Bug#480059: vorbis-tools vulnerable to CVE-2008-1686

2008-05-09 Thread Tomas Hoger
Hi Jamie!

I've noticed your USN-611-[123], which patch speex, vorbis-tools and
gstreamer plugins.  However, I believe the fix in libspeex/speex_header.c
should be sufficient to address this issue in all affected
applications, as they call speex_packet_to_header().  With the patch
applied, it'll return NULL for malformed speex files and the mode check
in speexdec / ogg123 / ...  is not reached at all.  Or have I missed
anything?

skx, vorbis-tools does not embed the whole speex library, only sample
client implementation code.  Previous versions of speex required the
client to perform part of the sanity checks (and many clients did not do
that properly), so the check has now been moved directly into the speex
library.

HTH

-- 
Tomas Hoger



-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
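The sanity check Tomas describes, as an added example that is not code from libspeex, vorbis-tools or anyone in this thread: a minimal parser for the 80-byte Speex stream header that rejects a header whose mode is negative or >= SPEEX_NB_MODES before the value is ever used as an array index, shown next to the old upper-bound-only client check. The byte layout is assumed to be the one declared in speex_header.h (8-byte "Speex   " magic, 20-byte version string, then little-endian 32-bit fields with rate at offset 36, mode at offset 40 and nb_channels at offset 48) and SPEEX_NB_MODES is taken as 3 as in speex.h; the struct, table and function names (SpeexHeaderLite, mode_names, probe_mode and the rest) are the example's own.

```c
/* Added example, not libspeex or vorbis-tools code: Speex header parsing
 * with the signed bounds check on "mode" that the thread discusses.
 * Assumed layout (speex_header.h): magic@0, version string@8, then
 * little-endian int32 fields: version_id@28, header_size@32, rate@36,
 * mode@40, mode_bitstream_version@44, nb_channels@48, ... 80 bytes total. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SPEEX_NB_MODES     3   /* as in speex.h: NB, WB, UWB */
#define SPEEX_HEADER_BYTES 80

typedef struct {               /* example's own cut-down struct */
    int32_t rate;
    int32_t mode;
    int32_t nb_channels;
} SpeexHeaderLite;

/* Table indexed by mode: an unchecked negative mode reads before its start. */
static const char *const mode_names[SPEEX_NB_MODES] = {
    "narrowband", "wideband", "ultra-wideband"
};

static int32_t read_le32(const unsigned char *p)
{
    uint32_t v = 0;
    for (int i = 0; i < 4; i++)
        v |= (uint32_t)p[i] << (8 * i);
    return (int32_t)v;
}

static void write_le32(unsigned char *p, int32_t x)
{
    for (int i = 0; i < 4; i++)
        p[i] = (unsigned char)(((uint32_t)x >> (8 * i)) & 0xff);
}

/* Pre-fix client check: upper bound only.  mode is signed, so -1 passes. */
int old_mode_check_accepts(int32_t mode)
{
    return mode < SPEEX_NB_MODES;
}

/* Fixed check: reject both directions before mode becomes an index. */
int new_mode_check_accepts(int32_t mode)
{
    return mode >= 0 && mode < SPEEX_NB_MODES;
}

/* Returns 0 on success, -1 for a malformed header.  Checking mode here
 * plays the role of speex_packet_to_header() returning NULL: a client that
 * gets a header back never sees an out-of-range mode. */
int parse_speex_header(const unsigned char *buf, size_t len, SpeexHeaderLite *out)
{
    if (buf == NULL || out == NULL || len < SPEEX_HEADER_BYTES)
        return -1;
    if (memcmp(buf, "Speex   ", 8) != 0)
        return -1;
    int32_t mode = read_le32(buf + 40);
    if (!new_mode_check_accepts(mode))
        return -1;
    int32_t nb_channels = read_le32(buf + 48);
    if (nb_channels < 1 || nb_channels > 2)
        return -1;
    out->rate = read_le32(buf + 36);
    out->mode = mode;
    out->nb_channels = nb_channels;
    return 0;
}

/* Safe only because parse_speex_header() has validated h->mode. */
const char *speex_mode_name(const SpeexHeaderLite *h)
{
    return mode_names[h->mode];
}

/* Constructed input: an otherwise plausible header carrying the given mode. */
void build_speex_header(unsigned char *buf, int32_t rate, int32_t mode, int32_t nb_channels)
{
    memset(buf, 0, SPEEX_HEADER_BYTES);
    memcpy(buf, "Speex   ", 8);
    memcpy(buf + 8, "1.2rc1", 6);              /* version string (constructed) */
    write_le32(buf + 28, 1);                   /* speex_version_id */
    write_le32(buf + 32, SPEEX_HEADER_BYTES);  /* header_size */
    write_le32(buf + 36, rate);
    write_le32(buf + 40, mode);
    write_le32(buf + 48, nb_channels);
}

/* Build and parse a header with the given mode; returns the parse result. */
int probe_mode(int32_t mode)
{
    unsigned char buf[SPEEX_HEADER_BYTES];
    SpeexHeaderLite h;
    build_speex_header(buf, 16000, mode, 1);
    return parse_speex_header(buf, sizeof buf, &h);
}

int main(void)
{
    const int32_t probes[] = { 0, 1, 2, 3, -1, INT32_MIN };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++)
        printf("mode %11d: old check %s, new check %s, parse %s\n", probes[i],
               old_mode_check_accepts(probes[i]) ? "accepts" : "rejects",
               new_mode_check_accepts(probes[i]) ? "accepts" : "rejects",
               probe_mode(probes[i]) == 0 ? "ok" : "malformed");
    return 0;
}
```

For a header carrying mode = -1 (0xffffffff on the wire) the old check accepts it, because the field is a signed 32-bit value and -1 compares below SPEEX_NB_MODES, while the new check rejects it and parse_speex_header() reports the header malformed; a client that only ever indexes mode_names after a successful parse cannot reach the negative index, which is the property the libspeex-side fix gives every caller of speex_packet_to_header() without each of them repeating the check.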



Bug#480059: vorbis-tools vulnerable to CVE-2008-1686

2008-05-08 Thread Steve Kemp
On Wed May 07, 2008 at 18:12:09 -0400, Jamie Strandboge wrote:

> vorbis-tools contains embedded speex code, and although vorbis-tools is linked
> to libspeex, it compiles the vulnerable code. Attached is a debdiff that Ubuntu
> is using in its 1.1.1 versions of vorbis-tools (fuzz removed).

  I'd rather see a patch that makes vorbis-tools link
 against the system-wide library, and not compile the vulnerable
 code at all.

  Would it be possible for you to provide such a thing, or is that
 too hard?

Steve
-- 




Bug#480059: vorbis-tools vulnerable to CVE-2008-1686

2008-05-07 Thread Jamie Strandboge
Package: vorbis-tools
Version: 1.2.0-1.1
Severity: grave
Tags: patch security
Justification: user security hole
User: [EMAIL PROTECTED]
Usertags: origin-ubuntu hardy ubuntu-patch

vorbis-tools contains embedded speex code, and although vorbis-tools is linked
to libspeex, it compiles the vulnerable code. Attached is a debdiff that Ubuntu
is using in its 1.1.1 versions of vorbis-tools (fuzz removed).

Here is a suggested changelog entry:

  * SECURITY UPDATE: array index vulnerability
  * debian/patches/CVE-2008-1686.diff: fix for ogg123/speex_format.c to
    properly validate its input
  * References
    CVE-2008-1686
diff -u vorbis-tools-1.2.0/debian/changelog vorbis-tools-1.2.0/debian/changelog
diff -u vorbis-tools-1.2.0/debian/patches/series 
vorbis-tools-1.2.0/debian/patches/series
--- vorbis-tools-1.2.0/debian/patches/series
+++ vorbis-tools-1.2.0/debian/patches/series
@@ -5,0 +6 @@
+CVE-2008-1686.patch
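Review bot: the file name added to debian/patches/series here is CVE-2008-1686.patch, but the suggested changelog entry above names it debian/patches/CVE-2008-1686.diff; rename one of the two so the changelog matches the file the series actually applies.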
only in patch2:
unchanged:
--- vorbis-tools-1.2.0.orig/debian/patches/CVE-2008-1686.patch
+++ vorbis-tools-1.2.0/debian/patches/CVE-2008-1686.patch
@@ -0,0 +1,12 @@
+diff -Nur vorbis-tools-1.2.0/ogg123/speex_format.c 
vorbis-tools-1.2.0.new/ogg123/speex_format.c
+--- vorbis-tools-1.2.0/ogg123/speex_format.c   2008-03-03 00:37:26.0 
-0500
 vorbis-tools-1.2.0.new/ogg123/speex_format.c   2008-05-07 
17:34:31.0 -0400
+@@ -475,7 +475,7 @@
+cb-printf_error(callback_arg, ERROR, _(Cannot read header));
+  return NULL;
+}
+-   if ((*header)-mode = SPEEX_NB_MODES) {
++   if ((*header)-mode = SPEEX_NB_MODES || (*header)-mode  0) {
+  cb-printf_error(callback_arg, ERROR, 
+ _(Mode number %d does not (any longer) exist in this 
version),
+ (*header)-mode);
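Review bot: the new lower-bound test on (*header)->mode is the right fix, since mode is a signed 32-bit field and the existing comparison against SPEEX_NB_MODES alone lets a negative value through to be used as an array index (the "array index vulnerability" the changelog names), but as pasted here the operators have been lost (`(*header)-mode  0` and `-mode = SPEEX_NB_MODES` carry no `<`, `>=` or `->`), so the hunk will not apply from this rendering and should be taken from the attached debdiff. Note also, as Tomas Hoger points out elsewhere in this thread, that the libspeex fix makes speex_packet_to_header() return NULL for such headers, which the `return NULL;` context above already handles, so this check is defence in depth for the embedded client code rather than the only line of defence.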


Bug#480059: vorbis-tools vulnerable to CVE-2008-1686

2008-05-07 Thread Ivo Emanuel Gonçalves
For what it's worth, 1.2.1 to be released soon already has this fix,
but please feel free to backport it to existing packages.

-Ivo


