Bug#: 186716
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Gustavo Zacarias (RETIRED) <gustavoz@gentoo.org>

Attachments:
libvorbis-1.2.0-aotuv-b5.diff (patch, 132.95 KB) - Robert Buchholz, 2007-08-20 11:22 0000
Description:   Opened: 2007-07-26 18:31 0000
libvorbis 1.1.2 contains several vulnerabilities allowing heap overwrite,
read violations and a function pointer overwrite. These bugs cause at
least a denial of service, and potentially code execution.

libvorbis-1.2.0 released upstream fixes this.

------- Comment #1 From Tobias Scherbaum 2007-07-27 20:47:16 0000 -------
cc'ing sound@g.o

------- Comment #2 From Pierre-Yves Rofes 2007-07-28 12:25:29 0000 -------
setting status. sound, please provide the updated ebuild.

------- Comment #3 From Robert Buchholz 2007-07-29 16:06:29 0000 -------
The corresponding CVEs are CVE-2007-4029 and CVE-2007-3106.

------- Comment #4 From Robert Buchholz 2007-08-06 00:28:44 0000 -------
Once this goes to stabling, it will probably supersede bug #155258 which is
still open for mips.

------- Comment #5 From Samuli Suominen 2007-08-14 14:50:39 0000 -------
I've never touched vorbis sources or ebuild (yet), but it looks like the biggest
problem with doing this bump is the lack of an aotuv [1] patch for vorbis 1.2.0, and I
don't know how backportable it is (yet).

[1] http://www.geocities.jp/aoyoume/aotuv/

------- Comment #6 From Robert Buchholz 2007-08-20 11:19:24 0000 -------
aoTuV's author points out [1]:
  I don't have the plan to merge beta5 and libvorbis 1.2.0.
  It will happen by the upcoming version of aoTuV. ;-) ...

The SUSE people however did exactly that, so we could
1) update the patchset from 4.51 to beta5 with the attached patch
2) remove aotuv
3) wait for a new upstream release (last one is >1 year)

[1] http://www.hydrogenaudio.org/forums/index.php?showtopic=56415&pid=508305

------- Comment #7 From Robert Buchholz 2007-08-20 11:22:28 0000 -------
Created an attachment (id=128664) [details]
libvorbis-1.2.0-aotuv-b5.diff

Porting the patch didn't change much against the b5-1.1.2, see [2] for a diff.

[2] http://lists.opensuse.org/opensuse-commit/2007-08/msg00213.html

------- Comment #8 From Samuli Suominen 2007-08-20 14:10:00 0000 -------
rbu, Thanks, but still.. I don't know about others, but I'm waiting "official"
aotuv for 1.2.0 before bumping.

Security, Fixing version is 1.1.2-r1, security fixes backported from 1.2.0 by
Debian folks. It's in tree now, so archteams can test and stabilize it.

------- Comment #9 From Samuli Suominen 2007-08-20 14:16:41 0000 -------
(In reply to comment #8)
> rbu, Thanks, but still.. I don't know about others, but I'm waiting "official"
> aotuv for 1.2.0 before bumping.

Actually, I meant to say.. I don't have anything against bumping it with your
suggestions.. but I just feel we shouldn't be jumping to stable with it. I
believe it should stay in ~arch for while.. same deal with flac, and other
media-libs.. They potentially break a lot of.. you know

------- Comment #10 From Pierre-Yves Rofes 2007-08-20 14:27:07 0000 -------
Thanks drac.
Arches, please test and mark stable media-libs/libvorbis-1.1.2-r1.
Target keywords are:"alpha amd64 arm hppa ia64 ~mips ppc ppc64 sh sparc x86
~x86-fbsd"

------- Comment #11 From Robert Buchholz 2007-08-20 16:21:48 0000 -------
(In reply to comment #9)
> Actually, I meant to say.. I don't have anything against bumping it with your
> suggestions.. but I just feel we shouldn't be jumping to stable with it. I
> believe it should stay in ~arch for while.. same deal with flac, and other
> media-libs.. They potentially break a lot of.. you know

I see your point. Would be nice to have the general bump though without having
to wait for aotuv upstream.

Also, amd64 stable.

------- Comment #12 From Markus Ullmann 2007-08-20 17:15:19 0000 -------
Songs still play and encode fine

Stable on x86

------- Comment #13 From Jeroen Roovers 2007-08-20 18:02:29 0000 -------
Stable for HPPA.

------- Comment #14 From Gustavo Zacarias (RETIRED) 2007-08-21 13:52:50 0000 -------
sparc stable.

------- Comment #15 From Tobias Scherbaum 2007-08-22 15:29:48 0000 -------
ppc stable

------- Comment #16 From Raúl Porcel 2007-08-24 14:52:29 0000 -------
alpha/ia64 stable

------- Comment #17 From Markus Rothe 2007-08-29 10:12:53 0000 -------
ppc64 stable

------- Comment #18 From Pierre-Yves Rofes 2007-08-29 11:24:31 0000 -------
ready for glsa decision. I didn't see that code execution was possible, so
it could be rated B2. Anyway, I vote YES.

------- Comment #19 From Matt Drew 2007-09-04 23:57:20 0000 -------
If I'm correct in reading this, it would require a malformed ogg vorbis file,
so this looks like a B2 to me - voting yes and submitting request.

------- Comment #20 From Robert Buchholz 2007-09-20 15:36:38 0000 -------
It seems 1.2.0 fixed some more issues than mentioned here. RedHat's security
update also mentions CVE-2007-4065 and CVE-2007-4066.

You can find the issues and relevant commits/patches at their bug:
https://bugzilla.redhat.com/249780

sound, could you please verify whether our patch includes these fixes. If not,
we should prepare a new fix or stable 1.2.0.

------- Comment #21 From Samuli Suominen 2007-09-20 16:04:17 0000 -------
(In reply to comment #20)
> It seems 1.2.0 fixed some more issues than mentioned here. RedHat's security
> update also mentions CVE-2007-4065 and CVE-2007-4066.
> 
> You can find the issues and relevant commits/patches at their bug:
> https://bugzilla.redhat.com/249780
> 
> sound, could you please verify whether our patch includes these fixes. If not,
> we should prepare a new fix or stable 1.2.0.
> 

it doesn't look like our patch includes fixes for these, I'd say mark 1.2.0
stable and be done with it, used it in ~x86 since it was released without
issues, includes an ebuild cleanup too..

(for aotuv we have bug 157549 which we can add once aotuv upstream wakes again
and releases a tarball for 1.2.0)

------- Comment #22 From Robert Buchholz 2007-09-20 16:05:11 0000 -------
Sorry to cause double work here, so please test and stabilize
media-libs/libvorbis-1.2.0.
Targets are "alpha amd64 arm hppa ia64 mips ppc ppc64 sh sparc x86"

------- Comment #23 From Jeroen Roovers 2007-09-20 16:57:21 0000 -------
Stable for HPPA.

------- Comment #24 From Tobias Scherbaum 2007-09-20 17:15:06 0000 -------
ppc stable

------- Comment #25 From Christian Faulhammer 2007-09-20 18:53:45 0000 -------
x86 stable

------- Comment #26 From Robert Buchholz 2007-09-20 19:07:32 0000 -------
amd64 stable

------- Comment #27 From Brent Baude 2007-09-20 20:42:59 0000 -------
ppc64 stable

------- Comment #28 From Raúl Porcel 2007-09-22 16:47:30 0000 -------
alpha/ia64 stable, thanks Tobias

------- Comment #29 From Raúl Porcel 2007-09-26 14:01:03 0000 -------
sparc stable

------- Comment #30 From Robert Buchholz 2007-10-07 21:32:11 0000 -------
GLSA 200710-03, thanks everyone.
