According to this thread [1] on oss-security:

[quote]
> (gdb) bt
> #0  0x0000000001f95afd in bark_noise_hybridmp (n=256, b=0x32cd940, f=0x32e5010, noise=0x32f7ed0, offset=140, fixed=-1) at psy.c:630

This shows the function name, n=256, and that the crash is on line 630.

> 628	    if(hi>=n)break;
> 629
> 630	    tN = N[hi] - N[lo];
> (gdb) p hi
> $4 = 0
> (gdb) p lo
> $5 = 49656 // !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

And oops, looks like I misread this as "hi" being too high, whereas it was actually "lo" that was too high. So I thought the check on line 628 was wrongly a signed check (or else a "hi" that is too high wouldn't pass it). But actually the bug is probably the lack of check of "lo".
[/quote]

[1] http://openwall.com/lists/oss-security/2017/09/21/3
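The point made in the quoted thread is that a bound on `hi` alone says nothing about `lo`, so the pair (hi=0, lo=49656) passes `if(hi>=n)break;` and the read `N[hi] - N[lo]` indexes far past an array of n=256 elements. The following C snippet is an added illustration of that pattern, written for this comment; it is not libvorbis's psy.c, and the window-difference function, its name and the assumption that a valid window needs 0 <= lo <= hi < n are hypothetical choices made here to show the check, not the upstream fix.

```c
#include <stdio.h>

/* Hypothetical model (not libvorbis code) of the bounded-window pattern
 * from the oss-security quote: each window reads N[hi] - N[lo] from an
 * array N of n elements. */

/* Check as quoted from psy.c:628: only the upper index is validated.
 * Returns 1 if the read would go ahead, 0 if the loop would break. */
int window_allowed_hi_only(int n, int lo, int hi) {
    (void)lo;                 /* lo is never looked at */
    if (hi >= n) return 0;
    return 1;
}

/* Hardened check (assumption made for this example): both indices must
 * lie in [0, n) and the window must be ordered. */
int window_allowed_both(int n, int lo, int hi) {
    if (lo < 0 || lo >= n) return 0;
    if (hi < 0 || hi >= n) return 0;
    if (lo > hi) return 0;
    return 1;
}

/* Checked window difference: stores N[hi] - N[lo] into *out only when the
 * window is in range.  Returns 0 on success, -1 if the window is rejected
 * (no memory access is made in that case). */
int window_diff(const float *N, int n, int lo, int hi, float *out) {
    if (!window_allowed_both(n, lo, hi)) return -1;
    *out = N[hi] - N[lo];
    return 0;
}

int main(void) {
    /* Constructed sample array; values are arbitrary. */
    float N[256];
    int i;
    for (i = 0; i < 256; i++) N[i] = (float)i;

    /* The index pair from the gdb output above: n=256, hi=0, lo=49656. */
    int n = 256, lo = 49656, hi = 0;
    float out = 0.f;

    printf("hi-only check lets the read through: %d\n",
           window_allowed_hi_only(n, lo, hi));          /* 1 */
    printf("checked read result: %d\n",
           window_diff(N, n, lo, hi, &out));             /* -1 */
    printf("in-range window N[3]-N[1]: %d, value %g\n",
           window_diff(N, n, 1, 3, &out), out);          /* 0, 2 */
    return 0;
}
```

The hi-only predicate reproduces the behaviour the thread describes: it returns 1 for lo=49656 because the bound is never applied to lo, while the checked accessor refuses the same pair before touching memory.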
Classifying as A3 based on indication of a DoS vector (crash). No further exploit analysis done.
https://gitlab.xiph.org/xiph/vorbis/issues/2330 has a potential patch for this issue.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=733260c31ddf36bc2450e9675eddc93329ab171d

commit 733260c31ddf36bc2450e9675eddc93329ab171d
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2019-12-03 00:25:04 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2019-12-03 00:25:19 +0000

    media-libs/libvorbis: security bump

    Bug: https://bugs.gentoo.org/631646
    Bug: https://bugs.gentoo.org/699862
    Package-Manager: Portage-2.3.80, Repoman-2.3.19
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 .../files/libvorbis-1.3.6-CVE-2017-14160.patch | 29 +++++++++++
 .../files/libvorbis-1.3.6-CVE-2018-10392.patch | 25 +++++++++
 media-libs/libvorbis/libvorbis-1.3.6-r1.ebuild | 60 ++++++++++++++++++++++
 3 files changed, 114 insertions(+)
Note that the patch for CVE-2017-14160 is the same as the patch for CVE-2018-10393 (bug 699862).
Added to an existing GLSA.
This issue was resolved and addressed in GLSA 202003-36 at https://security.gentoo.org/glsa/202003-36 by GLSA coordinator Thomas Deutschmann (whissi).