Bug 23145 - libvorbis new security issues CVE-2017-14160 and CVE-2018-1039[23]
Summary: libvorbis new security issues CVE-2017-14160 and CVE-2018-1039[23]
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All
OS: Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA5TOO MGA5-32-OK MGA6-32-OK MGA6-64...
Keywords: advisory, validated_update
Duplicates: 25684 25776
Depends on:
Blocks:
 
Reported: 2018-06-07 23:45 CEST by David Walser
Modified: 2019-11-28 16:28 CET

See Also:
Source RPM: libvorbis-1.3.6-1.mga7.src.rpm
CVE: CVE-2017-14160, CVE-2018-10392, CVE-2018-10393
Status comment:


Description David Walser 2018-06-07 23:45:10 CEST
openSUSE has issued an advisory on May 18:
https://lists.opensuse.org/opensuse-updates/2018-05/msg00067.html

Mageia 5 and Mageia 6 are also affected.
David Walser 2018-06-07 23:45:18 CEST

Whiteboard: (none) => MGA6TOO

Comment 1 Marja Van Waes 2018-06-08 21:32:32 CEST
Assigning to all packagers collectively, since there is no registered maintainer for this package.

CC: (none) => marja11, nicolas.salguero
Assignee: bugsquad => pkg-bugs

Comment 2 David Walser 2018-06-08 22:00:45 CEST
SUSE has issued an advisory on June 7:
http://lists.suse.com/pipermail/sle-security-updates/2018-June/004158.html

It fixes one additional issue.

Summary: libvorbis new security issues CVE-2017-14160 and CVE-2018-10393 => libvorbis new security issues CVE-2017-14160 and CVE-2018-1039[23]

Comment 3 David Walser 2018-06-10 20:11:14 CEST
openSUSE has issued an advisory on June 9 for that additional issue:
https://lists.opensuse.org/opensuse-updates/2018-06/msg00047.html

Comment 4 Nicolas Salguero 2018-06-19 14:16:02 CEST
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

The bark_noise_hybridmp function in psy.c in Xiph.Org libvorbis 1.3.5 allows remote attackers to cause a denial of service (out-of-bounds access and application crash) or possibly have unspecified other impact via a crafted mp4 file. (CVE-2017-14160)

mapping0_forward in mapping0.c in Xiph.Org libvorbis 1.3.6 does not validate the number of channels, which allows remote attackers to cause a denial of service (heap-based buffer overflow or over-read) or possibly have unspecified other impact via a crafted file. (CVE-2018-10392)

bark_noise_hybridmp in psy.c in Xiph.Org libvorbis 1.3.6 has a stack-based buffer over-read. (CVE-2018-10393)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14160
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10392
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10393
https://lists.opensuse.org/opensuse-updates/2018-05/msg00067.html
http://lists.suse.com/pipermail/sle-security-updates/2018-June/004158.html
https://lists.opensuse.org/opensuse-updates/2018-06/msg00047.html
========================

Updated package in 5/core/updates_testing:
========================
lib(64)vorbis0-1.3.5-2.4.mga6
lib(64)vorbis-devel-1.3.5-2.4.mga6
lib(64)vorbisenc2-1.3.5-2.4.mga6
lib(64)vorbisfile3-1.3.5-2.4.mga6

from SRPMS:
libvorbis-1.3.5-2.4.mga6.src.rpm

Updated package in 6/core/updates_testing:
========================
lib(64)vorbis0-1.3.5-1.4.mga5
lib(64)vorbis-devel-1.3.5-1.4.mga5
lib(64)vorbisenc2-1.3.5-1.4.mga5
lib(64)vorbisfile3-1.3.5-1.4.mga5

from SRPMS:
libvorbis-1.3.5-1.4.mga5.src.rpm

CVE: (none) => CVE-2017-14160, CVE-2018-10392, CVE-2018-10393
Assignee: pkg-bugs => qa-bugs
Version: Cauldron => 6
Whiteboard: MGA6TOO => MGA5TOO
Status: NEW => ASSIGNED

Comment 5 Len Lawrence 2018-06-20 11:51:13 CEST
Mageia 6, x86_64

CVE-2017-14160
http://openwall.com/lists/oss-security/2017/09/21/2
Test is given but no link to a test file.

No other test-cases available from the other links.

'urpmq --whatrequires lib64vorbis0' returns a long list including mplayer, vlc, kodi, k3b, iceape, audacity and deadbeef.

Have to run.  Maybe somebody else would like to take this one.

CC: (none) => tarazed25

Comment 6 Brian Rockwell 2018-06-22 05:26:06 CEST
uname -a
Linux localhost 4.14.44-desktop-2.mga6 #1 SMP Mon May 28 23:51:04 UTC 2018 i686 i686 i686 GNU/Linux


Installed

libvorbis0-1.3.5-2.4
libvorbisenc2-1.3.5-2.4
libvorbisfile3-1.3.5-2.4

I've run:

mplayer against ogg files - working as designed

converted to a wav file using

oggdec


---- really hard to tell which version it is hitting, but everything is working as designed.

Whiteboard: MGA5TOO => MGA5TOO mga6-32-ok
CC: (none) => brtians1

Comment 7 Herman Viaene 2018-06-22 13:58:33 CEST
The lists of packages are switched in Comment 4.

CC: (none) => herman.viaene

Comment 8 Herman Viaene 2018-06-22 14:28:26 CEST
MGA5-32 on Dell Latitude D600 Xfce
No installation issues
Opened .ogg file with audacity, strace shows call to libvorbis to import the file. Apparently no calls to libvorbis to save to .wav in audacity.
Used oggdec to convert the ogg file to wav. Get exactly the same size of file as from audacity and the resulting file plays OK in parole.
Seems OK.
To Brian: capitals are needed in whiteboard to OK your tests (should I tell you???). Correcting while I'm at it.

Whiteboard: MGA5TOO mga6-32-ok => MGA5TOO MGA5-32-OK MGA6-32-OK
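
Comment 6 notes that it is hard to tell which libvorbis build a player is actually hitting, and Comment 8 reaches for strace to see the import call. The following POSIX shell script is an added example for this discussion, not code from the bug report, from Mageia's QA tooling or from libvorbis: it reads the question straight from /proc/<pid>/maps, where the loader records the full path of every shared object a process has mapped, so the path can be handed to rpm -qf to name the package and its version. It also flags mappings the kernel marks "(deleted)", which is what a player started before the update shows until it is restarted. The function names and the maps excerpts are assumptions made up for this example.

```shell
#!/bin/sh
# Added example, not part of the bug report or of libvorbis: list the
# libvorbis* shared objects a running process has mapped, so a tester can
# confirm the updated build is the one in use instead of inferring it from
# "the file still plays".

# Print the unique libvorbis* shared-object paths found in a /proc/<pid>/maps
# style listing read from file $1. The sixth whitespace-separated field of a
# maps line is the backing file (when there is one); a seventh field of
# "(deleted)" means the file was replaced on disk after the process mapped it,
# i.e. the process is still running the pre-update library.
vorbis_libs_in_maps() {
    awk '$6 ~ /\/lib(64)?vorbis[a-z]*\.so/ {
             print ($7 == "(deleted)" ? $6 " (deleted)" : $6)
         }' "$1" | LC_ALL=C sort -u
}

# Same check against a live process. Typical use on a test box:
#   vorbis_libs_of_pid "$(pidof audacity)" | xargs rpm -qf
# which should name lib64vorbis0-1.3.5-2.4.mga6 (or the -1.4.mga5 build)
# once the player has been restarted after installing the update.
vorbis_libs_of_pid() {
    vorbis_libs_in_maps "/proc/$1/maps"
}

# Constructed maps excerpt standing in for /proc/<pid>/maps of an audio player
# on a 64-bit system after the update (made up for this example, not captured
# output). The soname versions are those shipped by libvorbis 1.3.5.
SAMPLE_MAPS=$(mktemp)
cat > "$SAMPLE_MAPS" <<'EOF'
7f1a2c000000-7f1a2c021000 r-xp 00000000 08:01 1234   /lib64/libogg.so.0.8.2
7f1a2c221000-7f1a2c24a000 r-xp 00000000 08:01 5678   /lib64/libvorbis.so.0.4.8
7f1a2c24a000-7f1a2c24b000 r--p 00028000 08:01 5678   /lib64/libvorbis.so.0.4.8
7f1a2c44b000-7f1a2c452000 r-xp 00000000 08:01 9012   /lib64/libvorbisfile.so.3.3.7
7f1a2c652000-7f1a2c6a0000 r-xp 00000000 08:01 3456   /lib64/libvorbisenc.so.2.0.11
7ffd1e000000-7ffd1e021000 rw-p 00000000 00:00 0      [stack]
EOF

# Constructed excerpt for a player that was started before the update and has
# not been restarted: the old library file is gone but still mapped.
STALE_MAPS=$(mktemp)
cat > "$STALE_MAPS" <<'EOF'
7f1a2c221000-7f1a2c24a000 r-xp 00000000 08:01 4321   /lib64/libvorbis.so.0.4.8 (deleted)
7f1a2c44b000-7f1a2c452000 r-xp 00000000 08:01 8765   /lib64/libvorbisfile.so.3.3.7 (deleted)
EOF

echo "updated player:"
vorbis_libs_in_maps "$SAMPLE_MAPS"
echo "stale player:"
vorbis_libs_in_maps "$STALE_MAPS"
```

A path printed with "(deleted)" is the usual reason a test appears to pass against the wrong library: the updated RPM is installed, but the process under test still has the old build mapped, so the crash-path fixes in psy.c and mapping0.c are not in the code being exercised until the player is restarted.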

Comment 9 Brian Rockwell 2018-06-22 15:14:41 CEST
Thanks Herman - I was banging my head trying to find tools that are confirmed to use libvorbis.  Now I know, audacity!

CAPS - will try to do that correctly in the future. 

I'll move on to 64-bit later today

Comment 10 Brian Rockwell 2018-06-22 21:07:15 CEST
mga6-64

Rpmdrake or one of its priority dependencies needs to be updated first. Rpmdrake will then restart.

The following 8 packages are going to be installed:

- glibc-2.22-29.mga6.x86_64
- glibc-devel-2.22-29.mga6.x86_64
- kernel-userspace-headers-4.14.50-2.mga6.x86_64
- lib64ogg-devel-1.3.2-4.mga6.x86_64
- lib64vorbis-devel-1.3.5-2.4.mga6.x86_64
- lib64vorbis0-1.3.5-2.4.mga6.x86_64
- lib64vorbisenc2-1.3.5-2.4.mga6.x86_64
- lib64vorbisfile3-1.3.5-2.4.mga6.x86_64

10MB of additional disk space will be used.

9.4MB of packages will be retrieved.

Is it ok to continue?

Ran audacity against .ogg file

ran oggdec and it worked.

working as designed.

Whiteboard: MGA5TOO MGA5-32-OK MGA6-32-OK => MGA5TOO MGA5-32-OK MGA6-32-OK MGA6-64-OK

Comment 11 Brian Rockwell 2018-06-22 22:49:16 CEST
$ uname -a
Linux localhost 4.4.114-desktop-1.mga5 #1 SMP Wed Jan 31 19:24:17 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

mga5-64

Installed vorbis libraries

Audacity is working
Audacious is working

Working as designed with ogg files.

Whiteboard: MGA5TOO MGA5-32-OK MGA6-32-OK MGA6-64-OK => MGA5TOO MGA5-32-OK MGA6-32-OK MGA6-64-OK MGA5-64-OK

Comment 12 claire robinson 2018-06-24 21:39:22 CEST
Validating. Advisoried.

Keywords: (none) => advisory, validated_update
CC: (none) => sysadmin-bugs

Comment 13 Mageia Robot 2018-06-25 00:03:34 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0294.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED

Comment 14 David Walser 2019-11-12 23:03:03 CET
*** Bug 25684 has been marked as a duplicate of this bug. ***

Comment 15 David Walser 2019-11-28 16:28:31 CET
*** Bug 25776 has been marked as a duplicate of this bug. ***

CC: (none) => zombie.ryushu

