Bug#876779: libvorbis: CVE-2017-14632

2017-12-21 Thread Guido Günther
Hi,
On Mon, Sep 25, 2017 at 09:49:33PM +0200, Salvatore Bonaccorso wrote:
> Source: libvorbis
> Version: 1.3.5-4
> Severity: important
> Tags: security upstream
> Forwarded: https://gitlab.xiph.org/xiph/vorbis/issues/2328
> 
> Hi,
> 
> the following vulnerability was published for libvorbis.
> 
> CVE-2017-14633[0]:
> | In Xiph.Org libvorbis 1.3.5, an out-of-bounds array read vulnerability
> | exists in the function mapping0_forward() in mapping0.c, which may lead
> | to DoS when operating on a crafted audio file with vorbis_analysis().
> 
> The reproducer was not attached to the upstream issue, since it looks like it was
> not possible for the reporter to include it in the report.
> 
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

I have uploaded an NMU with the attached debdiff to fix this CVE and
CVE-2017-14633 to delayed/7. Please let me know if you want me to cancel
it (or go ahead with a quicker upload).

Cheers,
 -- Guido
diff --git a/debian/changelog b/debian/changelog
index 9c8056e2..1b972b4f 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+libvorbis (1.3.5-4.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Cherry-pick upstream patches for CVE-2017-14632 and CVE-2017-14633
+(Closes: #876778, 876779)
+
+ -- Guido Günther   Wed, 20 Dec 2017 17:31:19 +0100
+
 libvorbis (1.3.5-4) unstable; urgency=low
 
   * Changed Standards-Version from 3.9.6 to 3.9.8.
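Review bot: in the `Closes:` line the second bug number has no `#` prefix (`#876778, 876779`); dpkg's changelog parser accepts both spellings, but for consistency with the first number and with the `Closes: #876779` / `Closes: #876778` trailers in the two patch headers, write `(Closes: #876778, #876779)`. The NMU version `1.3.5-4.1` and the `Non-maintainer upload.` first line follow the usual convention.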
diff --git a/debian/patches/CVE-2017-14632-vorbis_analysis_header_out-Don-t-clear-opb.patch b/debian/patches/CVE-2017-14632-vorbis_analysis_header_out-Don-t-clear-opb.patch
new file mode 100644
index ..440ad734
--- /dev/null
+++ b/debian/patches/CVE-2017-14632-vorbis_analysis_header_out-Don-t-clear-opb.patch
@@ -0,0 +1,52 @@
+From: =?utf-8?q?Guido_G=C3=BCnther?= 
+Date: Wed, 15 Nov 2017 18:22:59 +0100
+Subject: CVE-2017-14632: vorbis_analysis_header_out: Don't clear opb if not
+ initialized
+
+If the number of channels is not within the allowed range
+we call oggback_writeclear altough it's not initialized yet.
+
+This fixes
+
+=23371== Invalid free() / delete / delete[] / realloc()
+==23371==at 0x4C2CE1B: free (vg_replace_malloc.c:530)
+==23371==by 0x829CA31: oggpack_writeclear (in /usr/lib/x86_64-linux-gnu/libogg.so.0.8.2)
+==23371==by 0x84B96EE: vorbis_analysis_headerout (info.c:652)
+==23371==by 0x9FBCBCC: ??? (in /usr/lib/x86_64-linux-gnu/sox/libsox_fmt_vorbis.so)
+==23371==by 0x4E524F1: ??? (in /usr/lib/x86_64-linux-gnu/libsox.so.2.0.1)
+==23371==by 0x4E52CCA: sox_open_write (in /usr/lib/x86_64-linux-gnu/libsox.so.2.0.1)
+==23371==by 0x10D82A: open_output_file (sox.c:1556)
+==23371==by 0x10D82A: process (sox.c:1753)
+==23371==by 0x10D82A: main (sox.c:3012)
+==23371==  Address 0x68768c8 is 488 bytes inside a block of size 880 alloc'd
+==23371==at 0x4C2BB1F: malloc (vg_replace_malloc.c:298)
+==23371==by 0x4C2DE9F: realloc (vg_replace_malloc.c:785)
+==23371==by 0x4E545C2: lsx_realloc (in /usr/lib/x86_64-linux-gnu/libsox.so.2.0.1)
+==23371==by 0x9FBC9A0: ??? (in /usr/lib/x86_64-linux-gnu/sox/libsox_fmt_vorbis.so)
+==23371==by 0x4E524F1: ??? (in /usr/lib/x86_64-linux-gnu/libsox.so.2.0.1)
+==23371==by 0x4E52CCA: sox_open_write (in /usr/lib/x86_64-linux-gnu/libsox.so.2.0.1)
+==23371==by 0x10D82A: open_output_file (sox.c:1556)
+==23371==by 0x10D82A: process (sox.c:1753)
+==23371==by 0x10D82A: main (sox.c:3012)
+
+as seen when using the testcase from CVE-2017-11333 with
+008d23b782be09c8d75ba8190b1794abd66c7121 applied. However the error was
+there before.
+
+Closes: #876779
+---
+ lib/info.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/lib/info.c b/lib/info.c
+index dbb99fc..234cf1e 100644
+--- a/lib/info.c
 b/lib/info.c
+@@ -584,6 +584,7 @@ int vorbis_analysis_headerout(vorbis_dsp_state *v,
+   private_state *b=v->backend_state;
+ 
+   if(!b||vi->channels<=0||vi->channels>256){
++b = NULL;
+ ret=OV_EFAULT;
+ goto err_out;
+   }
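Review bot: the added `b = NULL;` only has an effect if the `err_out:` path (not shown in this hunk) guards its `oggpack_writeclear(&opb)` call on `b`, which the valgrind trace in the description (free reached from info.c:652) and the patch title strongly suggest; a one-line comment at the assignment, e.g. `/* opb is not initialised yet; make err_out skip oggpack_writeclear */`, would keep a later reader from "simplifying" it away. Two smaller points in the same file: the description says `oggback_writeclear` and `altough` (should be `oggpack_writeclear` and `although`), and the nested `+++ b/lib/info.c` header appears here as just ` b/lib/info.c`, so it is worth confirming that the patch file as uploaded still applies cleanly with `quilt push -a`.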
diff --git a/debian/patches/CVE-2017-14633-Don-t-allow-for-more-than-256-channels.patch b/debian/patches/CVE-2017-14633-Don-t-allow-for-more-than-256-channels.patch
new file mode 100644
index ..f6abe492
--- /dev/null
+++ b/debian/patches/CVE-2017-14633-Don-t-allow-for-more-than-256-channels.patch
@@ -0,0 +1,32 @@
+From: =?utf-8?q?Guido_G=C3=BCnther?= 
+Date: Tue, 31 Oct 2017 18:32:46 +0100
+Subject: CVE-2017-14633: Don't allow for more than 256 channels
+
+Otherwise
+
+ for(i=0;ichannels;i++){
+  /* the encoder setup assumes that all the modes used by any
+ specific bitrate tweaking use the same floor */
+  int submap=info->chmuxlist[i];
+
+overreads later in mapping0_forward since chmuxlist is a fixed array of
+256 elements max.
+
+Closes: #876778
+---
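Review bot: the debdiff stops right after the `---` separator, so neither the diffstat nor the actual code change for CVE-2017-14633 is visible here; the description explains that more than 256 channels must be rejected because `chmuxlist` has 256 entries, but where the check was added cannot be confirmed from what is shown, so please attach the complete patch. Also, the quoted loop `for(i=0;ichannels;i++)` has lost its comparison (the loop in mapping0_forward reads `for(i=0;i<vi->channels;i++)`), which looks like `<`/`>` being dropped in transit; check the patch file itself for the same damage before it lands in the package.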

Bug#876779: libvorbis: CVE-2017-14632

2017-09-25 Thread Salvatore Bonaccorso
Source: libvorbis
Version: 1.3.5-4
Severity: important
Tags: security upstream
Forwarded: https://gitlab.xiph.org/xiph/vorbis/issues/2328

Hi,

the following vulnerability was published for libvorbis.

CVE-2017-14633[0]:
| In Xiph.Org libvorbis 1.3.5, an out-of-bounds array read vulnerability
| exists in the function mapping0_forward() in mapping0.c, which may lead
| to DoS when operating on a crafted audio file with vorbis_analysis().

The reproducer was not attached to the upstream issue, since it looks like it was
not possible for the reporter to include it in the report.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-14633
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14633
[1] https://gitlab.xiph.org/xiph/vorbis/issues/2328

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
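The two defects in this thread, an out-of-bounds read of the 256-entry chmuxlist when the channel count is not range-checked (CVE-2017-14633) and an invalid free when the error path clears a not-yet-initialised oggpack buffer (CVE-2017-14632), come down to two habits: validate a count before it indexes a fixed-size array, and release only what was actually initialised. The C program below is an added illustration by the editor, not code from libvorbis, from the Debian package or from either mail. Every identifier in it (info_like, mapping_like, setup_mapping, teardown_mapping, sum_submaps, try_setup, try_sum, MAX_CHANNELS, OK_LIKE, EFAULT_LIKE) is hypothetical, and the explicit `packbuf_inited` flag is a variant of upstream's approach of nulling the backend pointer that the cleanup code tests, not the upstream patch itself.

```c
/* Added example by the editor, not libvorbis or Debian code: a toy mapping
 * setup that shows the two defensive patterns behind the fixes in this
 * thread. All identifiers below are hypothetical. */
#include <stdlib.h>
#include <string.h>

#define MAX_CHANNELS 256      /* same bound as libvorbis' fixed chmuxlist[] */
#define OK_LIKE 0             /* modelled on libvorbis' 0 / OV_EFAULT (-129) */
#define EFAULT_LIKE (-129)

typedef struct { int channels; } info_like;   /* header field from the file */

typedef struct {
    unsigned char chmuxlist[MAX_CHANNELS]; /* fixed size, indexed by channel */
    unsigned char *packbuf;                /* stands in for the oggpack buffer */
    int packbuf_inited;                    /* explicit "was it initialised" flag */
} mapping_like;

/* Pattern 1 (CVE-2017-14633): range-check the channel count before any loop
 * indexes a channel-sized array. Pattern 2 (CVE-2017-14632): on the error
 * path, release only what was actually initialised. Upstream does this by
 * nulling the backend pointer that err_out tests; an explicit flag is used
 * here so the intent is visible. */
int setup_mapping(mapping_like *m, const info_like *vi)
{
    int ret = OK_LIKE;
    memset(m, 0, sizeof *m);

    if (!vi || vi->channels <= 0 || vi->channels > MAX_CHANNELS) {
        ret = EFAULT_LIKE;
        goto err_out;                      /* nothing initialised yet */
    }

    m->packbuf = malloc(1024);
    if (!m->packbuf) { ret = EFAULT_LIKE; goto err_out; }
    m->packbuf_inited = 1;                 /* from here on err_out must free it */

    /* Safe: channels is now known to be within 1..MAX_CHANNELS. */
    for (int i = 0; i < vi->channels; i++)
        m->chmuxlist[i] = (unsigned char)(i % 2);
    return OK_LIKE;

err_out:
    if (m->packbuf_inited) {               /* the guard 1.3.5 lacked for opb */
        free(m->packbuf);
        m->packbuf = NULL;
        m->packbuf_inited = 0;
    }
    return ret;
}

void teardown_mapping(mapping_like *m)
{
    if (m->packbuf_inited) { free(m->packbuf); m->packbuf = NULL; m->packbuf_inited = 0; }
}

/* Mirrors the loop quoted in the CVE-2017-14633 patch description: one
 * chmuxlist lookup per channel. Returns -1 rather than over-reading. */
int sum_submaps(const mapping_like *m, const info_like *vi)
{
    if (vi->channels <= 0 || vi->channels > MAX_CHANNELS)
        return -1;
    int sum = 0;
    for (int i = 0; i < vi->channels; i++)
        sum += m->chmuxlist[i];
    return sum;
}

/* Drive a full setup/use/teardown cycle for a given channel count so the
 * outcome is a plain return value. */
int try_setup(int channels)
{
    mapping_like m;
    info_like vi = { channels };
    int ret = setup_mapping(&m, &vi);
    teardown_mapping(&m);                  /* safe after failure: flag is 0 */
    return ret;
}

int try_sum(int channels)
{
    mapping_like m;
    info_like vi = { channels };
    if (setup_mapping(&m, &vi) != OK_LIKE)
        return -1;
    int sum = sum_submaps(&m, &vi);
    teardown_mapping(&m);
    return sum;
}

int main(void)
{
    /* Constructed inputs: a stereo stream, the 256-channel edge, and a crafted
     * header claiming 300 channels. */
    return (try_setup(2) == OK_LIKE && try_sum(256) == 128 &&
            try_setup(300) == EFAULT_LIKE && try_sum(300) == -1) ? 0 : 1;
}
```

Build it with `cc -Wall -fsanitize=address example.c` (hypothetical file name) and run it; it exits 0. Deleting the range check in `setup_mapping` turns the 300-channel input into a write past the end of the 256-entry array, the class of defect AddressSanitizer reports, and deleting the `packbuf_inited` guard reintroduces the "free something that was never set up" mistake that the valgrind trace in Guido's patch description shows for `opb`.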