A CVE has been assigned for a security issue in vorbis-tools:
http://openwall.com/lists/oss-security/2015/08/30/1

The patch to fix it is attached to the upstream bug report linked in the message above.

Patched packages uploaded for Mageia 4, Mageia 5, and Cauldron.

Advisory:
========================

Updated vorbis-tools package fixes security vulnerability:

A buffer overread is possible in vorbis-tools in oggenc/audio.c when opening a specially crafted AIFF file (CVE-2015-6749).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6749
http://openwall.com/lists/oss-security/2015/08/30/1
========================

Updated packages in core/updates_testing:
========================
vorbis-tools-1.4.0-6.3.mga4
vorbis-tools-1.4.0-10.1.mga5

from SRPMS:
vorbis-tools-1.4.0-6.3.mga4.src.rpm
vorbis-tools-1.4.0-10.1.mga5.src.rpm
Whiteboard: (none) => MGA4TOO
Having a look at this one on mga5, x86_64.

Pre-update:
Played an ogg file OK in mplayer.
Selected audio codec: [ffvorbis] afm: ffmpeg (FFmpeg Vorbis)

Checked to see if ogg123 worked properly - it did not.

[lcl@vega ogg]$ ogg123 JoyToTheWorld.ogg
Audio Device: PulseAudio Output
Playing: JoyToTheWorld.ogg
Ogg Vorbis stream: 2 channel, 44100 Hz

Sound badly corrupted - had to abort. This appears to be a problem with the test machine because ogg123 plays sound fine on my production machine with mga5 updated to the same level, different audio setup, so not relevant to this test.

Back later.
CC: (none) => tarazed25
Installed vorbis-tools-1.4.0-10.1 from Updates Testing.

Tested the various tools, most for the first time:

1) ogg123 played ogg files from the command line.

2) oggenc encodes a collection of audio files into ogg vorbis format with additional comments such as titles and lyrics provided Kate support has been enabled.

[lcl@vega ogg]$ oggenc -L LaMarseillaise.txt Marseillaise.wav
WARNING: Kate support not compiled in; lyrics will not be included.
Opening with wav module: WAV file reader
Encoding "Marseillaise.wav" to
"Marseillaise.ogg"
at quality 3.00
[ 99.5%] [ 0m00s remaining] -
Done encoding file "Marseillaise.ogg"
File length: 1m 02.0s
Elapsed time: 0m 00.1s
Rate: 625.7212
Average bitrate: 32.4 kb/s

The resultant file played perfectly via ogg123.

3) oggdec defaults to WAV output when converting from ogg format.

[lcl@vega ogg]$ oggdec CherryOhBaby.ogg
oggdec from vorbis-tools 1.4.0
Decoding "CherryOhBaby.ogg" to "CherryOhBaby.wav"
[100.0%}

Playback of the resulting file using mplayer sounds fine.

4) ogginfo <filename> returned information on Vorbis headers.

5) vcut is supposed to allow splitting of an ogg file into two parts at a point defined in either seconds or sample points. Both cause a segfault before the first part is written. The first section is an empty file. Testing this with the released version of vorbis-tools on another box exposes the same fault, so this is not a regression but a probable bug.

6) vorbiscomment provided help and general information when called without arguments and embedded comments if a file name was given, similar to mediainfo data but including additional comments such as MusicBrainz entries if present.

My conclusion is that this update is fine for 64-bits.
Whiteboard: MGA4TOO => MGA4TOO MGA5-64-OK
Thanks for the detailed procedure :)
Whiteboard: MGA4TOO MGA5-64-OK => MGA4TOO MGA5-64-OK has_procedure
Also note the PoC attached to the upstream bug report.
That would be audio_c_overflow.aiff? Shall add that as an attachment if I can figure out how to run it. So far all I get is a gecko-player window in the browser. Need to dust off my virtualboxen and test the candidate on 32-bit VM as well.
(In reply to Len Lawrence from comment #5)
> That would be audio_c_overflow.aiff? Shall add that as an attachment if I
> can figure out how to run it. So far all I get is a gecko-player window in
> the browser.
>
> Need to dust off my virtualboxen and test the candidate on 32-bit VM as well.

Yes, the AIFF file. Just use oggenc with it like you did with example 2) in Comment 2.
Thanks David. The file I had downloaded was HTML because I tried to use the link as a download link (right-click) instead of left-clicking on it to get the actual link.

The aiff file segfaulted with oggenc in the pre-update case but generated an ogg file after the update but with the -r option only.

[lcl@vega ogg]$ oggenc audio_c_overflow.aiff
Warning: Unexpected EOF in AIFF chunk
Warning: No SSND chunk found in AIFF file
ERROR: Input file "audio_c_overflow.aiff" is not a supported format

[lcl@vega ogg]$ oggenc -r audio_c_overflow.aiff
Encoding "audio_c_overflow.aiff" to
"audio_c_overflow.ogg"
at quality 3.00
Done encoding file "audio_c_overflow.ogg"
File length: 0m 00.0s
Elapsed time: 0m 00.0s
Rate: 25.3414
Average bitrate: 115.7 kb/s

[lcl@vega ogg]$ ls -l
total 40540
-rw-r--r-- 1 lcl lcl 29280 Sep 1 16:32 audio_c_overflow.aiff
-rw-r--r-- 1 lcl lcl 6394 Sep 1 16:37 audio_c_overflow.ogg

[lcl@vega ogg]$ file audio_c_overflow.*
audio_c_overflow.aiff: IFF data, AIFF audio
audio_c_overflow.ogg: Ogg data, Vorbis audio, stereo, 44100 Hz, ~112000 bps, created by: Xiph.Org libVorbis I

[lcl@vega ogg]$ ogg123 audio_c_overflow.ogg
Audio Device: PulseAudio Output
Playing: audio_c_overflow.ogg
Ogg Vorbis stream: 2 channel, 44100 Hz
Done.
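A structural pre-check for the conditions the patched oggenc reports in the comment above ("Unexpected EOF in AIFF chunk", "No SSND chunk found"), as an added example that is not part of the original thread and not code from vorbis-tools. It assumes the standard AIFF layout (FORM container, big-endian chunk sizes, 18-byte COMM body); `scan_aiff`, the helper names and the sample files are hypothetical and constructed here.

```python
import struct

COMM_MIN = 18  # channels(2) + sample frames(4) + sample size(2) + 80-bit rate(10)

def scan_aiff(data: bytes) -> list:
    """Walk the chunks of an AIFF/AIFC image and return a list of findings."""
    if len(data) < 12 or data[:4] != b"FORM" or data[8:12] not in (b"AIFF", b"AIFC"):
        return ["not an AIFF container"]
    findings, seen, pos = [], set(), 12
    while pos < len(data):
        if len(data) - pos < 8:
            findings.append(f"truncated chunk header at offset {pos}")
            break
        cid, size = struct.unpack(">4sI", data[pos:pos + 8])
        name = cid.decode("latin-1")
        avail = len(data) - (pos + 8)
        if size > avail:  # declared length runs past end of file
            findings.append(f"{name}: declares {size} bytes, only {avail} present")
            break
        seen.add(cid)  # only chunks that are fully present count as found
        if cid == b"COMM" and size < COMM_MIN:
            findings.append(f"COMM: {size} bytes, shorter than the {COMM_MIN}-byte minimum")
        if cid == b"SSND" and size < 8:
            findings.append(f"SSND: {size} bytes, too short for offset/blockSize")
        pos += 8 + size + (size & 1)  # chunk data is padded to an even length
    for required in (b"COMM", b"SSND"):
        if required not in seen:
            findings.append(f"no complete {required.decode()} chunk found")
    return findings

def chunk(cid: bytes, body: bytes) -> bytes:
    return cid + struct.pack(">I", len(body)) + body + (b"\0" if len(body) & 1 else b"")

def form(*chunks: bytes) -> bytes:
    body = b"AIFF" + b"".join(chunks)
    return b"FORM" + struct.pack(">I", len(body)) + body

# Constructed samples (not the PoC attached to the upstream bug report).
COMM_BODY = struct.pack(">hIh", 2, 1, 16) + b"\x40\x0e\xac\x44" + b"\0" * 6  # 44100 Hz
GOOD = form(chunk(b"COMM", COMM_BODY), chunk(b"SSND", b"\0" * 12))
SHORT_COMM = form(chunk(b"COMM", COMM_BODY[:8]), chunk(b"SSND", b"\0" * 12))
CUT = GOOD[:50]  # file ends partway through the SSND chunk data

if __name__ == "__main__":
    for label, blob in (("good", GOOD), ("short COMM", SHORT_COMM), ("cut", CUT)):
        print(label, scan_aiff(blob))
```

An HTML page saved under an .aiff name, as happened earlier in this thread, is reported as "not an AIFF container".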
Further comments:

[lcl@vega ogg]$ mediainfo audio_c_overflow.aiff
General
Complete name : audio_c_overflow.aiff
Format : AIFF
Format/Info : Apple/SGI
File size : 28.6 KiB
Duration : 208ms
Overall bit rate mode : Constant
Overall bit rate : 1 126 Kbps

Audio
Format : PCM
Codec ID : SSND
Duration : 208ms
Bit rate mode : Constant
Channel(s) : 2 channels
Sampling rate : 44.1 KHz
Bit depth : 16 bits

[lcl@vega ogg]$ ogginfo audio_c_overflow.ogg
Processing file "audio_c_overflow.ogg"...

New logical stream (#1, serial: 2c922aa7): type vorbis
Vorbis headers parsed for stream 1, information follows...
Version: 0
Vendor: Xiph.Org libVorbis I 20150105 (⛄⛄⛄⛄)
Channels: 2
Rate: 44100

Nominal bitrate: 112.000000 kb/s
Upper bitrate not set
Lower bitrate not set
Vorbis stream 1:
Total data length: 2400 bytes
Playback length: 0m:00.165s
Average bitrate: 115.672131 kb/s
Logical stream 1 ended
i586 virtualbox 3.19.8-desktop-3.mga5

Tried the AIFF file before and after update and saw the same report so I am not convinced that this test provides a POC.

[lcl@cursa ~]$ oggenc -r audio_c_overflow.aiff
Encoding "audio_c_overflow.aiff" to
"audio_c_overflow.ogg"
at quality 3.00
Done encoding file "audio_c_overflow.ogg"
File length: 0m 00.0s
Elapsed time: 0m 00.0s
Rate: 13.2207
Average bitrate: 115.7 kb/s

All the other tests worked fine with the update candidate, e.g.

[lcl@cursa ~/Music]$ oggdec -o anthem.wav Marseillaise.ogg
oggdec from vorbis-tools 1.4.0
Decoding "Marseillaise.ogg" to "anthem.wav"
[ 99.5%]

[lcl@cursa ~/Music]$ oggdec Marseillaise.ogg
oggdec from vorbis-tools 1.4.0
Decoding "Marseillaise.ogg" to "Marseillaise.wav"
[ 99.5%]

Probably safe to pass this for i586.
Whiteboard: MGA4TOO MGA5-64-OK has_procedure => MGA4TOO MGA5-64-OK has_procedure MGA5-32-OK
Testing vorbis-tools-1.4.0-6.2.mga4.i586 in vbox

I have not got round to enabling bluetooth in vbox so there is no actual sound but pavucontrol registers a signal.
POC test returned same result as in previous comments.
ogg123, ogginfo, oggenc, oggdec behaved as expected.
vcut segfaulted on both time and sample cuts.

Testing vorbis-tools-1.4.0-6.3.mga4.i586 in vbox

[lcl@alcor ~/Music]$ oggenc -r audio_c_overflow.aiff
Encoding "audio_c_overflow.aiff" to
"audio_c_overflow.ogg"
at quality 3.00
Done encoding file "audio_c_overflow.ogg"
File length: 0m 00.0s
Elapsed time: 0m 00.0s
Rate: 13.3914
Average bitrate: 115.7 kb/s

[lcl@alcor ~/Music]$ ogg123 Padstow.ogg
Audio Device: PulseAudio Output
Playing: Padstow.ogg
Ogg Vorbis stream: 2 channel, 44100 Hz

Tested ogginfo on ogg file; OK.
Generated wav file from ogg using oggdec; that played fine in mplayer.
Generated ogg file from wav and that played back with ogg123.
vcut segfaulted in both modes.

I need to check for existing bug report on vcut.
Passing this as OK for mga4 32-bit.
Version: 5 => 4
Whiteboard: MGA4TOO MGA5-64-OK has_procedure MGA5-32-OK => MGA4TOO MGA5-64-OK has_procedure MGA5-32-OK MGA4-32-OK
Version: 4 => 5
Testing vorbis-tools in vbox, mga4 x86_64.

Installed vorbis-tools-1.4.0-6.2.mga4.x86_64 for the pre-update tests.

[lcl@bellatrix ~/Music]$ oggenc audio_c_overflow.aiff
Segmentation fault

[lcl@bellatrix ~/Music]$ oggenc -r audio_c_overflow.aiff
Encoding "audio_c_overflow.aiff" to
"audio_c_overflow.ogg"
at quality 3.00
and so on....

Installed vorbis-tools-1.4.0-6.3.mga4.x86_64
Ran all the previous tests; positive results except for vcut.
Version: 5 => 4
Hardware: i586 => x86_64
Whiteboard: MGA4TOO MGA5-64-OK has_procedure MGA5-32-OK MGA4-32-OK => MGA4TOO MGA5-64-OK MGA4-64-OK has_procedure MGA5-32-OK MGA4-32-OK
Len, please be careful in Bugzilla, you've changed the version to 4 twice.
Oops! Sorry.
Validating.
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Advisory uploaded.
Whiteboard: MGA4TOO MGA5-64-OK MGA4-64-OK has_procedure MGA5-32-OK MGA4-32-OK => MGA4TOO has_procedure advisory MGA5-64-OK MGA4-64-OK has_procedure MGA5-32-OK MGA4-32-OK
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2015-0353.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
URL: (none) => http://lwn.net/Vulnerabilities/656989/