Bug 22788

Summary: libvorbis new security issue CVE-2018-5146
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: critical    
Priority: Normal CC: brtians1, mageia, sysadmin-bugs
Version: 6Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA5TOO MGA5-64-OK MGA6-64-OK MGA5-32-OK
Source RPM: libvorbis-1.3.5-3.mga7.src.rpm CVE:
Status comment:
Bug Depends on:    
Bug Blocks: 22776, 22904    

Description David Walser 2018-03-17 04:34:23 CET 
Firefox 52.7.2 has been released today (March 16):
https://www.mozilla.org/en-US/firefox/52.7.2/releasenotes/

It includes a security fix for libvorbis:
https://www.mozilla.org/en-US/security/advisories/mfsa2018-08/
http://openwall.com/lists/oss-security/2018/03/16/4

Patched packages uploaded for Mageia 5, Mageia 6, and Cauldron.

Advisory:
========================

Updated libvorbis packages fix security vulnerability:

libvorbis can write out of bounds on codebook decoding when processing
malformed Vorbis audio data (CVE-2018-5146).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5146
https://www.mozilla.org/en-US/security/advisories/mfsa2018-08/
http://openwall.com/lists/oss-security/2018/03/16/4
========================

Updated packages in core/updates_testing:
========================
libvorbis0-1.3.5-1.3.mga5
libvorbis-devel-1.3.5-1.3.mga5
libvorbisenc2-1.3.5-1.3.mga5
libvorbisfile3-1.3.5-1.3.mga5
libvorbis0-1.3.5-2.3.mga6
libvorbis-devel-1.3.5-2.3.mga6
libvorbisenc2-1.3.5-2.3.mga6
libvorbisfile3-1.3.5-2.3.mga6

from SRPMS:
libvorbis-1.3.5-1.3.mga5.src.rpm
libvorbis-1.3.5-2.3.mga6.src.rpm
David Walser 2018-03-17 04:35:03 CET

Whiteboard: (none) => MGA5TOO
Blocks: (none) => 22776

Comment 1 Brian Rockwell 2018-03-17 18:13:27 CET 
$ uname -a
Linux localhost 4.4.114-desktop-1.mga5 #1 SMP Wed Jan 31 19:24:17 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux


The following 7 packages are going to be installed:

- glibc-devel-2.20-27.mga5.x86_64
- kernel-userspace-headers-4.4.114-1.mga5.x86_64
- lib64ogg-devel-1.3.2-3.mga5.x86_64
- lib64vorbis-devel-1.3.5-1.3.mga5.x86_64
- lib64vorbis0-1.3.5-1.3.mga5.x86_64
- lib64vorbisenc2-1.3.5-1.3.mga5.x86_64
- lib64vorbisfile3-1.3.5-1.3.mga5.x86_64

9.7MB of additional disk space will be used.

3.8MB of packages will be retrieved.

Is it ok to continue?


I used ffmpeg to encode (after reboot).

$ ffmpeg -i begin.flac -c:a libvorbis begin.ogg


working as designed.

CC: (none) => brtians1
Whiteboard: MGA5TOO => MGA5TOO mga5-64-ok

Lewis Smith 2018-03-17 20:26:27 CET

Keywords: (none) => advisory

Comment 2 PC LX 2018-03-17 23:42:41 CET 
Installed and tested without issues.

Tests used the vorbis-tools and involved decoding existing ogg files to wav files, encoding the wav files back to ogg files, and playing the resulting ogg files.

$ uname -a
Linux marte 4.14.25-desktop-1.mga6 #1 SMP Fri Mar 9 19:48:35 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -qa | grep vorbis | sort
lib64vorbis0-1.3.5-2.3.mga6
lib64vorbisenc2-1.3.5-2.3.mga6
lib64vorbisfile3-1.3.5-2.3.mga6
libvorbis0-1.3.5-2.3.mga6
libvorbisenc2-1.3.5-2.3.mga6
libvorbisfile3-1.3.5-2.3.mga6
vorbis-tools-1.4.0-12.mga6
$ strace -o ogg123.strace ogg123 *.ogg
<SNIP>
$ grep libvorbis ogg123.strace | grep -v ENOENT
open("/usr/lib64/libvorbisfile.so.3", O_RDONLY|O_CLOEXEC) = 3
open("/usr/lib64/libvorbis.so.0", O_RDONLY|O_CLOEXEC) = 3
open("/lib64/libvorbisenc.so.2", O_RDONLY|O_CLOEXEC) = 4
$ for U in *.ogg ; do oggdec -o "$U.wav" "$U" ; oggenc -q 6 -o "$U.2.ogg" "$U.wav" ; ogg123 "$U.2.ogg" ; done
<SNIP>

CC: (none) => mageia
Whiteboard: MGA5TOO mga5-64-ok => MGA5TOO MGA5-64-OK MGA6-64-OK

Comment 3 Brian Rockwell 2018-03-17 23:57:11 CET 
$ uname -a
Linux localhost 4.4.114-desktop-1.mga5 #1 SMP Wed Jan 31 20:41:03 UTC 2018 i686 i686 i686 GNU/Linux


The following 7 packages are going to be installed:

- glibc-devel-2.20-27.mga5.i586
- kernel-userspace-headers-4.4.114-1.mga5.i586
- libogg-devel-1.3.2-3.mga5.i586
- libvorbis-devel-1.3.5-1.3.mga5.i586
- libvorbis0-1.3.5-1.3.mga5.i586
- libvorbisenc2-1.3.5-1.3.mga5.i586
- libvorbisfile3-1.3.5-1.3.mga5.i586

9.3MB of additional disk space will be used.

3.7MB of packages will be retrieved.



Ran the following commands:

ffmpeg -i begin.flac -c:a libvorbis in_the_begining.ogg
ffmpeg  -c:a libvorbis -i in_the_begining.ogg begginning.flac
ffmpeg -i beginning.wav -c:a libvorbis in_the_begining_wav.ogg

all of the files played using mplayer and sounded fine.
Comment 4 Brian Rockwell 2018-03-17 23:59:19 CET 
(In reply to PC LX from comment #2)
> Installed and tested without issues.
> 
> Tests used the vorbis-tools and involved decoding existing ogg files to wav
> files, encoding the wav files back to ogg files, and playing the resulting
> ogg files.
> 
> $ uname -a
> Linux marte 4.14.25-desktop-1.mga6 #1 SMP Fri Mar 9 19:48:35 UTC 2018 x86_64
> x86_64 x86_64 GNU/Linux
> $ rpm -qa | grep vorbis | sort
> lib64vorbis0-1.3.5-2.3.mga6
> lib64vorbisenc2-1.3.5-2.3.mga6
> lib64vorbisfile3-1.3.5-2.3.mga6
> libvorbis0-1.3.5-2.3.mga6
> libvorbisenc2-1.3.5-2.3.mga6
> libvorbisfile3-1.3.5-2.3.mga6
> vorbis-tools-1.4.0-12.mga6
> $ strace -o ogg123.strace ogg123 *.ogg
> <SNIP>
> $ grep libvorbis ogg123.strace | grep -v ENOENT
> open("/usr/lib64/libvorbisfile.so.3", O_RDONLY|O_CLOEXEC) = 3
> open("/usr/lib64/libvorbis.so.0", O_RDONLY|O_CLOEXEC) = 3
> open("/lib64/libvorbisenc.so.2", O_RDONLY|O_CLOEXEC) = 4
> $ for U in *.ogg ; do oggdec -o "$U.wav" "$U" ; oggenc -q 6 -o "$U.2.ogg"
> "$U.wav" ; ogg123 "$U.2.ogg" ; done
> <SNIP>

Where did you find oggenc?  I was looking for that one.
Brian Rockwell 2018-03-17 23:59:36 CET

Whiteboard: MGA5TOO MGA5-64-OK MGA6-64-OK => MGA5TOO MGA5-64-OK MGA6-64-OK MGA5-32-OK

Comment 5 PC LX 2018-03-18 01:32:45 CET 
oggenc is in vorbis-tools package.

Use the command "urpmf --files SOMEFILE" to find files in the enabled repositories.

$ urpmf --files oggenc | sort -u
fish:/usr/share/fish/completions/oggenc.fish                                                                                                                                                 
man-pages-de:/usr/share/man/de/man1/oggenc.1.xz                                                                                                                                              
man-pages-fr:/usr/share/man/fr/man1/oggenc.1.xz
vorbis-tools:/usr/bin/oggenc
vorbis-tools:/usr/share/man/man1/oggenc.1.xz
Comment 6 Lewis Smith 2018-03-18 12:02:56 CET 
Thanks to you both for the testing. I see no reason not to validate this update.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 7 Mageia Robot 2018-03-19 13:14:33 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0179.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

David Walser 2018-04-14 02:20:25 CEST

Blocks: (none) => 22904