626700 – (CVE-2017-11331) <media-sound/vorbis-tools-1.4.0-r5: oggenc vulnerability

Bug 626700 (CVE-2017-11331) - <media-sound/vorbis-tools-1.4.0-r5: oggenc vulnerability

Summary: <media-sound/vorbis-tools-1.4.0-r5: oggenc vulnerability

Status:	RESOLVED FIXED

Alias:	CVE-2017-11331

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal minor (vote)
Assignee:	Gentoo Security

URL:	http://seclists.org/fulldisclosure/20...
Whiteboard:	B3 [noglsa cve]
Keywords:

Depends on:	CVE-2014-9638, CVE-2014-9639, CVE-2014-9640
Blocks:
	Show dependency tree

Reported:	2017-07-31 13:11 UTC by Christopher Díaz Riveros (RETIRED)
Modified:	2018-11-24 23:00 UTC (History)
CC List:	0 users

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Christopher Díaz Riveros (RETIRED) gentoo-dev

2017-07-31 13:11:47 UTC

From URL:

vorbis-tools oggenc vulnerability
================
Author : qflb.wu
===============


Introduction:
=============
The Vorbis Tools package contains command-line tools useful for encoding, playing or editing files using the Ogg CODEC.


Affected version:
=====
1.4.0


Vulnerability Description:
==========================
the wav_open function in oggenc/audio.c in vorbis-tools 1.4.0 can cause a denial of service(memory allocation error) 
via a crafted wav file.


./oggenc vorbis-tools_1.4.0_oggenc_memory_allocation_error.wav -o out


==68126==WARNING: AddressSanitizer failed to allocate 0xffffffffffffbc00 bytes
==68126==AddressSanitizer's allocator is terminating the process instead of returning 0
==68126==If you don't like this behavior set allocator_may_return_null=1
==68126==AddressSanitizer CHECK failed: 
/build/buildd/llvm-toolchain-3.4-3.4/projects/compiler-rt/lib/sanitizer_common/sanitizer_allocator.cc:149 "((0)) != 
(0)" (0x0, 0x0)
    #0 0x46d41f in __asan::AsanCheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) 
(/home/a/Downloads/vorbis-tools-1.4.0/oggenc/oggenc+0x46d41f)
    #1 0x472c81 in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) 
(/home/a/Downloads/vorbis-tools-1.4.0/oggenc/oggenc+0x472c81)
    #2 0x4719c0 in __sanitizer::AllocatorReturnNull() (/home/a/Downloads/vorbis-tools-1.4.0/oggenc/oggenc+0x4719c0)
    #3 0x4674b6 in __interceptor_malloc (/home/a/Downloads/vorbis-tools-1.4.0/oggenc/oggenc+0x4674b6)
    #4 0x492896 in wav_open /home/a/Downloads/vorbis-tools-1.4.0/oggenc/audio.c:573
    #5 0x496d8e in open_audio_file /home/a/Downloads/vorbis-tools-1.4.0/oggenc/audio.c:86
    #6 0x485d0a in main /home/a/Downloads/vorbis-tools-1.4.0/oggenc/oggenc.c:256
    #7 0x7f6d9f8dcec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
    #8 0x47d55c in _start (/home/a/Downloads/vorbis-tools-1.4.0/oggenc/oggenc+0x47d55c)


    -----------------
wav->channel_permute = malloc(wav->channels * sizeof(int));
if (wav->channels <= 8)
   /* Where we know the mappings, use them. */
   memcpy(wav->channel_permute, wav_permute_matrix[wav->channels-1], 
           sizeof(int) * wav->channels);
else
   /* Use a default 1-1 mapping */
   for (i=0; i < wav->channels; i++)
       wav->channel_permute[i] = i;


return 1;


Andthe code didn't check the return of malloc.

Comment 1 Andreas Sturmlechner gentoo-dev

2018-06-10 10:41:43 UTC

This is supposedly fixed by bug 537422 already.

https://security-tracker.debian.org/tracker/CVE-2017-11331

Comment 2 Andreas Sturmlechner gentoo-dev

2018-09-14 18:10:26 UTC

sound done here as well.

Comment 3 Aaron Bauman (RETIRED) gentoo-dev

2018-11-24 23:00:38 UTC

tree is clean.