
Bug 631632 (CVE-2017-14632, CVE-2017-14633)

Summary: <media-libs/libvorbis-1.3.6: Denial of Service and Remote Code Execution vulnerability (CVE-2017-{14632,14633})
Product: Gentoo Security
Reporter: Aleksandr Wagner (Kivak) <alwag>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: maracay, sergeev917, sound
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: C2 [noglsa cve]
Package list:
Runtime testing required: ---
Bug Depends on: 650654
Bug Blocks:

Description Aleksandr Wagner (Kivak) 2017-09-21 12:38:23 UTC
CVE-2017-14633 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14633):

In Xiph.Org libvorbis 1.3.5, an out-of-bounds array read vulnerability exists in the function mapping0_forward() in mapping0.c, which may lead to DoS when operating on a crafted audio file with vorbis_analysis(). 

References:

https://gitlab.xiph.org/xiph/vorbis/issues/2329

CVE-2017-14632 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14632):

Xiph.Org libvorbis 1.3.5 allows Remote Code Execution upon freeing uninitialized memory in the function vorbis_analysis_headerout() in info.c when vi->channels<=0, a similar issue to Mozilla bug 550184. 

References:

https://gitlab.xiph.org/xiph/vorbis/issues/2328
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2017-10-19 17:53:17 UTC
CVE-2017-14633 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-14633):
  In Xiph.Org libvorbis 1.3.5, an out-of-bounds array read vulnerability
  exists in the function mapping0_forward() in mapping0.c, which may lead to
  DoS when operating on a crafted audio file with vorbis_analysis().

CVE-2017-14632 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-14632):
  Xiph.Org libvorbis 1.3.5 allows Remote Code Execution upon freeing
  uninitialized memory in the function vorbis_analysis_headerout() in info.c
  when vi->channels<=0, a similar issue to Mozilla bug 550184.
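The bug class behind CVE-2017-14632, as an added example that is not libvorbis code and not part of this bug report: a routine validates its input, fails, and jumps to a shared cleanup label that tears down a packing buffer which was never initialised, so the cleanup ends up calling free() on stack garbage. The vulnerable shape is shown next to a hardened one that returns before anything is acquired and makes the cleanup conditional on an explicit initialisation flag. All names here (pack_buf, pack_init, pack_clear, headerout_unsafe, headerout_hardened, ERR_FAULT, BUF_MAGIC) are hypothetical stand-ins; the canary in pack_buf is instrumentation so the demo can count the bad clear instead of crashing, a real oggpack_buffer has no such field. The 1..255 channel bound comes from the 8-bit channel field of the Vorbis I identification header and is also the natural place to stop a crafted channel count from reaching per-channel array indexing, which is the shape of CVE-2017-14633 as described above; the actual upstream one-line fixes are the commits linked in the next comment.

```c
/* Added example: cleanup-on-error done wrong and done right.
 * Not libvorbis code; every identifier below is a hypothetical stand-in. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ERR_FAULT  (-129)        /* assumed error code, plays the role of OV_EFAULT */
#define BUF_MAGIC  0x50414B42u   /* canary written by pack_init; demo-only instrumentation */
#define MAX_CHANNELS 255         /* Vorbis I identification header stores channels in 8 bits */

typedef struct {
    unsigned magic;              /* only valid after pack_init(); garbage before */
    unsigned char *mem;
    size_t len;
} pack_buf;

/* Counters the caller (or a test) can read back. */
static int g_frees = 0;          /* frees of an initialised buffer */
static int g_bad_clears = 0;     /* clears attempted on an uninitialised buffer */

static int pack_init(pack_buf *b) {
    b->mem = calloc(256, 1);
    if (!b->mem) return -1;
    b->len = 256;
    b->magic = BUF_MAGIC;
    return 0;
}

/* In real code the free() of garbage is the memory-safety bug; the canary
 * lets this demo record the event instead of corrupting the heap. */
static void pack_clear(pack_buf *b) {
    if (b->magic != BUF_MAGIC) { g_bad_clears++; return; }
    free(b->mem);
    b->mem = NULL;
    b->magic = 0;
    g_frees++;
}

/* Vulnerable shape: one cleanup label shared by every error path, reached
 * from a validation failure that happens before pack_init() ran. */
static int headerout_unsafe(int channels, unsigned char *out, size_t outlen) {
    int ret = ERR_FAULT;
    pack_buf opb;
    memset(&opb, 0xA5, sizeof opb);   /* stands in for whatever the stack held */

    if (channels <= 0) goto err_out;  /* rejected, but opb was never initialised */

    if (pack_init(&opb) != 0) return ERR_FAULT;
    opb.mem[0] = (unsigned char)channels;   /* "encode" the header */
    if (outlen < 1) goto err_out;           /* a later failure, opb IS initialised here */
    out[0] = opb.mem[0];
    pack_clear(&opb);
    return 0;

err_out:
    pack_clear(&opb);                 /* BUG: runs on garbage when channels <= 0 */
    return ret;
}

/* Hardened shape: validate and return before acquiring anything, and make
 * the shared cleanup conditional on what was actually initialised. */
static int headerout_hardened(int channels, unsigned char *out, size_t outlen) {
    int ret = ERR_FAULT;
    int opb_ready = 0;
    pack_buf opb;
    memset(&opb, 0xA5, sizeof opb);

    if (channels <= 0 || channels > MAX_CHANNELS)
        return ERR_FAULT;             /* nothing to tear down yet: plain return */

    if (pack_init(&opb) != 0) return ERR_FAULT;
    opb_ready = 1;

    opb.mem[0] = (unsigned char)channels;
    if (outlen < 1) goto err_out;
    out[0] = opb.mem[0];
    ret = 0;

err_out:
    if (opb_ready) pack_clear(&opb);  /* only clear what pack_init() set up */
    return ret;
}

int main(void) {
    unsigned char out[4];
    headerout_unsafe(0, out, sizeof out);
    printf("unsafe, channels=0: bad clears=%d\n", g_bad_clears);
    g_bad_clears = 0;
    headerout_hardened(0, out, sizeof out);
    headerout_hardened(300, out, sizeof out);
    printf("hardened, channels=0/300: bad clears=%d\n", g_bad_clears);
    return 0;
}
```

Running it shows the unsafe variant performing one clear on an uninitialised buffer for channels=0, while the hardened variant performs none and rejects both 0 and 300 before touching any resource.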
Comment 2 Eddie Chapman 2018-02-24 16:01:37 UTC
CVE-2017-14632 allows remote code execution - seems pretty bad to me. I know upstream haven't released 1.3.6 yet but are there any plans to backport the fix?

The fix upstream is a simple 1-liner:
https://github.com/xiph/vorbis/commit/c1c2831fc7306d5fbd7bc800324efd12b28d327f

the fix for CVE-2017-14633 is 1 simple line too:
https://github.com/xiph/vorbis/commit/a79ec216cd119069c68b8f3542c6a425a74ab993
Comment 3 Larry the Git Cow gentoo-dev 2018-03-17 13:43:43 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8b027a1630d19999f03a141f7d1be13d285571f6

commit 8b027a1630d19999f03a141f7d1be13d285571f6
Author:     Alexis Ballier <aballier@gentoo.org>
AuthorDate: 2018-03-17 13:43:20 +0000
Commit:     Alexis Ballier <aballier@gentoo.org>
CommitDate: 2018-03-17 13:43:30 +0000

    media-libs/libvorbis: bump to 1.3.6
    
    Bug: https://bugs.gentoo.org/631632
    Bug: https://bugs.gentoo.org/650654
    Package-Manager: Portage-2.3.24, Repoman-2.3.6

 media-libs/libvorbis/Manifest               |  1 +
 media-libs/libvorbis/libvorbis-1.3.6.ebuild | 40 +++++++++++++++++++++++++++++
 2 files changed, 41 insertions(+)
Comment 4 Aaron Bauman (RETIRED) gentoo-dev 2018-04-22 21:28:18 UTC
GLSA Vote: No