Bug 22370

Summary: libvorbis new security issues CVE-2017-14632 and CVE-2017-14633
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: mageia, marja11, nicolas.salguero, sysadmin-bugs
Version: 6Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA6-64-OK
Source RPM: libvorbis-1.3.5-2.mga6.src.rpm CVE:
Status comment:
Bug Depends on:    
Bug Blocks: 22378    

Description David Walser 2018-01-10 23:43:03 CET 
openSUSE has issued an advisory on January 9:
https://lists.opensuse.org/opensuse-updates/2018-01/msg00015.html

Mageia 5 and Mageia 6 are also affected.
David Walser 2018-01-10 23:43:11 CET

Whiteboard: (none) => MGA6TOO

Comment 1 Marja Van Waes 2018-01-11 07:07:56 CET 
Assigning to all packagers collectively, since there is no registered maintainer for this package.

Assignee: bugsquad => pkg-bugs
CC: (none) => marja11

Comment 2 Nicolas Salguero 2018-01-11 09:45:33 CET 
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

Xiph.Org libvorbis 1.3.5 allows Remote Code Execution upon freeing uninitialized memory in the function vorbis_analysis_headerout() in info.c when vi->channels<=0, a similar issue to Mozilla bug 550184. (CVE-2017-14632)

In Xiph.Org libvorbis 1.3.5, an out-of-bounds array read vulnerability exists in the function mapping0_forward() in mapping0.c, which may lead to DoS when operating on a crafted audio file with vorbis_analysis(). (CVE-2017-14633)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14632
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14633
https://lists.opensuse.org/opensuse-updates/2018-01/msg00015.html
========================

Updated packages in core/updates_testing:
========================
lib(64)vorbis0-1.3.5-2.1.mga6
lib(64)vorbis-devel-1.3.5-2.1.mga6
lib(64)vorbisenc2-1.3.5-2.1.mga6
lib(64)vorbisfile3-1.3.5-2.1.mga6

from SRPMS:
libvorbis-1.3.5-2.1.mga6.src.rpm

Version: Cauldron => 6
Status: NEW => ASSIGNED
CC: (none) => nicolas.salguero
Whiteboard: MGA6TOO => (none)
Assignee: pkg-bugs => qa-bugs

Comment 3 David Walser 2018-01-11 12:19:06 CET 
Thanks.  Patches checked into Mageia 5 SVN.
Comment 4 PC LX 2018-01-12 12:07:21 CET 
Installed and tested without issues.

Tests included:
- Encoding several wav and flac files to ogg/vorbis files, using oggenc;
- Playing the encoded files and several other ogg/vorbis files using ogg123.
- Use strace to confirm the libvorbis*.so libs are at least loaded.

System: Mageia 6, x86_64, Intel CPU.

$ uname -a
Linux marte 4.14.13-desktop-1.mga6 #1 SMP Wed Jan 10 12:48:53 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
$ #########################################
$ journalctl -xb | grep -o install.*.*vorbis.*success | sort -u
install lib64vorbis0-1.3.5-2.1.mga6.x86_64: success
install lib64vorbisenc2-1.3.5-2.1.mga6.x86_64: success
install lib64vorbisfile3-1.3.5-2.1.mga6.x86_64: success
$ #########################################
$ for U in *.flac *.wav ; do oggenc "$U" -o "$U.ogg" ; done
Opening with flac module: FLAC file reader
Encoding "test.flac" to 
         "test.flac.ogg" 
at quality 3,00
        [ 99,6%] [ 0m00s remaining] - 

Done encoding file "test.flac.ogg"

        File length:  4m 12,0s
        Elapsed time: 0m 09,6s
        Rate:         26,3845
        Average bitrate: 111,8 kb/s
<SNIP>
$ #########################################
$ strace -o tmp/oggenc.log oggenc test.flac -o test.flac.ogg
Opening with flac module: FLAC file reader
<SNIP>
$ #########################################
$ strace -o ~/tmp/ogg123.log ogg123 *.ogg

Audio Device:   PulseAudio Output

Playing: test1.ogg
Ogg Vorbis stream: 2 channel, 44100 Hz
Date: 2017
Encoder: Lavf57.71.100
Fmps_playcount: 1
Fmps_rating: 0
Fmps_rating_amarok_score: 0.0030497
                                                                           
Done.
$ #########################################
$ grep libvorbis tmp/oggenc.log 
open("/usr/lib64/tls/x86_64/libvorbisenc.so.2", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/usr/lib64/tls/libvorbisenc.so.2", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/usr/lib64/x86_64/libvorbisenc.so.2", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/usr/lib64/libvorbisenc.so.2", O_RDONLY|O_CLOEXEC) = 3
open("/usr/lib64/libvorbis.so.0", O_RDONLY|O_CLOEXEC) = 3
$ #########################################
$ grep libvorbis ~/tmp/ogg123.log
open("/usr/lib64/tls/x86_64/libvorbisfile.so.3", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/usr/lib64/tls/libvorbisfile.so.3", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/usr/lib64/x86_64/libvorbisfile.so.3", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/usr/lib64/libvorbisfile.so.3", O_RDONLY|O_CLOEXEC) = 3
open("/usr/lib64/libvorbis.so.0", O_RDONLY|O_CLOEXEC) = 3
open("/lib64/libvorbisenc.so.2", O_RDONLY|O_CLOEXEC) = 4

Whiteboard: (none) => MGA6-64-OK
CC: (none) => mageia

Comment 5 Lewis Smith 2018-01-12 13:52:23 CET 
Thank you PC_LX for a rapid test.
Under present policy, validating; Advisory uploaded.

Keywords: (none) => advisory, validated_update
CC: (none) => sysadmin-bugs

David Walser 2018-01-12 15:15:13 CET

Blocks: (none) => 22378

Comment 6 Mageia Robot 2018-01-12 20:50:22 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0070.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED