Bug 24252

Summary: libvorbis possible new security issues CVE-2017-11333 and CVE-2017-11735
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: lewyssmith, lists.jjorge, marja11, nicolas.salguero, sysadmin-bugs, tarazed25
Version: 6Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA6-64-OK
Source RPM: libvorbis-1.3.5-2.4.mga6.src.rpm CVE:
Status comment:

Description David Walser 2019-01-28 01:44:01 CET 
Fedora has issued an advisory on January 22:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/7LMKDBAKXCTXK2PG6XESIGC7ZP4742RA/

Their git history doesn't reference these CVEs, but comparing the patch they added and the patches we have in Cauldron, we have some of the same changes, but each have changes the other doesn't have.  It's also possible these two CVEs were fixed in 1.3.6 and we just need to update Mageia 6 to that.

https://src.fedoraproject.org/cgit/rpms/mingw-libvorbis.git/commit/?id=c81109debd41e7fa6c17d55ba9f05db30130f862
Comment 1 Marja Van Waes 2019-01-30 12:42:50 CET 
Assigning to all packagers collectively, since there is no registered maintainer for this package.

Also CC'ing a committer.

Assignee: bugsquad => pkg-bugs
CC: (none) => marja11, nicolas.salguero

Comment 2 José Jorge 2019-01-30 18:50:15 CET 
Version 1.3.6 pushed to MGA6 to ensure this old CVEs are fixed.

Suggested advisory:
========================

The vorbis library version 1.3.6  fix security vulnerabilities:
- CVE-2017-11735 libvorbis: NULL pointer dereference in vorbis_block_clear function in lib/block.c 
- CVE-2017-11333 libvorbis: Memory exhaustion in vorbis_analysis_wrote function in lib/block.c

References:
https://lists.opensuse.org/opensuse-updates/2018-05/msg00067.html
http://lists.suse.com/pipermail/sle-security-updates/2018-June/004158.html
https://lists.opensuse.org/opensuse-updates/2018-06/msg00047.html
========================

Updated package in 6/core/updates_testing:
========================
lib(64)vorbis0-1.3.6-1.mga6
lib(64)vorbis-devel-1.3.6-1.mga6
lib(64)vorbisenc2-1.3.6-1.mga6
lib(64)vorbisfile3-1.3.6-1.mga6

from SRPMS:
libvorbis-1.3.6-1.mga6.src.rpm

Status: NEW => ASSIGNED
Assignee: pkg-bugs => qa-bugs
CC: (none) => lists.jjorge

Comment 3 Len Lawrence 2019-01-31 01:07:15 CET 
Mageia6, x86_64

Followed up the CVE links but could find no POC files although tests against sample files are described.

An extract from the list of dependent packages:
audacity
easytag
godot
gstreamer-plugins
iceape
icecast
k3b
kodi
mplayer
vlc-plugin-common
zaz

There are many more.

Updated the four packages.
Ran mplayer under strace on an MKV video.
$ grep vorbis trace
open("/lib64/libvorbis.so.0", O_RDONLY|O_CLOEXEC) = 3
open("/lib64/libvorbisenc.so.2", O_RDONLY|O_CLOEXEC) = 3
open("/usr/lib64/libvorbis.so.0.4.8", O_RDONLY) = 3
open("/usr/lib64/libvorbisenc.so.2.0.11", O_RDONLY) = 3

Installed kodi, launched it and added some resources.  Played an MP4 video OK.
No sign of vorbis in the trace so that is a dud.

Installed iceape and invoked it under strace.  Search and display APOD.
The trace has several references to libvorbis.

This looks fine for 64-bits.

CC: (none) => tarazed25
Whiteboard: (none) => MGA6-64-OK

Lewis Smith 2019-01-31 18:30:28 CET

Keywords: (none) => advisory, validated_update
CC: (none) => lewyssmith, sysadmin-bugs

Comment 4 Mageia Robot 2019-01-31 23:56:44 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0059.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED