Bug#876780: libvorbis: CVE-2017-14160
On Fri, May 11, 2018 at 10:20:42PM +0200, Salvatore Bonaccorso wrote:
> Control: retitle -1 libvorbis: CVE-2017-14160 (+ CVE-2018-10392 CVE-2018-10393)
> Control: tags -1 + fixed-upstream
>
> Hi
>
> This issue (cf. https://gitlab.xiph.org/xiph/vorbis/issues/2330) was
> addressed upstream by
> https://gitlab.xiph.org/xiph/vorbis/commit/018ca26dece618457dd13585cad52941193c4a25 .
> There are as well CVE-2018-10392 CVE-2018-10393 which are fixed by
> the same fix. MITRE has assigned two additional CVEs possibly due to
> different vector.

Could we still get this in buster, please?

Cheers,
Moritz
Control: retitle -1 libvorbis: CVE-2017-14160 (+ CVE-2018-10392 CVE-2018-10393)
Control: tags -1 + fixed-upstream

Hi

This issue (cf. https://gitlab.xiph.org/xiph/vorbis/issues/2330) was
addressed upstream by
https://gitlab.xiph.org/xiph/vorbis/commit/018ca26dece618457dd13585cad52941193c4a25 .
There are as well CVE-2018-10392 CVE-2018-10393 which are fixed by
the same fix. MITRE has assigned two additional CVEs possibly due to
different vector.

Regards,
Salvatore
On Tue, Sep 26, 2017 at 12:24:14AM +0200, Petter Reinholdtsen wrote:
> [Salvatore Bonaccorso]
> > the following vulnerability was published for libvorbis.
>
> Thank you for following up on this. I hope a fix shows up from upstream
> for this and other security issues. :)
>
> I was just told on #xiph that this issue also might affect speex:
>
>   rillian: speex may also be affected by that bark_noise_hybridmp bug
>   (CVE-2017-14160) since it includes that very same function, via vorbis_psy.c.
>   see: https://git.xiph.org/?p=speex.git;a=blob;f=libspeex/vorbis_psy.c;h=cb385b7a349486a09a3db20adf225100993111c5;hb=HEAD#l189
>
> I have not verified that this is the case, but thought it best to
> mention it here until someone has time to check it out.

I think you'll find that's only included in speex if VORBIS_PSYCHO is
defined, which by default it isn't, and there's no configure option to
enable it; you'd need to hand-hack the source. That was an experiment
which never really proved its worth, but the code was still around in
case someone had other ideas for it.

In the case of the exported tarballs (which the current distro packages
are based on) vorbis_psy.c isn't one of the exported files. So it's
there in git, but it's not in the Debian source, and I'd be surprised
if anyone is building binaries with it enabled anywhere.

Cheers,
Ron
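The check Ron describes, as an added example that is not part of this thread or of the speex/libvorbis projects: a POSIX shell audit of a source tree that reports whether the shared bark_noise_hybridmp code is shipped at all and, if so, whether it is compiled unconditionally or only behind the VORBIS_PSYCHO guard. It assumes the guard appears as an `#ifdef`/`#if` line naming VORBIS_PSYCHO and that enabling it at build time would show up as a `#define` in config.h or a `-D` flag in a Makefile; the sample tree it runs on is constructed, not real speex source.

```shell
#!/bin/sh
# Added helper, not part of the bug thread or of speex/libvorbis: checks the
# two points Ron raises for a source tree. Is the shared bark_noise_hybridmp()
# code shipped at all, and if so is it compiled unconditionally (libvorbis
# psy.c) or only behind the VORBIS_PSYCHO define (speex vorbis_psy.c)?
# Exit status: 0 = function absent, 1 = present and compiled in,
# 2 = present but guarded and nothing in the tree enables the guard.
audit_bark_noise() {
    tree=$1
    result=0
    files=$(grep -rl --include='*.c' 'bark_noise_hybridmp' "$tree" 2>/dev/null || true)
    if [ -z "$files" ]; then
        echo "absent: no bark_noise_hybridmp under $tree"
        return 0
    fi
    for f in $files; do
        # Guarded file: an #ifdef/#if line naming VORBIS_PSYCHO (assumed form).
        if grep -Eq '^[[:space:]]*#[[:space:]]*(ifdef|if)[[:space:]].*VORBIS_PSYCHO' "$f"; then
            # Does any build input switch the guard on (config.h, Makefiles, CFLAGS)?
            if grep -rEq --include='config.h' --include='Makefile*' --include='*.am' \
                    --include='*.in' '(#define[[:space:]]+VORBIS_PSYCHO|-DVORBIS_PSYCHO)' "$tree"; then
                echo "enabled: $f is guarded but VORBIS_PSYCHO is defined by the build"
                return 1
            fi
            echo "guarded: $f present but VORBIS_PSYCHO is not enabled"
            result=2
        else
            echo "unguarded: $f compiles bark_noise_hybridmp unconditionally"
            return 1
        fi
    done
    return $result
}

# Constructed sample tree (not real speex sources) mirroring the layout Ron
# describes: vorbis_psy.c wrapped in #ifdef VORBIS_PSYCHO, config.h without it.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/libspeex"
    printf '#ifdef VORBIS_PSYCHO\nstatic void bark_noise_hybridmp(void) {}\n#endif\n' \
        > "$d/libspeex/vorbis_psy.c"
    printf '/* constructed config.h: VORBIS_PSYCHO deliberately not defined */\n' > "$d/config.h"
    echo "$d"
}

# Stand-alone demo on the constructed tree: expect "guarded" and exit status 2.
sample=$(make_sample_tree)
rc=0
audit_bark_noise "$sample" || rc=$?
echo "verdict for constructed tree: exit status $rc"
rm -rf "$sample"
```

Run it against a real unpacked tarball with `audit_bark_noise /path/to/speex-x.y.z` to confirm Ron's point that the exported tarballs do not ship vorbis_psy.c at all.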
[Salvatore Bonaccorso]
> the following vulnerability was published for libvorbis.

Thank you for following up on this. I hope a fix shows up from upstream
for this and other security issues. :)

I was just told on #xiph that this issue also might affect speex:

  rillian: speex may also be affected by that bark_noise_hybridmp bug
  (CVE-2017-14160) since it includes that very same function, via vorbis_psy.c.
  see: https://git.xiph.org/?p=speex.git;a=blob;f=libspeex/vorbis_psy.c;h=cb385b7a349486a09a3db20adf225100993111c5;hb=HEAD#l189

I have not verified that this is the case, but thought it best to
mention it here until someone has time to check it out.

--
Happy hacking
Petter Reinholdtsen
Source: libvorbis
Version: 1.3.5-4
Severity: important
Tags: security upstream

Hi,

the following vulnerability was published for libvorbis.

CVE-2017-14160[0]:
| The bark_noise_hybridmp function in psy.c in Xiph.Org libvorbis 1.3.5
| allows remote attackers to cause a denial of service (out-of-bounds
| access and application crash) or possibly have unspecified other impact
| via a crafted mp4 file.

See [1].

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-14160
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14160
[1] http://www.openwall.com/lists/oss-security/2017/09/21/3

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore