Hi, I have taken a look at the libvorbis issues pending in wheezy (and accidentally in jessie) and backported a few patches. The result is here, as usual, for testing:
https://people.debian.org/~anarcat/debian/wheezy-lts/

Guido: you did a lot of work on those issues with upstream, so it would be great if you could review the (attached) debdiff. In particular, I introduce the vi->channels<=0 check in the code, as the lack of a vi->channels=>256 check triggers *another* vulnerability. I'm worried that adding only vi->channels=>256 would still create out-of-bounds reads or another abnormal condition. Of course, introducing that check triggers CVE-2017-14632, so I include the patch for that as well. Otherwise, it seems the fix for CVE-2017-11333 is the same as CVE-2017-14633, so I have marked that fixed as well.

Sounds good?

A.
diff -u libvorbis-1.3.2/debian/changelog libvorbis-1.3.2/debian/changelog --- libvorbis-1.3.2/debian/changelog +++ libvorbis-1.3.2/debian/changelog @@ -1,3 +1,23 @@ +libvorbis (1.3.2-1.3+deb7u1) UNRELEASED; urgency=medium + + * Non-maintainer upload by the LTS Security Team. + * CVE-2017-14633: In Xiph.Org libvorbis 1.3.5, an out-of-bounds array + read vulnerability exists in the function mapping0_forward() in + mapping0.c, which may lead to DoS when operating on a crafted audio + file with vorbis_analysis(). + * CVE-2017-14632: Xiph.Org libvorbis 1.3.5 allows Remote Code Execution + upon freeing uninitialized memory in the function + vorbis_analysis_headerout() in info.c when vi->channels<=0, a similar + issue to Mozilla bug 550184. + * CVE-2017-11333: The vorbis_analysis_wrote function in lib/block.c in + Xiph.Org libvorbis 1.3.5 allows remote attackers to cause a denial of + service (OOM) via a crafted wav file. + * CVE-2018-5146: out-of-bounds memory write in the codeboook parsing + code of the Libvorbis multimedia library could result in the execution + of arbitrary code. + + -- Antoine Beaupré <anar...@debian.org> Thu, 19 Apr 2018 11:59:46 -0400 + libvorbis (1.3.2-1.3) unstable; urgency=low * Non-maintainer upload to fix release goals only in patch2: unchanged: --- libvorbis-1.3.2.orig/debian/patches/CVE-2017-14632.patch +++ libvorbis-1.3.2/debian/patches/CVE-2017-14632.patch 
@@ -0,0 +1,55 @@ +Description: backport fix + While fixing CVE-2017-14633, an extra check was added which might + have triggered CVE-2017-14632, normally not present in 1.3.2. The fix + for CVE-2017-14632 was therefore backported here. +From c1c2831fc7306d5fbd7bc800324efd12b28d327f Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Guido=20G=C3=BCnther?= <a...@sigxcpu.org> +Date: Wed, 15 Nov 2017 18:22:59 +0100 +Subject: [PATCH] CVE-2017-14632: vorbis_analysis_header_out: Don't clear opb + if not initialized + +If the number of channels is not within the allowed range +we call oggback_writeclear altough it's not initialized yet. + +This fixes + + =23371== Invalid free() / delete / delete[] / realloc() + ==23371== at 0x4C2CE1B: free (vg_replace_malloc.c:530) + ==23371== by 0x829CA31: oggpack_writeclear (in /usr/lib/x86_64-linux-gnu/libogg.so.0.8.2) + ==23371== by 0x84B96EE: vorbis_analysis_headerout (info.c:652) + ==23371== by 0x9FBCBCC: ??? (in /usr/lib/x86_64-linux-gnu/sox/libsox_fmt_vorbis.so) + ==23371== by 0x4E524F1: ??? (in /usr/lib/x86_64-linux-gnu/libsox.so.2.0.1) + ==23371== by 0x4E52CCA: sox_open_write (in /usr/lib/x86_64-linux-gnu/libsox.so.2.0.1) + ==23371== by 0x10D82A: open_output_file (sox.c:1556) + ==23371== by 0x10D82A: process (sox.c:1753) + ==23371== by 0x10D82A: main (sox.c:3012) + ==23371== Address 0x68768c8 is 488 bytes inside a block of size 880 alloc'd + ==23371== at 0x4C2BB1F: malloc (vg_replace_malloc.c:298) + ==23371== by 0x4C2DE9F: realloc (vg_replace_malloc.c:785) + ==23371== by 0x4E545C2: lsx_realloc (in /usr/lib/x86_64-linux-gnu/libsox.so.2.0.1) + ==23371== by 0x9FBC9A0: ??? (in /usr/lib/x86_64-linux-gnu/sox/libsox_fmt_vorbis.so) + ==23371== by 0x4E524F1: ??? 
(in /usr/lib/x86_64-linux-gnu/libsox.so.2.0.1) + ==23371== by 0x4E52CCA: sox_open_write (in /usr/lib/x86_64-linux-gnu/libsox.so.2.0.1) + ==23371== by 0x10D82A: open_output_file (sox.c:1556) + ==23371== by 0x10D82A: process (sox.c:1753) + ==23371== by 0x10D82A: main (sox.c:3012) + +as seen when using the testcase from CVE-2017-11333 with +008d23b782be09c8d75ba8190b1794abd66c7121 applied. However the error was +there before. +--- + lib/info.c | 1 + + 1 file changed, 1 insertion(+) + +Index: b/lib/info.c +=================================================================== +--- a/lib/info.c 2018-04-19 12:01:24.321102192 -0400 ++++ b/lib/info.c 2018-04-19 12:01:24.317102110 -0400 +@@ -575,6 +575,7 @@ int vorbis_analysis_headerout(vorbis_dsp + private_state *b=v->backend_state; + + if(!b||vi->channels<=0||vi->channels>256){ ++ b = NULL; + ret=OV_EFAULT; + goto err_out; + } only in patch2: unchanged: --- libvorbis-1.3.2.orig/debian/patches/CVE-2017-14633.patch +++ libvorbis-1.3.2/debian/patches/CVE-2017-14633.patch 
@@ -0,0 +1,35 @@ +Description: CVE-2017-14633: Don't allow for more than 256 channels + This is a modified version of the following upstream commit. While + we're here, also handle invalid channels<=0, which introduces + CVE-2017-14633, but we fix that in a separate patch. +From a79ec216cd119069c68b8f3542c6a425a74ab993 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Guido=20G=C3=BCnther?= <a...@sigxcpu.org> +Date: Tue, 31 Oct 2017 18:32:46 +0100 +Subject: [PATCH] CVE-2017-14633: Don't allow for more than 256 channels + +Otherwise + + for(i=0;i<vi->channels;i++){ + /* the encoder setup assumes that all the modes used by any + specific bitrate tweaking use the same floor */ + int submap=info->chmuxlist[i]; + +overreads later in mapping0_forward since chmuxlist is a fixed array of +256 elements max. +--- + lib/info.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +Index: b/lib/info.c +=================================================================== +--- a/lib/info.c 2018-04-19 12:01:12.864866736 -0400 ++++ b/lib/info.c 2018-04-19 12:01:12.860866654 -0400 +@@ -574,7 +574,7 @@ int vorbis_analysis_headerout(vorbis_dsp + oggpack_buffer opb; + private_state *b=v->backend_state; + +- if(!b){ ++ if(!b||vi->channels<=0||vi->channels>256){ + ret=OV_EFAULT; + goto err_out; + } only in patch2: unchanged: --- libvorbis-1.3.2.orig/debian/patches/CVE-2018-5146.patch +++ libvorbis-1.3.2/debian/patches/CVE-2018-5146.patch 
@@ -0,0 +1,89 @@ +From: Thomas Daede <daede...@umn.edu> +Date: Thu, 15 Mar 2018 14:15:31 -0700 +Subject: CVE-2018-5146: Prevent out-of-bounds write in codebook decoding. +Origin: https://git.xiph.org/?p=vorbis.git;a=commit;h=667ceb4aab60c1f74060143bb24e5f427b3cce5f +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-5146 + +Codebooks that are not an exact divisor of the partition size are now +truncated to fit within the partition. +--- + lib/codebook.c | 48 ++++++++++-------------------------------------- + 1 file changed, 10 insertions(+), 38 deletions(-) + +Index: b/lib/codebook.c +=================================================================== +--- a/lib/codebook.c 2018-04-19 12:01:33.685294652 -0400 ++++ b/lib/codebook.c 2018-04-19 12:01:33.681294570 -0400 +@@ -380,7 +380,7 @@ long vorbis_book_decodevs_add(codebook * + t[i] = book->valuelist+entry[i]*book->dim; + } + for(i=0,o=0;i<book->dim;i++,o+=step) +- for (j=0;j<step;j++) ++ for (j=0;o+j<n && j<step;j++) + a[o+j]+=t[j][i]; + } + return(0); +@@ -391,41 +391,12 @@ long vorbis_book_decodev_add(codebook *b + int i,j,entry; + float *t; + +- if(book->dim>8){ +- for(i=0;i<n;){ +- entry = decode_packed_entry_number(book,b); +- if(entry==-1)return(-1); +- t = book->valuelist+entry*book->dim; +- for (j=0;j<book->dim;) +- a[i++]+=t[j++]; +- } +- }else{ +- for(i=0;i<n;){ +- entry = decode_packed_entry_number(book,b); +- if(entry==-1)return(-1); +- t = book->valuelist+entry*book->dim; +- j=0; +- switch((int)book->dim){ +- case 8: +- a[i++]+=t[j++]; +- case 7: +- a[i++]+=t[j++]; +- case 6: +- a[i++]+=t[j++]; +- case 5: +- a[i++]+=t[j++]; +- case 4: +- a[i++]+=t[j++]; +- case 3: +- a[i++]+=t[j++]; +- case 2: +- a[i++]+=t[j++]; +- case 1: +- a[i++]+=t[j++]; +- case 0: +- break; +- } +- } ++ for(i=0;i<n;){ ++ entry = decode_packed_entry_number(book,b); ++ if(entry==-1)return(-1); ++ t = book->valuelist+entry*book->dim; ++ for(j=0;i<n && j<book->dim;) ++ a[i++]+=t[j++]; + } + } + return(0); +@@ 
-460,12 +431,13 @@ long vorbis_book_decodevv_add(codebook * + long i,j,entry; + int chptr=0; + if(book->used_entries>0){ +- for(i=offset/ch;i<(offset+n)/ch;){ ++ int m=(offset+n)/ch; ++ for(i=offset/ch;i<m;){ + entry = decode_packed_entry_number(book,b); + if(entry==-1)return(-1); + { + const float *t = book->valuelist+entry*book->dim; +- for (j=0;j<book->dim;j++){ ++ for (j=0;i<m && j<book->dim;j++){ + a[chptr++][i]+=t[j]; + if(chptr==ch){ + chptr=0; only in patch2: unchanged: --- libvorbis-1.3.2.orig/debian/patches/series +++ libvorbis-1.3.2/debian/patches/series @@ -0,0 +1,3 @@ +CVE-2017-14633.patch +CVE-2017-14632.patch +CVE-2018-5146.patch
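Review bot: the changelog entry for CVE-2017-11333 names the bug but not what fixes it; since the cover note says it is addressed by the same vi->channels range check as CVE-2017-14633, say so in the entry (e.g. "fixed by the same channel range check as CVE-2017-14633") so the claim is verifiable from the changelog alone. The CVE-2018-5146 entry also has "codeboook" for "codebook".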
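Review bot: the Description in CVE-2017-14633.patch says the added channels<=0 check "introduces CVE-2017-14633, but we fix that in a separate patch"; the issue it introduces is CVE-2017-14632 (the one the separate patch carries), so the Description should name CVE-2017-14632. For consistency with CVE-2018-5146.patch, the Origin: and Bug-Debian-Security: DEP-3 headers are also worth adding to this patch and to CVE-2017-14632.patch, both of which currently carry only a Description.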
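Review bot: the one added line in CVE-2017-14632.patch, `+ b = NULL;`, only prevents the invalid free if the err_out label in 1.3.2's vorbis_analysis_headerout guards oggpack_writeclear(&opb) with a check on b; that guard lies outside the hunk's context lines, so please confirm it is present in the 1.3.2 source, otherwise the uninitialised opb is still cleared on this path. The series order (CVE-2017-14633.patch before CVE-2017-14632.patch) is mandatory here, because this hunk's context line already contains the `||vi->channels<=0||vi->channels>256` condition.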
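Review bot: the hunk offsets in CVE-2018-5146.patch (e.g. `@@ -391,41 +391,12 @@`) show the upstream commit was re-diffed against 1.3.2's lib/codebook.c, so the header should read `Origin: backport, https://git.xiph.org/...` rather than a bare URL, as DEP-3 prescribes for modified upstream commits. The bounds themselves look right: `o+j<n` in vorbis_book_decodevs_add, `i<n && j<book->dim` in vorbis_book_decodev_add, and `i<m && j<book->dim` with `m=(offset+n)/ch` in vorbis_book_decodevv_add each stop a final codebook vector at the partition end, and dropping the dim<=8 switch fallthrough is a readability change that matches upstream.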
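As an added illustration of the ordering problem the cover note describes (the channel range check runs before opb is initialised, so the error path must not clear it), here is a small C model of the patched vorbis_analysis_headerout error path. This is not libvorbis or libogg code; pack_buffer, pack_writeinit, pack_writeclear and headerout_checked are hypothetical stand-ins, and the `clears` counter exists only to make the cleanup observable.

```c
#include <stdlib.h>
#include <string.h>

#define OV_EFAULT (-129)   /* libvorbis' error code on this path */

/* Hypothetical stand-in for libogg's oggpack_buffer: just enough state
   for a writeclear to free something. Not libogg's or libvorbis' code. */
typedef struct { unsigned char *buffer; long storage; } pack_buffer;

static void pack_writeinit(pack_buffer *o) {
    o->storage = 16;
    o->buffer = calloc((size_t)o->storage, 1);
}

/* Like oggpack_writeclear: frees whatever buffer points at, so calling it
   on a never-initialised struct is the invalid free valgrind reported. */
static void pack_writeclear(pack_buffer *o) {
    free(o->buffer);
    memset(o, 0, sizeof(*o));
}

/* Shape of the patched vorbis_analysis_headerout: the channel range check
   runs before opb is initialised, so the early exit clears b and err_out
   only touches opb while b is still set. 'clears' counts writeclear calls. */
int headerout_checked(void *backend_state, int channels, int *clears) {
    pack_buffer opb;          /* uninitialised until pack_writeinit */
    void *b = backend_state;
    int ret = 0;

    if (!b || channels <= 0 || channels > 256) {
        b = NULL;             /* the CVE-2017-14632 line: skip the cleanup */
        ret = OV_EFAULT;
        goto err_out;
    }
    pack_writeinit(&opb);
    /* ... the three header packets would be packed into opb here ... */

err_out:
    if (b) {                  /* only clear what was actually initialised */
        pack_writeclear(&opb);
        (*clears)++;
    }
    return ret;
}
```

A stricter variant is an explicit `opb_initialised` flag set right after pack_writeinit, which keeps the cleanup decision independent of what else the function does with b.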