From $URL: Will Drewry of the Google Security Team reported several flaws in the way libvorbis processed audio data. An attacker could create a carefully crafted OGG audio file in such a way that it could cause an application linked with libvorbis to crash, or execute arbitrary code when it was opened. (CVE-2008-1419, CVE-2008-1420, CVE-2008-1423) Moreover, additional OGG file sanity-checks have been added to prevent possible exploitation of similar issues in the future. Fixes: https://trac.xiph.org/changeset/14604 https://trac.xiph.org/changeset/14602 https://trac.xiph.org/changeset/14600 https://trac.xiph.org/changeset/14598
Setting whiteboard. Does any software bundle libvorbis? (embedded-code-copies from the security overlay doesn't list any)
1.2.0-r1 has the patches
The patches libvorbis-1.2.0-CVE-2008-1419.patch and libvorbis-1.2.0-CVE-2008-1420.patch don't apply here.
(In reply to comment #3)
> The patches libvorbis-1.2.0-CVE-2008-1419.patch and
> libvorbis-1.2.0-CVE-2008-1420.patch don't apply here.

Yep, they had DOS line endings; thanks to dleverton for pointing that out. It should be better now.
Thanks for patching so far. There are some issues that are not covered in our bug report, and so did not make it into your patches:
(1) vorbis comment length checks https://trac.xiph.org/changeset/14502
(2) "Additional bulletproofing to hufftree decoding" https://trac.xiph.org/changeset/14811
Both are what was called "additional sanity-checks" at the top, and might lead to buffer-overread / overflow situations. Furthermore, a 1.2.1-rc1 is out with all the patches, and I guess one could just ping Ralph to release the final: http://thread.gmane.org/gmane.comp.multimedia.ogg.vorbis.devel/4809
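The kind of comment-length sanity check item (1) refers to, as an added illustration that is not the xiph.org changeset itself: a bounds-checking walk over the Vorbis comment header body (vendor string, then the user comment list), written here from the public format description. The function name `vorbis_comment_validate` and the sample byte strings are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>

/* Read a little-endian u32 at *pos, refusing to read past len. */
static int read_u32le(const uint8_t *buf, size_t len, size_t *pos, uint32_t *out) {
    if (len - *pos < 4) return -1;
    *out = (uint32_t)buf[*pos] | ((uint32_t)buf[*pos + 1] << 8)
         | ((uint32_t)buf[*pos + 2] << 16) | ((uint32_t)buf[*pos + 3] << 24);
    *pos += 4;
    return 0;
}

/* Walk the comment header body that follows the 7-byte packet header:
 * vendor_length, vendor string, user_comment_list_length, then
 * (length, string) pairs. Every declared length is checked against the
 * bytes that remain before it is used, so a forged length cannot drive a
 * read past the packet. Returns the comment count, or -1 on malformed input. */
int vorbis_comment_validate(const uint8_t *buf, size_t len) {
    size_t pos = 0;
    uint32_t vendor_len, ncomments, clen, i;
    if (read_u32le(buf, len, &pos, &vendor_len) < 0) return -1;
    if (vendor_len > len - pos) return -1;   /* vendor string would overrun */
    pos += vendor_len;
    if (read_u32le(buf, len, &pos, &ncomments) < 0) return -1;
    for (i = 0; i < ncomments; i++) {
        if (read_u32le(buf, len, &pos, &clen) < 0) return -1;
        if (clen > len - pos) return -1;     /* comment string would overrun */
        pos += clen;
    }
    return (int)ncomments;
}

/* Constructed well-formed body: vendor "Xiph", one comment "TITLE=x". */
static const uint8_t good_body[] = {
    4, 0, 0, 0, 'X', 'i', 'p', 'h',
    1, 0, 0, 0,
    7, 0, 0, 0, 'T', 'I', 'T', 'L', 'E', '=', 'x'
};
/* Same body with the comment length replaced by 0xFFFFFFFF. */
static const uint8_t bad_body[] = {
    4, 0, 0, 0, 'X', 'i', 'p', 'h',
    1, 0, 0, 0,
    0xff, 0xff, 0xff, 0xff, 'T', 'I', 'T', 'L', 'E', '=', 'x'
};

int check_good(void) { return vorbis_comment_validate(good_body, sizeof good_body); }
int check_bad(void)  { return vorbis_comment_validate(bad_body, sizeof bad_body); }
```

Truncation is caught the same way: passing only the first 10 bytes of `good_body` fails at the comment-count read instead of reading uninitialised memory.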
Alexis/Sound maintainers, is there any update here? I would really like to have a later version in stable that either includes the additional patches, or is based on a current SVN snapshot. I talked to Ralph Giles, and he confirmed that the 1.2.1 rc1 is good on linux, and so is the current trunk. The reason for the delay of the release was build problems on Windows.
1.2.1_rc1 committed to portage cvs
Thanks, Ben. Do you want to keep this in ~arch for a few days, or go stabling right away?
I'd say go ahead with stabling, as there are no issues on linux reported upstream, and everything on my end works fine.
Arches, please test and mark stable: =media-libs/libvorbis-1.2.1_rc1
Target keywords: "alpha amd64 arm hppa ia64 ppc ppc64 release sh sparc x86"
Stable for HPPA.
stable on sparc
ppc64 done
x86 stable
ppc stable
ia64 stable
Stable on alpha.
====amd64====
1. Compiles fine.
2. Installs with no errors/warnings.
3. All things on my system that depend on it still link/run with the new libvorbis.

Portage 2.1.4.4 (default-linux/amd64/2007.0, gcc-4.1.2, glibc-2.6.1-r0, 2.6.24-gentoo-r8 x86_64)
amd64 stable - thanks for testing
Fixed in release snapshot.
GLSA 200806-09