Hi,
On Mon, Sep 25, 2017 at 09:49:33PM +0200, Salvatore Bonaccorso wrote:
> Source: libvorbis
> Version: 1.3.5-4
> Severity: important
> Tags: security upstream
> Forwarded: https://gitlab.xiph.org/xiph/vorbis/issues/2328
>
> Hi,
>
> the following vulnerability was published for libvorbis.
>
> CVE-2017-14633[0]:
> | In Xiph.Org libvorbis 1.3.5, an out-of-bounds array read vulnerability
> | exists in the function mapping0_forward() in mapping0.c, which may lead
> | to DoS when operating on a crafted audio file with vorbis_analysis().
>
> The reproducer was not attached to the upstream issue, since looks was
> not possible for the reporter to include it in the report.
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
I have uploaded an NMU with the attached debdiff to fix this CVE and
CVE-2017-14633 delayed/7. Please let me know if you want me to cancel
it (or go a head with a quicker upload).
Cheers,
-- Guido
diff --git a/debian/changelog b/debian/changelog
index 9c8056e2..1b972b4f 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+libvorbis (1.3.5-4.1) unstable; urgency=medium
+
+ * Non-maintainer upload.
+ * Cherry-pick upstream patches for CVE-2017-14632 and CVE-2017-14633
+(Closes: #876778, 876779)
+
+ -- Guido Günther Wed, 20 Dec 2017 17:31:19 +0100
+
libvorbis (1.3.5-4) unstable; urgency=low
* Changed Standards-Version from 3.9.6 to 3.9.8.
diff --git a/debian/patches/CVE-2017-14632-vorbis_analysis_header_out-Don-t-clear-opb.patch b/debian/patches/CVE-2017-14632-vorbis_analysis_header_out-Don-t-clear-opb.patch
new file mode 100644
index ..440ad734
--- /dev/null
+++ b/debian/patches/CVE-2017-14632-vorbis_analysis_header_out-Don-t-clear-opb.patch
@@ -0,0 +1,52 @@
+From: =?utf-8?q?Guido_G=C3=BCnther?=
+Date: Wed, 15 Nov 2017 18:22:59 +0100
+Subject: CVE-2017-14632: vorbis_analysis_header_out: Don't clear opb if not
+ initialized
+
+If the number of channels is not within the allowed range
+we call oggback_writeclear altough it's not initialized yet.
+
+This fixes
+
+=23371== Invalid free() / delete / delete[] / realloc()
+==23371==at 0x4C2CE1B: free (vg_replace_malloc.c:530)
+==23371==by 0x829CA31: oggpack_writeclear (in /usr/lib/x86_64-linux-gnu/libogg.so.0.8.2)
+==23371==by 0x84B96EE: vorbis_analysis_headerout (info.c:652)
+==23371==by 0x9FBCBCC: ??? (in /usr/lib/x86_64-linux-gnu/sox/libsox_fmt_vorbis.so)
+==23371==by 0x4E524F1: ??? (in /usr/lib/x86_64-linux-gnu/libsox.so.2.0.1)
+==23371==by 0x4E52CCA: sox_open_write (in /usr/lib/x86_64-linux-gnu/libsox.so.2.0.1)
+==23371==by 0x10D82A: open_output_file (sox.c:1556)
+==23371==by 0x10D82A: process (sox.c:1753)
+==23371==by 0x10D82A: main (sox.c:3012)
+==23371== Address 0x68768c8 is 488 bytes inside a block of size 880 alloc'd
+==23371==at 0x4C2BB1F: malloc (vg_replace_malloc.c:298)
+==23371==by 0x4C2DE9F: realloc (vg_replace_malloc.c:785)
+==23371==by 0x4E545C2: lsx_realloc (in /usr/lib/x86_64-linux-gnu/libsox.so.2.0.1)
+==23371==by 0x9FBC9A0: ??? (in /usr/lib/x86_64-linux-gnu/sox/libsox_fmt_vorbis.so)
+==23371==by 0x4E524F1: ??? (in /usr/lib/x86_64-linux-gnu/libsox.so.2.0.1)
+==23371==by 0x4E52CCA: sox_open_write (in /usr/lib/x86_64-linux-gnu/libsox.so.2.0.1)
+==23371==by 0x10D82A: open_output_file (sox.c:1556)
+==23371==by 0x10D82A: process (sox.c:1753)
+==23371==by 0x10D82A: main (sox.c:3012)
+
+as seen when using the testcase from CVE-2017-11333 with
+008d23b782be09c8d75ba8190b1794abd66c7121 applied. However the error was
+there before.
+
+Closes: #876779
+---
+ lib/info.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/lib/info.c b/lib/info.c
+index dbb99fc..234cf1e 100644
+--- a/lib/info.c
b/lib/info.c
+@@ -584,6 +584,7 @@ int vorbis_analysis_headerout(vorbis_dsp_state *v,
+ private_state *b=v->backend_state;
+
+ if(!b||vi->channels<=0||vi->channels>256){
++b = NULL;
+ ret=OV_EFAULT;
+ goto err_out;
+ }
diff --git a/debian/patches/CVE-2017-14633-Don-t-allow-for-more-than-256-channels.patch b/debian/patches/CVE-2017-14633-Don-t-allow-for-more-than-256-channels.patch
new file mode 100644
index ..f6abe492
--- /dev/null
+++ b/debian/patches/CVE-2017-14633-Don-t-allow-for-more-than-256-channels.patch
@@ -0,0 +1,32 @@
+From: =?utf-8?q?Guido_G=C3=BCnther?=
+Date: Tue, 31 Oct 2017 18:32:46 +0100
+Subject: CVE-2017-14633: Don't allow for more than 256 channels
+
+Otherwise
+
+ for(i=0;ichannels;i++){
+ /* the encoder setup assumes that all the modes used by any
+ specific bitrate tweaking use the same floor */
+ int submap=info->chmuxlist[i];
+
+overreads later in mapping0_forward since chmuxlist is a fixed array of
+256 elements max.
+
+Closes: #876778
+---