[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

libvorbis request for comments

Hi,

I have taken a look at the libvorbis issues pending in wheezy (and
accidentally in jessie) and backported a few patches. The result is
here, as usual, for testing:

https://people.debian.org/~anarcat/debian/wheezy-lts/

Guido: you a lot of work on those issues with upstream, so it would be
great if you could review the (attached) debdiff. In particular, I
introduce the vi->channels<=0 check in the code, as the lack of
vi->channels=>256 check triggers *another* vulnerability. I'm worried
that adding only vi->channels=>256 would still create an out of bound
reads or another abnormal condition. Of course, introducing that check
triggers CVE-2017-14632, so I include the patch for that as well.

Otherwise, it seems the fix for CVE-2017-11333 is the same as
CVE-2017-14633, so I have marked that fixed as well.

Sounds good?

A.


diff -u libvorbis-1.3.2/debian/changelog libvorbis-1.3.2/debian/changelog
--- libvorbis-1.3.2/debian/changelog
+++ libvorbis-1.3.2/debian/changelog
@@ -1,3 +1,23 @@
+libvorbis (1.3.2-1.3+deb7u1) UNRELEASED; urgency=medium
+
+  * Non-maintainer upload by the LTS Security Team.
+  * CVE-2017-14633: In Xiph.Org libvorbis 1.3.5, an out-of-bounds array
+    read vulnerability exists in the function mapping0_forward() in
+    mapping0.c, which may lead to DoS when operating on a crafted audio
+    file with vorbis_analysis().
+  * CVE-2017-14632: Xiph.Org libvorbis 1.3.5 allows Remote Code Execution
+    upon freeing uninitialized memory in the function
+    vorbis_analysis_headerout() in info.c when vi->channels<=0, a similar
+    issue to Mozilla bug 550184.
+  * CVE-2017-11333: The vorbis_analysis_wrote function in lib/block.c in
+    Xiph.Org libvorbis 1.3.5 allows remote attackers to cause a denial of
+    service (OOM) via a crafted wav file.
+  * CVE-2018-5146: out-of-bounds memory write in the codeboook parsing
+    code of the Libvorbis multimedia library could result in the execution
+    of arbitrary code.
+
+ -- Antoine Beaupré <anarcat@debian.org>  Thu, 19 Apr 2018 11:59:46 -0400
+
 libvorbis (1.3.2-1.3) unstable; urgency=low
 
   * Non-maintainer upload to fix release goals
only in patch2:
unchanged:
--- libvorbis-1.3.2.orig/debian/patches/CVE-2017-14632.patch
+++ libvorbis-1.3.2/debian/patches/CVE-2017-14632.patch
@@ -0,0 +1,55 @@
+Description: backport fix
+ While fixing CVE-2017-14633, an extra check was added which might
+ have triggered CVE-2017-14632, normally not present in 1.3.2. The fix
+ for CVE-2017-14632 was therefore backported here.
+From c1c2831fc7306d5fbd7bc800324efd12b28d327f Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Guido=20G=C3=BCnther?= <agx@sigxcpu.org>
+Date: Wed, 15 Nov 2017 18:22:59 +0100
+Subject: [PATCH] CVE-2017-14632: vorbis_analysis_header_out: Don't clear opb
+ if not initialized
+
+If the number of channels is not within the allowed range
+we call oggback_writeclear altough it's not initialized yet.
+
+This fixes
+
+    =23371== Invalid free() / delete / delete[] / realloc()
+    ==23371==    at 0x4C2CE1B: free (vg_replace_malloc.c:530)
+    ==23371==    by 0x829CA31: oggpack_writeclear (in /usr/lib/x86_64-linux-gnu/libogg.so.0.8.2)
+    ==23371==    by 0x84B96EE: vorbis_analysis_headerout (info.c:652)
+    ==23371==    by 0x9FBCBCC: ??? (in /usr/lib/x86_64-linux-gnu/sox/libsox_fmt_vorbis.so)
+    ==23371==    by 0x4E524F1: ??? (in /usr/lib/x86_64-linux-gnu/libsox.so.2.0.1)
+    ==23371==    by 0x4E52CCA: sox_open_write (in /usr/lib/x86_64-linux-gnu/libsox.so.2.0.1)
+    ==23371==    by 0x10D82A: open_output_file (sox.c:1556)
+    ==23371==    by 0x10D82A: process (sox.c:1753)
+    ==23371==    by 0x10D82A: main (sox.c:3012)
+    ==23371==  Address 0x68768c8 is 488 bytes inside a block of size 880 alloc'd
+    ==23371==    at 0x4C2BB1F: malloc (vg_replace_malloc.c:298)
+    ==23371==    by 0x4C2DE9F: realloc (vg_replace_malloc.c:785)
+    ==23371==    by 0x4E545C2: lsx_realloc (in /usr/lib/x86_64-linux-gnu/libsox.so.2.0.1)
+    ==23371==    by 0x9FBC9A0: ??? (in /usr/lib/x86_64-linux-gnu/sox/libsox_fmt_vorbis.so)
+    ==23371==    by 0x4E524F1: ??? (in /usr/lib/x86_64-linux-gnu/libsox.so.2.0.1)
+    ==23371==    by 0x4E52CCA: sox_open_write (in /usr/lib/x86_64-linux-gnu/libsox.so.2.0.1)
+    ==23371==    by 0x10D82A: open_output_file (sox.c:1556)
+    ==23371==    by 0x10D82A: process (sox.c:1753)
+    ==23371==    by 0x10D82A: main (sox.c:3012)
+
+as seen when using the testcase from CVE-2017-11333 with
+008d23b782be09c8d75ba8190b1794abd66c7121 applied. However the error was
+there before.
+---
+ lib/info.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+Index: b/lib/info.c
+===================================================================
+--- a/lib/info.c	2018-04-19 12:01:24.321102192 -0400
++++ b/lib/info.c	2018-04-19 12:01:24.317102110 -0400
+@@ -575,6 +575,7 @@ int vorbis_analysis_headerout(vorbis_dsp
+   private_state *b=v->backend_state;
+ 
+   if(!b||vi->channels<=0||vi->channels>256){
++    b = NULL;
+     ret=OV_EFAULT;
+     goto err_out;
+   }
only in patch2:
unchanged:
--- libvorbis-1.3.2.orig/debian/patches/CVE-2017-14633.patch
+++ libvorbis-1.3.2/debian/patches/CVE-2017-14633.patch
@@ -0,0 +1,35 @@
+Description: CVE-2017-14633: Don't allow for more than 256 channels
+ This is a modified version of the following upstream commit. While
+ we're here, also handle invalid channels<=0, which introduces
+ CVE-2017-14633, but we fix that in a separate patch. 
+From a79ec216cd119069c68b8f3542c6a425a74ab993 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Guido=20G=C3=BCnther?= <agx@sigxcpu.org>
+Date: Tue, 31 Oct 2017 18:32:46 +0100
+Subject: [PATCH] CVE-2017-14633: Don't allow for more than 256 channels
+
+Otherwise
+
+ for(i=0;i<vi->channels;i++){
+      /* the encoder setup assumes that all the modes used by any
+         specific bitrate tweaking use the same floor */
+      int submap=info->chmuxlist[i];
+
+overreads later in mapping0_forward since chmuxlist is a fixed array of
+256 elements max.
+---
+ lib/info.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+Index: b/lib/info.c
+===================================================================
+--- a/lib/info.c	2018-04-19 12:01:12.864866736 -0400
++++ b/lib/info.c	2018-04-19 12:01:12.860866654 -0400
+@@ -574,7 +574,7 @@ int vorbis_analysis_headerout(vorbis_dsp
+   oggpack_buffer opb;
+   private_state *b=v->backend_state;
+ 
+-  if(!b){
++  if(!b||vi->channels<=0||vi->channels>256){
+     ret=OV_EFAULT;
+     goto err_out;
+   }
only in patch2:
unchanged:
--- libvorbis-1.3.2.orig/debian/patches/CVE-2018-5146.patch
+++ libvorbis-1.3.2/debian/patches/CVE-2018-5146.patch
@@ -0,0 +1,89 @@
+From: Thomas Daede <daede003@umn.edu>
+Date: Thu, 15 Mar 2018 14:15:31 -0700
+Subject: CVE-2018-5146: Prevent out-of-bounds write in codebook decoding.
+Origin: https://git.xiph.org/?p=vorbis.git;a=commit;h=667ceb4aab60c1f74060143bb24e5f427b3cce5f
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-5146
+
+Codebooks that are not an exact divisor of the partition size are now
+truncated to fit within the partition.
+---
+ lib/codebook.c | 48 ++++++++++--------------------------------------
+ 1 file changed, 10 insertions(+), 38 deletions(-)
+
+Index: b/lib/codebook.c
+===================================================================
+--- a/lib/codebook.c	2018-04-19 12:01:33.685294652 -0400
++++ b/lib/codebook.c	2018-04-19 12:01:33.681294570 -0400
+@@ -380,7 +380,7 @@ long vorbis_book_decodevs_add(codebook *
+       t[i] = book->valuelist+entry[i]*book->dim;
+     }
+     for(i=0,o=0;i<book->dim;i++,o+=step)
+-      for (j=0;j<step;j++)
++      for (j=0;o+j<n && j<step;j++)
+         a[o+j]+=t[j][i];
+   }
+   return(0);
+@@ -391,41 +391,12 @@ long vorbis_book_decodev_add(codebook *b
+     int i,j,entry;
+     float *t;
+ 
+-    if(book->dim>8){
+-      for(i=0;i<n;){
+-        entry = decode_packed_entry_number(book,b);
+-        if(entry==-1)return(-1);
+-        t     = book->valuelist+entry*book->dim;
+-        for (j=0;j<book->dim;)
+-          a[i++]+=t[j++];
+-      }
+-    }else{
+-      for(i=0;i<n;){
+-        entry = decode_packed_entry_number(book,b);
+-        if(entry==-1)return(-1);
+-        t     = book->valuelist+entry*book->dim;
+-        j=0;
+-        switch((int)book->dim){
+-        case 8:
+-          a[i++]+=t[j++];
+-        case 7:
+-          a[i++]+=t[j++];
+-        case 6:
+-          a[i++]+=t[j++];
+-        case 5:
+-          a[i++]+=t[j++];
+-        case 4:
+-          a[i++]+=t[j++];
+-        case 3:
+-          a[i++]+=t[j++];
+-        case 2:
+-          a[i++]+=t[j++];
+-        case 1:
+-          a[i++]+=t[j++];
+-        case 0:
+-          break;
+-        }
+-      }
++    for(i=0;i<n;){
++      entry = decode_packed_entry_number(book,b);
++      if(entry==-1)return(-1);
++      t     = book->valuelist+entry*book->dim;
++      for(j=0;i<n && j<book->dim;)
++        a[i++]+=t[j++];
+     }
+   }
+   return(0);
+@@ -460,12 +431,13 @@ long vorbis_book_decodevv_add(codebook *
+   long i,j,entry;
+   int chptr=0;
+   if(book->used_entries>0){
+-    for(i=offset/ch;i<(offset+n)/ch;){
++    int m=(offset+n)/ch;
++    for(i=offset/ch;i<m;){
+       entry = decode_packed_entry_number(book,b);
+       if(entry==-1)return(-1);
+       {
+         const float *t = book->valuelist+entry*book->dim;
+-        for (j=0;j<book->dim;j++){
++        for (j=0;i<m && j<book->dim;j++){
+           a[chptr++][i]+=t[j];
+           if(chptr==ch){
+             chptr=0;
only in patch2:
unchanged:
--- libvorbis-1.3.2.orig/debian/patches/series
+++ libvorbis-1.3.2/debian/patches/series
@@ -0,0 +1,3 @@
+CVE-2017-14633.patch
+CVE-2017-14632.patch
+CVE-2018-5146.patch
Reply to: