GNU bug report logs - #30061
[PATCH] gnu: libvorbis: Fix CVE-2017-{14632,14633}.
Reported by: Leo Famulari <leo <at> famulari.name>
Date: Wed, 10 Jan 2018 09:09:01 UTC
Severity: normal
Tags: patch, security
Done: Leo Famulari <leo <at> famulari.name>
Bug is archived. No further changes may be made.
Report forwarded to guix-patches <at> gnu.org: bug#30061; Package guix-patches. (Wed, 10 Jan 2018 09:09:02 GMT)
Acknowledgement sent to Leo Famulari <leo <at> famulari.name>: New bug report received and forwarded. Copy sent to guix-patches <at> gnu.org. (Wed, 10 Jan 2018 09:09:02 GMT)
Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):
* gnu/packages/patches/libvorbis-CVE-2017-14632.patch,
gnu/packages/patches/libvorbis-CVE-2017-14633.patch: New files.
* gnu/local.mk (dist_patch_DATA): Add them.
* gnu/packages/xiph.scm (libvorbis)[replacement]: New field.
(libvorbis/fixed): New variable.
---
gnu/local.mk | 2 +
.../patches/libvorbis-CVE-2017-14632.patch | 63 ++++++++++++++++++++++
.../patches/libvorbis-CVE-2017-14633.patch | 43 +++++++++++++++
gnu/packages/xiph.scm | 9 ++++
4 files changed, 117 insertions(+)
create mode 100644 gnu/packages/patches/libvorbis-CVE-2017-14632.patch
create mode 100644 gnu/packages/patches/libvorbis-CVE-2017-14633.patch
diff --git a/gnu/local.mk b/gnu/local.mk
index 44868d4bb..4b451c7a9 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -851,6 +851,8 @@ dist_patch_DATA = \
%D%/packages/patches/libusb-0.1-disable-tests.patch \
%D%/packages/patches/libusb-for-axoloti.patch \
%D%/packages/patches/libvdpau-va-gl-unbundle.patch \
+ %D%/packages/patches/libvorbis-CVE-2017-14632.patch \
+ %D%/packages/patches/libvorbis-CVE-2017-14633.patch \
%D%/packages/patches/libvpx-CVE-2016-2818.patch \
%D%/packages/patches/libxcb-python-3.5-compat.patch \
%D%/packages/patches/libxml2-CVE-2016-4658.patch \
diff --git a/gnu/packages/patches/libvorbis-CVE-2017-14632.patch b/gnu/packages/patches/libvorbis-CVE-2017-14632.patch
new file mode 100644
index 000000000..99debf210
--- /dev/null
+++ b/gnu/packages/patches/libvorbis-CVE-2017-14632.patch
@@ -0,0 +1,63 @@
+Fix CVE-2017-14632:
+
+https://gitlab.xiph.org/xiph/vorbis/issues/2328
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14632
+
+Patch copied from upstream source repository:
+
+https://gitlab.xiph.org/xiph/vorbis/commit/c1c2831fc7306d5fbd7bc800324efd12b28d327f
+
+From c1c2831fc7306d5fbd7bc800324efd12b28d327f Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Guido=20G=C3=BCnther?= <agx <at> sigxcpu.org>
+Date: Wed, 15 Nov 2017 18:22:59 +0100
+Subject: [PATCH] CVE-2017-14632: vorbis_analysis_header_out: Don't clear opb
+ if not initialized
+
+If the number of channels is not within the allowed range
+we call oggback_writeclear altough it's not initialized yet.
+
+This fixes
+
+ =23371== Invalid free() / delete / delete[] / realloc()
+ ==23371== at 0x4C2CE1B: free (vg_replace_malloc.c:530)
+ ==23371== by 0x829CA31: oggpack_writeclear (in /usr/lib/x86_64-linux-gnu/libogg.so.0.8.2)
+ ==23371== by 0x84B96EE: vorbis_analysis_headerout (info.c:652)
+ ==23371== by 0x9FBCBCC: ??? (in /usr/lib/x86_64-linux-gnu/sox/libsox_fmt_vorbis.so)
+ ==23371== by 0x4E524F1: ??? (in /usr/lib/x86_64-linux-gnu/libsox.so.2.0.1)
+ ==23371== by 0x4E52CCA: sox_open_write (in /usr/lib/x86_64-linux-gnu/libsox.so.2.0.1)
+ ==23371== by 0x10D82A: open_output_file (sox.c:1556)
+ ==23371== by 0x10D82A: process (sox.c:1753)
+ ==23371== by 0x10D82A: main (sox.c:3012)
+ ==23371== Address 0x68768c8 is 488 bytes inside a block of size 880 alloc'd
+ ==23371== at 0x4C2BB1F: malloc (vg_replace_malloc.c:298)
+ ==23371== by 0x4C2DE9F: realloc (vg_replace_malloc.c:785)
+ ==23371== by 0x4E545C2: lsx_realloc (in /usr/lib/x86_64-linux-gnu/libsox.so.2.0.1)
+ ==23371== by 0x9FBC9A0: ??? (in /usr/lib/x86_64-linux-gnu/sox/libsox_fmt_vorbis.so)
+ ==23371== by 0x4E524F1: ??? (in /usr/lib/x86_64-linux-gnu/libsox.so.2.0.1)
+ ==23371== by 0x4E52CCA: sox_open_write (in /usr/lib/x86_64-linux-gnu/libsox.so.2.0.1)
+ ==23371== by 0x10D82A: open_output_file (sox.c:1556)
+ ==23371== by 0x10D82A: process (sox.c:1753)
+ ==23371== by 0x10D82A: main (sox.c:3012)
+
+as seen when using the testcase from CVE-2017-11333 with
+008d23b782be09c8d75ba8190b1794abd66c7121 applied. However the error was
+there before.
+---
+ lib/info.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/lib/info.c b/lib/info.c
+index 7bc4ea4..8d0b2ed 100644
+--- a/lib/info.c
++++ b/lib/info.c
+@@ -589,6 +589,7 @@ int vorbis_analysis_headerout(vorbis_dsp_state *v,
+ private_state *b=v->backend_state;
+
+ if(!b||vi->channels<=0||vi->channels>256){
++ b = NULL;
+ ret=OV_EFAULT;
+ goto err_out;
+ }
+--
+2.15.1
+
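Review bot: The single added line `b = NULL;` at `@@ -589,6 +589,7 @@` only takes effect through whatever the `err_out` path does with `b`, and that path lies outside the hunk's context, so the link to the commit subject ("Don't clear opb if not initialized") cannot be checked from this file alone. A sentence in the Guix header of this patch stating that `err_out` is expected to skip `oggpack_writeclear` when `b` is NULL would document why nulling `b` is the fix.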
diff --git a/gnu/packages/patches/libvorbis-CVE-2017-14633.patch b/gnu/packages/patches/libvorbis-CVE-2017-14633.patch
new file mode 100644
index 000000000..ec6bf5265
--- /dev/null
+++ b/gnu/packages/patches/libvorbis-CVE-2017-14633.patch
@@ -0,0 +1,43 @@
+Fix CVE-2017-14633:
+
+https://gitlab.xiph.org/xiph/vorbis/issues/2329
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14633
+
+Patch copied from upstream source repository:
+
+https://gitlab.xiph.org/xiph/vorbis/commit/a79ec216cd119069c68b8f3542c6a425a74ab993
+
+From a79ec216cd119069c68b8f3542c6a425a74ab993 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Guido=20G=C3=BCnther?= <agx <at> sigxcpu.org>
+Date: Tue, 31 Oct 2017 18:32:46 +0100
+Subject: [PATCH] CVE-2017-14633: Don't allow for more than 256 channels
+
+Otherwise
+
+ for(i=0;i<vi->channels;i++){
+ /* the encoder setup assumes that all the modes used by any
+ specific bitrate tweaking use the same floor */
+ int submap=info->chmuxlist[i];
+
+overreads later in mapping0_forward since chmuxlist is a fixed array of
+256 elements max.
+---
+ lib/info.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/info.c b/lib/info.c
+index fe759ed..7bc4ea4 100644
+--- a/lib/info.c
++++ b/lib/info.c
+@@ -588,7 +588,7 @@ int vorbis_analysis_headerout(vorbis_dsp_state *v,
+ oggpack_buffer opb;
+ private_state *b=v->backend_state;
+
+- if(!b||vi->channels<=0){
++ if(!b||vi->channels<=0||vi->channels>256){
+ ret=OV_EFAULT;
+ goto err_out;
+ }
+--
+2.15.1
+
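Review bot: The new `vi->channels>256` bound at `@@ -588,7 +588,7 @@` sits in `vorbis_analysis_headerout`, while the commit message places the overread in `mapping0_forward`; nothing in this hunk shows that every encoder path reaches `mapping0_forward` only after passing this check. It would help to state that assumption in the patch header, or to point at the discussion in the linked upstream issue that establishes it.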
diff --git a/gnu/packages/xiph.scm b/gnu/packages/xiph.scm
index 9277f57ad..e9ab06de4 100644
--- a/gnu/packages/xiph.scm
+++ b/gnu/packages/xiph.scm
@@ -79,6 +79,7 @@ periodic timestamps for seeking.")
(define libvorbis
(package
(name "libvorbis")
+ (replacement libvorbis/fixed)
(version "1.3.5")
(source (origin
(method url-fetch)
@@ -102,6 +103,14 @@ polyphonic) audio and music at fixed and variable bitrates from 16 to
"See COPYING in the distribution."))
(home-page "http://xiph.org/vorbis/")))
+(define libvorbis/fixed
+ (package
+ (inherit libvorbis)
+ (source (origin
+ (inherit (package-source libvorbis))
+ (patches (search-patches "libvorbis-CVE-2017-14633.patch"
+ "libvorbis-CVE-2017-14632.patch"))))))
+
(define libtheora
(package
(name "libtheora")
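Review bot: In `libvorbis/fixed`, the `search-patches` list names "libvorbis-CVE-2017-14633.patch" before "libvorbis-CVE-2017-14632.patch", and that order is required: the 14632 patch uses `if(!b||vi->channels<=0||vi->channels>256){` as a context line, which only exists once the 14633 patch has been applied. A short comment above the list saying the order is intentional would keep a later cleanup from sorting the two numerically and breaking patch application.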
--
2.15.1
Added tag(s) security. Request was from ludo <at> gnu.org (Ludovic Courtès) to control <at> debbugs.gnu.org. (Thu, 11 Jan 2018 21:25:01 GMT)
Information forwarded to guix-patches <at> gnu.org: bug#30061; Package guix-patches. (Thu, 11 Jan 2018 21:26:02 GMT)
Message #10 received at 30061 <at> debbugs.gnu.org (full text, mbox):
Hi,
Leo Famulari <leo <at> famulari.name> wrote:
> * gnu/packages/patches/libvorbis-CVE-2017-14632.patch,
> gnu/packages/patches/libvorbis-CVE-2017-14633.patch: New files.
> * gnu/local.mk (dist_patch_DATA): Add them.
> * gnu/packages/xiph.scm (libvorbis)[replacement]: New field.
> (libvorbis/fixed): New variable.
LGTM.
On ‘core-updates’, should we perform a rebuild instead of grafting?
Thank you!
Ludo’.
Reply sent to Leo Famulari <leo <at> famulari.name>: You have taken responsibility. (Thu, 11 Jan 2018 22:34:02 GMT)
Notification sent to Leo Famulari <leo <at> famulari.name>: bug acknowledged by developer. (Thu, 11 Jan 2018 22:34:02 GMT)
Message #15 received at 30061-done <at> debbugs.gnu.org (full text, mbox):
On Thu, Jan 11, 2018 at 10:25:33PM +0100, Ludovic Courtès wrote:
> Hi,
>
> Leo Famulari <leo <at> famulari.name> wrote:
>
> > * gnu/packages/patches/libvorbis-CVE-2017-14632.patch,
> > gnu/packages/patches/libvorbis-CVE-2017-14633.patch: New files.
> > * gnu/local.mk (dist_patch_DATA): Add them.
> > * gnu/packages/xiph.scm (libvorbis)[replacement]: New field.
> > (libvorbis/fixed): New variable.
>
> LGTM.
Pushed as 138c08899ba73049de8afd2b74a8cf6845a1d9e1
> On ‘core-updates’, should we perform a rebuild instead of grafting?
Yes, I merged master into core-updates and ungrafted libvorbis in
e6ebc7b13225f0eddc404b7d8e136120b962181e
bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Fri, 09 Feb 2018 12:24:05 GMT)
This bug report was last modified 7 years and 133 days ago.