + inconsistent partitioning scheme. */ + { + int entries = ci->book_param[info->groupbook]->entries; + int dim = ci->book_param[info->groupbook]->dim; + int partvals = 1; + while(dim>0){ + partvals *= info->partitions; + if(partvals > entries) goto errout; + dim--; + } + if(partvals != entries) goto errout; + } + return(info); errout: res0_free_info(info); @@ -263,7 +277,7 @@ } } - look->partvals=rint(pow((float)look->parts,(float)dim)); + look->partvals=look->phrasebook->entries; look->stages=maxstage; look->decodemap=_ogg_malloc(look->partvals*sizeof(*look->decodemap)); for(j=0;j<look->partvals;j++){
--- ../old/libvorbis-1.2.0.dfsg/lib/codebook.c 2007-07-24 00:09:47.000000000 +0000 +++ libvorbis-1.2.0.dfsg/lib/codebook.c 2008-05-23 08:18:46.000000000 +0000 @@ -158,6 +158,8 @@ s->dim=oggpack_read(opb,16); s->entries=oggpack_read(opb,24); if(s->entries==-1)goto _eofout; + + if(_ilog(s->dim)+_ilog(s->entries)>24)goto _eofout; /* codeword ordering.... length ordered or unordered? */ switch((int)oggpack_read(opb,1)){ @@ -225,7 +227,7 @@ int quantvals=0; switch(s->maptype){ case 1: - quantvals=_book_maptype1_quantvals(s); + quantvals=(s->dim==0?0:_book_maptype1_quantvals(s)); break; case 2: quantvals=s->entries*s->dim;