Bug 217603 - media-sound/vorbis-tools <1.2.0-r1 speex implementations insufficient boundary checks
Status: RESOLVED WONTFIX
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
URL: https://trac.xiph.org/ticket/1347
Whiteboard: B2 [noglsa]
Keywords:
Depends on: 217715
Blocks:
Reported: 2008-04-14 09:15 UTC by Matthias Geerdsen (RETIRED)
Modified: 2008-04-17 12:17 UTC

See Also:
Package list:
Runtime testing required: ---


Description Matthias Geerdsen (RETIRED) gentoo-dev 2008-04-14 09:15:50 UTC
This bug is not public yet; please do not disclose any information.

vorbis-tools appears to include vulnerable speex code

see http://www.ocert.org/advisories/ocert-2008-2.html
as well as bug 216499 and bug 217373 for similar issues
Comment 1 Samuli Suominen (RETIRED) gentoo-dev 2008-04-14 13:55:08 UTC
(In reply to comment #0)
> This bug is not public yet, please do not disclose any information.
> 
> vorbis-tools appears to include vulnerable speex code
> 
> see http://www.ocert.org/advisories/ocert-2008-2.html
> as well as bug 216499 and bug 217373 for similar issues
> 

+*vorbis-tools-1.2.0-r1 (14 Apr 2008)
+
+  14 Apr 2008; Samuli Suominen <drac@gentoo.org>
+  +files/vorbis-tools-1.2.0-sec.patch, +vorbis-tools-1.2.0-r1.ebuild:
+  Fix for security #217603.

Should be fine, but kindly review vorbis-tools-1.2.0-sec.patch to verify.
Comment 2 Samuli Suominen (RETIRED) gentoo-dev 2008-04-14 14:05:01 UTC
(In reply to comment #0)
> This bug is not public yet, please do not disclose any information.

I've talked about it with aballier, and reported it at upstream trac (since it has been a pain to get hold of xiph guys by other means).
Comment 3 Matthias Geerdsen (RETIRED) gentoo-dev 2008-04-14 14:23:54 UTC
Maybe I should have included a bit more information, but this was not meant to be made public yet (see first sentence in description and CONFIDENTIAL in status whiteboard), even though this was more of a semi-public but confidential bug.
BTW, maintainers were contacted by oCERT a few days ago, AFAIK.

http://www.gentoo.org/security/en/coordinator_guide.xml#doc_chap4 has the details on handling confidential vulnerabilities.

Comment 4 Robert Buchholz (RETIRED) gentoo-dev 2008-04-14 16:59:20 UTC
Arch Security Liaisons, please test and mark stable:
=media-sound/vorbis-tools-1.2.0-r1
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 release sparc x86"

CC'ing current Liaisons:
   alpha : ferdy
   amd64 : welp
    hppa : jer
     ppc : dertobi123
   ppc64 : corsair
 release : pva
   sparc : fmccor
     x86 : opfer

Comment 5 Jeroen Roovers (RETIRED) gentoo-dev 2008-04-14 17:58:44 UTC
Stable for HPPA.
Comment 6 Markus Rothe (RETIRED) gentoo-dev 2008-04-14 18:00:33 UTC
ppc64 stable
Comment 7 Raúl Porcel (RETIRED) gentoo-dev 2008-04-14 18:03:06 UTC
Adding Tobias for alpha
Comment 8 Ferris McCormick (RETIRED) gentoo-dev 2008-04-14 18:32:50 UTC
Sparc stable.
Comment 9 Samuli Suominen (RETIRED) gentoo-dev 2008-04-14 19:35:30 UTC
amd64 stable
Comment 10 Markus Meier gentoo-dev 2008-04-14 20:47:36 UTC
x86 stable
Comment 11 Tobias Klausmann (RETIRED) gentoo-dev 2008-04-15 20:00:42 UTC
Stable for alpha.
Comment 12 Tobias Scherbaum (RETIRED) gentoo-dev 2008-04-16 19:37:58 UTC
ppc stable
Comment 13 Matthias Geerdsen (RETIRED) gentoo-dev 2008-04-17 09:42:33 UTC
now public via http://www.ocert.org/advisories/ocert-2008-004.html
Comment 14 Matthias Geerdsen (RETIRED) gentoo-dev 2008-04-17 10:09:43 UTC
This will be fixed with the speex update in bug 217715; keeping open until the GLSA has been released.

removing arch liaisons, adding herd, ...
Comment 15 Robert Buchholz (RETIRED) gentoo-dev 2008-04-17 12:17:11 UTC
speex has been sent as GLSA 200804-17; this also fixes this bug.