[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Open libvorbis CVEs



Dear xiph maintainers,

As part of fixing the open CVEs of vorbis in LTS I looked at:

* CVE-2017-14633
  https://gitlab.xiph.org/xiph/vorbis/issues/2329
  As far as I understadn things the maximum number of channels is
  hardcoded in vorbis:

    https://github.com/xiph/vorbis/blob/master/lib/backends.h#L132 

  so guard for this:
  
    https://github.com/xiph/vorbis/pull/34

  Theora doesn't check the result of that function so account for that
  as well:

    https://github.com/xiph/theora/pull/6

  Does this make sense?

* CVE-2017-14632 

  That's basically the second fix of the above PR
  https://github.com/xiph/vorbis/pull/34/commits/d5dbde2686b3e68c858d1a7033852b45d74bbd52

* CVE-2017-11333
  https://gitlab.xiph.org/xiph/vorbis/issues/2332
  
  The invocation there also hits the above chmuxlist limit. With the fix
  for CVE-2017-14633 applied sox needs to handle errors returned by the
  function as well:
  
    https://sourceforge.net/p/sox/mailman/message/36130427/

  (which Debian's sox maintainer picked up very quickly and forwarded
  it, thanks Måns).

So the above issues could be fixed by uploading vorbis, theora and
sox. However we have many more programs invoking the above function but
not handling errors returned by it (among them firefox and
gstreamer). It's unlikely that we break things for decoders reading
vorbis since the limit can only happen on encoding not decoding but I
might be overlooking something.

* CVE-2017-14160
  https://gitlab.xiph.org/xiph/vorbis/issues/2330

  I've not been able to find the root cause for this yet. I've posted
  a patch that makes the code more robust by also checking the loop
  variable but I'm yet lost about the real reason. Any ideas would be
  welcome.

Cheers,
 -- Guido


Reply to: