Bug 15403

Summary: vorbis-tools new security issues CVE-2014-9638 and CVE-2014-9639
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: sysadmin-bugs, zombie_ryushu
Version: 4Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/635284/
Whiteboard: has_procedure advisory MGA4-32-OK mga4-64-ok
Source RPM: vorbis-tools-1.4.0-6.1.mga4.src.rpm CVE:
Status comment:

Description David Walser 2015-03-02 22:33:27 CET 
Fedora has issued an advisory on February 20:
https://lists.fedoraproject.org/pipermail/package-announce/2015-February/150543.html

Patched packages uploaded for Mageia 4 and Cauldron.

Advisory:
========================

Updated vorbis-tools package fixes security vulnerabilities:

oggenc in vorbis-tools 1.4.0 allows remote attackers to cause a denial of
service (divide-by-zero error and crash) via a WAV file with the number of
channels set to zero (CVE-2014-9638).

Integer overflow in oggenc in vorbis-tools 1.4.0 allows remote attackers to
cause a denial of service (crash) via a crafted number of channels in a WAV
file, which triggers an out-of-bounds memory access (CVE-2014-9639).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9638
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9639
https://lists.fedoraproject.org/pipermail/package-announce/2015-February/150543.html
========================

Updated packages in core/updates_testing:
========================
vorbis-tools-1.4.0-6.2.mga4

from vorbis-tools-1.4.0-6.2.mga4.src.rpm

Reproducible: 

Steps to Reproduce:
Comment 1 David Walser 2015-03-02 22:35:29 CET 
You can see some information on reproducing the issues in the RedHat and upstream bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1184448
https://bugzilla.redhat.com/show_bug.cgi?id=1184449

oggenc is the command affected by the update.
Comment 2 David Walser 2015-03-03 18:29:26 CET 
I can't reproduce the issue for CVE-2014-9638 (neither could the guy in the RedHat bug).

For CVE-2014-9639, using the testcase attached to the RedHat bug, I was able to verify the issue and the fix with the update:
$ oggenc -o test.ogg crash_ex.wav
Warning: WAV 'block alignment' value is incorrect, ignoring.
The software that created this file is incorrect.
Segmentation fault
# (update vorbis-tools)
$ oggenc -o test.ogg crash_ex.wav
Warning: Unsupported count of channels in WAV header
ERROR: Input file "crash_ex.wav" is not a supported format

oggenc also works fine in general.

Whiteboard: (none) => has_procedure MGA4-32-OK

Comment 3 claire robinson 2015-03-05 15:55:31 CET 
Testing complete mga4 64

Verified as David in comment 2 plus..

Before
------
$ valgrind oggenc -o test.ogg crash_div_zero.wav     
==7097== Memcheck, a memory error detector
==7097== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==7097== Using Valgrind-3.9.0 and LibVEX; rerun with -h for copyright info
==7097== Command: oggenc -o test.ogg crash_div_zero.wav
==7097== 
Warning: WAV 'block alignment' value is incorrect, ignoring.
The software that created this file is incorrect.
==7097== 
==7097== Process terminating with default action of signal 8 (SIGFPE)
==7097==  Integer divide by zero at address 0x802F23C2D
==7097==    at 0x405D94: ??? (in /usr/bin/oggenc)
==7097==    by 0x406233: ??? (in /usr/bin/oggenc)
==7097==    by 0x4034C6: ??? (in /usr/bin/oggenc)
==7097==    by 0x5C8AC84: (below main) (in /usr/lib64/libc-2.18.so)


After
-----
$ valgrind oggenc -o test.ogg crash_div_zero.wav
==7245== Memcheck, a memory error detector
==7245== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==7245== Using Valgrind-3.9.0 and LibVEX; rerun with -h for copyright info
==7245== Command: oggenc -o test.ogg crash_div_zero.wav
==7245== 
Warning: Unsupported count of channels in WAV header
ERROR: Input file "crash_div_zero.wav" is not a supported format
==7245== 
==7245== HEAP SUMMARY:
==7245==     in use at exit: 57 bytes in 2 blocks
==7245==   total heap usage: 78 allocs, 76 frees, 11,823 bytes allocated

Whiteboard: has_procedure MGA4-32-OK => has_procedure MGA4-32-OK mga4-64-ok

Comment 4 claire robinson 2015-03-05 17:56:24 CET 
Validating. Advisory uploaded.

Please push to 4 updates

Thanks

CC: (none) => sysadmin-bugs
Keywords: (none) => validated_update
Whiteboard: has_procedure MGA4-32-OK mga4-64-ok => has_procedure advisory MGA4-32-OK mga4-64-ok

Comment 5 Mageia Robot 2015-03-05 20:35:06 CET 
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0094.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

Comment 6 David Walser 2021-01-23 03:01:09 CET 
*** Bug 28199 has been marked as a duplicate of this bug. ***

CC: (none) => zombie_ryushu