Bug#480059: vorbis-tools vulnerable to CVE-2008-1686
Hi Jamie!

I've noticed your USN-611-[123], which patch speex, vorbis-tools and gstreamer plugins. However, I believe the fix in libspeex/speex_header.c should be sufficient to address this issue in all affected applications, as they call speex_packet_to_header(). With the patch applied, it'll return NULL for malformed speex files and the mode check in speexdec / ogg123 / ... is not reached at all. Or have I missed anything?

skx, vorbis-tools do not embed the whole speex library, only sample client implementation code. Previous versions of speex required the client to perform part of the sanity checks (and many clients did not do that properly), so the check was now moved directly to the speex library.

HTH

--
Tomas Hoger

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
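As an added illustration of the check discussed in this thread (this is example code written for this page, not code from vorbis-tools, libspeex or any of the posters), the following C program models a decoder that reads the signed mode field from a Speex header and then validates it before using it as a table index. The mode table, the header byte layout, and the function names are assumptions of the example; the point it shows is why checking only the upper bound is not enough for a signed field, and how the post-patch check (upper bound plus `< 0`) keeps the index inside the table, which is the same effect Tomas describes for the NULL return from speex_packet_to_header().

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed stand-in for the decoder's mode table. The real SPEEX_NB_MODES
 * value and libspeex's mode list are not reproduced here. */
#define SPEEX_NB_MODES 3
static const char *const mode_names[SPEEX_NB_MODES] = {
    "narrowband", "wideband", "ultra-wideband"
};

/* The header carries 'mode' as a little-endian 32-bit field and the decoder
 * keeps it in a signed int (assumption of this example; 'buf' must hold at
 * least 4 bytes). Raw values of 0x80000000 and above come back negative. */
int read_mode_field(const unsigned char *buf) {
    uint32_t raw = (uint32_t)buf[0] | ((uint32_t)buf[1] << 8)
                 | ((uint32_t)buf[2] << 16) | ((uint32_t)buf[3] << 24);
    int32_t signed_mode;
    memcpy(&signed_mode, &raw, sizeof signed_mode);  /* two's-complement reinterpretation */
    return (int)signed_mode;
}

/* Pre-patch check: only the upper bound, so a negative mode is accepted. */
int mode_accepted_before(int mode) {
    return mode >= SPEEX_NB_MODES ? 0 : 1;
}

/* Post-patch check (the CVE-2008-1686 change): reject both ends of the range. */
int mode_accepted_after(int mode) {
    return (mode >= SPEEX_NB_MODES || mode < 0) ? 0 : 1;
}

/* Hardened lookup: parses the field and returns NULL for any mode the
 * post-patch check rejects, so mode_names is only indexed within
 * [0, SPEEX_NB_MODES). */
const char *mode_name(const unsigned char *header_bytes) {
    int mode = read_mode_field(header_bytes);
    if (!mode_accepted_after(mode))
        return NULL;
    return mode_names[mode];
}

int main(void) {
    /* Constructed header fields: a valid mode, one past the table, and a
     * negative one (0xFFFFFFFF reads back as -1). */
    const unsigned char samples[3][4] = {
        {0x01, 0x00, 0x00, 0x00},
        {0x07, 0x00, 0x00, 0x00},
        {0xff, 0xff, 0xff, 0xff},
    };
    for (size_t i = 0; i < 3; i++) {
        int mode = read_mode_field(samples[i]);
        const char *name = mode_name(samples[i]);
        printf("mode %d: before=%s after=%s name=%s\n", mode,
               mode_accepted_before(mode) ? "accept" : "reject",
               mode_accepted_after(mode) ? "accept" : "reject",
               name ? name : "(rejected)");
    }
    return 0;
}
```

Running it shows mode 7 rejected by both checks, mode 1 accepted by both, and mode -1 accepted by the pre-patch check only; the hardened lookup returns NULL for it instead of indexing the table with a negative value.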
Bug#480059: vorbis-tools vulnerable to CVE-2008-1686
On Wed May 07, 2008 at 18:12:09 -0400, Jamie Strandboge wrote:
> vorbis-tools contains embedded speex code, and although vorbis-tools is linked to libspeex, it compiles the vulnerable code. Attached is a debdiff that Ubuntu is using in its 1.1.1 versions of vorbis-tools (fuzz removed).

I'd rather see a patch that makes the vorbis-tools link against the system-wide library, and not compile the vulnerable code at all. Would it be possible for you to provide such a thing, or is that too hard?

Steve
Bug#480059: vorbis-tools vulnerable to CVE-2008-1686
Package: vorbis-tools
Version: 1.2.0-1.1
Severity: grave
Tags: patch security
Justification: user security hole
User: [EMAIL PROTECTED]
Usertags: origin-ubuntu hardy ubuntu-patch

vorbis-tools contains embedded speex code, and although vorbis-tools is linked to libspeex, it compiles the vulnerable code. Attached is a debdiff that Ubuntu is using in its 1.1.1 versions of vorbis-tools (fuzz removed). Here is a suggested changelog entry:

  * SECURITY UPDATE: array index vulnerability
  * debian/patches/CVE-2008-1686.diff: fix for ogg123/speex_format.c to properly validate its input
  * References CVE-2008-1686

diff -u vorbis-tools-1.2.0/debian/changelog vorbis-tools-1.2.0/debian/changelog diff -u vorbis-tools-1.2.0/debian/patches/series vorbis-tools-1.2.0/debian/patches/series --- vorbis-tools-1.2.0/debian/patches/series +++ vorbis-tools-1.2.0/debian/patches/series @@ -5,0 +6 @@ +CVE-2008-1686.patch only in patch2: unchanged: --- vorbis-tools-1.2.0.orig/debian/patches/CVE-2008-1686.patch +++ vorbis-tools-1.2.0/debian/patches/CVE-2008-1686.patch @@ -0,0 +1,12 @@ +diff -Nur vorbis-tools-1.2.0/ogg123/speex_format.c vorbis-tools-1.2.0.new/ogg123/speex_format.c +--- vorbis-tools-1.2.0/ogg123/speex_format.c 2008-03-03 00:37:26.0 -0500 vorbis-tools-1.2.0.new/ogg123/speex_format.c 2008-05-07 17:34:31.0 -0400 +@@ -475,7 +475,7 @@ +cb-printf_error(callback_arg, ERROR, _(Cannot read header)); + return NULL; +} +- if ((*header)-mode = SPEEX_NB_MODES) { ++ if ((*header)-mode = SPEEX_NB_MODES || (*header)-mode 0) { + cb-printf_error(callback_arg, ERROR, + _(Mode number %d does not (any longer) exist in this version), + (*header)-mode);
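Review bot: the two changed `if` lines of the speex_format.c hunk have lost their comparison operators in this rendering (`if ((*header)-mode = SPEEX_NB_MODES || (*header)-mode 0)`), so the patch as shown here cannot be applied: a bare `=` would assign rather than compare, the second clause has no operator at all, and `-` before `mode` is presumably `->`; apply from the attached debdiff rather than from this text, and note that the `+++` marker of the inner file header has been folded into the `---` line as well. On the logic, the changelog names this an array index vulnerability and the only visible change is adding a lower bound on `mode` next to the existing upper bound against SPEEX_NB_MODES, which is the right shape of fix for a signed field that is later used as an index; the one nit is that a negative mode now produces the message "Mode number %d does not (any longer) exist in this version", which is slightly misleading for that case but harmless. Separately, as raised elsewhere in the thread, this patch fixes the copy embedded in ogg123 rather than making vorbis-tools use the system libspeex; if the package keeps compiling the embedded code, any later fix in libspeex will not reach it.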
Bug#480059: vorbis-tools vulnerable to CVE-2008-1686
For what it's worth, 1.2.1 to be released soon already has this fix, but please feel free to backport it to existing packages.

-Ivo