Bug 16677 - vorbis-tools new security issue CVE-2015-6749
Summary: vorbis-tools new security issue CVE-2015-6749
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: x86_64 Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/656989/
Whiteboard: MGA4TOO has_procedure advisory MGA5-6...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2015-08-31 23:28 CEST by David Walser
Modified: 2015-09-09 19:50 CEST (History)
2 users

See Also:
Source RPM: vorbis-tools-1.4.0-10.mga5.src.rpm
CVE:
Status comment:


Description David Walser 2015-08-31 23:28:59 CEST
A CVE has been assigned for a security issue in vorbis-tools:
http://openwall.com/lists/oss-security/2015/08/30/1

The patch to fix it is attached to the upstream bug report linked in the message above.

Patched packages uploaded for Mageia 4, Mageia 5, and Cauldron.

Advisory:
========================

Updated vorbis-tools package fixes security vulnerability:

A buffer overread is possible in vorbis-tools in oggenc/audio.c when opening a
specially crafted AIFF file (CVE-2015-6749).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6749
http://openwall.com/lists/oss-security/2015/08/30/1
========================

Updated packages in core/updates_testing:
========================
vorbis-tools-1.4.0-6.3.mga4
vorbis-tools-1.4.0-10.1.mga5

from SRPMS:
vorbis-tools-1.4.0-6.3.mga4.src.rpm
vorbis-tools-1.4.0-10.1.mga5.src.rpm

Reproducible: 

Steps to Reproduce:
David Walser 2015-08-31 23:29:06 CEST

Whiteboard: (none) => MGA4TOO

Comment 1 Len Lawrence 2015-09-01 04:42:11 CEST
Having a look at this one on mga5, x86_64.

Pre-update:
Played an ogg file OK in mplayer.
Selected audio codec: [ffvorbis] afm: ffmpeg (FFmpeg Vorbis)

Checked to see if ogg123 worked properly - it did not.
[lcl@vega ogg]$ ogg123 JoyToTheWorld.ogg
Audio Device:   PulseAudio Output
Playing: JoyToTheWorld.ogg
Ogg Vorbis stream: 2 channel, 44100 Hz

Sound badly corrupted - had to abort.  This appears to be a problem with the test machine because ogg123 plays sound fine on my production machine with mga5 updated to the same level, different audio setup, so not relevant to this test.

Back later.

CC: (none) => tarazed25

Comment 2 Len Lawrence 2015-09-01 11:46:01 CEST
Installed vorbis-tools-1.4.0-10.1 from Updates Testing.
Tested the various tools, most for the first time:

1) ogg123 played ogg files from the command line.

2) oggenc encodes a collection of audio files into ogg vorbis format with additional comments such as titles and lyrics provided Kate support has been enabled.
[lcl@vega ogg]$ oggenc -L LaMarseillaise.txt Marseillaise.wav
WARNING: Kate support not compiled in; lyrics will not be included.
Opening with wav module: WAV file reader
Encoding "Marseillaise.wav" to 
         "Marseillaise.ogg" 
at quality 3.00
	[ 99.5%] [ 0m00s remaining] - 

Done encoding file "Marseillaise.ogg"

	File length:  1m 02.0s
	Elapsed time: 0m 00.1s
	Rate:         625.7212
	Average bitrate: 32.4 kb/s

The resultant file played perfectly via ogg123.

3) oggdec defaults to WAV output when converting from ogg format.
[lcl@vega ogg]$ oggdec CherryOhBaby.ogg
oggdec from vorbis-tools 1.4.0
Decoding "CherryOhBaby.ogg" to "CherryOhBaby.wav"
	[100.0%}

Playback of the resulting file using mplayer sounds fine.

4) ogginfo <filename> returned information on Vorbis headers.

5) vcut is supposed to allow splitting of an ogg file into two parts at a point defined in either seconds or sample points.  Both cause a segfault before the first part is written.  The first section is an empty file.  Testing this with the released version of vorbis-tools on another box exposes the same fault, so this is not a regression but a probable bug.

6) vorbiscomment provided help and general information when called without arguments and embedded comments if a file name was given, similar to mediainfo data but including additional comments such as MusicBrainz entries if present.
 
My conclusion is that this update is fine for 64-bits.
Len Lawrence 2015-09-01 11:46:28 CEST

Whiteboard: MGA4TOO => MGA4TOO MGA5-64-OK

Comment 3 Rémi Verschelde 2015-09-01 11:53:49 CEST
Thanks for the detailed procedure :)

Whiteboard: MGA4TOO MGA5-64-OK => MGA4TOO MGA5-64-OK has_procedure

Comment 4 David Walser 2015-09-01 12:44:54 CEST
Also note the PoC attached to the upstream bug report.
Comment 5 Len Lawrence 2015-09-01 14:23:38 CEST
That would be audio_c_overflow.aiff?  Shall add that as an attachment if I can figure out how to run it.  So far all I get is a gecko-player window in the browser.

Need to dust off my virtualboxen and test the candidate on 32-bit VM as well.
Comment 6 David Walser 2015-09-01 14:28:38 CEST
(In reply to Len Lawrence from comment #5)
> That would be audio_c_overflow.aiff?  Shall add that as an attachment if I
> can figure out how to run it.  So far all I get is a gecko-player window in
> the browser.
> 
> Need to dust off my virtualboxen and test the candidate on 32-bit VM as well.

Yes, the AIFF file.  Just use oggenc with it like you did with example 2) in Comment 2.
Comment 7 Len Lawrence 2015-09-01 17:52:56 CEST
Thanks David.  The file I had downloaded was HTML because I tried to use the link as a download link (right-click) instead of left-clicking on it to get the actual link.  The aiff file segfaulted with oggenc in the pre-update case but generated an ogg file after the update, though only with the -r option.

[lcl@vega ogg]$ oggenc audio_c_overflow.aiff 
Warning: Unexpected EOF in AIFF chunk
Warning: No SSND chunk found in AIFF file
ERROR: Input file "audio_c_overflow.aiff" is not a supported format
[lcl@vega ogg]$ oggenc -r audio_c_overflow.aiff
Encoding "audio_c_overflow.aiff" to 
         "audio_c_overflow.ogg" 
at quality 3.00
Done encoding file "audio_c_overflow.ogg"

	File length:  0m 00.0s
	Elapsed time: 0m 00.0s
	Rate:         25.3414
	Average bitrate: 115.7 kb/s

[lcl@vega ogg]$ ls -l
total 40540
-rw-r--r-- 1 lcl lcl    29280 Sep  1 16:32 audio_c_overflow.aiff
-rw-r--r-- 1 lcl lcl     6394 Sep  1 16:37 audio_c_overflow.ogg
[lcl@vega ogg]$ file audio_c_overflow.*
audio_c_overflow.aiff: IFF data, AIFF audio
audio_c_overflow.ogg:  Ogg data, Vorbis audio, stereo, 44100 Hz, ~112000 bps, created by: Xiph.Org libVorbis I
[lcl@vega ogg]$ ogg123  audio_c_overflow.ogg
Audio Device:   PulseAudio Output
Playing: audio_c_overflow.ogg
Ogg Vorbis stream: 2 channel, 44100 Hz
Done.
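The class of bug the advisory describes (a chunk length taken on trust from a crafted AIFF header, leading oggenc to read past its input), illustrated with an added C example that is not the oggenc/audio.c code: the real parser works on a FILE* rather than a memory buffer, and the function names, result codes and the three hand-built sample files below are assumptions made for illustration. It also explains why the `-r` runs in this thread never exercise the bug: `oggenc -r` treats the input as raw PCM and skips the AIFF parser entirely, so only the plain `oggenc audio_c_overflow.aiff` invocation (the one that segfaulted before the update in Comment 11) reaches the code the update fixes.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added illustration for this bug report; not the vorbis-tools code.
 * An AIFF file is an IFF "FORM" container whose COMM chunk carries the
 * sample format.  COMM needs at least 18 bytes: channels(2) frames(4)
 * bits(2) and an 80-bit sample rate(10).  A crafted file can declare a
 * COMM chunk shorter than that, or one that runs past end of file; a
 * reader that copies 18 bytes on trust then reads beyond its input. */

#define COMM_MIN_LEN 18u

struct aiff_comm { uint16_t channels; uint32_t frames; uint16_t bits; };

enum { AIFF_OK = 0, AIFF_NO_COMM = -1, AIFF_COMM_SHORT = -2, AIFF_TRUNCATED = -3 };

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}
static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Walk the chunks of an in-memory FORM/AIFF(C) container looking for `id`.
 * Returns the offset of the chunk body and stores its declared length, or
 * -1 if the container is malformed or the chunk is absent.  The declared
 * length of the chunk that is found is returned unvalidated on purpose:
 * checking it is the caller's job, and is what the two readers below differ on. */
long aiff_find_chunk(const uint8_t *buf, size_t n, const char id[4], uint32_t *len_out) {
    if (n < 12 || memcmp(buf, "FORM", 4) != 0) return -1;
    if (memcmp(buf + 8, "AIFF", 4) != 0 && memcmp(buf + 8, "AIFC", 4) != 0) return -1;
    size_t off = 12;
    while (off + 8 <= n) {
        uint32_t len = be32(buf + off + 4);
        if (memcmp(buf + off, id, 4) == 0) { *len_out = len; return (long)(off + 8); }
        if (len > n - off - 8) return -1;          /* skipped chunk runs past EOF */
        off += 8 + (size_t)len + (len & 1);        /* bodies are padded to an even size */
    }
    return -1;
}

/* Hardened reader: both bounds are checked before any field is decoded. */
int aiff_parse_comm(const uint8_t *buf, size_t n, struct aiff_comm *out) {
    uint32_t len;
    long body = aiff_find_chunk(buf, n, "COMM", &len);
    if (body < 0) return AIFF_NO_COMM;
    if (len < COMM_MIN_LEN) return AIFF_COMM_SHORT;       /* declares too little */
    if (len > n - (size_t)body) return AIFF_TRUNCATED;     /* declares more than exists */
    out->channels = be16(buf + body);
    out->frames   = be32(buf + body + 2);
    out->bits     = be16(buf + body + 6);
    return AIFF_OK;
}

/* How many bytes a reader that copies COMM_MIN_LEN bytes without those checks
 * would read past the end of the input (0 if none).  Computed, not performed:
 * performing it is the out-of-bounds read the update removes. */
size_t aiff_comm_overread(const uint8_t *buf, size_t n) {
    uint32_t len;
    long body = aiff_find_chunk(buf, n, "COMM", &len);
    if (body < 0) return 0;
    size_t end = (size_t)body + COMM_MIN_LEN;
    return end > n ? end - n : 0;
}

/* Constructed inputs (hand-built for this example, not the upstream PoC). */
static const uint8_t AIFF_GOOD[] = {   /* one stereo 16-bit frame at 44100 Hz */
    'F','O','R','M', 0x00,0x00,0x00,0x32, 'A','I','F','F',
    'C','O','M','M', 0x00,0x00,0x00,0x12,
    0x00,0x02, 0x00,0x00,0x00,0x01, 0x00,0x10,
    0x40,0x0E,0xAC,0x44, 0x00,0x00,0x00,0x00, 0x00,0x00,
    'S','S','N','D', 0x00,0x00,0x00,0x0C,
    0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00, 0x00,0x01,0x00,0x01,
};
static const uint8_t AIFF_TRUNC[] = {  /* COMM declares 18 bytes, file ends after 4 */
    'F','O','R','M', 0x00,0x00,0x00,0x10, 'A','I','F','F',
    'C','O','M','M', 0x00,0x00,0x00,0x12, 0x00,0x02,0x00,0x00,
};
static const uint8_t AIFF_SHORT[] = {  /* COMM declares only 4 bytes, then SSND follows */
    'F','O','R','M', 0x00,0x00,0x00,0x20, 'A','I','F','F',
    'C','O','M','M', 0x00,0x00,0x00,0x04, 0x00,0x02,0x00,0x00,
    'S','S','N','D', 0x00,0x00,0x00,0x08, 0,0,0,0, 0,0,0,0,
};

int main(void) {
    const struct { const char *name; const uint8_t *buf; size_t n; } files[] = {
        { "good",       AIFF_GOOD,  sizeof AIFF_GOOD  },
        { "truncated",  AIFF_TRUNC, sizeof AIFF_TRUNC },
        { "short-COMM", AIFF_SHORT, sizeof AIFF_SHORT },
    };
    for (size_t i = 0; i < 3; i++) {
        struct aiff_comm c = {0};
        int rc = aiff_parse_comm(files[i].buf, files[i].n, &c);
        printf("%-10s rc=%d channels=%u bits=%u unchecked overread=%zu bytes\n",
               files[i].name, rc, c.channels, c.bits,
               aiff_comm_overread(files[i].buf, files[i].n));
    }
    return 0;
}
```

The truncated file is the case that turns into an out-of-bounds read: the reader trusting the header would reach 14 bytes past the end of the input. The short-COMM file shows why the minimum-length check is needed as well: an unchecked 18-byte copy there stays inside the buffer but silently consumes the SSND header as sample-format fields, so whether a bad declared length becomes an overread or a misparse depends only on what the attacker puts after it. A QA check for this update is the unmodified `oggenc audio_c_overflow.aiff` invocation, not the `-r` form.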
Comment 8 Len Lawrence 2015-09-01 18:00:25 CEST
Further comments:
[lcl@vega ogg]$ mediainfo audio_c_overflow.aiff
General
Complete name                            : audio_c_overflow.aiff
Format                                   : AIFF
Format/Info                              : Apple/SGI
File size                                : 28.6 KiB
Duration                                 : 208ms
Overall bit rate mode                    : Constant
Overall bit rate                         : 1 126 Kbps

Audio
Format                                   : PCM
Codec ID                                 : SSND
Duration                                 : 208ms
Bit rate mode                            : Constant
Channel(s)                               : 2 channels
Sampling rate                            : 44.1 KHz
Bit depth                                : 16 bits

[lcl@vega ogg]$ ogginfo audio_c_overflow.ogg
Processing file "audio_c_overflow.ogg"...

New logical stream (#1, serial: 2c922aa7): type vorbis
Vorbis headers parsed for stream 1, information follows...
Version: 0
Vendor: Xiph.Org libVorbis I 20150105 (⛄⛄⛄⛄)
Channels: 2
Rate: 44100

Nominal bitrate: 112.000000 kb/s
Upper bitrate not set
Lower bitrate not set
Vorbis stream 1:
	Total data length: 2400 bytes
	Playback length: 0m:00.165s
	Average bitrate: 115.672131 kb/s
Logical stream 1 ended
Comment 9 Len Lawrence 2015-09-02 16:40:09 CEST
i586 virtualbox 3.19.8-desktop-3.mga5

Tried the AIFF file before and after update and saw the same report so I am not convinced that this test provides a POC.
[lcl@cursa ~]$ oggenc -r audio_c_overflow.aiff
Encoding "audio_c_overflow.aiff" to 
         "audio_c_overflow.ogg" 
at quality 3.00
Done encoding file "audio_c_overflow.ogg"
	File length:  0m 00.0s
	Elapsed time: 0m 00.0s
	Rate:         13.2207
	Average bitrate: 115.7 kb/s

All the other tests worked fine with the update candidate.
e.g.
[lcl@cursa ~/Music]$ oggdec -o anthem.wav Marseillaise.ogg 
oggdec from vorbis-tools 1.4.0
Decoding "Marseillaise.ogg" to "anthem.wav"
	[ 99.5%]
[lcl@cursa ~/Music]$ oggdec Marseillaise.ogg 
oggdec from vorbis-tools 1.4.0
Decoding "Marseillaise.ogg" to "Marseillaise.wav"
	[ 99.5%]

Probably safe to pass this for i586.
Len Lawrence 2015-09-02 16:40:40 CEST

Whiteboard: MGA4TOO MGA5-64-OK has_procedure => MGA4TOO MGA5-64-OK has_procedure MGA5-32-OK

Comment 10 Len Lawrence 2015-09-02 18:45:49 CEST
Testing vorbis-tools-1.4.0-6.2.mga4.i586 in vbox
I have not got round to enabling bluetooth in vbox so there is no actual sound but pavucontrol registers a signal.

POC test returned same result as in previous comments.
ogg123, ogginfo, oggenc, oggdec behaved as expected.
vcut segfaulted on both time and sample cuts.

Testing vorbis-tools-1.4.0-6.3.mga4.i586 in vbox

[lcl@alcor ~/Music]$ oggenc -r audio_c_overflow.aiff
Encoding "audio_c_overflow.aiff" to 
         "audio_c_overflow.ogg" 
at quality 3.00
Done encoding file "audio_c_overflow.ogg"
	File length:  0m 00.0s
	Elapsed time: 0m 00.0s
	Rate:         13.3914
	Average bitrate: 115.7 kb/s
[lcl@alcor ~/Music]$ ogg123 Padstow.ogg
Audio Device:   PulseAudio Output
Playing: Padstow.ogg
Ogg Vorbis stream: 2 channel, 44100 Hz

Tested ogginfo on ogg file; OK.
Generated wav file from ogg using oggdec; that played fine in mplayer.
Generated ogg file from wav and that played back with ogg123.
vcut segfaulted in both modes.
I need to check for existing bug report on vcut.
Passing this as OK for mga4 32-bit.

Version: 5 => 4

Len Lawrence 2015-09-02 18:46:15 CEST

Whiteboard: MGA4TOO MGA5-64-OK has_procedure MGA5-32-OK => MGA4TOO MGA5-64-OK has_procedure MGA5-32-OK MGA4-32-OK

David Walser 2015-09-02 18:49:47 CEST

Version: 4 => 5

Comment 11 Len Lawrence 2015-09-03 00:58:17 CEST
Testing vorbis-tools in vbox, mga4 x86_64.

Installed vorbis-tools-1.4.0-6.2.mga4.x86_64 for the pre-update tests.
[lcl@bellatrix ~/Music]$ oggenc audio_c_overflow.aiff
Segmentation fault
[lcl@bellatrix ~/Music]$ oggenc -r audio_c_overflow.aiff
Encoding "audio_c_overflow.aiff" to 
         "audio_c_overflow.ogg" 
at quality 3.00

and so on....

Installed vorbis-tools-1.4.0-6.3.mga4.x86_64

Ran all the previous tests; positive results except for vcut.

Version: 5 => 4
Hardware: i586 => x86_64

Len Lawrence 2015-09-03 00:59:19 CEST

Whiteboard: MGA4TOO MGA5-64-OK has_procedure MGA5-32-OK MGA4-32-OK => MGA4TOO MGA5-64-OK MGA4-64-OK has_procedure MGA5-32-OK MGA4-32-OK

Comment 12 David Walser 2015-09-03 01:08:13 CEST
Len, please be careful in Bugzilla, you've changed the version to 4 twice.

Version: 4 => 5

Comment 13 Len Lawrence 2015-09-03 10:51:03 CEST
Oops!  Sorry.
Comment 14 Rémi Verschelde 2015-09-07 07:30:02 CEST
Validating.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 15 claire robinson 2015-09-08 15:39:11 CEST
Advisory uploaded.

Whiteboard: MGA4TOO MGA5-64-OK MGA4-64-OK has_procedure MGA5-32-OK MGA4-32-OK => MGA4TOO has_procedure advisory MGA5-64-OK MGA4-64-OK has_procedure MGA5-32-OK MGA4-32-OK

Comment 16 Mageia Robot 2015-09-08 19:57:41 CEST
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0353.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

David Walser 2015-09-09 19:50:40 CEST

URL: (none) => http://lwn.net/Vulnerabilities/656989/

