Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 650654 (CVE-2018-5146) - <media-libs/libvorbis-1.3.6: out of bounds write
Summary: <media-libs/libvorbis-1.3.6: out of bounds write
Status: RESOLVED FIXED
Alias: CVE-2018-5146
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: https://github.com/xiph/vorbis/releas...
Whiteboard: C3 [noglsa cve]
Keywords:
Depends on:
Blocks: CVE-2017-14632, CVE-2017-14633
  Show dependency tree
 
Reported: 2018-03-16 18:10 UTC by Hanno Boeck
Modified: 2018-04-22 21:28 UTC (History)
1 user (show)

See Also:
Package list:
media-libs/libvorbis-1.3.6
Runtime testing required: No
stable-bot: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Hanno Boeck gentoo-dev 2018-03-16 18:10:30 UTC
libvorbis 1.3.6 fixes one of the vulns found in firefox during the pwn2own competition and two other less severe vulns:
https://github.com/xiph/vorbis/releases/tag/v1.3.6

The other vulns are already tracked in #631632.

Please bump.
Comment 1 Larry the Git Cow gentoo-dev 2018-03-17 13:43:39 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8b027a1630d19999f03a141f7d1be13d285571f6

commit 8b027a1630d19999f03a141f7d1be13d285571f6
Author:     Alexis Ballier <aballier@gentoo.org>
AuthorDate: 2018-03-17 13:43:20 +0000
Commit:     Alexis Ballier <aballier@gentoo.org>
CommitDate: 2018-03-17 13:43:30 +0000

    media-libs/libvorbis: bump to 1.3.6
    
    Bug: https://bugs.gentoo.org/631632
    Bug: https://bugs.gentoo.org/650654
    Package-Manager: Portage-2.3.24, Repoman-2.3.6

 media-libs/libvorbis/Manifest               |  1 +
 media-libs/libvorbis/libvorbis-1.3.6.ebuild | 40 +++++++++++++++++++++++++++++
 2 files changed, 41 insertions(+)}
Comment 2 Sebastian Pipping gentoo-dev 2018-03-17 15:09:56 UTC
There's a mail on mailing list xiph-announce by Xiph member Jean-Marc Valin stating that tremor is affected by the same thing, pointing to commit:

  https://git.xiph.org/?p=tremor.git;a=commitdiff;h=562307a4

The mailing list archive online do not seem to cover 2018.  I have sent a copy to Hanno now, though.

Should there be a dedicated bug for tremor or should this ticket be about both of them?  Only once could be aliases to CVE-2018-5146 if we make two tickets, I suppose.
Comment 3 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2018-03-17 15:58:41 UTC
(In reply to Sebastian Pipping from comment #2)
> There's a mail on mailing list xiph-announce by Xiph member Jean-Marc Valin
> stating that tremor is affected by the same thing, pointing to commit:
> 
>   https://git.xiph.org/?p=tremor.git;a=commitdiff;h=562307a4
> 
> The mailing list archive online do not seem to cover 2018.  I have sent a
> copy to Hanno now, though.
> 
> Should there be a dedicated bug for tremor or should this ticket be about
> both of them?  Only once could be aliases to CVE-2018-5146 if we make two
> tickets, I suppose.

bug 650656 is assigned for tremor, which has CVE-2018-5147
Comment 4 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2018-04-05 17:48:57 UTC
(In reply to Sebastian Pipping from comment #2)
> There's a mail on mailing list xiph-announce by Xiph member Jean-Marc Valin
> stating that tremor is affected by the same thing, pointing to commit:
> 
>   https://git.xiph.org/?p=tremor.git;a=commitdiff;h=562307a4
> 
> The mailing list archive online do not seem to cover 2018.  I have sent a
> copy to Hanno now, though.
> 
> Should there be a dedicated bug for tremor or should this ticket be about
> both of them?  Only once could be aliases to CVE-2018-5146 if we make two
> tickets, I suppose.

We can create a tracker bug for the issue.
Comment 5 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2018-04-05 17:51:00 UTC
@arches, please stabilize.
Comment 6 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2018-04-05 17:51:38 UTC
(In reply to Aaron Bauman from comment #4)
> (In reply to Sebastian Pipping from comment #2)
> > There's a mail on mailing list xiph-announce by Xiph member Jean-Marc Valin
> > stating that tremor is affected by the same thing, pointing to commit:
> > 
> >   https://git.xiph.org/?p=tremor.git;a=commitdiff;h=562307a4
> > 
> > The mailing list archive online do not seem to cover 2018.  I have sent a
> > copy to Hanno now, though.
> > 
> > Should there be a dedicated bug for tremor or should this ticket be about
> > both of them?  Only once could be aliases to CVE-2018-5146 if we make two
> > tickets, I suppose.
> 
> We can create a tracker bug for the issue.

disregard
Comment 7 Thomas Deutschmann gentoo-dev Security 2018-04-05 23:21:55 UTC
x86 stable
Comment 8 Larry the Git Cow gentoo-dev 2018-04-06 00:42:01 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=fdbbf187fd7e4710e247d003f3af2e83a448160a

commit fdbbf187fd7e4710e247d003f3af2e83a448160a
Author:     Aaron Bauman <bman@gentoo.org>
AuthorDate: 2018-04-06 00:40:16 +0000
Commit:     Aaron Bauman <bman@gentoo.org>
CommitDate: 2018-04-06 00:41:02 +0000

    media-libs/libvorbis: amd64 stable
    
    Bug: https://bugs.gentoo.org/650654
    Package-Manager: Portage-2.3.28, Repoman-2.3.9

 media-libs/libvorbis/libvorbis-1.3.6.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)}
Comment 9 Tobias Klausmann gentoo-dev 2018-04-06 17:14:32 UTC
Stable on alpha.
Comment 10 Larry the Git Cow gentoo-dev 2018-04-07 10:43:07 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=05663070a8588ac39b87c95e2eb4b8e4f1e9aefa

commit 05663070a8588ac39b87c95e2eb4b8e4f1e9aefa
Author:     Rolf Eike Beer <eike@sf-mail.de>
AuthorDate: 2018-04-07 08:09:47 +0000
Commit:     Sergei Trofimovich <slyfox@gentoo.org>
CommitDate: 2018-04-07 10:42:15 +0000

    media-libs/libvorbis: stable 1.3.6 for sparc
    
    Bug: https://bugs.gentoo.org/650654
    Package-Manager: Portage-2.3.24, Repoman-2.3.6
    RepoMan-Options: --include-arches="sparc"

 media-libs/libvorbis/libvorbis-1.3.6.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)}
Comment 11 Matt Turner gentoo-dev 2018-04-08 04:59:48 UTC
ppc/ppc64 stable
Comment 12 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2018-04-21 11:54:14 UTC
arm stable
Comment 13 Matt Turner gentoo-dev 2018-04-22 20:19:55 UTC
hppa stable
Comment 14 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2018-04-22 21:27:36 UTC
GLSA Vote: No
Comment 15 Larry the Git Cow gentoo-dev 2018-04-22 21:28:59 UTC
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2d018a14c77675c9cfe98b2147006ecf583a015c

commit 2d018a14c77675c9cfe98b2147006ecf583a015c
Author:     Aaron Bauman <bman@gentoo.org>
AuthorDate: 2018-04-22 21:28:26 +0000
Commit:     Aaron Bauman <bman@gentoo.org>
CommitDate: 2018-04-22 21:28:51 +0000

    media-libs/libvorbis: drop vulnerable
    
    Closes: https://bugs.gentoo.org/650654
    Package-Manager: Portage-2.3.31, Repoman-2.3.9

 media-libs/libvorbis/Manifest               |  1 -
 media-libs/libvorbis/libvorbis-1.3.5.ebuild | 39 -----------------------------
 2 files changed, 40 deletions(-)