Bug 15164

Summary: vorbis-tools new security issue CVE-2014-9640
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: rverschelde, sysadmin-bugs, wilcal.int
Version: 4Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/631305/
Whiteboard: has_procedure MGA4-32-OK MGA4-64-OK advisory
Source RPM: vorbis-tools-1.4.0-6.mga4.src.rpm CVE:
Status comment:

Description David Walser 2015-01-30 16:46:02 CET 
Fedora has issued an advisory on January 27:
https://lists.fedoraproject.org/pipermail/package-announce/2015-January/148852.html

Patched packages uploaded for Mageia 4 and Cauldron.

Advisory:
========================

Updated vorbis-tools package fixes security vulnerability:

oggenc/oggenc.c in vorbis-tools 1.4.0 allows remote attackers to cause a denial
of service (out-of-bounds read) via a crafted raw file (CVE-2014-9640).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9640
https://lists.fedoraproject.org/pipermail/package-announce/2015-January/148852.html
========================

Updated packages in core/updates_testing:
========================
vorbis-tools-1.4.0-6.1.mga4

from vorbis-tools-1.4.0-6.1.mga4.src.rpm

Reproducible: 

Steps to Reproduce:
Comment 1 David Walser 2015-01-30 19:18:49 CET 
PoC is in the upstream bug:
https://trac.xiph.org/ticket/2009

Before:
$ dd if=/dev/zero bs=1 count=1 | oggenc -r - -o out.ogg 
1+0 records in
1+0 records out
1 byte (1 B) copied, 2.222e-05 s, 45.0 kB/s
Encoding standard input to 
         "out.ogg" 
at quality 3.00


Done encoding file "out.ogg"

        File length:  0m 00.0s
        Elapsed time: 0m 00.0s
        Rate:         0.0000
        Average bitrate: inf kb/s

Segmentation fault

After:
$ dd if=/dev/zero bs=1 count=1 | oggenc -r - -o out.ogg 
Encoding standard input to 
         "out.ogg" 
at quality 3.00
1+0 records in
1+0 records out
1 byte (1 B) copied, 2.6581e-05 s, 37.6 kB/s


Done encoding file "out.ogg"

        File length:  0m 00.0s
        Elapsed time: 0m 00.0s
        Rate:         0.0000
        Average bitrate: inf kb/s

Testing complete Mageia 4 i586.

Whiteboard: (none) => has_procedure MGA4-32-OK

David Walser 2015-01-30 19:26:33 CET

URL: (none) => http://lwn.net/Vulnerabilities/631305/

Comment 2 William Kenney 2015-02-03 19:25:37 CET 
In VirtualBox, M4, KDE, 64-bit

Package(s) under test:
vorbis-tools

default install of vorbis-tools

[root@localhost wilcal]# urpmi vorbis-tools
Package vorbis-tools-1.4.0-6.mga4.x86_64 is already installed

[wilcal@localhost ~]$ dd if=/dev/zero bs=1 count=1 | oggenc -r - -o out.ogg
.....Segmentation fault

install vorbis-tools from updates_testing

[root@localhost wilcal]# urpmi vorbis-tools
Package vorbis-tools-1.4.0-6.1.mga4.x86_64 is already installed

[wilcal@localhost ~]$ dd if=/dev/zero bs=1 count=1 | oggenc -r - -o out.ogg
...Done encoding file "out.ogg"...
/home/wilcal/out.ogg created

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64

CC: (none) => wilcal.int

William Kenney 2015-02-03 19:26:08 CET

Whiteboard: has_procedure MGA4-32-OK => has_procedure MGA4-32-OK MGA4-64-OK

Comment 3 William Kenney 2015-02-03 19:27:08 CET 
This update works fine.
Testing complete for mga4 32-bit & 64-bit
Validating the update.
Could someone from the sysadmin team push this to updates.
Thanks

CC: (none) => sysadmin-bugs
Keywords: (none) => validated_update

Comment 4 RĂ©mi Verschelde 2015-02-04 11:54:47 CET 
Advisory uploaded.

Whiteboard: has_procedure MGA4-32-OK MGA4-64-OK => has_procedure MGA4-32-OK MGA4-64-OK advisory
CC: (none) => remi

Comment 5 Mageia Robot 2015-02-05 23:26:44 CET 
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0051.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED