Fedora has issued an advisory on February 20:
https://lists.fedoraproject.org/pipermail/package-announce/2015-February/150543.html

Patched packages uploaded for Mageia 4 and Cauldron.

Advisory:
========================

Updated vorbis-tools package fixes security vulnerabilities:

oggenc in vorbis-tools 1.4.0 allows remote attackers to cause a denial of service (divide-by-zero error and crash) via a WAV file with the number of channels set to zero (CVE-2014-9638).

Integer overflow in oggenc in vorbis-tools 1.4.0 allows remote attackers to cause a denial of service (crash) via a crafted number of channels in a WAV file, which triggers an out-of-bounds memory access (CVE-2014-9639).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9638
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9639
https://lists.fedoraproject.org/pipermail/package-announce/2015-February/150543.html
========================

Updated packages in core/updates_testing:
========================
vorbis-tools-1.4.0-6.2.mga4

from vorbis-tools-1.4.0-6.2.mga4.src.rpm
You can see some information on reproducing the issues in the RedHat and upstream bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1184448
https://bugzilla.redhat.com/show_bug.cgi?id=1184449

oggenc is the command affected by the update.
I can't reproduce the issue for CVE-2014-9638 (neither could the guy in the RedHat bug).

For CVE-2014-9639, using the testcase attached to the RedHat bug, I was able to verify the issue and the fix with the update:

    $ oggenc -o test.ogg crash_ex.wav
    Warning: WAV 'block alignment' value is incorrect, ignoring.
    The software that created this file is incorrect.
    Segmentation fault

    # (update vorbis-tools)

    $ oggenc -o test.ogg crash_ex.wav
    Warning: Unsupported count of channels in WAV header
    ERROR: Input file "crash_ex.wav" is not a supported format

oggenc also works fine in general.
Whiteboard: (none) => has_procedure MGA4-32-OK
Testing complete mga4 64

Verified as David in comment 2 plus..

Before
------
    $ valgrind oggenc -o test.ogg crash_div_zero.wav
    ==7097== Memcheck, a memory error detector
    ==7097== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
    ==7097== Using Valgrind-3.9.0 and LibVEX; rerun with -h for copyright info
    ==7097== Command: oggenc -o test.ogg crash_div_zero.wav
    ==7097==
    Warning: WAV 'block alignment' value is incorrect, ignoring.
    The software that created this file is incorrect.
    ==7097==
    ==7097== Process terminating with default action of signal 8 (SIGFPE)
    ==7097==  Integer divide by zero at address 0x802F23C2D
    ==7097==    at 0x405D94: ??? (in /usr/bin/oggenc)
    ==7097==    by 0x406233: ??? (in /usr/bin/oggenc)
    ==7097==    by 0x4034C6: ??? (in /usr/bin/oggenc)
    ==7097==    by 0x5C8AC84: (below main) (in /usr/lib64/libc-2.18.so)

After
-----
    $ valgrind oggenc -o test.ogg crash_div_zero.wav
    ==7245== Memcheck, a memory error detector
    ==7245== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
    ==7245== Using Valgrind-3.9.0 and LibVEX; rerun with -h for copyright info
    ==7245== Command: oggenc -o test.ogg crash_div_zero.wav
    ==7245==
    Warning: Unsupported count of channels in WAV header
    ERROR: Input file "crash_div_zero.wav" is not a supported format
    ==7245==
    ==7245== HEAP SUMMARY:
    ==7245==     in use at exit: 57 bytes in 2 blocks
    ==7245==   total heap usage: 78 allocs, 76 frees, 11,823 bytes allocated
Whiteboard: has_procedure MGA4-32-OK => has_procedure MGA4-32-OK mga4-64-ok
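The kind of header check both CVEs call for, as an added example (not the vorbis-tools patch and not code from this bug report): the channel count is validated before it is used as a divisor or a size. The names `wav_check_fmt` and `MAX_CHANNELS`, the limit of 8, and the sample header bytes are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_CHANNELS 8u /* assumption: largest channel count the encoder supports */

enum { WAV_OK = 0, WAV_SHORT = -1, WAV_BAD_CHANNELS = -2, WAV_BAD_BITS = -3 };

/* Read a little-endian 16-bit field from the header. */
static uint16_t le16(const unsigned char *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Validate the 16-byte PCM "fmt " chunk body. On success, store the number of
 * sample frames contained in data_len bytes of audio in *frames. */
int wav_check_fmt(const unsigned char *fmt, size_t len, uint32_t data_len, uint32_t *frames)
{
    if (len < 16) return WAV_SHORT;
    uint16_t channels = le16(fmt + 2);   /* offset 2: channel count */
    uint16_t bits = le16(fmt + 14);      /* offset 14: bits per sample */

    /* Zero channels would make the divisor below zero (the SIGFPE case);
     * an oversized count would overflow size math and index past buffers. */
    if (channels == 0 || channels > MAX_CHANNELS) return WAV_BAD_CHANNELS;
    if (bits == 0 || bits % 8 != 0 || bits > 32) return WAV_BAD_BITS;

    /* After the checks this is in 1..32, so it cannot wrap or be zero. */
    uint32_t frame_bytes = (uint32_t)channels * (bits / 8u);
    *frames = data_len / frame_bytes;
    return WAV_OK;
}

/* Constructed headers: PCM, 44100 Hz, 16-bit; only the channel field differs. */
static const unsigned char FMT_STEREO[16]  = {1,0, 2,0,       0x44,0xAC,0,0, 0x10,0xB1,2,0, 4,0, 16,0};
static const unsigned char FMT_ZERO_CH[16] = {1,0, 0,0,       0x44,0xAC,0,0, 0x10,0xB1,2,0, 4,0, 16,0};
static const unsigned char FMT_HUGE_CH[16] = {1,0, 0xFF,0xFF, 0x44,0xAC,0,0, 0x10,0xB1,2,0, 4,0, 16,0};

int main(void)
{
    const unsigned char *cases[] = { FMT_STEREO, FMT_ZERO_CH, FMT_HUGE_CH };
    const char *names[] = { "stereo", "zero channels", "65535 channels" };
    for (int i = 0; i < 3; i++) {
        uint32_t frames = 0;
        int rc = wav_check_fmt(cases[i], 16, 4000, &frames);
        printf("%-15s rc=%d frames=%u\n", names[i], rc, (unsigned)frames);
    }
    return 0;
}
```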
Validating. Advisory uploaded.

Please push to 4 updates.

Thanks
CC: (none) => sysadmin-bugs
Keywords: (none) => validated_update
Whiteboard: has_procedure MGA4-32-OK mga4-64-ok => has_procedure advisory MGA4-32-OK mga4-64-ok
An update for this issue has been pushed to Mageia Updates repository.
http://advisories.mageia.org/MGASA-2015-0094.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED
*** Bug 28199 has been marked as a duplicate of this bug. ***
CC: (none) => zombie_ryushu