Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 626700 (CVE-2017-11331) - <media-sound/vorbis-tools-1.4.0-r5: oggenc vulnerability
Summary: <media-sound/vorbis-tools-1.4.0-r5: oggenc vulnerability
Status: RESOLVED FIXED
Alias: CVE-2017-11331
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: http://seclists.org/fulldisclosure/20...
Whiteboard: B3 [noglsa cve]
Keywords:
Depends on: CVE-2014-9638, CVE-2014-9639, CVE-2014-9640
Blocks:
  Show dependency tree
 
Reported: 2017-07-31 13:11 UTC by Christopher Díaz Riveros (RETIRED)
Modified: 2018-11-24 23:00 UTC (History)
0 users

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-07-31 13:11:47 UTC
From URL:

vorbis-tools oggenc vulnerability
================
Author : qflb.wu
===============


Introduction:
=============
The Vorbis Tools package contains command-line tools useful for encoding, playing or editing files using the Ogg CODEC.


Affected version:
=====
1.4.0


Vulnerability Description:
==========================
the wav_open function in oggenc/audio.c in vorbis-tools 1.4.0 can cause a denial of service(memory allocation error) 
via a crafted wav file.


./oggenc vorbis-tools_1.4.0_oggenc_memory_allocation_error.wav -o out


==68126==WARNING: AddressSanitizer failed to allocate 0xffffffffffffbc00 bytes
==68126==AddressSanitizer's allocator is terminating the process instead of returning 0
==68126==If you don't like this behavior set allocator_may_return_null=1
==68126==AddressSanitizer CHECK failed: 
/build/buildd/llvm-toolchain-3.4-3.4/projects/compiler-rt/lib/sanitizer_common/sanitizer_allocator.cc:149 "((0)) != 
(0)" (0x0, 0x0)
    #0 0x46d41f in __asan::AsanCheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) 
(/home/a/Downloads/vorbis-tools-1.4.0/oggenc/oggenc+0x46d41f)
    #1 0x472c81 in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) 
(/home/a/Downloads/vorbis-tools-1.4.0/oggenc/oggenc+0x472c81)
    #2 0x4719c0 in __sanitizer::AllocatorReturnNull() (/home/a/Downloads/vorbis-tools-1.4.0/oggenc/oggenc+0x4719c0)
    #3 0x4674b6 in __interceptor_malloc (/home/a/Downloads/vorbis-tools-1.4.0/oggenc/oggenc+0x4674b6)
    #4 0x492896 in wav_open /home/a/Downloads/vorbis-tools-1.4.0/oggenc/audio.c:573
    #5 0x496d8e in open_audio_file /home/a/Downloads/vorbis-tools-1.4.0/oggenc/audio.c:86
    #6 0x485d0a in main /home/a/Downloads/vorbis-tools-1.4.0/oggenc/oggenc.c:256
    #7 0x7f6d9f8dcec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
    #8 0x47d55c in _start (/home/a/Downloads/vorbis-tools-1.4.0/oggenc/oggenc+0x47d55c)


    -----------------
wav->channel_permute = malloc(wav->channels * sizeof(int));
if (wav->channels <= 8)
   /* Where we know the mappings, use them. */
   memcpy(wav->channel_permute, wav_permute_matrix[wav->channels-1], 
           sizeof(int) * wav->channels);
else
   /* Use a default 1-1 mapping */
   for (i=0; i < wav->channels; i++)
       wav->channel_permute[i] = i;


return 1;


Andthe code didn't check the return of malloc.
Comment 1 Andreas Sturmlechner gentoo-dev 2018-06-10 10:41:43 UTC
This is supposedly fixed by bug 537422 already.

https://security-tracker.debian.org/tracker/CVE-2017-11331
Comment 2 Andreas Sturmlechner gentoo-dev 2018-09-14 18:10:26 UTC
sound done here as well.
Comment 3 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2018-11-24 23:00:38 UTC
tree is clean.