* [PATCH 1/3] libvorbis: CVE-2017-14633
2018-03-20 8:50 [PATCH 0/3] libvorbis security fixes Tanu Kaskinen
@ 2018-03-20 8:50 ` Tanu Kaskinen
2018-03-20 8:50 ` [PATCH 2/3] libvorbis: CVE-2017-14632 Tanu Kaskinen
2018-03-20 8:50 ` [PATCH 3/3] libvorbis: CVE-2018-5146 Tanu Kaskinen
2 siblings, 0 replies; 4+ messages in thread
From: Tanu Kaskinen @ 2018-03-20 8:50 UTC (permalink / raw)
To: openembedded-core
In Xiph.Org libvorbis 1.3.5, an out-of-bounds array read vulnerability
exists in the function mapping0_forward() in mapping0.c, which may lead
to DoS when operating on a crafted audio file with vorbis_analysis().
References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14633
Signed-off-by: Tanu Kaskinen <tanuk@iki.fi>
---
.../libvorbis/libvorbis/CVE-2017-14633.patch | 42 ++++++++++++++++++++++
.../libvorbis/libvorbis_1.3.5.bb | 1 +
2 files changed, 43 insertions(+)
create mode 100644 meta/recipes-multimedia/libvorbis/libvorbis/CVE-2017-14633.patch
diff --git a/meta/recipes-multimedia/libvorbis/libvorbis/CVE-2017-14633.patch b/meta/recipes-multimedia/libvorbis/libvorbis/CVE-2017-14633.patch
new file mode 100644
index 0000000000..9c9e688d43
--- /dev/null
+++ b/meta/recipes-multimedia/libvorbis/libvorbis/CVE-2017-14633.patch
@@ -0,0 +1,42 @@
+From 07eda55f336e5c44dfc0e4a1e21628faed7255fa Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Guido=20G=C3=BCnther?= <agx@sigxcpu.org>
+Date: Tue, 31 Oct 2017 18:32:46 +0100
+Subject: [PATCH] CVE-2017-14633: Don't allow for more than 256 channels
+
+Otherwise
+
+ for(i=0;i<vi->channels;i++){
+ /* the encoder setup assumes that all the modes used by any
+ specific bitrate tweaking use the same floor */
+ int submap=info->chmuxlist[i];
+
+overreads later in mapping0_forward since chmuxlist is a fixed array of
+256 elements max.
+
+Upstream-Status: Backport
+CVE: CVE-2017-14633
+
+Reference to upstream patch:
+https://git.xiph.org/?p=vorbis.git;a=commitdiff;h=667ceb4aab60c1f74060143bb24e5f427b3cce5f
+
+Signed-off-by: Tanu Kaskinen <tanuk@iki.fi>
+---
+ lib/info.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/info.c b/lib/info.c
+index e447a0c..81b7557 100644
+--- a/lib/info.c
++++ b/lib/info.c
+@@ -583,7 +583,7 @@ int vorbis_analysis_headerout(vorbis_dsp_state *v,
+ oggpack_buffer opb;
+ private_state *b=v->backend_state;
+
+- if(!b||vi->channels<=0){
++ if(!b||vi->channels<=0||vi->channels>256){
+ ret=OV_EFAULT;
+ goto err_out;
+ }
+--
+2.16.2
+
diff --git a/meta/recipes-multimedia/libvorbis/libvorbis_1.3.5.bb b/meta/recipes-multimedia/libvorbis/libvorbis_1.3.5.bb
index 56c5b0a9cb..73f9d1af2c 100644
--- a/meta/recipes-multimedia/libvorbis/libvorbis_1.3.5.bb
+++ b/meta/recipes-multimedia/libvorbis/libvorbis_1.3.5.bb
@@ -12,6 +12,7 @@ DEPENDS = "libogg"
SRC_URI = "http://downloads.xiph.org/releases/vorbis/${BP}.tar.xz \
file://0001-configure-Check-for-clang.patch \
+ file://CVE-2017-14633.patch \
"
SRC_URI[md5sum] = "28cb28097c07a735d6af56e598e1c90f"
SRC_URI[sha256sum] = "54f94a9527ff0a88477be0a71c0bab09a4c3febe0ed878b24824906cd4b0e1d1"
--
2.16.2
^ permalink raw reply related [flat|nested] 4+ messages in thread* [PATCH 2/3] libvorbis: CVE-2017-14632
2018-03-20 8:50 [PATCH 0/3] libvorbis security fixes Tanu Kaskinen
2018-03-20 8:50 ` [PATCH 1/3] libvorbis: CVE-2017-14633 Tanu Kaskinen
@ 2018-03-20 8:50 ` Tanu Kaskinen
2018-03-20 8:50 ` [PATCH 3/3] libvorbis: CVE-2018-5146 Tanu Kaskinen
2 siblings, 0 replies; 4+ messages in thread
From: Tanu Kaskinen @ 2018-03-20 8:50 UTC (permalink / raw)
To: openembedded-core
Xiph.Org libvorbis 1.3.5 allows Remote Code Execution upon freeing
uninitialized memory in the function vorbis_analysis_headerout() in
info.c when vi->channels<=0, a similar issue to Mozilla bug 550184.
References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14632
Signed-off-by: Tanu Kaskinen <tanuk@iki.fi>
---
.../libvorbis/libvorbis/CVE-2017-14632.patch | 62 ++++++++++++++++++++++
.../libvorbis/libvorbis_1.3.5.bb | 1 +
2 files changed, 63 insertions(+)
create mode 100644 meta/recipes-multimedia/libvorbis/libvorbis/CVE-2017-14632.patch
diff --git a/meta/recipes-multimedia/libvorbis/libvorbis/CVE-2017-14632.patch b/meta/recipes-multimedia/libvorbis/libvorbis/CVE-2017-14632.patch
new file mode 100644
index 0000000000..4036b966fe
--- /dev/null
+++ b/meta/recipes-multimedia/libvorbis/libvorbis/CVE-2017-14632.patch
@@ -0,0 +1,62 @@
+From 39704ce16835e5c019bb03f6a94dc1f0677406c5 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Guido=20G=C3=BCnther?= <agx@sigxcpu.org>
+Date: Wed, 15 Nov 2017 18:22:59 +0100
+Subject: [PATCH] CVE-2017-14632: vorbis_analysis_header_out: Don't clear opb
+ if not initialized
+
+If the number of channels is not within the allowed range
+we call oggback_writeclear altough it's not initialized yet.
+
+This fixes
+
+ =23371== Invalid free() / delete / delete[] / realloc()
+ ==23371== at 0x4C2CE1B: free (vg_replace_malloc.c:530)
+ ==23371== by 0x829CA31: oggpack_writeclear (in /usr/lib/x86_64-linux-gnu/libogg.so.0.8.2)
+ ==23371== by 0x84B96EE: vorbis_analysis_headerout (info.c:652)
+ ==23371== by 0x9FBCBCC: ??? (in /usr/lib/x86_64-linux-gnu/sox/libsox_fmt_vorbis.so)
+ ==23371== by 0x4E524F1: ??? (in /usr/lib/x86_64-linux-gnu/libsox.so.2.0.1)
+ ==23371== by 0x4E52CCA: sox_open_write (in /usr/lib/x86_64-linux-gnu/libsox.so.2.0.1)
+ ==23371== by 0x10D82A: open_output_file (sox.c:1556)
+ ==23371== by 0x10D82A: process (sox.c:1753)
+ ==23371== by 0x10D82A: main (sox.c:3012)
+ ==23371== Address 0x68768c8 is 488 bytes inside a block of size 880 alloc'd
+ ==23371== at 0x4C2BB1F: malloc (vg_replace_malloc.c:298)
+ ==23371== by 0x4C2DE9F: realloc (vg_replace_malloc.c:785)
+ ==23371== by 0x4E545C2: lsx_realloc (in /usr/lib/x86_64-linux-gnu/libsox.so.2.0.1)
+ ==23371== by 0x9FBC9A0: ??? (in /usr/lib/x86_64-linux-gnu/sox/libsox_fmt_vorbis.so)
+ ==23371== by 0x4E524F1: ??? (in /usr/lib/x86_64-linux-gnu/libsox.so.2.0.1)
+ ==23371== by 0x4E52CCA: sox_open_write (in /usr/lib/x86_64-linux-gnu/libsox.so.2.0.1)
+ ==23371== by 0x10D82A: open_output_file (sox.c:1556)
+ ==23371== by 0x10D82A: process (sox.c:1753)
+ ==23371== by 0x10D82A: main (sox.c:3012)
+
+as seen when using the testcase from CVE-2017-11333 with
+008d23b782be09c8d75ba8190b1794abd66c7121 applied. However the error was
+there before.
+
+Upstream-Status: Backport
+CVE: CVE-2017-14632
+
+Reference to upstream patch:
+https://git.xiph.org/?p=vorbis.git;a=commitdiff;h=c1c2831fc7306d5fbd7bc800324efd12b28d327f
+
+Signed-off-by: Tanu Kaskinen <tanuk@iki.fi>
+---
+ lib/info.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/lib/info.c b/lib/info.c
+index 81b7557..4d82568 100644
+--- a/lib/info.c
++++ b/lib/info.c
+@@ -584,6 +584,7 @@ int vorbis_analysis_headerout(vorbis_dsp_state *v,
+ private_state *b=v->backend_state;
+
+ if(!b||vi->channels<=0||vi->channels>256){
++ b = NULL;
+ ret=OV_EFAULT;
+ goto err_out;
+ }
+--
+2.16.2
+
diff --git a/meta/recipes-multimedia/libvorbis/libvorbis_1.3.5.bb b/meta/recipes-multimedia/libvorbis/libvorbis_1.3.5.bb
index 73f9d1af2c..32e92f009a 100644
--- a/meta/recipes-multimedia/libvorbis/libvorbis_1.3.5.bb
+++ b/meta/recipes-multimedia/libvorbis/libvorbis_1.3.5.bb
@@ -13,6 +13,7 @@ DEPENDS = "libogg"
SRC_URI = "http://downloads.xiph.org/releases/vorbis/${BP}.tar.xz \
file://0001-configure-Check-for-clang.patch \
file://CVE-2017-14633.patch \
+ file://CVE-2017-14632.patch \
"
SRC_URI[md5sum] = "28cb28097c07a735d6af56e598e1c90f"
SRC_URI[sha256sum] = "54f94a9527ff0a88477be0a71c0bab09a4c3febe0ed878b24824906cd4b0e1d1"
--
2.16.2
^ permalink raw reply related [flat|nested] 4+ messages in thread* [PATCH 3/3] libvorbis: CVE-2018-5146
2018-03-20 8:50 [PATCH 0/3] libvorbis security fixes Tanu Kaskinen
2018-03-20 8:50 ` [PATCH 1/3] libvorbis: CVE-2017-14633 Tanu Kaskinen
2018-03-20 8:50 ` [PATCH 2/3] libvorbis: CVE-2017-14632 Tanu Kaskinen
@ 2018-03-20 8:50 ` Tanu Kaskinen
2 siblings, 0 replies; 4+ messages in thread
From: Tanu Kaskinen @ 2018-03-20 8:50 UTC (permalink / raw)
To: openembedded-core
Prevent out-of-bounds write in codebook decoding. The bug could allow
code execution from a specially crafted Ogg Vorbis file.
References:
https://www.debian.org/security/2018/dsa-4140
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5146
Signed-off-by: Tanu Kaskinen <tanuk@iki.fi>
---
.../libvorbis/libvorbis/CVE-2018-5146.patch | 100 +++++++++++++++++++++
.../libvorbis/libvorbis_1.3.5.bb | 1 +
2 files changed, 101 insertions(+)
create mode 100644 meta/recipes-multimedia/libvorbis/libvorbis/CVE-2018-5146.patch
diff --git a/meta/recipes-multimedia/libvorbis/libvorbis/CVE-2018-5146.patch b/meta/recipes-multimedia/libvorbis/libvorbis/CVE-2018-5146.patch
new file mode 100644
index 0000000000..6d4052a872
--- /dev/null
+++ b/meta/recipes-multimedia/libvorbis/libvorbis/CVE-2018-5146.patch
@@ -0,0 +1,100 @@
+From 3a017f591457bf6e80231b563bf83ee583fdbca8 Mon Sep 17 00:00:00 2001
+From: Thomas Daede <daede003@umn.edu>
+Date: Thu, 15 Mar 2018 14:15:31 -0700
+Subject: [PATCH] CVE-2018-5146: Prevent out-of-bounds write in codebook
+ decoding.
+
+Codebooks that are not an exact divisor of the partition size are now
+truncated to fit within the partition.
+
+Upstream-Status: Backport
+CVE: CVE-2018-5146
+
+Reference to upstream patch:
+https://git.xiph.org/?p=vorbis.git;a=commitdiff;h=667ceb4aab60c1f74060143bb24e5f427b3cce5f
+
+Signed-off-by: Tanu Kaskinen <tanuk@iki.fi>
+---
+ lib/codebook.c | 48 ++++++++++--------------------------------------
+ 1 file changed, 10 insertions(+), 38 deletions(-)
+
+diff --git a/lib/codebook.c b/lib/codebook.c
+index 8b766e8..7022fd2 100644
+--- a/lib/codebook.c
++++ b/lib/codebook.c
+@@ -387,7 +387,7 @@ long vorbis_book_decodevs_add(codebook *book,float *a,oggpack_buffer *b,int n){
+ t[i] = book->valuelist+entry[i]*book->dim;
+ }
+ for(i=0,o=0;i<book->dim;i++,o+=step)
+- for (j=0;j<step;j++)
++ for (j=0;o+j<n && j<step;j++)
+ a[o+j]+=t[j][i];
+ }
+ return(0);
+@@ -399,41 +399,12 @@ long vorbis_book_decodev_add(codebook *book,float *a,oggpack_buffer *b,int n){
+ int i,j,entry;
+ float *t;
+
+- if(book->dim>8){
+- for(i=0;i<n;){
+- entry = decode_packed_entry_number(book,b);
+- if(entry==-1)return(-1);
+- t = book->valuelist+entry*book->dim;
+- for (j=0;j<book->dim;)
+- a[i++]+=t[j++];
+- }
+- }else{
+- for(i=0;i<n;){
+- entry = decode_packed_entry_number(book,b);
+- if(entry==-1)return(-1);
+- t = book->valuelist+entry*book->dim;
+- j=0;
+- switch((int)book->dim){
+- case 8:
+- a[i++]+=t[j++];
+- case 7:
+- a[i++]+=t[j++];
+- case 6:
+- a[i++]+=t[j++];
+- case 5:
+- a[i++]+=t[j++];
+- case 4:
+- a[i++]+=t[j++];
+- case 3:
+- a[i++]+=t[j++];
+- case 2:
+- a[i++]+=t[j++];
+- case 1:
+- a[i++]+=t[j++];
+- case 0:
+- break;
+- }
+- }
++ for(i=0;i<n;){
++ entry = decode_packed_entry_number(book,b);
++ if(entry==-1)return(-1);
++ t = book->valuelist+entry*book->dim;
++ for(j=0;i<n && j<book->dim;)
++ a[i++]+=t[j++];
+ }
+ }
+ return(0);
+@@ -471,12 +442,13 @@ long vorbis_book_decodevv_add(codebook *book,float **a,long offset,int ch,
+ long i,j,entry;
+ int chptr=0;
+ if(book->used_entries>0){
+- for(i=offset/ch;i<(offset+n)/ch;){
++ int m=(offset+n)/ch;
++ for(i=offset/ch;i<m;){
+ entry = decode_packed_entry_number(book,b);
+ if(entry==-1)return(-1);
+ {
+ const float *t = book->valuelist+entry*book->dim;
+- for (j=0;j<book->dim;j++){
++ for (j=0;i<m && j<book->dim;j++){
+ a[chptr++][i]+=t[j];
+ if(chptr==ch){
+ chptr=0;
+--
+2.16.2
+
diff --git a/meta/recipes-multimedia/libvorbis/libvorbis_1.3.5.bb b/meta/recipes-multimedia/libvorbis/libvorbis_1.3.5.bb
index 32e92f009a..20f887c252 100644
--- a/meta/recipes-multimedia/libvorbis/libvorbis_1.3.5.bb
+++ b/meta/recipes-multimedia/libvorbis/libvorbis_1.3.5.bb
@@ -14,6 +14,7 @@ SRC_URI = "http://downloads.xiph.org/releases/vorbis/${BP}.tar.xz \
file://0001-configure-Check-for-clang.patch \
file://CVE-2017-14633.patch \
file://CVE-2017-14632.patch \
+ file://CVE-2018-5146.patch \
"
SRC_URI[md5sum] = "28cb28097c07a735d6af56e598e1c90f"
SRC_URI[sha256sum] = "54f94a9527ff0a88477be0a71c0bab09a4c3febe0ed878b24824906cd4b0e1d1"
--
2.16.2
^ permalink raw reply related [flat|nested] 4+ messages in thread