Bug 631646 (CVE-2017-14160) - <media-libs/libvorbis-1.3.6-r1: bark_noise_hybridmp() out of bounds access
Summary: <media-libs/libvorbis-1.3.6-r1: bark_noise_hybridmp() out of bounds access
Status: RESOLVED FIXED
Alias: CVE-2017-14160
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: http://openwall.com/lists/oss-securit...
Whiteboard: A3 [glsa+ cve]
Keywords:
Depends on: CVE-2018-10392, CVE-2018-10393
Blocks:
Reported: 2017-09-21 15:06 UTC by Ian Zimmerman
Modified: 2020-03-16 21:13 UTC

See Also:
Package list:
Runtime testing required: ---

Description Ian Zimmerman 2017-09-21 15:06:52 UTC
According to this thread [1] on oss-security:

[quote]
> (gdb) bt
> #0  0x0000000001f95afd in bark_noise_hybridmp (n=256, b=0x32cd940, f=0x32e5010, noise=0x32f7ed0, offset=140, fixed=-1) at psy.c:630

This shows the function name, n=256, and that the crash is on line 630.

> 628         if(hi>=n)break;
> 629
> 630         tN = N[hi] - N[lo];

> (gdb) p hi
> $4 = 0
> (gdb) p lo
> $5 = 49656                                                                 // !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

And oops, looks like I misread this as "hi" being too high, whereas it
was actually "lo" that was too high.  So I thought the check on line 628
was wrongly a signed check (or else a "hi" that is too high wouldn't
pass it).  But actually the bug is probably the lack of check of "lo".
[/quote]

[1]
http://openwall.com/lists/oss-security/2017/09/21/3
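The pattern in the quoted backtrace is a prefix-sum array N[] read as N[hi] - N[lo], with hi bounded by the `if(hi>=n)break;` check but lo never validated. The following is an added, constructed illustration of that access pattern with both window ends range-checked; it is not libvorbis code or the upstream patch, and the names prefix_sum, window_ok, window_sum and sample_window are hypothetical.

```c
#include <stdio.h>

/* Build N[0..n-1] as the running sum N[k] = x[0] + ... + x[k].
 * This stands in for the cumulative array the crash site indexes. */
void prefix_sum(const float *x, int n, float *N)
{
    float acc = 0.0f;
    for (int k = 0; k < n; k++) {
        acc += x[k];
        N[k] = acc;
    }
}

/* Both ends of the window must index N: 0 <= lo <= hi < n.
 * The reported code only enforced hi < n, so a lo of 49656 with n == 256
 * went straight into N[lo]. */
int window_ok(int n, int lo, int hi)
{
    return lo >= 0 && lo <= hi && hi < n;
}

/* Sum of x[lo+1..hi] via the prefix array. Returns 0 and writes *out on
 * success; returns -1 without touching N when the window is invalid. */
int window_sum(const float *N, int n, int lo, int hi, float *out)
{
    if (!window_ok(n, lo, hi))
        return -1;
    *out = N[hi] - N[lo];
    return 0;
}

/* Constructed sample input (x = 1..8, so N = 1,3,6,10,15,21,28,36);
 * returns window_sum's status for the given window. */
int sample_window(int lo, int hi, float *out)
{
    static const float x[8] = {1, 2, 3, 4, 5, 6, 7, 8};
    float N[8];
    prefix_sum(x, 8, N);
    return window_sum(N, 8, lo, hi, out);
}

int main(void)
{
    float out = 0.0f;
    printf("window [2,5]: rc=%d sum=%g\n", sample_window(2, 5, &out), out);
    /* Mirrors the reported values: hi=0, lo=49656 must be rejected. */
    printf("window lo=49656 hi=0: rc=%d\n", sample_window(49656, 0, &out));
    return 0;
}
```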
Comment 1 Kristian Fiskerstrand (RETIRED) gentoo-dev 2017-09-21 15:20:54 UTC
Classifying as A3 based on indication of DoS vector (crash). No further exploit analysis done.
Comment 2 Kristian Fiskerstrand (RETIRED) gentoo-dev 2018-03-22 09:00:07 UTC
https://gitlab.xiph.org/xiph/vorbis/issues/2330 has potential patch for this issue
Comment 3 Larry the Git Cow gentoo-dev 2019-12-03 00:25:29 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=733260c31ddf36bc2450e9675eddc93329ab171d

commit 733260c31ddf36bc2450e9675eddc93329ab171d
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2019-12-03 00:25:04 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2019-12-03 00:25:19 +0000

    media-libs/libvorbis: security bump
    
    Bug: https://bugs.gentoo.org/631646
    Bug: https://bugs.gentoo.org/699862
    Package-Manager: Portage-2.3.80, Repoman-2.3.19
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 .../files/libvorbis-1.3.6-CVE-2017-14160.patch     | 29 +++++++++++
 .../files/libvorbis-1.3.6-CVE-2018-10392.patch     | 25 +++++++++
 media-libs/libvorbis/libvorbis-1.3.6-r1.ebuild     | 60 ++++++++++++++++++++++
 3 files changed, 114 insertions(+)
Comment 4 Thomas Deutschmann (RETIRED) gentoo-dev 2019-12-03 00:27:10 UTC
Note that the patch for CVE-2017-14160 is the same as the patch for CVE-2018-10393 (bug 699862).
Comment 5 Thomas Deutschmann (RETIRED) gentoo-dev 2020-03-15 15:16:42 UTC
Added to an existing GLSA.
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2020-03-16 21:13:48 UTC
This issue was resolved and addressed in GLSA 202003-36 at https://security.gentoo.org/glsa/202003-36 by GLSA coordinator Thomas Deutschmann (whissi).