libvorbis 1.1.2 contains several vulnerabilities allowing heap overwrite, read violations and a function pointer overwrite. These bugs cause at least a denial of service, and potentially code execution. libvorbis-1.2.0 released upstream fixes this.
cc'ing sound@g.o
setting status. sound, please provide the updated ebuild.
The corresponding CVEs are CVE-2007-4029 and CVE-2007-3106.
Once this goes to stabling, it will probably supersede bug #155258 which is still open for mips.
I've never touched vorbis sources or ebuild (yet), but it looks like the biggest problem doing this bump is the lack of an aotuv[1] patch for vorbis 1.2.0, and I don't know how backportable it is (yet).
[1] http://www.geocities.jp/aoyoume/aotuv/
aoTuV's author points out [1]: "I don't have the plan to merge beta5 and libvorbis 1.2.0. It will happen by the upcoming version of aoTuV. ;-) ..."
The SUSE people however did exactly that, so we could
1) update the patchset from 4.51 to beta5 with the attached patch
2) remove aotuv
3) wait for a new upstream release (last one is >1 year)
[1] http://www.hydrogenaudio.org/forums/index.php?showtopic=56415&pid=508305
Created attachment 128664 [details, diff] libvorbis-1.2.0-aotuv-b5.diff
Porting the patch didn't change much against the b5-1.1.2, see [2] for a diff.
[2] http://lists.opensuse.org/opensuse-commit/2007-08/msg00213.html
rbu, Thanks, but still.. I don't know about others, but I'm waiting for the "official" aotuv for 1.2.0 before bumping.
Security: the fixing version is 1.1.2-r1, with the security fixes backported from 1.2.0 by the Debian folks. It's in tree now, so archteams can test and stabilize it.
(In reply to comment #8)
> rbu, Thanks, but still.. I don't know about others, but I'm waiting "official"
> aotuv for 1.2.0 before bumping.

Actually, I meant to say.. I don't have anything against bumping it with your suggestions.. but I just feel we shouldn't be jumping to stable with it. I believe it should stay in ~arch for a while.. same deal with flac, and other media-libs.. They potentially break a lot of.. you know
Thanks drac. Arches, please test and mark stable media-libs/libvorbis-1.1.2-r1. Target keywords are: "alpha amd64 arm hppa ia64 ~mips ppc ppc64 sh sparc x86 ~x86-fbsd"
(In reply to comment #9)
> Actually, I meant to say.. I don't have anything against bumping it with your
> suggestions.. but I just feel we shouldn't be jumping to stable with it. I
> believe it should stay in ~arch for while.. same deal with flac, and other
> media-libs.. They potentially break a lot of.. you know

I see your point. Would be nice to have the general bump though without having to wait for aotuv upstream. Also, amd64 stable.
Songs still play and encode fine. Stable on x86.
Stable for HPPA.
sparc stable.
ppc stable
alpha/ia64 stable
ppc64 stable
Ready for GLSA decision. I didn't see that code execution was possible, so it could be rated B2. Anyway, I vote YES.
If I'm correct in reading this, it would require a malformed ogg vorbis file, so this looks like a B2 to me - voting yes and submitting request.
It seems 1.2.0 fixed some more issues than mentioned here. RedHat's security update also mentions CVE-2007-4065 and CVE-2007-4066.

You can find the issues and relevant commits/patches at their bug: https://bugzilla.redhat.com/249780

sound, could you please verify whether our patch includes these fixes? If not, we should prepare a new fix or stable 1.2.0.
(In reply to comment #20)
> It seems 1.2.0 fixed some more issues than mentioned here. RedHat's security
> update also mentions CVE-2007-4065 and CVE-2007-4066.
>
> You can find the issues and relevant commits/patches at their bug:
> https://bugzilla.redhat.com/249780
>
> sound, could you please verify whether our patch includes these fixes. If not,
> we should prepare a new fix or stable 1.2.0.

It doesn't look like our patch includes a fix for these. I'd say mark 1.2.0 stable and be done with it; I've used it in ~x86 since it was released without issues, and it includes an ebuild cleanup too.. (for aotuv we have bug 157549, which we can add once aotuv upstream wakes again and releases a tarball for 1.2.0)
Sorry to cause double work here, so please test and stabilize media-libs/libvorbis-1.2.0. Targets are "alpha amd64 arm hppa ia64 mips ppc ppc64 sh sparc x86"
x86 stable
amd64 stable
alpha/ia64 stable, thanks Tobias
sparc stable
GLSA 200710-03, thanks everyone.