Package: libvorbis0a
Version: 1.2.0.dfsg-3.1
Severity: grave
Tags: security, patch
Justification: user security hole
Hi
The following CVEs(0,1,2) have been issued against libvorbis.
CVE-2008-1423:
Integer overflow in a certain quantvals and quantlist calculation in
Xiph.org libvorbis 1.2.0 and earlier allows remote attackers to cause a
denial of service (crash) or execute arbitrary code via a crafted OGG
file with a large virtual space for its codebook, which triggers a heap
overflow.
CVE-2008-1420:
Integer overflow in residue partition value (aka partvals) evaluation in
Xiph.org libvorbis 1.2.0 and earlier allows remote attackers to execute
arbitrary code via a crafted OGG file, which triggers a heap overflow.
CVE-2008-1419:
Xiph.org libvorbis 1.2.0 and earlier does not properly handle a zero
value for codebook.dim, which allows remote attackers to cause a denial
of service (crash or infinite loop) or trigger an integer overflow.
Possible patches are attached. Since the misc.c file does not exist, it
should be enough to just patch the misc.h file, but please feel free to
review.
Please also mention the CVE ids in your changelog, when you fix these issues.
Cheers
Steffen
(0): http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1423
(1): http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1420
(2): http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1419
--- ../old/libvorbis-1.2.0.dfsg/lib/misc.h 2007-07-24 00:09:47.000000000 +0000
+++ libvorbis-1.2.0.dfsg/lib/misc.h 2008-05-23 08:29:23.000000000 +0000
@@ -29,8 +29,9 @@
#ifdef DEBUG_MALLOC
#define _VDBG_GRAPHFILE "malloc.m"
-extern void *_VDBG_malloc(void *ptr,long bytes,char *file,long line);
-extern void _VDBG_free(void *ptr,char *file,long line);
+#undef _VDBG_GRAPHFILE
+void *_VDBG_malloc(void *ptr,long bytes,char *file,long line);
+void _VDBG_free(void *ptr,char *file,long line);
#ifndef MISC_C
#undef _ogg_malloc
--- ../old/libvorbis-1.2.0.dfsg/lib/res0.c 2007-07-24 00:09:47.000000000 +0000
+++ libvorbis-1.2.0.dfsg/lib/res0.c 2008-05-23 08:22:57.000000000 +0000
@@ -223,6 +223,20 @@
for(j=0;j<acc;j++)
if(info->booklist[j]>=ci->books)goto errout;
+ /* verify the phrasebook is not specifying an impossible or
+ inconsistent partitioning scheme. */
+ {
+ int entries = ci->book_param[info->groupbook]->entries;
+ int dim = ci->book_param[info->groupbook]->dim;
+ int partvals = 1;
+ while(dim>0){
+ partvals *= info->partitions;
+ if(partvals > entries) goto errout;
+ dim--;
+ }
+ if(partvals != entries) goto errout;
+ }
+
return(info);
errout:
res0_free_info(info);
@@ -263,7 +277,7 @@
}
}
- look->partvals=rint(pow((float)look->parts,(float)dim));
+ look->partvals=look->phrasebook->entries;
look->stages=maxstage;
look->decodemap=_ogg_malloc(look->partvals*sizeof(*look->decodemap));
for(j=0;j<look->partvals;j++){
--- ../old/libvorbis-1.2.0.dfsg/lib/codebook.c 2007-07-24 00:09:47.000000000 +0000
+++ libvorbis-1.2.0.dfsg/lib/codebook.c 2008-05-23 08:18:46.000000000 +0000
@@ -158,6 +158,8 @@
s->dim=oggpack_read(opb,16);
s->entries=oggpack_read(opb,24);
if(s->entries==-1)goto _eofout;
+
+ if(_ilog(s->dim)+_ilog(s->entries)>24)goto _eofout;
/* codeword ordering.... length ordered or unordered? */
switch((int)oggpack_read(opb,1)){
@@ -225,7 +227,7 @@
int quantvals=0;
switch(s->maptype){
case 1:
- quantvals=_book_maptype1_quantvals(s);
+ quantvals=(s->dim==0?0:_book_maptype1_quantvals(s));
break;
case 2:
quantvals=s->entries*s->dim;
